Windows Analysis Report
Payment Advice.exe

Overview

General Information

Sample name: Payment Advice.exe
Analysis ID: 1528908
MD5: 959ff310cff226f065ec9692dd5b0852
SHA1: 7273bf0d8bcb9bf94fd5ad26d3973dcd6cf2b7bd
SHA256: 76d1094922df386d7078ab5c8b81fbff3644afd31aaceee935b60a85866b0162

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Contains functionality to detect sleep reduction / modifications
Found direct / indirect Syscall (likely to bypass EDR)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connections (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection

Source: Payment Advice.exe Virustotal: Detection: 27%
Source: Payment Advice.exe ReversingLabs: Detection: 28%
Source: Yara match File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.73447019188.0000000004390000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.73447097868.00000000043E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.71906788419.0000000005EB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.71902213370.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Payment Advice.exe Joe Sandbox ML: detected
Source: Payment Advice.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Binary string: wextract.pdb source: svchost.exe, 00000002.00000003.71870710058.000000000321A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.71871216830.000000000323C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wextract.pdbGCTL source: svchost.exe, 00000002.00000003.71870710058.000000000321A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.71871216830.000000000323C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: Payment Advice.exe, 00000000.00000003.71525843604.0000000004C60000.00000004.00001000.00020000.00000000.sdmp, Payment Advice.exe, 00000000.00000003.71527256863.0000000004AC0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.71818688030.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.71903405720.0000000003800000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.71903405720.000000000392D000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.71821569465.0000000003600000.00000004.00000020.00020000.00000000.sdmp, wextract.exe, 00000004.00000002.73447307347.0000000004690000.00000040.00001000.00020000.00000000.sdmp, wextract.exe, 00000004.00000003.71902519209.0000000004322000.00000004.00000020.00020000.00000000.sdmp, wextract.exe, 00000004.00000003.71905407512.00000000044DE000.00000004.00000020.00020000.00000000.sdmp, wextract.exe, 00000004.00000002.73447307347.00000000047BD000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: Payment Advice.exe, 00000000.00000003.71525843604.0000000004C60000.00000004.00001000.00020000.00000000.sdmp, Payment Advice.exe, 00000000.00000003.71527256863.0000000004AC0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.71818688030.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.71903405720.0000000003800000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.71903405720.000000000392D000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.71821569465.0000000003600000.00000004.00000020.00020000.00000000.sdmp, wextract.exe, 00000004.00000002.73447307347.0000000004690000.00000040.00001000.00020000.00000000.sdmp, wextract.exe, 00000004.00000003.71902519209.0000000004322000.00000004.00000020.00020000.00000000.sdmp, wextract.exe, 00000004.00000003.71905407512.00000000044DE000.00000004.00000020.00020000.00000000.sdmp, wextract.exe, 00000004.00000002.73447307347.00000000047BD000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: svchost.pdb source: RAVCpl64.exe, 00000003.00000002.76603324600.000000000494C000.00000004.80000000.00040000.00000000.sdmp, wextract.exe, 00000004.00000002.73448050918.0000000004CBC000.00000004.10000000.00040000.00000000.sdmp, wextract.exe, 00000004.00000002.73446715535.0000000000775000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.76615354295.000000001414C000.00000004.00000001.00040000.00000000.sdmp
Source: Binary string: svchost.pdbUGP source: RAVCpl64.exe, 00000003.00000002.76603324600.000000000494C000.00000004.80000000.00040000.00000000.sdmp, wextract.exe, 00000004.00000002.73448050918.0000000004CBC000.00000004.10000000.00040000.00000000.sdmp, wextract.exe, 00000004.00000002.73446715535.0000000000775000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.76615354295.000000001414C000.00000004.00000001.00040000.00000000.sdmp
Source: C:\Users\user\Desktop\Payment Advice.exe Code function: 0_2_00452126 FindFirstFileW,Sleep,FindNextFileW,FindClose, 0_2_00452126
Source: C:\Users\user\Desktop\Payment Advice.exe Code function: 0_2_0045C999 FindFirstFileW,FindNextFileW,FindClose, 0_2_0045C999
Source: C:\Users\user\Desktop\Payment Advice.exe Code function: 0_2_00436ADE GetFileAttributesW,FindFirstFileW,FindClose, 0_2_00436ADE
Source: C:\Users\user\Desktop\Payment Advice.exe Code function: 0_2_00434BEE FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00434BEE
Source: C:\Users\user\Desktop\Payment Advice.exe Code function: 0_2_0045DD7C FindFirstFileW,FindClose, 0_2_0045DD7C
Source: C:\Users\user\Desktop\Payment Advice.exe Code function: 0_2_0044BD1F FindFirstFileW,CopyFileW,lstrcmpiW,DeleteFileW,MoveFileW,FindClose, 0_2_0044BD1F
Source: C:\Users\user\Desktop\Payment Advice.exe Code function: 0_2_0044BD29 FindFirstFileW,CopyFileW,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose, 0_2_0044BD29
Source: C:\Users\user\Desktop\Payment Advice.exe Code function: 0_2_00436D2D FindFirstFileW,CreateFileW,SetFileTime,CloseHandle,SetFileTime,CloseHandle, 0_2_00436D2D
Source: C:\Users\user\Desktop\Payment Advice.exe Code function: 0_2_00442E1F SetCurrentDirectoryW,FindFirstFileW,SetCurrentDirectoryW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00442E1F
Source: C:\Users\user\Desktop\Payment Advice.exe Code function: 0_2_00475FE5 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime, 0_2_00475FE5
Source: C:\Users\user\Desktop\Payment Advice.exe Code function: 0_2_0044BF8D FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_0044BF8D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4x nop then mov ebx, 00000004h 2_2_045A04DE
Source: C:\Users\user\Desktop\Payment Advice.exe Code function: 0_2_0044289D InternetQueryDataAvailable,InternetReadFile, 0_2_0044289D
Source: explorer.exe, 00000005.00000003.74152073022.0000000009CE2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.76601606406.0000000009CD2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.73377144801.0000000009CE5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/money/retirement/middle-aged-americans-are-leaving-work-for-months-years-t
Source: explorer.exe, 00000005.00000003.74152073022.0000000009CE2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.76601606406.0000000009CD2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.73377144801.0000000009CE5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/crime/dick-van-dyke-forever-young/ar-AA1lDpRD
Source: explorer.exe, 00000005.00000003.74152073022.0000000009CE2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.76601606406.0000000009CD2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.73377144801.0000000009CE5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/crime/tyreek-hill-s-traffic-stop-shows-interactions-with-police-can-b
Source: explorer.exe, 00000005.00000003.74152073022.0000000009CE2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.76601606406.0000000009CD2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.73377144801.0000000009CE5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/politics/6-things-to-watch-for-when-kamala-harris-debates-donald-trum
Source: explorer.exe, 00000005.00000003.74152073022.0000000009CE2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.76601606406.0000000009CD2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.73377144801.0000000009CE5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/politics/chris-christie-former-trump-debate-coach-offers-key-pieces-o
Source: explorer.exe, 00000005.00000003.74152073022.0000000009CE2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.76601606406.0000000009CD2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.73377144801.0000000009CE5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/politics/jd-vance-spreads-outrageous-lie-about-haitian-immigrants/ar-
Source: explorer.exe, 00000005.00000003.74152073022.0000000009CE2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.76601606406.0000000009CD2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.73377144801.0000000009CE5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/us/james-earl-jones-s-talents-went-far-far-beyond-his-magnificent-voi
Source: explorer.exe, 00000005.00000003.74152073022.0000000009CE2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.76601606406.0000000009CD2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.73377144801.0000000009CE5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/us/trump-repeats-false-claims-that-children-are-undergoing-transgende
Source: explorer.exe, 00000005.00000003.74152073022.0000000009CE2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.76601606406.0000000009CD2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.73377144801.0000000009CE5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/world/gaza-authorities-say-deadly-blasts-hit-humanitarian-zone/ar-AA1
Source: explorer.exe, 00000005.00000003.74152073022.0000000009CE2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.76601606406.0000000009CD2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.73377144801.0000000009CE5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/sports/nba/johnny-gaudreau-s-wife-reveals-in-eulogy-she-s-pregnant-expecti
Source: explorer.exe, 00000005.00000003.74152073022.0000000009CE2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.76601606406.0000000009CD2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.73377144801.0000000009CE5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/sports/nfl/49ers-win-over-jets-ends-with-final-score-that-s-never-been-see
Source: explorer.exe, 00000005.00000003.74152073022.0000000009CE2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.76601606406.0000000009CD2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.73377144801.0000000009CE5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/travel/news/scientists-finally-solve-mystery-behind-bermuda-triangle-disap
Source: explorer.exe, 00000005.00000003.74152073022.0000000009CE2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.76601606406.0000000009CD2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.73377144801.0000000009CE5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/tv/news/the-bold-the-beautiful-young-and-the-restless-more-get-premiere-da
Source: explorer.exe, 00000005.00000003.74152073022.0000000009CE2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.76601606406.0000000009CD2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.73377144801.0000000009CE5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/weather/forecast/in-Santa-Clara%2CCalifornia?loc=eyJsIjoiU2FudGEgQ2xhcmEiL
Source: explorer.exe, 00000005.00000003.74152073022.0000000009CE2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.76601606406.0000000009CD2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.73377144801.0000000009CE5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/weather/hourlyforecast/in-Santa-Clara%2CCalifornia?loc=eyJsIjoiU2FudGEgQ2x
Source: C:\Users\user\Desktop\Payment Advice.exe Code function: 0_2_0046C5D0 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard, 0_2_0046C5D0
Source: C:\Users\user\Desktop\Payment Advice.exe Code function: 0_2_00459FFF OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 0_2_00459FFF
Source: C:\Users\user\Desktop\Payment Advice.exe Code function: 0_2_00456354 GetCursorPos,ScreenToClient,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState, 0_2_00456354
Source: C:\Users\user\Desktop\Payment Advice.exe Code function: 0_2_0047C08E SendMessageW,NtdllDialogWndProc_W,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,SetCapture,ClientToScreen,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx, 0_2_0047C08E

E-Banking Fraud

Source: Yara match File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.73447019188.0000000004390000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.73447097868.00000000043E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.71906788419.0000000005EB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.71902213370.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.73447019188.0000000004390000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.73447097868.00000000043E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.71906788419.0000000005EB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.71902213370.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: initial sample Static PE information: Filename: Payment Advice.exe
Source: C:\Users\user\Desktop\Payment Advice.exe Code function: 0_2_0047C08E SendMessageW,NtdllDialogWndProc_W,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,SetCapture,ClientToScreen,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx, 0_2_0047C08E
Source: C:\Users\user\Desktop\Payment Advice.exe Code function: 0_2_004331D9 ClientToScreen,NtdllDialogWndProc_W, 0_2_004331D9
Source: C:\Users\user\Desktop\Payment Advice.exe Code function: 0_2_0047E1FA NtdllDialogWndProc_W, 0_2_0047E1FA
Source: C:\Users\user\Desktop\Payment Advice.exe Code function: 0_2_0043323E NtdllDialogWndProc_W, 0_2_0043323E
Source: C:\Users\user\Desktop\Payment Advice.exe Code function: 0_2_0046F2B0 DragQueryPoint,SendMessageW,SendMessageW,DragQueryFileW,DragQueryFileW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W, 0_2_0046F2B0
Source: C:\Users\user\Desktop\Payment Advice.exe Code function: 0_2_0046F50B NtdllDialogWndProc_W,ReleaseCapture,SetWindowTextW,SendMessageW,NtdllDialogWndProc_W, 0_2_0046F50B
Source: C:\Users\user\Desktop\Payment Advice.exe Code function: 0_2_0045058D GetParent,NtdllDialogWndProc_W,NtdllDialogWndProc_W,NtdllDialogWndProc_W, 0_2_0045058D
Source: C:\Users\user\Desktop\Payment Advice.exe Code function: 0_2_00469681 PostMessageW,GetFocus,GetDlgCtrlID,PostMessageW,NtdllDialogWndProc_W,GetMenuItemInfoW,GetMenuItemCount,GetMenuItemID,GetMenuItemInfoW,GetMenuItemInfoW,CheckMenuRadioItem,NtdllDialogWndProc_W, 0_2_00469681
Source: C:\Users\user\Desktop\Payment Advice.exe Code function: 0_2_0046F749 NtdllDialogWndProc_W, 0_2_0046F749
Source: C:\Users\user\Desktop\Payment Advice.exe Code function: 0_2_00447870 GetCursorPos,TrackPopupMenuEx,NtdllDialogWndProc_W,GetCursorPos,TrackPopupMenuEx, 0_2_00447870
Source: C:\Users\user\Desktop\Payment Advice.exe Code function: 0_2_0044782B NtdllDialogWndProc_W, 0_2_0044782B
Source: C:\Users\user\Desktop\Payment Advice.exe Code function: 0_2_0044096A NtdllDialogWndProc_W, 0_2_0044096A
Source: C:\Users\user\Desktop\Payment Advice.exe Code function: 0_2_0044796B GetClientRect,GetCursorPos,ScreenToClient,WindowFromPoint,NtdllDialogWndProc_W, 0_2_0044796B
Source: C:\Users\user\Desktop\Payment Advice.exe Code function: 0_2_00440938 NtdllDialogWndProc_W, 0_2_00440938
Source: C:\Users\user\Desktop\Payment Advice.exe Code function: 0_2_00469995 NtdllDialogWndProc_W,NtdllDialogWndProc_W, 0_2_00469995
Source: C:\Users\user\Desktop\Payment Advice.exe Code function: 0_2_0044099C NtdllDialogWndProc_W, 0_2_0044099C
Source: C:\Users\user\Desktop\Payment Advice.exe Code function: 0_2_00440ADF NtdllDialogWndProc_W, 0_2_00440ADF
Source: C:\Users\user\Desktop\Payment Advice.exe Code function: 0_2_00447A87 SendMessageW,NtdllDialogWndProc_W, 0_2_00447A87
Source: C:\Users\user\Desktop\Payment Advice.exe Code function: 0_2_00447B15 NtdllDialogWndProc_W, 0_2_00447B15
Source: C:\Users\user\Desktop\Payment Advice.exe Code function: 0_2_00440B39 GetSystemMetrics,MoveWindow,SendMessageW,InvalidateRect,SendMessageW,ShowWindow,NtdllDialogWndProc_W, 0_2_00440B39
Source: C:\Users\user\Desktop\Payment Advice.exe Code function: 0_2_00454C69 NtdllDialogWndProc_W, 0_2_00454C69
Source: C:\Users\user\Desktop\Payment Advice.exe Code function: 0_2_00454C1B NtdllDialogWndProc_W, 0_2_00454C1B
Source: C:\Users\user\Desktop\Payment Advice.exe Code function: 0_2_00461EB0 NtdllDialogWndProc_W,NtdllDialogWndProc_W, 0_2_00461EB0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0042C003 NtClose, 2_2_0042C003
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038734E0 NtCreateMutant,LdrInitializeThunk, 2_2_038734E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03872BC0 NtQueryInformationToken,LdrInitializeThunk, 2_2_03872BC0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03872A80 NtClose,LdrInitializeThunk, 2_2_03872A80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03872EB0 NtProtectVirtualMemory,LdrInitializeThunk, 2_2_03872EB0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03872D10 NtQuerySystemInformation,LdrInitializeThunk, 2_2_03872D10
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03874260 NtSetContextThread, 2_2_03874260
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03874570 NtSuspendThread, 2_2_03874570
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03872B80 NtCreateKey, 2_2_03872B80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03872B90 NtFreeVirtualMemory, 2_2_03872B90
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03872BE0 NtQueryVirtualMemory, 2_2_03872BE0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03872B00 NtQueryValueKey, 2_2_03872B00
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03872B10 NtAllocateVirtualMemory, 2_2_03872B10
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03872B20 NtQueryInformationProcess, 2_2_03872B20
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03872AA0 NtQueryInformationFile, 2_2_03872AA0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03872AC0 NtEnumerateValueKey, 2_2_03872AC0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03872A10 NtWriteFile, 2_2_03872A10
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038729D0 NtWaitForSingleObject, 2_2_038729D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038729F0 NtReadFile, 2_2_038729F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038738D0 NtGetContextThread, 2_2_038738D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03872FB0 NtSetValueKey, 2_2_03872FB0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03872F00 NtCreateFile, 2_2_03872F00
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03872F30 NtOpenDirectoryObject, 2_2_03872F30
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03872E80 NtCreateProcessEx, 2_2_03872E80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03872EC0 NtQuerySection, 2_2_03872EC0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03872ED0 NtResumeThread, 2_2_03872ED0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03872E00 NtQueueApcThread, 2_2_03872E00
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03872E50 NtCreateSection, 2_2_03872E50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03872DA0 NtReadVirtualMemory, 2_2_03872DA0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03872DC0 NtAdjustPrivilegesToken, 2_2_03872DC0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03872D50 NtWriteVirtualMemory, 2_2_03872D50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03873C90 NtOpenThread, 2_2_03873C90
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03872CD0 NtEnumerateKey, 2_2_03872CD0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03872CF0 NtDelayExecution, 2_2_03872CF0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03872C10 NtOpenProcess, 2_2_03872C10
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03872C20 NtSetInformationFile, 2_2_03872C20
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03872C30 NtMapViewOfSection, 2_2_03872C30
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03873C30 NtOpenProcessToken, 2_2_03873C30
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03872C50 NtUnmapViewOfSection, 2_2_03872C50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_045B3619 NtSetContextThread, 2_2_045B3619
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_045B3C5A NtResumeThread, 2_2_045B3C5A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_045B393C NtSuspendThread, 2_2_045B393C
Source: C:\Users\user\Desktop\Payment Advice.exe Code function: 0_2_00434D50 GetFullPathNameW,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle, 0_2_00434D50
Source: C:\Users\user\Desktop\Payment Advice.exe Code function: 0_2_004461ED DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,746A5590,CreateProcessAsUserW,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle, 0_2_004461ED
Source: C:\Users\user\Desktop\Payment Advice.exe Code function: 0_2_004364AA GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState, 0_2_004364AA
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 038BEF10 appears 105 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 03875050 appears 36 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 03887BE4 appears 88 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 0382B910 appears 266 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 038AE692 appears 79 times
Source: C:\Users\user\Desktop\Payment Advice.exe Code function: String function: 00445975 appears 65 times
Source: C:\Users\user\Desktop\Payment Advice.exe Code function: String function: 0041171A appears 37 times
Source: C:\Users\user\Desktop\Payment Advice.exe Code function: String function: 0041718C appears 45 times
Source: C:\Users\user\Desktop\Payment Advice.exe Code function: String function: 0040E6D0 appears 35 times
Source: Payment Advice.exe, 00000000.00000003.71527256863.0000000004BE3000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Payment Advice.exe
Source: Payment Advice.exe, 00000000.00000003.71524139618.0000000004D8D000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Payment Advice.exe
Source: Payment Advice.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.73447019188.0000000004390000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.73447097868.00000000043E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.71906788419.0000000005EB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.71902213370.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Payment Advice.exe Static PE information: Section: UPX1 ZLIB complexity 0.9933401031783681
Source: classification engine Classification label: mal100.troj.evad.winEXE@5/1@0/0
Source: C:\Users\user\Desktop\Payment Advice.exe Code function: 0_2_0044AF5C GetLastError,FormatMessageW, 0_2_0044AF5C
Source: C:\Users\user\Desktop\Payment Advice.exe Code function: 0_2_00464422 OpenProcess,GetLastError,GetLastError,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,OpenProcess,AdjustTokenPrivileges,CloseHandle,TerminateProcess,GetLastError,CloseHandle, 0_2_00464422
Source: C:\Users\user\Desktop\Payment Advice.exe Code function: 0_2_004364AA GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState, 0_2_004364AA
Source: C:\Users\user\Desktop\Payment Advice.exe Code function: 0_2_0045D517 SetErrorMode,GetDiskFreeSpaceW,GetLastError,SetErrorMode, 0_2_0045D517
Source: C:\Users\user\Desktop\Payment Advice.exe Code function: 0_2_0043701F CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle, 0_2_0043701F
Source: C:\Users\user\Desktop\Payment Advice.exe Code function: 0_2_0047A999 OleInitialize,CLSIDFromProgID,CoCreateInstance,CoInitializeSecurity,CoCreateInstanceEx,CoSetProxyBlanket, 0_2_0047A999
Source: C:\Users\user\Desktop\Payment Advice.exe Code function: 0_2_0043614F FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx, 0_2_0043614F
Source: C:\Users\user\Desktop\Payment Advice.exe File created: C:\Users\user\AppData\Local\Temp\cunili Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: Payment Advice.exe Virustotal: Detection: 27%
Source: Payment Advice.exe ReversingLabs: Detection: 28%
Source: C:\Users\user\Desktop\Payment Advice.exe File read: C:\Users\user\Desktop\Payment Advice.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\Payment Advice.exe "C:\Users\user\Desktop\Payment Advice.exe"
Source: C:\Users\user\Desktop\Payment Advice.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Payment Advice.exe"
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe Process created: C:\Windows\SysWOW64\wextract.exe "C:\Windows\SysWOW64\wextract.exe"
Source: C:\Users\user\Desktop\Payment Advice.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Payment Advice.exe" Jump to behavior
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe Process created: C:\Windows\SysWOW64\wextract.exe "C:\Windows\SysWOW64\wextract.exe" Jump to behavior
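The three parent/child pairs above are the most useful evidence in this part of the report for a responder: a Windows binary (svchost.exe) started with a command line that names a different executable, and a Realtek audio helper that is never itself created during the run but spawns wextract.exe. The script below is an added example, not part of the sandbox's output; it parses the report's own "Process created" lines and applies three checks (the path rule for "system binary", the argv[0] comparison and the "parent never created" inference are my heuristics, not the sandbox's).

```python
"""Triage of the 'Process created' evidence lines above. Added example, not
part of the sandbox report: it parses the report's own lines, rebuilds the
parent/child pairs and applies three checks a responder uses on a run like
this one (the path rules and the injection inference are mine)."""
import ntpath
import re
from dataclasses import dataclass

# Evidence lines copied from this report (constructed list, same text).
REPORT_LINES = [
    r'Source: unknown Process created: C:\Users\user\Desktop\Payment Advice.exe "C:\Users\user\Desktop\Payment Advice.exe"',
    r'Source: C:\Users\user\Desktop\Payment Advice.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Payment Advice.exe" Jump to behavior',
    r'Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe Process created: C:\Windows\SysWOW64\wextract.exe "C:\Windows\SysWOW64\wextract.exe" Jump to behavior',
]

# parent path, created image (first token ending in .exe), then the command
# line; the trailing "Jump to behavior" link text of the report is dropped.
LINE_RE = re.compile(
    r'^Source: (?P<parent>.+?) Process created: (?P<image>.+?\.exe) (?P<cmdline>.+?)(?: Jump to behavior)?$',
    re.IGNORECASE,
)


@dataclass(frozen=True)
class ProcEvent:
    parent: str
    image: str
    cmdline: str


def parse_process_lines(lines):
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append(ProcEvent(m["parent"], m["image"], m["cmdline"]))
    return events


def argv0(cmdline):
    """First token of a Windows command line, honouring the quoted form."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        return cmdline[1:cmdline.index('"', 1)]
    return cmdline.split(" ", 1)[0]


def hollowing_candidates(events):
    """Image on disk differs from the program named in argv[0]: the loader
    started one binary, but the command line claims another. That is what a
    CreateProcess(CREATE_SUSPENDED) + image replacement (hollowing) looks like."""
    return [ev for ev in events
            if ntpath.basename(ev.image).lower() != ntpath.basename(argv0(ev.cmdline)).lower()]


def system_binary_from_foreign_parent(events, system_root="c:\\windows\\"):
    """A binary under C:\\Windows launched by a parent outside it."""
    return [ev for ev in events
            if ev.image.lower().startswith(system_root)
            and ev.parent != "unknown"
            and not ev.parent.lower().startswith(system_root)]


def parents_never_created(events):
    """Parents that spawn children but were never themselves created during
    the run: consistent with code injected into an already-running process."""
    created = {ev.image.lower() for ev in events}
    return sorted({ev.parent for ev in events
                   if ev.parent != "unknown" and ev.parent.lower() not in created})


if __name__ == "__main__":
    evs = parse_process_lines(REPORT_LINES)
    for ev in hollowing_candidates(evs):
        print("hollowing candidate:", ev.image, "argv[0] =", argv0(ev.cmdline))
    for ev in system_binary_from_foreign_parent(evs):
        print("system binary from foreign parent:", ev.parent, "->", ev.image)
    for p in parents_never_created(evs):
        print("parent never seen created (injected?):", p)
```

On a live host the same three checks apply to Sysmon event ID 1 (Image, CommandLine, ParentImage) rather than report lines; the argv[0] mismatch is the cheapest high-signal rule of the three.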
Source: C:\Users\user\Desktop\Payment Advice.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice.exe Section loaded: edgegdi.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: edgegdi.dll Jump to behavior
Source: C:\Windows\SysWOW64\wextract.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Windows\SysWOW64\wextract.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\wextract.exe Section loaded: edgegdi.dll Jump to behavior
Source: C:\Windows\SysWOW64\wextract.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: vcruntime140_1.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: msvcp140.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: vcruntime140_1.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32 Jump to behavior
Source: Binary string: wextract.pdb source: svchost.exe, 00000002.00000003.71870710058.000000000321A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.71871216830.000000000323C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wextract.pdbGCTL source: svchost.exe, 00000002.00000003.71870710058.000000000321A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.71871216830.000000000323C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: Payment Advice.exe, 00000000.00000003.71525843604.0000000004C60000.00000004.00001000.00020000.00000000.sdmp, Payment Advice.exe, 00000000.00000003.71527256863.0000000004AC0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.71818688030.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.71903405720.0000000003800000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.71903405720.000000000392D000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.71821569465.0000000003600000.00000004.00000020.00020000.00000000.sdmp, wextract.exe, 00000004.00000002.73447307347.0000000004690000.00000040.00001000.00020000.00000000.sdmp, wextract.exe, 00000004.00000003.71902519209.0000000004322000.00000004.00000020.00020000.00000000.sdmp, wextract.exe, 00000004.00000003.71905407512.00000000044DE000.00000004.00000020.00020000.00000000.sdmp, wextract.exe, 00000004.00000002.73447307347.00000000047BD000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: Payment Advice.exe, 00000000.00000003.71525843604.0000000004C60000.00000004.00001000.00020000.00000000.sdmp, Payment Advice.exe, 00000000.00000003.71527256863.0000000004AC0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.71818688030.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.71903405720.0000000003800000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.71903405720.000000000392D000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.71821569465.0000000003600000.00000004.00000020.00020000.00000000.sdmp, wextract.exe, 00000004.00000002.73447307347.0000000004690000.00000040.00001000.00020000.00000000.sdmp, wextract.exe, 00000004.00000003.71902519209.0000000004322000.00000004.00000020.00020000.00000000.sdmp, wextract.exe, 00000004.00000003.71905407512.00000000044DE000.00000004.00000020.00020000.00000000.sdmp, wextract.exe, 00000004.00000002.73447307347.00000000047BD000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: svchost.pdb source: RAVCpl64.exe, 00000003.00000002.76603324600.000000000494C000.00000004.80000000.00040000.00000000.sdmp, wextract.exe, 00000004.00000002.73448050918.0000000004CBC000.00000004.10000000.00040000.00000000.sdmp, wextract.exe, 00000004.00000002.73446715535.0000000000775000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.76615354295.000000001414C000.00000004.00000001.00040000.00000000.sdmp
Source: Binary string: svchost.pdbUGP source: RAVCpl64.exe, 00000003.00000002.76603324600.000000000494C000.00000004.80000000.00040000.00000000.sdmp, wextract.exe, 00000004.00000002.73448050918.0000000004CBC000.00000004.10000000.00040000.00000000.sdmp, wextract.exe, 00000004.00000002.73446715535.0000000000775000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.76615354295.000000001414C000.00000004.00000001.00040000.00000000.sdmp
Source: C:\Users\user\Desktop\Payment Advice.exe Code function: 0_2_0040EB70 LoadLibraryA,GetProcAddress, 0_2_0040EB70
Source: C:\Users\user\Desktop\Payment Advice.exe Code function: 0_2_004550C9 push ebp; retf 0_2_004550CA
Source: C:\Users\user\Desktop\Payment Advice.exe Code function: 0_2_004171D1 push ecx; ret 0_2_004171E4
Source: C:\Users\user\Desktop\Payment Advice.exe Code function: 0_2_044F3849 push ebp; iretd 0_2_044F384D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_004031E0 push eax; ret 2_2_004031E2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041A2B1 push ds; ret 2_2_0041A2D2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_004083A5 push 00000072h; ret 2_2_00408433
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00415413 push 10CBE7A4h; retf 2_2_004154F3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00401EF2 push edi; retf 2_2_00401EF3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038308CD push ecx; mov dword ptr [esp], ecx 2_2_038308D6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_045A7486 push ebp; iretd 2_2_045A7495
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_045A44BC push eax; retf 2_2_045A44BE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_045A50F9 push cs; ret 2_2_045A5107
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_045B5252 push eax; ret 2_2_045B5254
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_045A52A6 push esp; retf 2_2_045A52A7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_045A9FBC push eax; ret 2_2_045A9FC7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_045A58FA push ebx; ret 2_2_045A5912
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_045AA9CA push edx; iretd 2_2_045AA9D4
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
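The static findings on this sample fit together: section names UPX0/UPX1, a UPX1 section with ZLIB complexity 0.99, and file characteristics RELOCS_STRIPPED | EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE | 32BIT_MACHINE. The script below is an added example, not the sandbox's code: it parses a PE section table with struct alone, decodes those characteristic bits, and scores each section with Shannon entropy (the sandbox's "ZLIB complexity" is a different measure, but a packed or encrypted section scores high on either; the 7.0 bits/byte threshold is my choice). The sample PE is constructed in memory so the script runs offline; it is not the file from this report.

```python
"""Static packer check that mirrors three findings in this report: the
IMAGE_FILE characteristics line, the UPX0/UPX1 section names and the
high-complexity UPX1 section. Added example, not the sandbox's own code;
the sample image is constructed below."""
import math
import random
import struct
from collections import Counter
from dataclasses import dataclass

FILE_CHARACTERISTICS = {          # IMAGE_FILE_* flags from winnt.h
    0x0001: "RELOCS_STRIPPED",
    0x0002: "EXECUTABLE_IMAGE",
    0x0020: "LARGE_ADDRESS_AWARE",
    0x0100: "32BIT_MACHINE",
    0x2000: "DLL",
}
IMAGE_SCN_MEM_EXECUTE = 0x20000000


@dataclass
class Section:
    name: str
    virtual_size: int
    virtual_address: int
    raw_size: int
    raw_ptr: int
    characteristics: int
    entropy: float


def shannon_entropy(buf):
    """Bits per byte: 0.0 for an empty buffer, 8.0 for perfectly uniform data."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def decode_characteristics(flags):
    return [name for bit, name in sorted(FILE_CHARACTERISTICS.items()) if flags & bit]


def parse_sections(data):
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image (no MZ)")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    _machine, nsec, _ts, _psym, _nsym, opt_size, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    table = e_lfanew + 4 + 20 + opt_size          # section headers follow the optional header
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsz, rawptr, _r, _l, _nr, _nl, schars = struct.unpack_from(
            "<8sIIIIIIHHI", data, table + 40 * i)
        raw = data[rawptr:rawptr + rawsz] if rawsz else b""
        sections.append(Section(name.rstrip(b"\0").decode("ascii", "replace"),
                                vsize, va, rawsz, rawptr, schars, shannon_entropy(raw)))
    return chars, sections


def packer_indicators(chars, sections, entropy_threshold=7.0):
    findings = []
    if {"UPX0", "UPX1"} <= {s.name for s in sections}:
        findings.append("UPX section names present")
    for s in sections:
        if s.raw_size and s.entropy >= entropy_threshold:
            findings.append(f"high-entropy section {s.name} ({s.entropy:.2f} bits/byte)")
        if s.raw_size == 0 and s.virtual_size and s.characteristics & IMAGE_SCN_MEM_EXECUTE:
            findings.append(f"section {s.name} is executable, empty on disk, "
                            f"{s.virtual_size:#x} bytes in memory (unpack target)")
    if chars & 0x0001:
        findings.append("RELOCS_STRIPPED: no relocations, image cannot be rebased, ASLR does not apply")
    return findings


def build_sample():
    """Constructed stand-in for a UPX-packed 32-bit EXE (not the report's sample)."""
    rng = random.Random(1528908)
    packed = bytes(rng.getrandbits(8) for _ in range(0x400))   # stands in for compressed code
    rsrc = b"\0" * 480 + b"\x01" * 32                           # low-entropy resource data
    hdr = bytearray(0x200)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                     # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    # Machine=i386, 3 sections, SizeOfOptionalHeader=0xE0, Characteristics=0x0123
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x14C, 3, 0, 0, 0, 0xE0, 0x0123)
    table = 0x44 + 20 + 0xE0
    secs = [(b"UPX0", 0x20000, 0x1000, 0, 0, 0xE0000080),        # uninitialised, RWX
            (b"UPX1", 0x400, 0x21000, 0x400, 0x200, 0xE0000040),  # packed payload, RWX
            (b".rsrc", 0x200, 0x22000, 0x200, 0x600, 0xC0000040)]
    for i, (name, vsize, va, rawsz, rawptr, sch) in enumerate(secs):
        struct.pack_into("<8sIIIIIIHHI", hdr, table + 40 * i, name, vsize, va, rawsz, rawptr, 0, 0, 0, 0, sch)
    return bytes(hdr) + packed + rsrc


if __name__ == "__main__":
    chars, secs = parse_sections(build_sample())
    print("Characteristics:", ", ".join(decode_characteristics(chars)))
    for s in secs:
        print(f"{s.name:8} raw={s.raw_size:#7x} virt={s.virtual_size:#7x} entropy={s.entropy:.2f}")
    for f in packer_indicators(chars, secs):
        print("!", f)
```

Two caveats when reading the output: an empty-on-disk executable section and a stripped relocation table are normal for UPX and not malicious on their own, and the entropy of a legitimately compressed resource (an embedded PNG, say) will also score above 7.0, so the section name and the unpack-target shape carry more weight than the number alone.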
Source: C:\Users\user\Desktop\Payment Advice.exe Code function: 0_2_004772DE IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 0_2_004772DE
Source: C:\Users\user\Desktop\Payment Advice.exe Code function: 0_2_004375B0 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_004375B0
Source: C:\Windows\SysWOW64\wextract.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\Payment Advice.exe Code function: 0_2_00444078 0_2_00444078
Source: C:\Users\user\Desktop\Payment Advice.exe API/Special instruction interceptor: Address: 44F327C
Source: C:\Windows\SysWOW64\svchost.exe API/Special instruction interceptor: Address: 7FFCCBB0D144
Source: C:\Windows\SysWOW64\svchost.exe API/Special instruction interceptor: Address: 7FFCCBB10594
Source: C:\Windows\SysWOW64\svchost.exe API/Special instruction interceptor: Address: 7FFCCBB0FF74
Source: C:\Windows\SysWOW64\svchost.exe API/Special instruction interceptor: Address: 7FFCCBB0D6C4
Source: C:\Windows\SysWOW64\svchost.exe API/Special instruction interceptor: Address: 7FFCCBB0D864
Source: C:\Windows\SysWOW64\svchost.exe API/Special instruction interceptor: Address: 7FFCCBB0D004
Source: C:\Windows\SysWOW64\wextract.exe API/Special instruction interceptor: Address: 7FFCCBB0D144
Source: C:\Windows\SysWOW64\wextract.exe API/Special instruction interceptor: Address: 7FFCCBB10594
Source: C:\Windows\SysWOW64\wextract.exe API/Special instruction interceptor: Address: 7FFCCBB0D764
Source: C:\Windows\SysWOW64\wextract.exe API/Special instruction interceptor: Address: 7FFCCBB0D324
Source: C:\Windows\SysWOW64\wextract.exe API/Special instruction interceptor: Address: 7FFCCBB0D364
Source: C:\Windows\SysWOW64\wextract.exe API/Special instruction interceptor: Address: 7FFCCBB0D004
Source: C:\Windows\SysWOW64\wextract.exe API/Special instruction interceptor: Address: 7FFCCBB0FF74
Source: C:\Windows\SysWOW64\wextract.exe API/Special instruction interceptor: Address: 7FFCCBB0D6C4
Source: C:\Windows\SysWOW64\wextract.exe API/Special instruction interceptor: Address: 7FFCCBB0D864
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03871763 rdtsc 2_2_03871763
Source: C:\Windows\SysWOW64\wextract.exe Window / User API: threadDelayed 9852 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 882 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 873 Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice.exe API coverage: 3.2 %
Source: C:\Windows\SysWOW64\svchost.exe API coverage: 0.9 %
Source: C:\Windows\SysWOW64\wextract.exe TID: 6772 Thread sleep count: 122 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\wextract.exe TID: 6772 Thread sleep time: -244000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\wextract.exe TID: 6772 Thread sleep count: 9852 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\wextract.exe TID: 6772 Thread sleep time: -19704000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\wextract.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\wextract.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\Payment Advice.exe Code function: 0_2_00452126 FindFirstFileW,Sleep,FindNextFileW,FindClose, 0_2_00452126
Source: C:\Users\user\Desktop\Payment Advice.exe Code function: 0_2_0045C999 FindFirstFileW,FindNextFileW,FindClose, 0_2_0045C999
Source: C:\Users\user\Desktop\Payment Advice.exe Code function: 0_2_00436ADE GetFileAttributesW,FindFirstFileW,FindClose, 0_2_00436ADE
Source: C:\Users\user\Desktop\Payment Advice.exe Code function: 0_2_00434BEE FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00434BEE
Source: C:\Users\user\Desktop\Payment Advice.exe Code function: 0_2_0045DD7C FindFirstFileW,FindClose, 0_2_0045DD7C
Source: C:\Users\user\Desktop\Payment Advice.exe Code function: 0_2_0044BD1F FindFirstFileW,CopyFileW,lstrcmpiW,DeleteFileW,MoveFileW,FindClose, 0_2_0044BD1F
Source: C:\Users\user\Desktop\Payment Advice.exe Code function: 0_2_0044BD29 FindFirstFileW,CopyFileW,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose, 0_2_0044BD29
Source: C:\Users\user\Desktop\Payment Advice.exe Code function: 0_2_00436D2D FindFirstFileW,CreateFileW,SetFileTime,CloseHandle,SetFileTime,CloseHandle, 0_2_00436D2D
Source: C:\Users\user\Desktop\Payment Advice.exe Code function: 0_2_00442E1F SetCurrentDirectoryW,FindFirstFileW,SetCurrentDirectoryW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00442E1F
Source: C:\Users\user\Desktop\Payment Advice.exe Code function: 0_2_00475FE5 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime, 0_2_00475FE5
Source: C:\Users\user\Desktop\Payment Advice.exe Code function: 0_2_0044BF8D FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_0044BF8D
Source: C:\Users\user\Desktop\Payment Advice.exe Code function: 0_2_0040E470 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_0040E470
Source: explorer.exe, 00000005.00000000.73380807640.000000000D91B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.76607173071.000000000D91B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.74150410272.000000000DE94000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.76608165483.000000000DE94000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.76608165483.000000000DBCF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.74150410272.000000000DBCF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.73382747463.000000000DE94000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.73381683797.000000000DBCF000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: wextract.exe, 00000004.00000002.73446715535.0000000000775000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll=
Source: C:\Windows\SysWOW64\svchost.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\wextract.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\wextract.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03871763 rdtsc 2_2_03871763
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00417143 LdrLoadDll, 2_2_00417143
Source: C:\Users\user\Desktop\Payment Advice.exe Code function: 0_2_0045A259 BlockInput, 0_2_0045A259
Source: C:\Users\user\Desktop\Payment Advice.exe Code function: 0_2_0040D6D0 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW, 0_2_0040D6D0
Source: C:\Users\user\Desktop\Payment Advice.exe Code function: 0_2_0040EB70 LoadLibraryA,GetProcAddress, 0_2_0040EB70
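The anti-analysis evidence in this section is of two kinds: runtime queries (DebugPort, ProcessInformation, IsDebuggerPresent, BlockInput) and, in the lines that follow, many `mov eax, dword ptr fs:[00000030h]` reads in the injected svchost.exe code plus the `rdtsc` at 2_2_03871763. fs:[30h] is the 32-bit PEB pointer, and the usual follow-ups are a read of PEB.BeingDebugged (offset 2) or PEB.NtGlobalFlag (offset 0x68). The scanner below is an added example, not sandbox code: it finds those idioms by their standard x86 encodings in a code buffer and pairs nearby rdtsc reads into timing windows. The buffer it scans is constructed; run it against an unpacked dump such as the report's 2.2.svchost.exe.400000.0.unpack rather than the packed file, since raw byte matching over compressed data produces noise, and note that 64-bit code reads the PEB through gs:[60h] instead, which this 32-bit table does not cover.

```python
"""Byte-pattern scan for the anti-debug idioms this section reports: reads of
the PEB through fs:[30h], an rdtsc timing check and the BeingDebugged /
NtGlobalFlag follow-ups. Added example, not sandbox code; the x86 encodings
are the standard ones, the sample buffer is constructed."""
from dataclasses import dataclass

# (encoding, description, does the PEB pointer land in eax?)
PATTERNS = [
    (bytes.fromhex("64A130000000"),   "mov eax, fs:[30h]   ; PEB pointer", True),
    (bytes.fromhex("648B0D30000000"), "mov ecx, fs:[30h]   ; PEB pointer", False),
    (bytes.fromhex("648B1530000000"), "mov edx, fs:[30h]   ; PEB pointer", False),
    (bytes.fromhex("64A118000000"),   "mov eax, fs:[18h]   ; TEB pointer", False),
    (bytes.fromhex("0F31"),           "rdtsc               ; timestamp counter", False),
]
# What a PEB read into eax is typically followed by (32-bit PEB offsets).
FOLLOWUPS = {
    bytes.fromhex("8A4002"): "mov al, [eax+2]     ; PEB.BeingDebugged",
    bytes.fromhex("8B4068"): "mov eax, [eax+68h]  ; PEB.NtGlobalFlag",
}


@dataclass(frozen=True)
class Hit:
    offset: int
    what: str


def scan(code):
    """Return every idiom found in `code`, sorted by offset."""
    hits = []
    for pat, label, into_eax in PATTERNS:
        start = 0
        while (i := code.find(pat, start)) != -1:
            hits.append(Hit(i, label))
            if into_eax:                       # peek at the next instruction
                nxt = code[i + len(pat): i + len(pat) + 3]
                if nxt in FOLLOWUPS:
                    hits.append(Hit(i + len(pat), FOLLOWUPS[nxt]))
            start = i + 1
    return sorted(hits, key=lambda h: h.offset)


def timing_windows(hits, max_gap=64):
    """Two rdtsc reads close together bracket a measured region: the usual
    'did a debugger or sandbox slow this down' check."""
    rd = [h.offset for h in hits if h.what.startswith("rdtsc")]
    return [(a, b) for a, b in zip(rd, rd[1:]) if b - a <= max_gap]


def build_sample():
    """Constructed 32-bit code fragment containing both idioms."""
    return (
        b"\x55\x8B\xEC"                       # push ebp ; mov ebp, esp
        + b"\x90" * 5
        + b"\x64\xA1\x30\x00\x00\x00"         # mov eax, fs:[30h]        (offset 8)
        + b"\x8A\x40\x02"                     # mov al, [eax+2]          (offset 14)
        + b"\x84\xC0\x75\x10"                 # test al, al ; jnz
        + b"\x90" * 10
        + b"\x0F\x31\x8B\xD8"                 # rdtsc ; mov ebx, eax     (offset 31)
        + b"\x90" * 20                        # measured region
        + b"\x0F\x31\x2B\xC3"                 # rdtsc ; sub eax, ebx     (offset 55)
        + b"\x64\x8B\x0D\x30\x00\x00\x00"     # mov ecx, fs:[30h]        (offset 59)
        + b"\x8B\x41\x68"                     # mov eax, [ecx+68h]
        + b"\x5D\xC3"                         # pop ebp ; ret
    )


if __name__ == "__main__":
    hits = scan(build_sample())
    for h in hits:
        print(f"{h.offset:#06x}  {h.what}")
    for a, b in timing_windows(hits):
        print(f"timing window: rdtsc at {a:#x} and {b:#x} ({b - a} bytes apart)")
```

The follow-up table only covers the eax form because that is the one a compiler emits for `NtCurrentPeb()->BeingDebugged`; hand-written stubs that load the PEB into ecx or edx, as the last pattern in the sample does, are reported as a bare PEB read and need a disassembler to classify further.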
Source: C:\Users\user\Desktop\Payment Advice.exe Code function: 0_2_044F34E8 mov eax, dword ptr fs:[00000030h] 0_2_044F34E8
Source: C:\Users\user\Desktop\Payment Advice.exe Code function: 0_2_044F3548 mov eax, dword ptr fs:[00000030h] 0_2_044F3548
Source: C:\Users\user\Desktop\Payment Advice.exe Code function: 0_2_044F1EB8 mov eax, dword ptr fs:[00000030h] 0_2_044F1EB8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03831380 mov eax, dword ptr fs:[00000030h] 2_2_03831380
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03831380 mov eax, dword ptr fs:[00000030h] 2_2_03831380
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03831380 mov eax, dword ptr fs:[00000030h] 2_2_03831380
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03831380 mov eax, dword ptr fs:[00000030h] 2_2_03831380
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03831380 mov eax, dword ptr fs:[00000030h] 2_2_03831380
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0384F380 mov eax, dword ptr fs:[00000030h] 2_2_0384F380
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0384F380 mov eax, dword ptr fs:[00000030h] 2_2_0384F380
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0384F380 mov eax, dword ptr fs:[00000030h] 2_2_0384F380
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0384F380 mov eax, dword ptr fs:[00000030h] 2_2_0384F380
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0384F380 mov eax, dword ptr fs:[00000030h] 2_2_0384F380
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0384F380 mov eax, dword ptr fs:[00000030h] 2_2_0384F380
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038EF38A mov eax, dword ptr fs:[00000030h] 2_2_038EF38A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0385A390 mov eax, dword ptr fs:[00000030h] 2_2_0385A390
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0385A390 mov eax, dword ptr fs:[00000030h] 2_2_0385A390
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0385A390 mov eax, dword ptr fs:[00000030h] 2_2_0385A390
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038393A6 mov eax, dword ptr fs:[00000030h] 2_2_038393A6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038393A6 mov eax, dword ptr fs:[00000030h] 2_2_038393A6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038AC3B0 mov eax, dword ptr fs:[00000030h] 2_2_038AC3B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0382E3C0 mov eax, dword ptr fs:[00000030h] 2_2_0382E3C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0382E3C0 mov eax, dword ptr fs:[00000030h] 2_2_0382E3C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0382E3C0 mov eax, dword ptr fs:[00000030h] 2_2_0382E3C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0382C3C7 mov eax, dword ptr fs:[00000030h] 2_2_0382C3C7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038363CB mov eax, dword ptr fs:[00000030h] 2_2_038363CB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038633D0 mov eax, dword ptr fs:[00000030h] 2_2_038633D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038643D0 mov ecx, dword ptr fs:[00000030h] 2_2_038643D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038B43D5 mov eax, dword ptr fs:[00000030h] 2_2_038B43D5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03829303 mov eax, dword ptr fs:[00000030h] 2_2_03829303
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03829303 mov eax, dword ptr fs:[00000030h] 2_2_03829303
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038EF30A mov eax, dword ptr fs:[00000030h] 2_2_038EF30A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038B330C mov eax, dword ptr fs:[00000030h] 2_2_038B330C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038B330C mov eax, dword ptr fs:[00000030h] 2_2_038B330C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038B330C mov eax, dword ptr fs:[00000030h] 2_2_038B330C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038B330C mov eax, dword ptr fs:[00000030h] 2_2_038B330C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0384E310 mov eax, dword ptr fs:[00000030h] 2_2_0384E310
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0384E310 mov eax, dword ptr fs:[00000030h] 2_2_0384E310
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0384E310 mov eax, dword ptr fs:[00000030h] 2_2_0384E310
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0386631F mov eax, dword ptr fs:[00000030h] 2_2_0386631F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03868322 mov eax, dword ptr fs:[00000030h] 2_2_03868322
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03868322 mov eax, dword ptr fs:[00000030h] 2_2_03868322
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03868322 mov eax, dword ptr fs:[00000030h] 2_2_03868322
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03903336 mov eax, dword ptr fs:[00000030h] 2_2_03903336
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0385332D mov eax, dword ptr fs:[00000030h] 2_2_0385332D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0382E328 mov eax, dword ptr fs:[00000030h] 2_2_0382E328
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0382E328 mov eax, dword ptr fs:[00000030h] 2_2_0382E328
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0382E328 mov eax, dword ptr fs:[00000030h] 2_2_0382E328
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03828347 mov eax, dword ptr fs:[00000030h] 2_2_03828347
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03828347 mov eax, dword ptr fs:[00000030h] 2_2_03828347
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03828347 mov eax, dword ptr fs:[00000030h] 2_2_03828347
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0386A350 mov eax, dword ptr fs:[00000030h] 2_2_0386A350
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0383B360 mov eax, dword ptr fs:[00000030h] 2_2_0383B360
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0383B360 mov eax, dword ptr fs:[00000030h] 2_2_0383B360
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0383B360 mov eax, dword ptr fs:[00000030h] 2_2_0383B360
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0383B360 mov eax, dword ptr fs:[00000030h] 2_2_0383B360
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0383B360 mov eax, dword ptr fs:[00000030h] 2_2_0383B360
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0383B360 mov eax, dword ptr fs:[00000030h] 2_2_0383B360
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0386E363 mov eax, dword ptr fs:[00000030h] 2_2_0386E363
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0386E363 mov eax, dword ptr fs:[00000030h] 2_2_0386E363
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0386E363 mov eax, dword ptr fs:[00000030h] 2_2_0386E363
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0386E363 mov eax, dword ptr fs:[00000030h] 2_2_0386E363
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0386E363 mov eax, dword ptr fs:[00000030h] 2_2_0386E363
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0386E363 mov eax, dword ptr fs:[00000030h] 2_2_0386E363
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0386E363 mov eax, dword ptr fs:[00000030h] 2_2_0386E363
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0386E363 mov eax, dword ptr fs:[00000030h] 2_2_0386E363
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038AE372 mov eax, dword ptr fs:[00000030h] 2_2_038AE372
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038AE372 mov eax, dword ptr fs:[00000030h] 2_2_038AE372
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038AE372 mov eax, dword ptr fs:[00000030h] 2_2_038AE372
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038AE372 mov eax, dword ptr fs:[00000030h] 2_2_038AE372
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038B0371 mov eax, dword ptr fs:[00000030h] 2_2_038B0371
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038B0371 mov eax, dword ptr fs:[00000030h] 2_2_038B0371
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0385237A mov eax, dword ptr fs:[00000030h] 2_2_0385237A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038AE289 mov eax, dword ptr fs:[00000030h] 2_2_038AE289
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03837290 mov eax, dword ptr fs:[00000030h] 2_2_03837290
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03837290 mov eax, dword ptr fs:[00000030h] 2_2_03837290
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03837290 mov eax, dword ptr fs:[00000030h] 2_2_03837290
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038EF2AE mov eax, dword ptr fs:[00000030h] 2_2_038EF2AE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038F92AB mov eax, dword ptr fs:[00000030h] 2_2_038F92AB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038542AF mov eax, dword ptr fs:[00000030h] 2_2_038542AF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038542AF mov eax, dword ptr fs:[00000030h] 2_2_038542AF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0390B2BC mov eax, dword ptr fs:[00000030h] 2_2_0390B2BC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0390B2BC mov eax, dword ptr fs:[00000030h] 2_2_0390B2BC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0390B2BC mov eax, dword ptr fs:[00000030h] 2_2_0390B2BC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0390B2BC mov eax, dword ptr fs:[00000030h] 2_2_0390B2BC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038292AF mov eax, dword ptr fs:[00000030h] 2_2_038292AF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0382C2B0 mov ecx, dword ptr fs:[00000030h] 2_2_0382C2B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038532C5 mov eax, dword ptr fs:[00000030h] 2_2_038532C5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038632C0 mov eax, dword ptr fs:[00000030h] 2_2_038632C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038632C0 mov eax, dword ptr fs:[00000030h] 2_2_038632C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039032C9 mov eax, dword ptr fs:[00000030h] 2_2_039032C9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038272E0 mov eax, dword ptr fs:[00000030h] 2_2_038272E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0383A2E0 mov eax, dword ptr fs:[00000030h] 2_2_0383A2E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0383A2E0 mov eax, dword ptr fs:[00000030h] 2_2_0383A2E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0383A2E0 mov eax, dword ptr fs:[00000030h] 2_2_0383A2E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0383A2E0 mov eax, dword ptr fs:[00000030h] 2_2_0383A2E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0383A2E0 mov eax, dword ptr fs:[00000030h] 2_2_0383A2E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0383A2E0 mov eax, dword ptr fs:[00000030h] 2_2_0383A2E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038382E0 mov eax, dword ptr fs:[00000030h] 2_2_038382E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038382E0 mov eax, dword ptr fs:[00000030h] 2_2_038382E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038382E0 mov eax, dword ptr fs:[00000030h] 2_2_038382E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038382E0 mov eax, dword ptr fs:[00000030h] 2_2_038382E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0382D2EC mov eax, dword ptr fs:[00000030h] 2_2_0382D2EC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0382D2EC mov eax, dword ptr fs:[00000030h] 2_2_0382D2EC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038402F9 mov eax, dword ptr fs:[00000030h] 2_2_038402F9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038402F9 mov eax, dword ptr fs:[00000030h] 2_2_038402F9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038402F9 mov eax, dword ptr fs:[00000030h] 2_2_038402F9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038402F9 mov eax, dword ptr fs:[00000030h] 2_2_038402F9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038402F9 mov eax, dword ptr fs:[00000030h] 2_2_038402F9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038402F9 mov eax, dword ptr fs:[00000030h] 2_2_038402F9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038402F9 mov eax, dword ptr fs:[00000030h] 2_2_038402F9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038402F9 mov eax, dword ptr fs:[00000030h] 2_2_038402F9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0382A200 mov eax, dword ptr fs:[00000030h] 2_2_0382A200
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0382821B mov eax, dword ptr fs:[00000030h] 2_2_0382821B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038BB214 mov eax, dword ptr fs:[00000030h] 2_2_038BB214
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038BB214 mov eax, dword ptr fs:[00000030h] 2_2_038BB214
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038B0227 mov eax, dword ptr fs:[00000030h] 2_2_038B0227
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038B0227 mov eax, dword ptr fs:[00000030h] 2_2_038B0227
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038B0227 mov eax, dword ptr fs:[00000030h] 2_2_038B0227
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0386A22B mov eax, dword ptr fs:[00000030h] 2_2_0386A22B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0386A22B mov eax, dword ptr fs:[00000030h] 2_2_0386A22B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0386A22B mov eax, dword ptr fs:[00000030h] 2_2_0386A22B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03850230 mov ecx, dword ptr fs:[00000030h] 2_2_03850230
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038F124C mov eax, dword ptr fs:[00000030h] 2_2_038F124C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038F124C mov eax, dword ptr fs:[00000030h] 2_2_038F124C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038F124C mov eax, dword ptr fs:[00000030h] 2_2_038F124C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038F124C mov eax, dword ptr fs:[00000030h] 2_2_038F124C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038EF247 mov eax, dword ptr fs:[00000030h] 2_2_038EF247
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0385F24A mov eax, dword ptr fs:[00000030h] 2_2_0385F24A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0382B273 mov eax, dword ptr fs:[00000030h] 2_2_0382B273
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0382B273 mov eax, dword ptr fs:[00000030h] 2_2_0382B273
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0382B273 mov eax, dword ptr fs:[00000030h] 2_2_0382B273
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038C327E mov eax, dword ptr fs:[00000030h] 2_2_038C327E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038C327E mov eax, dword ptr fs:[00000030h] 2_2_038C327E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038C327E mov eax, dword ptr fs:[00000030h] 2_2_038C327E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038C327E mov eax, dword ptr fs:[00000030h] 2_2_038C327E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038C327E mov eax, dword ptr fs:[00000030h] 2_2_038C327E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038C327E mov eax, dword ptr fs:[00000030h] 2_2_038C327E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038ED270 mov eax, dword ptr fs:[00000030h] 2_2_038ED270
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03834180 mov eax, dword ptr fs:[00000030h] 2_2_03834180
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03834180 mov eax, dword ptr fs:[00000030h] 2_2_03834180
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03834180 mov eax, dword ptr fs:[00000030h] 2_2_03834180
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03859194 mov eax, dword ptr fs:[00000030h] 2_2_03859194
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03871190 mov eax, dword ptr fs:[00000030h] 2_2_03871190
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03871190 mov eax, dword ptr fs:[00000030h] 2_2_03871190
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0386E1A4 mov eax, dword ptr fs:[00000030h] 2_2_0386E1A4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0386E1A4 mov eax, dword ptr fs:[00000030h] 2_2_0386E1A4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039051B6 mov eax, dword ptr fs:[00000030h] 2_2_039051B6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038631BE mov eax, dword ptr fs:[00000030h] 2_2_038631BE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038631BE mov eax, dword ptr fs:[00000030h] 2_2_038631BE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038641BB mov ecx, dword ptr fs:[00000030h] 2_2_038641BB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038641BB mov eax, dword ptr fs:[00000030h] 2_2_038641BB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038641BB mov eax, dword ptr fs:[00000030h] 2_2_038641BB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038401C0 mov eax, dword ptr fs:[00000030h] 2_2_038401C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038401C0 mov eax, dword ptr fs:[00000030h] 2_2_038401C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038451C0 mov eax, dword ptr fs:[00000030h] 2_2_038451C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038451C0 mov eax, dword ptr fs:[00000030h] 2_2_038451C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038451C0 mov eax, dword ptr fs:[00000030h] 2_2_038451C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038451C0 mov eax, dword ptr fs:[00000030h] 2_2_038451C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0383A1E3 mov eax, dword ptr fs:[00000030h] 2_2_0383A1E3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0383A1E3 mov eax, dword ptr fs:[00000030h] 2_2_0383A1E3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0383A1E3 mov eax, dword ptr fs:[00000030h] 2_2_0383A1E3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0383A1E3 mov eax, dword ptr fs:[00000030h] 2_2_0383A1E3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0383A1E3 mov eax, dword ptr fs:[00000030h] 2_2_0383A1E3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038F81EE mov eax, dword ptr fs:[00000030h] 2_2_038F81EE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038F81EE mov eax, dword ptr fs:[00000030h] 2_2_038F81EE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0385B1E0 mov eax, dword ptr fs:[00000030h] 2_2_0385B1E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0385B1E0 mov eax, dword ptr fs:[00000030h] 2_2_0385B1E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0385B1E0 mov eax, dword ptr fs:[00000030h] 2_2_0385B1E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0385B1E0 mov eax, dword ptr fs:[00000030h] 2_2_0385B1E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0385B1E0 mov eax, dword ptr fs:[00000030h] 2_2_0385B1E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0385B1E0 mov eax, dword ptr fs:[00000030h] 2_2_0385B1E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0385B1E0 mov eax, dword ptr fs:[00000030h] 2_2_0385B1E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038391E5 mov eax, dword ptr fs:[00000030h] 2_2_038391E5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038391E5 mov eax, dword ptr fs:[00000030h] 2_2_038391E5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038281EB mov eax, dword ptr fs:[00000030h] 2_2_038281EB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038291F0 mov eax, dword ptr fs:[00000030h] 2_2_038291F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038291F0 mov eax, dword ptr fs:[00000030h] 2_2_038291F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038401F1 mov eax, dword ptr fs:[00000030h] 2_2_038401F1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038401F1 mov eax, dword ptr fs:[00000030h] 2_2_038401F1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038401F1 mov eax, dword ptr fs:[00000030h] 2_2_038401F1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0385F1F0 mov eax, dword ptr fs:[00000030h] 2_2_0385F1F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0385F1F0 mov eax, dword ptr fs:[00000030h] 2_2_0385F1F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0385510F mov eax, dword ptr fs:[00000030h] 2_2_0385510F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0385510F mov eax, dword ptr fs:[00000030h] 2_2_0385510F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0385510F mov eax, dword ptr fs:[00000030h] 2_2_0385510F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0385510F mov eax, dword ptr fs:[00000030h] 2_2_0385510F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0385510F mov eax, dword ptr fs:[00000030h] 2_2_0385510F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0385510F mov eax, dword ptr fs:[00000030h] 2_2_0385510F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0385510F mov eax, dword ptr fs:[00000030h] 2_2_0385510F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0385510F mov eax, dword ptr fs:[00000030h] 2_2_0385510F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0385510F mov eax, dword ptr fs:[00000030h] 2_2_0385510F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0385510F mov eax, dword ptr fs:[00000030h] 2_2_0385510F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0385510F mov eax, dword ptr fs:[00000030h] 2_2_0385510F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0385510F mov eax, dword ptr fs:[00000030h] 2_2_0385510F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0385510F mov eax, dword ptr fs:[00000030h] 2_2_0385510F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0383510D mov eax, dword ptr fs:[00000030h] 2_2_0383510D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0382F113 mov eax, dword ptr fs:[00000030h] 2_2_0382F113
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0382F113 mov eax, dword ptr fs:[00000030h] 2_2_0382F113
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0382F113 mov eax, dword ptr fs:[00000030h] 2_2_0382F113
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0382F113 mov eax, dword ptr fs:[00000030h] 2_2_0382F113
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0382F113 mov eax, dword ptr fs:[00000030h] 2_2_0382F113
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0382F113 mov eax, dword ptr fs:[00000030h] 2_2_0382F113
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0382F113 mov eax, dword ptr fs:[00000030h] 2_2_0382F113
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0382F113 mov eax, dword ptr fs:[00000030h] 2_2_0382F113
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0382F113 mov eax, dword ptr fs:[00000030h] 2_2_0382F113
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0382F113 mov eax, dword ptr fs:[00000030h] 2_2_0382F113
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0382F113 mov eax, dword ptr fs:[00000030h] 2_2_0382F113
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0382F113 mov eax, dword ptr fs:[00000030h] 2_2_0382F113
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0382F113 mov eax, dword ptr fs:[00000030h] 2_2_0382F113
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0382F113 mov eax, dword ptr fs:[00000030h] 2_2_0382F113
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0382F113 mov eax, dword ptr fs:[00000030h] 2_2_0382F113
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0382F113 mov eax, dword ptr fs:[00000030h] 2_2_0382F113
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0382F113 mov eax, dword ptr fs:[00000030h] 2_2_0382F113
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0382F113 mov eax, dword ptr fs:[00000030h] 2_2_0382F113
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0382F113 mov eax, dword ptr fs:[00000030h] 2_2_0382F113
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0382F113 mov eax, dword ptr fs:[00000030h] 2_2_0382F113
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0382F113 mov eax, dword ptr fs:[00000030h] 2_2_0382F113
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03860118 mov eax, dword ptr fs:[00000030h] 2_2_03860118
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03867128 mov eax, dword ptr fs:[00000030h] 2_2_03867128
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03867128 mov eax, dword ptr fs:[00000030h] 2_2_03867128
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038EF13E mov eax, dword ptr fs:[00000030h] 2_2_038EF13E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038BA130 mov eax, dword ptr fs:[00000030h] 2_2_038BA130
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0382A147 mov eax, dword ptr fs:[00000030h] 2_2_0382A147
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0382A147 mov eax, dword ptr fs:[00000030h] 2_2_0382A147
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0382A147 mov eax, dword ptr fs:[00000030h] 2_2_0382A147
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038C314A mov eax, dword ptr fs:[00000030h] 2_2_038C314A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038C314A mov eax, dword ptr fs:[00000030h] 2_2_038C314A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038C314A mov eax, dword ptr fs:[00000030h] 2_2_038C314A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038C314A mov eax, dword ptr fs:[00000030h] 2_2_038C314A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03903157 mov eax, dword ptr fs:[00000030h] 2_2_03903157
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03903157 mov eax, dword ptr fs:[00000030h] 2_2_03903157
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03903157 mov eax, dword ptr fs:[00000030h] 2_2_03903157
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03905149 mov eax, dword ptr fs:[00000030h] 2_2_03905149
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0386415F mov eax, dword ptr fs:[00000030h] 2_2_0386415F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0386716D mov eax, dword ptr fs:[00000030h] 2_2_0386716D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0388717A mov eax, dword ptr fs:[00000030h] 2_2_0388717A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0388717A mov eax, dword ptr fs:[00000030h] 2_2_0388717A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03836179 mov eax, dword ptr fs:[00000030h] 2_2_03836179
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03904080 mov eax, dword ptr fs:[00000030h] 2_2_03904080
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03904080 mov eax, dword ptr fs:[00000030h] 2_2_03904080
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03904080 mov eax, dword ptr fs:[00000030h] 2_2_03904080
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03904080 mov eax, dword ptr fs:[00000030h] 2_2_03904080
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03904080 mov eax, dword ptr fs:[00000030h] 2_2_03904080
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03904080 mov eax, dword ptr fs:[00000030h] 2_2_03904080
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03904080 mov eax, dword ptr fs:[00000030h] 2_2_03904080
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0382A093 mov ecx, dword ptr fs:[00000030h] 2_2_0382A093
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0382C090 mov eax, dword ptr fs:[00000030h] 2_2_0382C090
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038EB0AF mov eax, dword ptr fs:[00000030h] 2_2_038EB0AF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038700A5 mov eax, dword ptr fs:[00000030h] 2_2_038700A5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039050B7 mov eax, dword ptr fs:[00000030h] 2_2_039050B7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038DF0A5 mov eax, dword ptr fs:[00000030h] 2_2_038DF0A5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038DF0A5 mov eax, dword ptr fs:[00000030h] 2_2_038DF0A5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038DF0A5 mov eax, dword ptr fs:[00000030h] 2_2_038DF0A5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038DF0A5 mov eax, dword ptr fs:[00000030h] 2_2_038DF0A5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038DF0A5 mov eax, dword ptr fs:[00000030h] 2_2_038DF0A5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038DF0A5 mov eax, dword ptr fs:[00000030h] 2_2_038DF0A5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038DF0A5 mov eax, dword ptr fs:[00000030h] 2_2_038DF0A5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0384B0D0 mov eax, dword ptr fs:[00000030h] 2_2_0384B0D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0382B0D6 mov eax, dword ptr fs:[00000030h] 2_2_0382B0D6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0382B0D6 mov eax, dword ptr fs:[00000030h] 2_2_0382B0D6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0382B0D6 mov eax, dword ptr fs:[00000030h] 2_2_0382B0D6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0382B0D6 mov eax, dword ptr fs:[00000030h] 2_2_0382B0D6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0382C0F6 mov eax, dword ptr fs:[00000030h] 2_2_0382C0F6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0386D0F0 mov eax, dword ptr fs:[00000030h] 2_2_0386D0F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0386D0F0 mov ecx, dword ptr fs:[00000030h] 2_2_0386D0F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038290F8 mov eax, dword ptr fs:[00000030h] 2_2_038290F8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038290F8 mov eax, dword ptr fs:[00000030h] 2_2_038290F8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038290F8 mov eax, dword ptr fs:[00000030h] 2_2_038290F8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038290F8 mov eax, dword ptr fs:[00000030h] 2_2_038290F8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03855004 mov eax, dword ptr fs:[00000030h] 2_2_03855004
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03855004 mov ecx, dword ptr fs:[00000030h] 2_2_03855004
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03838009 mov eax, dword ptr fs:[00000030h] 2_2_03838009
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03872010 mov ecx, dword ptr fs:[00000030h] 2_2_03872010
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0382D02D mov eax, dword ptr fs:[00000030h] 2_2_0382D02D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03860044 mov eax, dword ptr fs:[00000030h] 2_2_03860044
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0390505B mov eax, dword ptr fs:[00000030h] 2_2_0390505B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03831051 mov eax, dword ptr fs:[00000030h] 2_2_03831051
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03831051 mov eax, dword ptr fs:[00000030h] 2_2_03831051
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038D9060 mov eax, dword ptr fs:[00000030h] 2_2_038D9060
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03837072 mov eax, dword ptr fs:[00000030h] 2_2_03837072
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03836074 mov eax, dword ptr fs:[00000030h] 2_2_03836074
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03836074 mov eax, dword ptr fs:[00000030h] 2_2_03836074
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03861796 mov eax, dword ptr fs:[00000030h] 2_2_03861796
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03861796 mov eax, dword ptr fs:[00000030h] 2_2_03861796
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0390B781 mov eax, dword ptr fs:[00000030h] 2_2_0390B781
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0390B781 mov eax, dword ptr fs:[00000030h] 2_2_0390B781
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038AE79D mov eax, dword ptr fs:[00000030h] 2_2_038AE79D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038AE79D mov eax, dword ptr fs:[00000030h] 2_2_038AE79D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038AE79D mov eax, dword ptr fs:[00000030h] 2_2_038AE79D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038AE79D mov eax, dword ptr fs:[00000030h] 2_2_038AE79D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038AE79D mov eax, dword ptr fs:[00000030h] 2_2_038AE79D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038AE79D mov eax, dword ptr fs:[00000030h] 2_2_038AE79D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038AE79D mov eax, dword ptr fs:[00000030h] 2_2_038AE79D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038AE79D mov eax, dword ptr fs:[00000030h] 2_2_038AE79D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038AE79D mov eax, dword ptr fs:[00000030h] 2_2_038AE79D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038307A7 mov eax, dword ptr fs:[00000030h] 2_2_038307A7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038FD7A7 mov eax, dword ptr fs:[00000030h] 2_2_038FD7A7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038FD7A7 mov eax, dword ptr fs:[00000030h] 2_2_038FD7A7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038FD7A7 mov eax, dword ptr fs:[00000030h] 2_2_038FD7A7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039017BC mov eax, dword ptr fs:[00000030h] 2_2_039017BC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038EF7CF mov eax, dword ptr fs:[00000030h] 2_2_038EF7CF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0385E7E0 mov eax, dword ptr fs:[00000030h] 2_2_0385E7E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038337E4 mov eax, dword ptr fs:[00000030h] 2_2_038337E4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038337E4 mov eax, dword ptr fs:[00000030h] 2_2_038337E4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038337E4 mov eax, dword ptr fs:[00000030h] 2_2_038337E4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038337E4 mov eax, dword ptr fs:[00000030h] 2_2_038337E4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038337E4 mov eax, dword ptr fs:[00000030h] 2_2_038337E4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038337E4 mov eax, dword ptr fs:[00000030h] 2_2_038337E4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038337E4 mov eax, dword ptr fs:[00000030h] 2_2_038337E4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038377F9 mov eax, dword ptr fs:[00000030h] 2_2_038377F9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038377F9 mov eax, dword ptr fs:[00000030h] 2_2_038377F9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0383D700 mov ecx, dword ptr fs:[00000030h] 2_2_0383D700
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038F970B mov eax, dword ptr fs:[00000030h] 2_2_038F970B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038F970B mov eax, dword ptr fs:[00000030h] 2_2_038F970B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0382B705 mov eax, dword ptr fs:[00000030h] 2_2_0382B705
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0382B705 mov eax, dword ptr fs:[00000030h] 2_2_0382B705
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0382B705 mov eax, dword ptr fs:[00000030h] 2_2_0382B705
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0382B705 mov eax, dword ptr fs:[00000030h] 2_2_0382B705
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0385270D mov eax, dword ptr fs:[00000030h] 2_2_0385270D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0385270D mov eax, dword ptr fs:[00000030h] 2_2_0385270D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0385270D mov eax, dword ptr fs:[00000030h] 2_2_0385270D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0383471B mov eax, dword ptr fs:[00000030h] 2_2_0383471B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0383471B mov eax, dword ptr fs:[00000030h] 2_2_0383471B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038EF717 mov eax, dword ptr fs:[00000030h] 2_2_038EF717
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03859723 mov eax, dword ptr fs:[00000030h] 2_2_03859723
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03863740 mov eax, dword ptr fs:[00000030h] 2_2_03863740
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0386174A mov eax, dword ptr fs:[00000030h] 2_2_0386174A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03852755 mov eax, dword ptr fs:[00000030h] 2_2_03852755
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03852755 mov eax, dword ptr fs:[00000030h] 2_2_03852755
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03852755 mov eax, dword ptr fs:[00000030h] 2_2_03852755
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03852755 mov ecx, dword ptr fs:[00000030h] 2_2_03852755
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03852755 mov eax, dword ptr fs:[00000030h] 2_2_03852755
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03852755 mov eax, dword ptr fs:[00000030h] 2_2_03852755
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0386A750 mov eax, dword ptr fs:[00000030h] 2_2_0386A750
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0382F75B mov eax, dword ptr fs:[00000030h] 2_2_0382F75B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0382F75B mov eax, dword ptr fs:[00000030h] 2_2_0382F75B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0382F75B mov eax, dword ptr fs:[00000030h] 2_2_0382F75B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0382F75B mov eax, dword ptr fs:[00000030h] 2_2_0382F75B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0382F75B mov eax, dword ptr fs:[00000030h] 2_2_0382F75B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0382F75B mov eax, dword ptr fs:[00000030h] 2_2_0382F75B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0382F75B mov eax, dword ptr fs:[00000030h] 2_2_0382F75B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0382F75B mov eax, dword ptr fs:[00000030h] 2_2_0382F75B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0382F75B mov eax, dword ptr fs:[00000030h] 2_2_0382F75B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038DE750 mov eax, dword ptr fs:[00000030h] 2_2_038DE750
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03842760 mov ecx, dword ptr fs:[00000030h] 2_2_03842760
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03871763 mov eax, dword ptr fs:[00000030h] 2_2_03871763
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03871763 mov eax, dword ptr fs:[00000030h] 2_2_03871763
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03871763 mov eax, dword ptr fs:[00000030h] 2_2_03871763
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03871763 mov eax, dword ptr fs:[00000030h] 2_2_03871763
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03871763 mov eax, dword ptr fs:[00000030h] 2_2_03871763
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03871763 mov eax, dword ptr fs:[00000030h] 2_2_03871763
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03860774 mov eax, dword ptr fs:[00000030h] 2_2_03860774
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03834779 mov eax, dword ptr fs:[00000030h] 2_2_03834779
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03834779 mov eax, dword ptr fs:[00000030h] 2_2_03834779
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038EF68C mov eax, dword ptr fs:[00000030h] 2_2_038EF68C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03840680 mov eax, dword ptr fs:[00000030h] 2_2_03840680
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03838690 mov eax, dword ptr fs:[00000030h] 2_2_03838690
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038BC691 mov eax, dword ptr fs:[00000030h] 2_2_038BC691
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038F86A8 mov eax, dword ptr fs:[00000030h] 2_2_038F86A8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038306CF mov eax, dword ptr fs:[00000030h] 2_2_038306CF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038FA6C0 mov eax, dword ptr fs:[00000030h] 2_2_038FA6C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0385D6D0 mov eax, dword ptr fs:[00000030h] 2_2_0385D6D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038296E0 mov eax, dword ptr fs:[00000030h] 2_2_038296E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0383C6E0 mov eax, dword ptr fs:[00000030h] 2_2_0383C6E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038356E0 mov eax, dword ptr fs:[00000030h] 2_2_038356E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038566E0 mov eax, dword ptr fs:[00000030h] 2_2_038566E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038AC6F2 mov eax, dword ptr fs:[00000030h] 2_2_038AC6F2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038C3608 mov eax, dword ptr fs:[00000030h] 2_2_038C3608
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0385D600 mov eax, dword ptr fs:[00000030h] 2_2_0385D600
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038EF607 mov eax, dword ptr fs:[00000030h] 2_2_038EF607
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0386360F mov eax, dword ptr fs:[00000030h] 2_2_0386360F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03904600 mov eax, dword ptr fs:[00000030h] 2_2_03904600
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03837623 mov eax, dword ptr fs:[00000030h] 2_2_03837623
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038DD62C mov ecx, dword ptr fs:[00000030h] 2_2_038DD62C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038DD62C mov eax, dword ptr fs:[00000030h] 2_2_038DD62C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03835622 mov eax, dword ptr fs:[00000030h] 2_2_03835622
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0386C620 mov eax, dword ptr fs:[00000030h] 2_2_0386C620
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03830630 mov eax, dword ptr fs:[00000030h] 2_2_03830630
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03860630 mov eax, dword ptr fs:[00000030h] 2_2_03860630
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038B8633 mov esi, dword ptr fs:[00000030h] 2_2_038B8633
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038B8633 mov eax, dword ptr fs:[00000030h] 2_2_038B8633
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0386F63F mov eax, dword ptr fs:[00000030h] 2_2_0386F63F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03833640 mov eax, dword ptr fs:[00000030h] 2_2_03833640
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0384F640 mov eax, dword ptr fs:[00000030h] 2_2_0384F640
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0386C640 mov eax, dword ptr fs:[00000030h] 2_2_0386C640
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0382D64A mov eax, dword ptr fs:[00000030h] 2_2_0382D64A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03865654 mov eax, dword ptr fs:[00000030h] 2_2_03865654
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0383965A mov eax, dword ptr fs:[00000030h] 2_2_0383965A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0386265C mov eax, dword ptr fs:[00000030h] 2_2_0386265C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0386265C mov ecx, dword ptr fs:[00000030h] 2_2_0386265C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03827662 mov eax, dword ptr fs:[00000030h] 2_2_03827662
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03843660 mov eax, dword ptr fs:[00000030h] 2_2_03843660
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0386666D mov esi, dword ptr fs:[00000030h] 2_2_0386666D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0386666D mov eax, dword ptr fs:[00000030h] 2_2_0386666D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03830670 mov eax, dword ptr fs:[00000030h] 2_2_03830670
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03872670 mov eax, dword ptr fs:[00000030h] 2_2_03872670
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038AE588 mov eax, dword ptr fs:[00000030h] 2_2_038AE588
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03869580 mov eax, dword ptr fs:[00000030h] 2_2_03869580
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0386A580 mov eax, dword ptr fs:[00000030h] 2_2_0386A580
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038EF582 mov eax, dword ptr fs:[00000030h] 2_2_038EF582
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03862594 mov eax, dword ptr fs:[00000030h] 2_2_03862594
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038BC592 mov eax, dword ptr fs:[00000030h] 2_2_038BC592
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038B85AA mov eax, dword ptr fs:[00000030h] 2_2_038B85AA
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038345B0 mov eax, dword ptr fs:[00000030h] 2_2_038345B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0386C5C6 mov eax, dword ptr fs:[00000030h] 2_2_0386C5C6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0382F5C7 mov eax, dword ptr fs:[00000030h] 2_2_0382F5C7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038B05C6 mov eax, dword ptr fs:[00000030h] 2_2_038B05C6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038665D0 mov eax, dword ptr fs:[00000030h] 2_2_038665D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0386A5E7 mov ebx, dword ptr fs:[00000030h] 2_2_0386A5E7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0386A5E7 mov eax, dword ptr fs:[00000030h] 2_2_0386A5E7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0383B5E0 mov eax, dword ptr fs:[00000030h] 2_2_0383B5E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038615EF mov eax, dword ptr fs:[00000030h] 2_2_038615EF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038BC5FC mov eax, dword ptr fs:[00000030h] 2_2_038BC5FC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0382B502 mov eax, dword ptr fs:[00000030h] 2_2_0382B502
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0385E507 mov eax, dword ptr fs:[00000030h] 2_2_0385E507
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03832500 mov eax, dword ptr fs:[00000030h] 2_2_03832500
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0386C50D mov eax, dword ptr fs:[00000030h] 2_2_0386C50D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03851514 mov eax, dword ptr fs:[00000030h] 2_2_03851514
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038BC51D mov eax, dword ptr fs:[00000030h] 2_2_038BC51D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038DF51B mov eax, dword ptr fs:[00000030h] 2_2_038DF51B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038DF51B mov ecx, dword ptr fs:[00000030h] 2_2_038DF51B
Source: C:\Users\user\Desktop\Payment Advice.exe Code function: 0_2_00426DA1 CreateFileW,GetProcessHeap,RtlAllocateHeap,GetProcessHeap,HeapFree,SetEndOfFile,GetLastError, 0_2_00426DA1
Source: C:\Users\user\Desktop\Payment Advice.exe Code function: 0_2_0042202E SetUnhandledExceptionFilter, 0_2_0042202E
Source: C:\Users\user\Desktop\Payment Advice.exe Code function: 0_2_004230F5 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_004230F5
Source: C:\Users\user\Desktop\Payment Advice.exe Code function: 0_2_00417D93 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00417D93
Source: C:\Users\user\Desktop\Payment Advice.exe Code function: 0_2_00421FA7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00421FA7

HIPS / PFW / Operating System Protection Evasion

Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe NtProtectVirtualMemory: Direct from: 0x7FFCCBAC2651
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe NtDelayExecution: Direct from: 0x4535A62
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe NtProtectVirtualMemory: Direct from: 0x453D7BF
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe NtResumeThread: Direct from: 0x4535CA8
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe NtClose: Direct from: 0x7FFC97F09E7F
Source: C:\Users\user\Desktop\Payment Advice.exe Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: NULL target: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: NULL target: C:\Windows\SysWOW64\wextract.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\wextract.exe Section loaded: NULL target: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe protection: read write
Source: C:\Windows\SysWOW64\wextract.exe Section loaded: NULL target: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\wextract.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\svchost.exe Thread register set: target process: 6284
Source: C:\Windows\SysWOW64\wextract.exe Thread register set: target process: 6284
Source: C:\Windows\SysWOW64\svchost.exe Thread APC queued: target process: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
Source: C:\Users\user\Desktop\Payment Advice.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 2EE7008
Source: C:\Users\user\Desktop\Payment Advice.exe Code function: 0_2_0043916A LogonUserW, 0_2_0043916A
Source: C:\Users\user\Desktop\Payment Advice.exe Code function: 0_2_0040D6D0 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW, 0_2_0040D6D0
Source: C:\Users\user\Desktop\Payment Advice.exe Code function: 0_2_004375B0 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_004375B0
Source: C:\Users\user\Desktop\Payment Advice.exe Code function: 0_2_00436431 mouse_event,mouse_event, 0_2_00436431
Source: C:\Users\user\Desktop\Payment Advice.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Payment Advice.exe"
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe Process created: C:\Windows\SysWOW64\wextract.exe "C:\Windows\SysWOW64\wextract.exe"
Source: C:\Users\user\Desktop\Payment Advice.exe Code function: 0_2_00445DD3 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, 0_2_00445DD3
Source: RAVCpl64.exe, 00000003.00000000.71836667546.0000000000E90000.00000002.00000001.00040000.00000000.sdmp, RAVCpl64.exe, 00000003.00000002.76597037141.0000000000E90000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.73373612765.0000000001970000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Program Manager
Source: Payment Advice.exe, RAVCpl64.exe, 00000003.00000000.71836667546.0000000000E90000.00000002.00000001.00040000.00000000.sdmp, RAVCpl64.exe, 00000003.00000002.76597037141.0000000000E90000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.73375745212.0000000005060000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000005.00000002.76595282087.0000000001220000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.73373030322.0000000001220000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: +Progman"
Source: RAVCpl64.exe, 00000003.00000000.71836667546.0000000000E90000.00000002.00000001.00040000.00000000.sdmp, RAVCpl64.exe, 00000003.00000002.76597037141.0000000000E90000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.73373612765.0000000001970000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: Payment Advice.exe, 00000000.00000002.71528186776.0000000000482000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: @3PDASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript Pausedblankinfoquestionstopwarning
Source: RAVCpl64.exe, 00000003.00000000.71836667546.0000000000E90000.00000002.00000001.00040000.00000000.sdmp, RAVCpl64.exe, 00000003.00000002.76597037141.0000000000E90000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.73373612765.0000000001970000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\Payment Advice.exe Code function: 0_2_00410D10 cpuid 0_2_00410D10
Source: C:\Users\user\Desktop\Payment Advice.exe Code function: 0_2_004223BC GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 0_2_004223BC
Source: C:\Users\user\Desktop\Payment Advice.exe Code function: 0_2_004711D2 GetUserNameW, 0_2_004711D2
Source: C:\Users\user\Desktop\Payment Advice.exe Code function: 0_2_0042039F GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte, 0_2_0042039F
Source: C:\Users\user\Desktop\Payment Advice.exe Code function: 0_2_0040E470 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_0040E470

Stealing of Sensitive Information

Source: Yara match File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.73447019188.0000000004390000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.73447097868.00000000043E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.71906788419.0000000005EB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.71902213370.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Payment Advice.exe, 00000000.00000002.71528186776.0000000000482000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPWIN_2000InstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 6, 0USERPROFILEUSERDOMAINUSERDNSDOMAINDefaultGetSystemWow64DirectoryWSeDebugPrivilege:cdeclwinapistdcallnonestrwstrintbooluintlongulongdwordshortushortwordbyteubytebooleanfloatdoubleptrhwndhandlelresultlparamwparamint64uint64int_ptruint_ptrlong_ptrulong_ptrdword_ptridispatch64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYadvapi32.dllRegDeleteKeyExW+.-.+-\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]ISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXISTSEXPANDmsctls_statusbar321tooltips_class32AutoIt v3 GUI%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----
Source: Payment Advice.exe Binary or memory string: WIN_XP
Source: Payment Advice.exe Binary or memory string: WIN_XPe
Source: Payment Advice.exe Binary or memory string: WIN_VISTA
Source: Payment Advice.exe Binary or memory string: WIN_7

Remote Access Functionality

Source: Yara match File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.73447019188.0000000004390000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.73447097868.00000000043E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.71906788419.0000000005EB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.71902213370.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\Payment Advice.exe Code function: 0_2_004741BB socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 0_2_004741BB
Source: C:\Users\user\Desktop\Payment Advice.exe Code function: 0_2_0046483C socket,WSAGetLastError,bind,WSAGetLastError,listen,WSAGetLastError,closesocket, 0_2_0046483C
Source: C:\Users\user\Desktop\Payment Advice.exe Code function: 0_2_0047AD92 OleInitialize,CreateBindCtx,MkParseDisplayName,CLSIDFromProgID,GetActiveObject, 0_2_0047AD92
No contacted IP infos