Windows Analysis Report
AdobePDFViewer.exe

AI detected suspicious sample

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.AdobePDFViewer.exe.2f60000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.AdobePDFViewer.exe.2f60000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.3845717591.0000000005510000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1541468746.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1541829256.0000000003370000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3845229047.00000000050F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1541865907.00000000033A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3845654321.00000000054E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1417894838.0000000002F60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: AdobePDFViewer.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: chkdsk.pdbGCTL source: svchost.exe, 00000002.00000003.1541323150.0000000002E1B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1541897684.00000000033D0000.00000040.10000000.00040000.00000000.sdmp, chkdsk.exe, 00000005.00000002.3845043028.0000000000D90000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: chkdsk.pdb source: svchost.exe, 00000002.00000003.1541323150.0000000002E1B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1541897684.00000000033D0000.00000040.10000000.00040000.00000000.sdmp, chkdsk.exe, 00000005.00000002.3845043028.0000000000D90000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: AdobePDFViewer.exe, 00000000.00000003.1408965989.00000000045B0000.00000004.00001000.00020000.00000000.sdmp, AdobePDFViewer.exe, 00000000.00000003.1415328484.0000000004750000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1542153393.0000000003500000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1418731751.0000000003300000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1416389741.0000000003100000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1542153393.000000000369E000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, 00000005.00000003.1543695522.0000000005717000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 00000005.00000002.3846214986.0000000005A5E000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, 00000005.00000003.1541913591.0000000005560000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 00000005.00000002.3846214986.00000000058C0000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: AdobePDFViewer.exe, 00000000.00000003.1408965989.00000000045B0000.00000004.00001000.00020000.00000000.sdmp, AdobePDFViewer.exe, 00000000.00000003.1415328484.0000000004750000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.1542153393.0000000003500000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1418731751.0000000003300000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1416389741.0000000003100000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1542153393.000000000369E000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, chkdsk.exe, 00000005.00000003.1543695522.0000000005717000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 00000005.00000002.3846214986.0000000005A5E000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, 00000005.00000003.1541913591.0000000005560000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 00000005.00000002.3846214986.00000000058C0000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: explorer.exe, 00000003.00000002.3860967598.000000001085F000.00000004.80000000.00040000.00000000.sdmp, chkdsk.exe, 00000005.00000002.3846982766.0000000005E0F000.00000004.10000000.00040000.00000000.sdmp, chkdsk.exe, 00000005.00000002.3845302098.0000000005168000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: explorer.exe, 00000003.00000002.3860967598.000000001085F000.00000004.80000000.00040000.00000000.sdmp, chkdsk.exe, 00000005.00000002.3846982766.0000000005E0F000.00000004.10000000.00040000.00000000.sdmp, chkdsk.exe, 00000005.00000002.3845302098.0000000005168000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\AdobePDFViewer.exe	Code function: 0_2_00452126 FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00452126
Source: C:\Users\user\Desktop\AdobePDFViewer.exe	Code function: 0_2_0045C999 FindFirstFileW,FindNextFileW,FindClose,	0_2_0045C999
Source: C:\Users\user\Desktop\AdobePDFViewer.exe	Code function: 0_2_00436ADE GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00436ADE
Source: C:\Users\user\Desktop\AdobePDFViewer.exe	Code function: 0_2_00434BEE FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00434BEE
Source: C:\Users\user\Desktop\AdobePDFViewer.exe	Code function: 0_2_0045DD7C FindFirstFileW,FindClose,	0_2_0045DD7C
Source: C:\Users\user\Desktop\AdobePDFViewer.exe	Code function: 0_2_0044BD29 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose,	0_2_0044BD29
Source: C:\Users\user\Desktop\AdobePDFViewer.exe	Code function: 0_2_00436D2D FindFirstFileW,CreateFileW,SetFileTime,CloseHandle,SetFileTime,CloseHandle,	0_2_00436D2D
Source: C:\Users\user\Desktop\AdobePDFViewer.exe	Code function: 0_2_00442E1F SetCurrentDirectoryW,FindFirstFileW,SetCurrentDirectoryW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00442E1F
Source: C:\Users\user\Desktop\AdobePDFViewer.exe	Code function: 0_2_00475FE5 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00475FE5
Source: C:\Users\user\Desktop\AdobePDFViewer.exe	Code function: 0_2_0044BF8D _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0044BF8D

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4x nop then pop edi		2_2_00416CBC
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4x nop then pop edi		5_2_05106CBC

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.kimosskrupulslacker.cfd/f29s/

Performs DNS queries to domains with low reputation

Source:	DNS query: www.lywjv-issue.xyz
Source:	DNS query: www.plqz-move.xyz
Source:	DNS query: www.vtyo-phone.xyz
Source:	DNS query: www.specially-smou.xyz
Source:	DNS query: www.uqhi42.xyz
Source:	DNS query: www.nit-dreeu.xyz

Tries to resolve many domain names, but no domain seems valid

Source: unknown	DNS traffic detected: query: www.plqz-move.xyz replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.ovt-jobs-lisitings00810.today replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.lywjv-issue.xyz replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.uqhi42.xyz replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.vtyo-phone.xyz replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.nit-dreeu.xyz replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.rostnixon.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.aresrasherregard.cfd replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.kimosskrupulslacker.cfd replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.alembottling.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.specially-smou.xyz replaycode: Name error (3)

Source: unknown	DNS traffic detected: query: www.plqz-move.xyz replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.ovt-jobs-lisitings00810.today replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.lywjv-issue.xyz replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.uqhi42.xyz replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.vtyo-phone.xyz replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.nit-dreeu.xyz replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.rostnixon.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.aresrasherregard.cfd replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.kimosskrupulslacker.cfd replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.alembottling.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.specially-smou.xyz replaycode: Name error (3)

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\AdobePDFViewer.exe

Code function: 0_2_0044289D InternetQueryDataAvailable,InternetReadFile,

0_2_0044289D

Source: global traffic	DNS traffic detected: DNS query: www.lywjv-issue.xyz
Source: global traffic	DNS traffic detected: DNS query: www.plqz-move.xyz
Source: global traffic	DNS traffic detected: DNS query: www.rostnixon.net
Source: global traffic	DNS traffic detected: DNS query: www.vtyo-phone.xyz
Source: global traffic	DNS traffic detected: DNS query: www.ovt-jobs-lisitings00810.today
Source: global traffic	DNS traffic detected: DNS query: www.specially-smou.xyz
Source: global traffic	DNS traffic detected: DNS query: www.aresrasherregard.cfd
Source: global traffic	DNS traffic detected: DNS query: www.uqhi42.xyz
Source: global traffic	DNS traffic detected: DNS query: www.kimosskrupulslacker.cfd
Source: global traffic	DNS traffic detected: DNS query: www.alembottling.net
Source: global traffic	DNS traffic detected: DNS query: www.nit-dreeu.xyz

Source: explorer.exe, 00000003.00000003.2475318909.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1427716514.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1427716514.00000000087BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3854305033.0000000008685000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 00000003.00000003.2475318909.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1427716514.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1427716514.00000000087BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3854305033.0000000008685000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 00000003.00000003.2475318909.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1427716514.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1427716514.00000000087BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3854305033.0000000008685000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 00000003.00000003.2475318909.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1427716514.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1427716514.00000000087BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3854305033.0000000008685000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000003.00000003.2291743583.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3082688545.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1423844898.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3851084445.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2473820002.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 00000003.00000002.3853539300.00000000082D0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.1422234527.0000000002C60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.1425719103.0000000007670000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: explorer.exe, 00000003.00000003.2471241758.000000000C291000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290628021.000000000C285000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3859766500.000000000C28E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.alembottling.net
Source: explorer.exe, 00000003.00000003.2471241758.000000000C291000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290628021.000000000C285000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3859766500.000000000C28E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.alembottling.net/f29s/
Source: explorer.exe, 00000003.00000003.2471241758.000000000C291000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290628021.000000000C285000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3859766500.000000000C28E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.alembottling.net/f29s/www.nit-dreeu.xyz
Source: explorer.exe, 00000003.00000003.2471241758.000000000C291000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290628021.000000000C285000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3859766500.000000000C28E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.alembottling.netReferer:
Source: explorer.exe, 00000003.00000003.2471241758.000000000C291000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290628021.000000000C285000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3859766500.000000000C28E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.aresrasherregard.cfd
Source: explorer.exe, 00000003.00000003.2471241758.000000000C291000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290628021.000000000C285000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3859766500.000000000C28E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.aresrasherregard.cfd/f29s/
Source: explorer.exe, 00000003.00000003.2471241758.000000000C291000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290628021.000000000C285000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3859766500.000000000C28E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.aresrasherregard.cfd/f29s/www.uqhi42.xyz
Source: explorer.exe, 00000003.00000003.2471241758.000000000C291000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290628021.000000000C285000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3859766500.000000000C28E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.aresrasherregard.cfdReferer:
Source: explorer.exe, 00000003.00000003.2472712294.00000000085E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2291296923.00000000085E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1427268605.00000000085D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3853986057.00000000085E3000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000003.00000003.2471241758.000000000C291000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290628021.000000000C285000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3859766500.000000000C28E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.awqs-wonder.xyz
Source: explorer.exe, 00000003.00000003.2471241758.000000000C291000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290628021.000000000C285000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3859766500.000000000C28E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.awqs-wonder.xyz/f29s/
Source: explorer.exe, 00000003.00000003.2471241758.000000000C291000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290628021.000000000C285000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3859766500.000000000C28E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.awqs-wonder.xyz/f29s/www.ccloudserve.xyz
Source: explorer.exe, 00000003.00000003.2471241758.000000000C291000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290628021.000000000C285000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3859766500.000000000C28E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.awqs-wonder.xyzReferer:
Source: explorer.exe, 00000003.00000003.2471241758.000000000C291000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290628021.000000000C285000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3859766500.000000000C28E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ccloudserve.xyz
Source: explorer.exe, 00000003.00000003.2471241758.000000000C291000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290628021.000000000C285000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3859766500.000000000C28E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ccloudserve.xyz/f29s/
Source: explorer.exe, 00000003.00000003.2471241758.000000000C291000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290628021.000000000C285000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3859766500.000000000C28E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ccloudserve.xyz/f29s/www.wqvn-environment.xyz
Source: explorer.exe, 00000003.00000003.2471241758.000000000C291000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290628021.000000000C285000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3859766500.000000000C28E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ccloudserve.xyzReferer:
Source: explorer.exe, 00000003.00000003.2471241758.000000000C291000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290628021.000000000C285000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3859766500.000000000C28E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.duxrib.xyz
Source: explorer.exe, 00000003.00000003.2471241758.000000000C291000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290628021.000000000C285000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3859766500.000000000C28E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.duxrib.xyz/f29s/
Source: explorer.exe, 00000003.00000003.2471241758.000000000C291000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290628021.000000000C285000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3859766500.000000000C28E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.duxrib.xyz/f29s/www.alembottling.net
Source: explorer.exe, 00000003.00000003.2471241758.000000000C291000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290628021.000000000C285000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3859766500.000000000C28E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.duxrib.xyzReferer:
Source: explorer.exe, 00000003.00000003.2471241758.000000000C291000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290628021.000000000C285000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3859766500.000000000C28E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ise-bjnh.xyz
Source: explorer.exe, 00000003.00000003.2471241758.000000000C291000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290628021.000000000C285000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3859766500.000000000C28E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ise-bjnh.xyz/f29s/
Source: explorer.exe, 00000003.00000003.2471241758.000000000C291000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290628021.000000000C285000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3859766500.000000000C28E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ise-bjnh.xyz/f29s/www.awqs-wonder.xyz
Source: explorer.exe, 00000003.00000003.2471241758.000000000C291000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290628021.000000000C285000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3859766500.000000000C28E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ise-bjnh.xyzReferer:
Source: explorer.exe, 00000003.00000003.2471241758.000000000C291000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290628021.000000000C285000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3859766500.000000000C28E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.kimosskrupulslacker.cfd
Source: explorer.exe, 00000003.00000003.2471241758.000000000C291000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290628021.000000000C285000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3859766500.000000000C28E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.kimosskrupulslacker.cfd/f29s/
Source: explorer.exe, 00000003.00000003.2471241758.000000000C291000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290628021.000000000C285000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3859766500.000000000C28E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.kimosskrupulslacker.cfd/f29s/www.duxrib.xyz
Source: explorer.exe, 00000003.00000003.2471241758.000000000C291000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290628021.000000000C285000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3859766500.000000000C28E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.kimosskrupulslacker.cfdReferer:
Source: explorer.exe, 00000003.00000003.2471241758.000000000C291000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290628021.000000000C285000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3859766500.000000000C28E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.lywjv-issue.xyz
Source: explorer.exe, 00000003.00000003.2471241758.000000000C291000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290628021.000000000C285000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3859766500.000000000C28E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.lywjv-issue.xyz/f29s/
Source: explorer.exe, 00000003.00000003.2471241758.000000000C291000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290628021.000000000C285000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3859766500.000000000C28E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.lywjv-issue.xyz/f29s/www.plqz-move.xyz
Source: explorer.exe, 00000003.00000003.2471241758.000000000C291000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290628021.000000000C285000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3859766500.000000000C28E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.lywjv-issue.xyzReferer:
Source: explorer.exe, 00000003.00000003.2471241758.000000000C291000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290628021.000000000C285000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3859766500.000000000C28E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.nit-dreeu.xyz
Source: explorer.exe, 00000003.00000003.2471241758.000000000C291000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290628021.000000000C285000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3859766500.000000000C28E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.nit-dreeu.xyz/f29s/
Source: explorer.exe, 00000003.00000003.2471241758.000000000C291000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290628021.000000000C285000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3859766500.000000000C28E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.nit-dreeu.xyz/f29s/www.ise-bjnh.xyz
Source: explorer.exe, 00000003.00000003.2471241758.000000000C291000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290628021.000000000C285000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3859766500.000000000C28E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.nit-dreeu.xyzReferer:
Source: explorer.exe, 00000003.00000003.2471241758.000000000C291000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290628021.000000000C285000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3859766500.000000000C28E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ovt-jobs-lisitings00810.today
Source: explorer.exe, 00000003.00000003.2471241758.000000000C291000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290628021.000000000C285000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3859766500.000000000C28E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ovt-jobs-lisitings00810.today/f29s/
Source: explorer.exe, 00000003.00000003.2471241758.000000000C291000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290628021.000000000C285000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3859766500.000000000C28E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ovt-jobs-lisitings00810.today/f29s/www.specially-smou.xyz
Source: explorer.exe, 00000003.00000003.2471241758.000000000C291000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290628021.000000000C285000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3859766500.000000000C28E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ovt-jobs-lisitings00810.todayReferer:
Source: explorer.exe, 00000003.00000003.2471241758.000000000C291000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290628021.000000000C285000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3859766500.000000000C28E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.plqz-move.xyz
Source: explorer.exe, 00000003.00000003.2471241758.000000000C291000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290628021.000000000C285000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3859766500.000000000C28E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.plqz-move.xyz/f29s/
Source: explorer.exe, 00000003.00000003.2471241758.000000000C291000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290628021.000000000C285000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3859766500.000000000C28E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.plqz-move.xyz/f29s/www.rostnixon.net
Source: explorer.exe, 00000003.00000003.2471241758.000000000C291000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290628021.000000000C285000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3859766500.000000000C28E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.plqz-move.xyzReferer:
Source: explorer.exe, 00000003.00000003.2471241758.000000000C291000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290628021.000000000C285000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3859766500.000000000C28E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.rostnixon.net
Source: explorer.exe, 00000003.00000003.2471241758.000000000C291000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290628021.000000000C285000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3859766500.000000000C28E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.rostnixon.net/f29s/
Source: explorer.exe, 00000003.00000003.2471241758.000000000C291000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290628021.000000000C285000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3859766500.000000000C28E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.rostnixon.net/f29s/www.vtyo-phone.xyz
Source: explorer.exe, 00000003.00000003.2471241758.000000000C291000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290628021.000000000C285000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3859766500.000000000C28E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.rostnixon.netReferer:
Source: explorer.exe, 00000003.00000003.2471241758.000000000C291000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290628021.000000000C285000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3859766500.000000000C28E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.specially-smou.xyz
Source: explorer.exe, 00000003.00000003.2471241758.000000000C291000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290628021.000000000C285000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3859766500.000000000C28E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.specially-smou.xyz/f29s/
Source: explorer.exe, 00000003.00000003.2471241758.000000000C291000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290628021.000000000C285000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3859766500.000000000C28E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.specially-smou.xyz/f29s/www.aresrasherregard.cfd
Source: explorer.exe, 00000003.00000003.2471241758.000000000C291000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290628021.000000000C285000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3859766500.000000000C28E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.specially-smou.xyzReferer:
Source: explorer.exe, 00000003.00000003.2471241758.000000000C291000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290628021.000000000C285000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3859766500.000000000C28E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.uqhi42.xyz
Source: explorer.exe, 00000003.00000003.2471241758.000000000C291000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290628021.000000000C285000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3859766500.000000000C28E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.uqhi42.xyz/f29s/
Source: explorer.exe, 00000003.00000003.2471241758.000000000C291000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290628021.000000000C285000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3859766500.000000000C28E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.uqhi42.xyz/f29s/www.kimosskrupulslacker.cfd
Source: explorer.exe, 00000003.00000003.2471241758.000000000C291000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290628021.000000000C285000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3859766500.000000000C28E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.uqhi42.xyzReferer:
Source: explorer.exe, 00000003.00000003.2471241758.000000000C291000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290628021.000000000C285000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3859766500.000000000C28E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.vtyo-phone.xyz
Source: explorer.exe, 00000003.00000003.2471241758.000000000C291000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290628021.000000000C285000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3859766500.000000000C28E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.vtyo-phone.xyz/f29s/
Source: explorer.exe, 00000003.00000003.2471241758.000000000C291000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290628021.000000000C285000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3859766500.000000000C28E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.vtyo-phone.xyz/f29s/www.ovt-jobs-lisitings00810.today
Source: explorer.exe, 00000003.00000003.2471241758.000000000C291000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290628021.000000000C285000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3859766500.000000000C28E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.vtyo-phone.xyzReferer:
Source: explorer.exe, 00000003.00000003.2471241758.000000000C291000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290628021.000000000C285000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3859766500.000000000C28E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.wqvn-environment.xyz
Source: explorer.exe, 00000003.00000002.3859766500.000000000C28E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.wqvn-environment.xyz/f29s/
Source: explorer.exe, 00000003.00000003.2471241758.000000000C291000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290628021.000000000C285000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3859766500.000000000C28E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.wqvn-environment.xyzReferer:
Source: explorer.exe, 00000003.00000000.1432619537.000000000BD22000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp(
Source: explorer.exe, 00000003.00000000.1432619537.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000003.00000000.1432619537.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOSJM
Source: explorer.exe, 00000003.00000000.1432619537.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOSZM
Source: explorer.exe, 00000003.00000000.1432619537.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOSp
Source: explorer.exe, 00000003.00000003.2475318909.0000000008796000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1427716514.0000000008796000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3854305033.0000000008796000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/rT
Source: explorer.exe, 00000003.00000003.2475318909.0000000008650000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000003.00000003.2291743583.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3082688545.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1423844898.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3851084445.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2473820002.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=A1668CA4549A443399161CE8D2237D12&timeOut=5000&oc
Source: explorer.exe, 00000003.00000003.2475318909.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1427716514.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3854305033.0000000008685000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?z$
Source: explorer.exe, 00000003.00000003.2475318909.0000000008796000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1427716514.0000000008796000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3854305033.0000000008796000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/~T
Source: explorer.exe, 00000003.00000003.2291743583.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3082688545.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2474921902.0000000002F10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1422582646.0000000002F10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1423844898.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3851084445.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2473820002.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 00000003.00000003.2475318909.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1427716514.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3854305033.0000000008685000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.com
Source: explorer.exe, 00000003.00000003.2473820002.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
Source: explorer.exe, 00000003.00000003.2473820002.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/MostlyClearNight.svg
Source: explorer.exe, 00000003.00000003.2291743583.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3082688545.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1423844898.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3851084445.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2473820002.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/recordhigh.svg
Source: explorer.exe, 00000003.00000003.2291743583.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3082688545.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1423844898.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3851084445.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2473820002.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/taskbar/animation/WeatherInsights/WeatherInsi
Source: explorer.exe, 00000003.00000003.2473820002.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
Source: explorer.exe, 00000003.00000003.2473820002.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
Source: explorer.exe, 00000003.00000003.2291743583.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3082688545.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1423844898.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3851084445.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2473820002.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKhb
Source: explorer.exe, 00000003.00000003.2291743583.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3082688545.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1423844898.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3851084445.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2473820002.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKhb-dark
Source: explorer.exe, 00000003.00000003.2291743583.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3082688545.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1423844898.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3851084445.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2473820002.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gPfv
Source: explorer.exe, 00000003.00000003.2291743583.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3082688545.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1423844898.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3851084445.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2473820002.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gPfv-dark
Source: explorer.exe, 00000003.00000003.2291743583.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3082688545.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1423844898.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3851084445.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2473820002.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gPi8
Source: explorer.exe, 00000003.00000003.2291743583.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3082688545.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1423844898.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3851084445.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2473820002.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gPi8-dark
Source: explorer.exe, 00000003.00000002.3858527399.000000000BDEA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1432619537.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2472878488.000000000BDEA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290736750.000000000BDE7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com
Source: explorer.exe, 00000003.00000003.2291743583.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3082688545.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1423844898.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3851084445.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2473820002.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA11f7Wa.img
Source: explorer.exe, 00000003.00000003.2473820002.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
Source: explorer.exe, 00000003.00000003.2291743583.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3082688545.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1423844898.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3851084445.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2473820002.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1bjET8.img
Source: explorer.exe, 00000003.00000003.2291743583.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3082688545.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1423844898.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3851084445.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2473820002.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1eBTmz.img
Source: explorer.exe, 00000003.00000003.2291743583.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3082688545.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1423844898.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3851084445.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2473820002.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hGNsX.img
Source: explorer.exe, 00000003.00000003.2291743583.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3082688545.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1423844898.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3851084445.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2473820002.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAT0qC2.img
Source: explorer.exe, 00000003.00000003.2291743583.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3082688545.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1423844898.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3851084445.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2473820002.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AATs0AB.img
Source: explorer.exe, 00000003.00000003.2291743583.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3082688545.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1423844898.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3851084445.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2473820002.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1e6XdQ.img
Source: explorer.exe, 00000003.00000002.3858527399.000000000BDEA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1432619537.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2472878488.000000000BDEA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290736750.000000000BDE7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.com
Source: explorer.exe, 00000003.00000003.2291743583.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3082688545.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1423844898.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3851084445.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2473820002.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://parade.com/61481/toriavey/where-did-hamburgers-originate
Source: explorer.exe, 00000003.00000002.3858527399.000000000BDEA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1432619537.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2472878488.000000000BDEA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290736750.000000000BDE7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.com
Source: explorer.exe, 00000003.00000003.2291743583.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3082688545.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1423844898.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3851084445.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2473820002.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://upload.wikimedia.org/wikipedia/commons/thumb/8/84/Zealandia-Continent_map_en.svg/1870px-Zeal
Source: explorer.exe, 00000003.00000003.2291743583.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3082688545.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1423844898.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3851084445.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2473820002.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000003.00000003.2291743583.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3082688545.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1423844898.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3851084445.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2473820002.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000003.00000002.3855106750.000000000899E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2473546587.000000000899E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1427716514.000000000899E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/bat
Source: explorer.exe, 00000003.00000002.3858527399.000000000BDEA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1432619537.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2472878488.000000000BDEA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290736750.000000000BDE7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.com
Source: explorer.exe, 00000003.00000003.2291743583.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3082688545.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1423844898.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3851084445.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2473820002.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/foodanddrink/foodnews/the-best-burger-place-in-phoenix-plus-see-the-rest-o
Source: explorer.exe, 00000003.00000003.2291743583.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3082688545.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1423844898.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3851084445.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2473820002.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/lifestyle/lifestyle-buzz/what-to-do-if-a-worst-case-nuclear-scenario-actua
Source: explorer.exe, 00000003.00000003.2291743583.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3082688545.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1423844898.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3851084445.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2473820002.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/companies/kaiser-permanente-and-unions-for-75-000-striking-health-wo
Source: explorer.exe, 00000003.00000003.2291743583.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3082688545.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1423844898.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3851084445.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2473820002.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/money-matters-changing-institution-of-marriage/ar-AA
Source: explorer.exe, 00000003.00000003.2291743583.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3082688545.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1423844898.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3851084445.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2473820002.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/the-no-1-phrase-people-who-are-good-at-small-talk-al
Source: explorer.exe, 00000003.00000003.2291743583.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3082688545.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1423844898.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3851084445.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2473820002.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/crime/bar-fight-leaves-man-in-critical-condition-suspect-arrested-in-
Source: explorer.exe, 00000003.00000003.2291743583.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3082688545.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1423844898.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3851084445.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2473820002.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/here-s-what-house-rules-say-about-trump-serving-as-speaker-o
Source: explorer.exe, 00000003.00000003.2291743583.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3082688545.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1423844898.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3851084445.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2473820002.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/how-donald-trump-helped-kari-lake-become-arizona-s-and-ameri
Source: explorer.exe, 00000003.00000003.2291743583.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3082688545.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1423844898.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3851084445.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2473820002.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/kevin-mccarthy-s-ouster-as-house-speaker-could-cost-gop-its-
Source: explorer.exe, 00000003.00000003.2291743583.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3082688545.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1423844898.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3851084445.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2473820002.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/trump-whines-to-cameras-in-ny-fraud-case-before-fleeing-to-f
Source: explorer.exe, 00000003.00000003.2291743583.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3082688545.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1423844898.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3851084445.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2473820002.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/technology/a-federal-emergency-alert-will-be-sent-to-us-phones-nation
Source: explorer.exe, 00000003.00000003.2291743583.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3082688545.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1423844898.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3851084445.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2473820002.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/technology/prehistoric-comet-impacted-earth-and-triggered-the-switch-
Source: explorer.exe, 00000003.00000003.2291743583.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3082688545.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1423844898.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3851084445.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2473820002.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/biden-administration-waives-26-federal-laws-to-allow-border-wall-c
Source: explorer.exe, 00000003.00000003.2291743583.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3082688545.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1423844898.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3851084445.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2473820002.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the
Source: explorer.exe, 00000003.00000003.2291743583.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3082688545.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1423844898.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3851084445.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2473820002.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/world/a-second-war-could-easily-erupt-in-europe-while-everyone-s-dist
Source: explorer.exe, 00000003.00000003.2291743583.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3082688545.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1423844898.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3851084445.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2473820002.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/world/england-considers-raising-smoking-age-until-cigarettes-are-bann
Source: explorer.exe, 00000003.00000003.2291743583.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3082688545.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1423844898.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3851084445.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2473820002.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/world/nobel-prize-in-literature-to-be-announced-in-stockholm/ar-AA1hI
Source: explorer.exe, 00000003.00000003.2291743583.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3082688545.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1423844898.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3851084445.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2473820002.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/world/ukraine-live-briefing-biden-expresses-worry-about-congressional
Source: explorer.exe, 00000003.00000003.2291743583.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3082688545.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1423844898.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3851084445.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2473820002.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/accuweather-el-ni
Source: explorer.exe, 00000003.00000003.2291743583.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3082688545.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1423844898.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3851084445.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2473820002.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/first-map-of-earth-s-lost-continent-has-been-published/
Source: explorer.exe, 00000003.00000003.2291743583.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3082688545.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1423844898.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3851084445.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2473820002.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/stop-planting-new-forests-scientists-say/ar-AA1hFI09
Source: explorer.exe, 00000003.00000003.2291743583.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3082688545.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1423844898.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3851084445.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2473820002.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com:443/en-us/feed
Source: explorer.exe, 00000003.00000003.2291743583.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3082688545.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1423844898.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3851084445.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2473820002.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.stacker.com/arizona/phoenix
Source: explorer.exe, 00000003.00000003.2291743583.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3082688545.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1423844898.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3851084445.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2473820002.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.starsinsider.com/n/154870?utm_source=msn.com&utm_medium=display&utm_campaign=referral_de
Source: explorer.exe, 00000003.00000003.2291743583.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3082688545.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1423844898.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3851084445.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2473820002.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.yelp.com

Source: C:\Users\user\Desktop\AdobePDFViewer.exe

Code function: 0_2_0046C5D0 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,

0_2_0046C5D0

Source: C:\Users\user\Desktop\AdobePDFViewer.exe

Code function: 0_2_00459FFF OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00459FFF

Source: C:\Users\user\Desktop\AdobePDFViewer.exe

Code function: 0_2_0046C5D0 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,

0_2_0046C5D0

Source: C:\Users\user\Desktop\AdobePDFViewer.exe

Code function: 0_2_00456354 GetCursorPos,ScreenToClient,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetWindowLongW,

0_2_00456354

Source: C:\Users\user\Desktop\AdobePDFViewer.exe

Code function: 0_2_0047C08E SendMessageW,DefDlgProcW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,GetWindowLongW,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_0047C08E

E-Banking Fraud

Malicious sample detected (through community Yara rule)

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.AdobePDFViewer.exe.2f60000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.AdobePDFViewer.exe.2f60000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.3845717591.0000000005510000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1541468746.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1541829256.0000000003370000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3845229047.00000000050F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1541865907.00000000033A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3845654321.00000000054E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1417894838.0000000002F60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

System Summary

Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.AdobePDFViewer.exe.2f60000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0.2.AdobePDFViewer.exe.2f60000.1.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.AdobePDFViewer.exe.2f60000.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.AdobePDFViewer.exe.2f60000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0.2.AdobePDFViewer.exe.2f60000.1.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.AdobePDFViewer.exe.2f60000.1.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.3845717591.0000000005510000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.3845717591.0000000005510000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.3845717591.0000000005510000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.1541468746.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.1541468746.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.1541468746.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.3860609031.0000000010254000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_772cc62d Author: unknown
Source: 00000002.00000002.1541829256.0000000003370000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.1541829256.0000000003370000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.1541829256.0000000003370000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.3845229047.00000000050F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.3845229047.00000000050F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.3845229047.00000000050F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.1541865907.00000000033A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.1541865907.00000000033A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.1541865907.00000000033A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.3845654321.00000000054E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.3845654321.00000000054E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.3845654321.00000000054E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.1417894838.0000000002F60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.1417894838.0000000002F60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.1417894838.0000000002F60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: AdobePDFViewer.exe PID: 7500, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: svchost.exe PID: 7568, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: chkdsk.exe PID: 7704, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041A330 NtCreateFile,	2_2_0041A330
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041A3E0 NtReadFile,	2_2_0041A3E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041A460 NtClose,	2_2_0041A460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041A510 NtAllocateVirtualMemory,	2_2_0041A510
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041A48B NtClose,	2_2_0041A48B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041A50C NtAllocateVirtualMemory,	2_2_0041A50C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572B60 NtClose,LdrInitializeThunk,	2_2_03572B60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	2_2_03572BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572AD0 NtReadFile,LdrInitializeThunk,	2_2_03572AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572F30 NtCreateSection,LdrInitializeThunk,	2_2_03572F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572FE0 NtCreateFile,LdrInitializeThunk,	2_2_03572FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572F90 NtProtectVirtualMemory,LdrInitializeThunk,	2_2_03572F90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572FB0 NtResumeThread,LdrInitializeThunk,	2_2_03572FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572E80 NtReadVirtualMemory,LdrInitializeThunk,	2_2_03572E80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,	2_2_03572EA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572D10 NtMapViewOfSection,LdrInitializeThunk,	2_2_03572D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572D30 NtUnmapViewOfSection,LdrInitializeThunk,	2_2_03572D30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572DD0 NtDelayExecution,LdrInitializeThunk,	2_2_03572DD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572DF0 NtQuerySystemInformation,LdrInitializeThunk,	2_2_03572DF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572C70 NtFreeVirtualMemory,LdrInitializeThunk,	2_2_03572C70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572CA0 NtQueryInformationToken,LdrInitializeThunk,	2_2_03572CA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03574340 NtSetContextThread,	2_2_03574340
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03574650 NtSuspendThread,	2_2_03574650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572BE0 NtQueryValueKey,	2_2_03572BE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572B80 NtQueryInformationFile,	2_2_03572B80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572BA0 NtEnumerateValueKey,	2_2_03572BA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572AF0 NtWriteFile,	2_2_03572AF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572AB0 NtWaitForSingleObject,	2_2_03572AB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572F60 NtCreateProcessEx,	2_2_03572F60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572FA0 NtQuerySection,	2_2_03572FA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572E30 NtWriteVirtualMemory,	2_2_03572E30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572EE0 NtQueueApcThread,	2_2_03572EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572D00 NtSetInformationFile,	2_2_03572D00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572DB0 NtEnumerateKey,	2_2_03572DB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572C60 NtCreateKey,	2_2_03572C60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572C00 NtQueryInformationProcess,	2_2_03572C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572CC0 NtQueryVirtualMemory,	2_2_03572CC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572CF0 NtOpenProcess,	2_2_03572CF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03573010 NtOpenDirectoryObject,	2_2_03573010
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03573090 NtSetValueKey,	2_2_03573090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035735C0 NtCreateMutant,	2_2_035735C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035739B0 NtGetContextThread,	2_2_035739B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03573D70 NtOpenThread,	2_2_03573D70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03573D10 NtOpenProcessToken,	2_2_03573D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0340A036 NtQueryInformationProcess,NtSuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread,NtClose,	2_2_0340A036
Source: C:\Windows\explorer.exe	Code function: 3_2_1023C232 NtCreateFile,	3_2_1023C232
Source: C:\Windows\explorer.exe	Code function: 3_2_1023DE12 NtProtectVirtualMemory,	3_2_1023DE12
Source: C:\Windows\explorer.exe	Code function: 3_2_1023DE0A NtProtectVirtualMemory,	3_2_1023DE0A
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_05932DD0 NtDelayExecution,LdrInitializeThunk,	5_2_05932DD0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_05932DF0 NtQuerySystemInformation,LdrInitializeThunk,	5_2_05932DF0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_05932D10 NtMapViewOfSection,LdrInitializeThunk,	5_2_05932D10
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_05932CA0 NtQueryInformationToken,LdrInitializeThunk,	5_2_05932CA0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_05932C70 NtFreeVirtualMemory,LdrInitializeThunk,	5_2_05932C70
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_05932C60 NtCreateKey,LdrInitializeThunk,	5_2_05932C60
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_05932FE0 NtCreateFile,LdrInitializeThunk,	5_2_05932FE0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_05932F30 NtCreateSection,LdrInitializeThunk,	5_2_05932F30
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_05932EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,	5_2_05932EA0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_05932BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	5_2_05932BF0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_05932BE0 NtQueryValueKey,LdrInitializeThunk,	5_2_05932BE0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_05932B60 NtClose,LdrInitializeThunk,	5_2_05932B60
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_05932AD0 NtReadFile,LdrInitializeThunk,	5_2_05932AD0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_059335C0 NtCreateMutant,LdrInitializeThunk,	5_2_059335C0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_05934650 NtSuspendThread,	5_2_05934650
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_05934340 NtSetContextThread,	5_2_05934340
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_05932DB0 NtEnumerateKey,	5_2_05932DB0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_05932D00 NtSetInformationFile,	5_2_05932D00
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_05932D30 NtUnmapViewOfSection,	5_2_05932D30
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_05932CC0 NtQueryVirtualMemory,	5_2_05932CC0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_05932CF0 NtOpenProcess,	5_2_05932CF0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_05932C00 NtQueryInformationProcess,	5_2_05932C00
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_05932F90 NtProtectVirtualMemory,	5_2_05932F90
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_05932FB0 NtResumeThread,	5_2_05932FB0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_05932FA0 NtQuerySection,	5_2_05932FA0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_05932F60 NtCreateProcessEx,	5_2_05932F60
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_05932E80 NtReadVirtualMemory,	5_2_05932E80
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_05932EE0 NtQueueApcThread,	5_2_05932EE0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_05932E30 NtWriteVirtualMemory,	5_2_05932E30
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_05932B80 NtQueryInformationFile,	5_2_05932B80
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_05932BA0 NtEnumerateValueKey,	5_2_05932BA0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_05932AB0 NtWaitForSingleObject,	5_2_05932AB0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_05932AF0 NtWriteFile,	5_2_05932AF0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_05933090 NtSetValueKey,	5_2_05933090
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_05933010 NtOpenDirectoryObject,	5_2_05933010
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_05933D10 NtOpenProcessToken,	5_2_05933D10
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_05933D70 NtOpenThread,	5_2_05933D70
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_059339B0 NtGetContextThread,	5_2_059339B0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_0510A510 NtAllocateVirtualMemory,	5_2_0510A510
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_0510A460 NtClose,	5_2_0510A460
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_0510A330 NtCreateFile,	5_2_0510A330
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_0510A3E0 NtReadFile,	5_2_0510A3E0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_0510A50C NtAllocateVirtualMemory,	5_2_0510A50C
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_0510A48B NtClose,	5_2_0510A48B
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_0570A036 NtQueryInformationProcess,NtSuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread,	5_2_0570A036
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_05709BAF NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtUnmapViewOfSection,NtClose,	5_2_05709BAF
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_0570A042 NtQueryInformationProcess,	5_2_0570A042
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_05709BB2 NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	5_2_05709BB2

Source: C:\Users\user\Desktop\AdobePDFViewer.exe

Code function: 0_2_00434D50: GetFullPathNameW,__swprintf,_wcslen,_wcslen,_wcslen,CreateDirectoryW,CreateFileW,_memset,_wcslen,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,

0_2_00434D50

Source: C:\Users\user\Desktop\AdobePDFViewer.exe

Code function: 0_2_004461ED _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,_wcsncpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_004461ED

Source: C:\Users\user\Desktop\AdobePDFViewer.exe

Code function: 0_2_004364AA GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState,

0_2_004364AA

Source: C:\Users\user\Desktop\AdobePDFViewer.exe	Code function: 0_2_00409A40	0_2_00409A40
Source: C:\Users\user\Desktop\AdobePDFViewer.exe	Code function: 0_2_00412038	0_2_00412038
Source: C:\Users\user\Desktop\AdobePDFViewer.exe	Code function: 0_2_00427161	0_2_00427161
Source: C:\Users\user\Desktop\AdobePDFViewer.exe	Code function: 0_2_0047E1FA	0_2_0047E1FA
Source: C:\Users\user\Desktop\AdobePDFViewer.exe	Code function: 0_2_004212BE	0_2_004212BE
Source: C:\Users\user\Desktop\AdobePDFViewer.exe	Code function: 0_2_00443390	0_2_00443390
Source: C:\Users\user\Desktop\AdobePDFViewer.exe	Code function: 0_2_00443391	0_2_00443391
Source: C:\Users\user\Desktop\AdobePDFViewer.exe	Code function: 0_2_0041A46B	0_2_0041A46B
Source: C:\Users\user\Desktop\AdobePDFViewer.exe	Code function: 0_2_0041240C	0_2_0041240C
Source: C:\Users\user\Desktop\AdobePDFViewer.exe	Code function: 0_2_00446566	0_2_00446566
Source: C:\Users\user\Desktop\AdobePDFViewer.exe	Code function: 0_2_004045E0	0_2_004045E0
Source: C:\Users\user\Desktop\AdobePDFViewer.exe	Code function: 0_2_0041D750	0_2_0041D750
Source: C:\Users\user\Desktop\AdobePDFViewer.exe	Code function: 0_2_004037E0	0_2_004037E0
Source: C:\Users\user\Desktop\AdobePDFViewer.exe	Code function: 0_2_00427859	0_2_00427859
Source: C:\Users\user\Desktop\AdobePDFViewer.exe	Code function: 0_2_00412818	0_2_00412818
Source: C:\Users\user\Desktop\AdobePDFViewer.exe	Code function: 0_2_0040F890	0_2_0040F890
Source: C:\Users\user\Desktop\AdobePDFViewer.exe	Code function: 0_2_0042397B	0_2_0042397B
Source: C:\Users\user\Desktop\AdobePDFViewer.exe	Code function: 0_2_00411B63	0_2_00411B63
Source: C:\Users\user\Desktop\AdobePDFViewer.exe	Code function: 0_2_0047CBF0	0_2_0047CBF0
Source: C:\Users\user\Desktop\AdobePDFViewer.exe	Code function: 0_2_0044EBBC	0_2_0044EBBC
Source: C:\Users\user\Desktop\AdobePDFViewer.exe	Code function: 0_2_00412C38	0_2_00412C38
Source: C:\Users\user\Desktop\AdobePDFViewer.exe	Code function: 0_2_0044ED9A	0_2_0044ED9A
Source: C:\Users\user\Desktop\AdobePDFViewer.exe	Code function: 0_2_00423EBF	0_2_00423EBF
Source: C:\Users\user\Desktop\AdobePDFViewer.exe	Code function: 0_2_00424F70	0_2_00424F70
Source: C:\Users\user\Desktop\AdobePDFViewer.exe	Code function: 0_2_0041AF0D	0_2_0041AF0D
Source: C:\Users\user\Desktop\AdobePDFViewer.exe	Code function: 0_2_03FD3658	0_2_03FD3658
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00401030	2_2_00401030
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041EB53	2_2_0041EB53
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041E50C	2_2_0041E50C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041E524	2_2_0041E524
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402D87	2_2_00402D87
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402D90	2_2_00402D90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00409E5B	2_2_00409E5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00409E60	2_2_00409E60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041D6C9	2_2_0041D6C9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402FB0	2_2_00402FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035FA352	2_2_035FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036003E6	2_2_036003E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0354E3F0	2_2_0354E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035E0274	2_2_035E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035C02C0	2_2_035C02C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035C8158	2_2_035C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035DA118	2_2_035DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03530100	2_2_03530100
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035F81CC	2_2_035F81CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036001AA	2_2_036001AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035F41A2	2_2_035F41A2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035D2000	2_2_035D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03564750	2_2_03564750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03540770	2_2_03540770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353C7C0	2_2_0353C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0355C6E0	2_2_0355C6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03540535	2_2_03540535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03600591	2_2_03600591
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035F2446	2_2_035F2446
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035E4420	2_2_035E4420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035EE4F6	2_2_035EE4F6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035FAB40	2_2_035FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035F6BD7	2_2_035F6BD7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353EA80	2_2_0353EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03556962	2_2_03556962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0360A9A6	2_2_0360A9A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035429A0	2_2_035429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0354A840	2_2_0354A840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03542840	2_2_03542840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356E8F0	2_2_0356E8F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035268B8	2_2_035268B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B4F40	2_2_035B4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03560F30	2_2_03560F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035E2F30	2_2_035E2F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03582F28	2_2_03582F28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03532FC8	2_2_03532FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0354CFE0	2_2_0354CFE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035BEFA0	2_2_035BEFA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03540E59	2_2_03540E59
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035FEE26	2_2_035FEE26
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035FEEDB	2_2_035FEEDB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03552E90	2_2_03552E90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035FCE93	2_2_035FCE93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035DCD1F	2_2_035DCD1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0354AD00	2_2_0354AD00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353ADE0	2_2_0353ADE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03558DBF	2_2_03558DBF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03540C00	2_2_03540C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03530CF2	2_2_03530CF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035E0CB5	2_2_035E0CB5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0352D34C	2_2_0352D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035F132D	2_2_035F132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0358739A	2_2_0358739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0355B2C0	2_2_0355B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035E12ED	2_2_035E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035452A0	2_2_035452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0360B16B	2_2_0360B16B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0352F172	2_2_0352F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0357516C	2_2_0357516C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0354B1B0	2_2_0354B1B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035EF0CC	2_2_035EF0CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035470C0	2_2_035470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035F70E9	2_2_035F70E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035FF0E0	2_2_035FF0E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035FF7B0	2_2_035FF7B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03585630	2_2_03585630
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035F16CC	2_2_035F16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035F7571	2_2_035F7571
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036095C3	2_2_036095C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035DD5B0	2_2_035DD5B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03531460	2_2_03531460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035FF43F	2_2_035FF43F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035FFB76	2_2_035FFB76
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B5BF0	2_2_035B5BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0357DBF9	2_2_0357DBF9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0355FB80	2_2_0355FB80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035FFA49	2_2_035FFA49
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035F7A46	2_2_035F7A46
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B3A6C	2_2_035B3A6C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035EDAC6	2_2_035EDAC6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035DDAAC	2_2_035DDAAC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03585AA0	2_2_03585AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035E1AA3	2_2_035E1AA3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03549950	2_2_03549950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0355B950	2_2_0355B950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035D5910	2_2_035D5910
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035AD800	2_2_035AD800
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035438E0	2_2_035438E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035FFF09	2_2_035FFF09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03503FD2	2_2_03503FD2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03503FD5	2_2_03503FD5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03541F92	2_2_03541F92
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035FFFB1	2_2_035FFFB1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03549EB0	2_2_03549EB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035F1D5A	2_2_035F1D5A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03543D40	2_2_03543D40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035F7D73	2_2_035F7D73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0355FDC0	2_2_0355FDC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B9C32	2_2_035B9C32
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035FFCF2	2_2_035FFCF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0340A036	2_2_0340A036
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0340B232	2_2_0340B232
Source: C:\Windows\explorer.exe	Code function: 3_2_100AF036	3_2_100AF036
Source: C:\Windows\explorer.exe	Code function: 3_2_100A6082	3_2_100A6082
Source: C:\Windows\explorer.exe	Code function: 3_2_100A7D02	3_2_100A7D02
Source: C:\Windows\explorer.exe	Code function: 3_2_100AD912	3_2_100AD912
Source: C:\Windows\explorer.exe	Code function: 3_2_100B35CD	3_2_100B35CD
Source: C:\Windows\explorer.exe	Code function: 3_2_100B0232	3_2_100B0232
Source: C:\Windows\explorer.exe	Code function: 3_2_100AAB32	3_2_100AAB32
Source: C:\Windows\explorer.exe	Code function: 3_2_100AAB30	3_2_100AAB30
Source: C:\Windows\explorer.exe	Code function: 3_2_1023C232	3_2_1023C232
Source: C:\Windows\explorer.exe	Code function: 3_2_1023B036	3_2_1023B036
Source: C:\Windows\explorer.exe	Code function: 3_2_10232082	3_2_10232082
Source: C:\Windows\explorer.exe	Code function: 3_2_10236B32	3_2_10236B32
Source: C:\Windows\explorer.exe	Code function: 3_2_10236B30	3_2_10236B30
Source: C:\Windows\explorer.exe	Code function: 3_2_10233D02	3_2_10233D02
Source: C:\Windows\explorer.exe	Code function: 3_2_10239912	3_2_10239912
Source: C:\Windows\explorer.exe	Code function: 3_2_1023F5CD	3_2_1023F5CD
Source: C:\Windows\explorer.exe	Code function: 3_2_105BB036	3_2_105BB036
Source: C:\Windows\explorer.exe	Code function: 3_2_105B2082	3_2_105B2082
Source: C:\Windows\explorer.exe	Code function: 3_2_105B9912	3_2_105B9912
Source: C:\Windows\explorer.exe	Code function: 3_2_105B3D02	3_2_105B3D02
Source: C:\Windows\explorer.exe	Code function: 3_2_105BF5CD	3_2_105BF5CD
Source: C:\Windows\explorer.exe	Code function: 3_2_105BC232	3_2_105BC232
Source: C:\Windows\explorer.exe	Code function: 3_2_105B6B32	3_2_105B6B32
Source: C:\Windows\explorer.exe	Code function: 3_2_105B6B30	3_2_105B6B30
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_059C0591	5_2_059C0591
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_05900535	5_2_05900535
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_059AE4F6	5_2_059AE4F6
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_059A4420	5_2_059A4420
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_059B2446	5_2_059B2446
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_058FC7C0	5_2_058FC7C0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_05924750	5_2_05924750
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_05900770	5_2_05900770
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_0591C6E0	5_2_0591C6E0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_059C01AA	5_2_059C01AA
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_059B41A2	5_2_059B41A2
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_059B81CC	5_2_059B81CC
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_0599A118	5_2_0599A118
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_058F0100	5_2_058F0100
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_05988158	5_2_05988158
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_05992000	5_2_05992000
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_0590E3F0	5_2_0590E3F0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_059C03E6	5_2_059C03E6
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_059BA352	5_2_059BA352
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_059802C0	5_2_059802C0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_059A0274	5_2_059A0274
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_05918DBF	5_2_05918DBF
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_058FADE0	5_2_058FADE0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_0599CD1F	5_2_0599CD1F
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_0590AD00	5_2_0590AD00
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_059A0CB5	5_2_059A0CB5
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_058F0CF2	5_2_058F0CF2
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_05900C00	5_2_05900C00
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_0597EFA0	5_2_0597EFA0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_058F2FC8	5_2_058F2FC8
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_0590CFE0	5_2_0590CFE0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_05920F30	5_2_05920F30
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_059A2F30	5_2_059A2F30
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_05942F28	5_2_05942F28
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_05974F40	5_2_05974F40
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_05912E90	5_2_05912E90
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_059BCE93	5_2_059BCE93
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_059BEEDB	5_2_059BEEDB
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_059BEE26	5_2_059BEE26
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_05900E59	5_2_05900E59
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_059029A0	5_2_059029A0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_059CA9A6	5_2_059CA9A6
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_05916962	5_2_05916962
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_058E68B8	5_2_058E68B8
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_0592E8F0	5_2_0592E8F0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_0590A840	5_2_0590A840
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_05902840	5_2_05902840
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_059B6BD7	5_2_059B6BD7
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_059BAB40	5_2_059BAB40
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_058FEA80	5_2_058FEA80
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_0599D5B0	5_2_0599D5B0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_059C95C3	5_2_059C95C3
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_059B7571	5_2_059B7571
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_059BF43F	5_2_059BF43F
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_058F1460	5_2_058F1460
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_059BF7B0	5_2_059BF7B0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_059B16CC	5_2_059B16CC
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_05945630	5_2_05945630
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_0590B1B0	5_2_0590B1B0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_059CB16B	5_2_059CB16B
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_058EF172	5_2_058EF172
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_0593516C	5_2_0593516C
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_059070C0	5_2_059070C0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_059AF0CC	5_2_059AF0CC
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_059B70E9	5_2_059B70E9
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_059BF0E0	5_2_059BF0E0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_0594739A	5_2_0594739A
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_059B132D	5_2_059B132D
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_058ED34C	5_2_058ED34C
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_059052A0	5_2_059052A0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_0591B2C0	5_2_0591B2C0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_059A12ED	5_2_059A12ED
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_0591FDC0	5_2_0591FDC0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_059B1D5A	5_2_059B1D5A
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_05903D40	5_2_05903D40
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_059B7D73	5_2_059B7D73
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_059BFCF2	5_2_059BFCF2
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_05979C32	5_2_05979C32
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_05901F92	5_2_05901F92
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_059BFFB1	5_2_059BFFB1
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_059BFF09	5_2_059BFF09
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_05909EB0	5_2_05909EB0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_05995910	5_2_05995910
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_05909950	5_2_05909950
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_0591B950	5_2_0591B950
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_059038E0	5_2_059038E0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_0596D800	5_2_0596D800
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_0591FB80	5_2_0591FB80
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_05975BF0	5_2_05975BF0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_0593DBF9	5_2_0593DBF9
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_059BFB76	5_2_059BFB76
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_05945AA0	5_2_05945AA0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_0599DAAC	5_2_0599DAAC
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_059A1AA3	5_2_059A1AA3
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_059ADAC6	5_2_059ADAC6
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_059BFA49	5_2_059BFA49
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_059B7A46	5_2_059B7A46
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_05973A6C	5_2_05973A6C
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_0510E50C	5_2_0510E50C
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_0510E524	5_2_0510E524
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_0510D6C9	5_2_0510D6C9
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_050F2D87	5_2_050F2D87
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_050F2D90	5_2_050F2D90
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_050F2FB0	5_2_050F2FB0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_050F9E5B	5_2_050F9E5B
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_050F9E60	5_2_050F9E60
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_0510EB53	5_2_0510EB53
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_0570A036	5_2_0570A036
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_05702D02	5_2_05702D02
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_0570E5CD	5_2_0570E5CD
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_05708912	5_2_05708912
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_05701082	5_2_05701082
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_05705B30	5_2_05705B30
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_05705B32	5_2_05705B32
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_0570B232	5_2_0570B232

Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: String function: 05935130 appears 58 times
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: String function: 0597F290 appears 105 times
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: String function: 058EB970 appears 280 times
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: String function: 0596EA12 appears 86 times
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: String function: 05947E54 appears 110 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 035AEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03587E54 appears 110 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 0352B970 appears 280 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03575130 appears 58 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 035BF290 appears 105 times
Source: C:\Users\user\Desktop\AdobePDFViewer.exe	Code function: String function: 00445975 appears 65 times
Source: C:\Users\user\Desktop\AdobePDFViewer.exe	Code function: String function: 0041171A appears 37 times
Source: C:\Users\user\Desktop\AdobePDFViewer.exe	Code function: String function: 0041718C appears 45 times
Source: C:\Users\user\Desktop\AdobePDFViewer.exe	Code function: String function: 0040E6D0 appears 35 times

Source: AdobePDFViewer.exe, 00000000.00000003.1414342862.000000000487D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs AdobePDFViewer.exe
Source: AdobePDFViewer.exe, 00000000.00000003.1407103963.00000000046D3000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs AdobePDFViewer.exe

Source: AdobePDFViewer.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.AdobePDFViewer.exe.2f60000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0.2.AdobePDFViewer.exe.2f60000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.AdobePDFViewer.exe.2f60000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.AdobePDFViewer.exe.2f60000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0.2.AdobePDFViewer.exe.2f60000.1.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.AdobePDFViewer.exe.2f60000.1.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.3845717591.0000000005510000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.3845717591.0000000005510000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.3845717591.0000000005510000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.1541468746.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.1541468746.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.1541468746.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.3860609031.0000000010254000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_772cc62d os = windows, severity = x86, creation_date = 2022-05-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8343b5d02d74791ba2d5d52d19a759f761de2b5470d935000bc27ea6c0633f5, id = 772cc62d-345c-42d8-97ab-f67e447ddca4, last_modified = 2022-07-18
Source: 00000002.00000002.1541829256.0000000003370000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.1541829256.0000000003370000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.1541829256.0000000003370000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.3845229047.00000000050F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.3845229047.00000000050F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.3845229047.00000000050F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.1541865907.00000000033A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.1541865907.00000000033A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.1541865907.00000000033A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.3845654321.00000000054E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.3845654321.00000000054E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.3845654321.00000000054E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.1417894838.0000000002F60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.1417894838.0000000002F60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.1417894838.0000000002F60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: AdobePDFViewer.exe PID: 7500, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: svchost.exe PID: 7568, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: chkdsk.exe PID: 7704, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.evad.winEXE@521/1@11/0

Source: C:\Users\user\Desktop\AdobePDFViewer.exe

Code function: 0_2_0044AF5C GetLastError,FormatMessageW,

0_2_0044AF5C

Source: C:\Users\user\Desktop\AdobePDFViewer.exe	Code function: 0_2_00464422 OpenProcess,GetLastError,GetLastError,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,OpenProcess,AdjustTokenPrivileges,CloseHandle,TerminateProcess,GetLastError,CloseHandle,		0_2_00464422
Source: C:\Users\user\Desktop\AdobePDFViewer.exe	Code function: 0_2_004364AA GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState,		0_2_004364AA

Source: C:\Users\user\Desktop\AdobePDFViewer.exe

Code function: 0_2_0045D517 SetErrorMode,GetDiskFreeSpaceW,GetLastError,SetErrorMode,

0_2_0045D517

Source: C:\Users\user\Desktop\AdobePDFViewer.exe

Code function: 0_2_0043701F CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,__wcsicoll,CloseHandle,

0_2_0043701F

Source: C:\Users\user\Desktop\AdobePDFViewer.exe

Code function: 0_2_0047A999 OleInitialize,CLSIDFromProgID,CoCreateInstance,CoInitializeSecurity,_memset,_wcslen,_memset,CoCreateInstanceEx,CoSetProxyBlanket,

0_2_0047A999

Source: C:\Users\user\Desktop\AdobePDFViewer.exe

Code function: 0_2_0043614F __swprintf,__swprintf,__wcsicoll,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx,

0_2_0043614F

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7784:120:WilError_03

Source: C:\Users\user\Desktop\AdobePDFViewer.exe

File created: C:\Users\user\AppData\Local\Temp\unjust

Source: AdobePDFViewer.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\AdobePDFViewer.exe

File read: C:\Users\desktop.ini

Source: C:\Users\user\Desktop\AdobePDFViewer.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: AdobePDFViewer.exe

ReversingLabs: Detection: 58%

Source: C:\Users\user\Desktop\AdobePDFViewer.exe

File read: C:\Users\user\Desktop\AdobePDFViewer.exe

Source: unknown	Process created: C:\Users\user\Desktop\AdobePDFViewer.exe "C:\Users\user\Desktop\AdobePDFViewer.exe"
Source: C:\Users\user\Desktop\AdobePDFViewer.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\AdobePDFViewer.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\autochk.exe "C:\Windows\SysWOW64\autochk.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\chkdsk.exe "C:\Windows\SysWOW64\chkdsk.exe"
Source: C:\Windows\SysWOW64\chkdsk.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\svchost.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\AdobePDFViewer.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\AdobePDFViewer.exe"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\autochk.exe "C:\Windows\SysWOW64\autochk.exe"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\chkdsk.exe "C:\Windows\SysWOW64\chkdsk.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\svchost.exe"	Jump to behavior

Source: C:\Users\user\Desktop\AdobePDFViewer.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\AdobePDFViewer.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\AdobePDFViewer.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\AdobePDFViewer.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\AdobePDFViewer.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\AdobePDFViewer.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\AdobePDFViewer.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\AdobePDFViewer.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\AdobePDFViewer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\AdobePDFViewer.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\AdobePDFViewer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: ifsutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: wininet.dll	Jump to behavior

Source: C:\Users\user\Desktop\AdobePDFViewer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Source: AdobePDFViewer.exe

Static file information: File size 1295083 > 1048576

Source:	Binary string: chkdsk.pdbGCTL source: svchost.exe, 00000002.00000003.1541323150.0000000002E1B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1541897684.00000000033D0000.00000040.10000000.00040000.00000000.sdmp, chkdsk.exe, 00000005.00000002.3845043028.0000000000D90000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: chkdsk.pdb source: svchost.exe, 00000002.00000003.1541323150.0000000002E1B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1541897684.00000000033D0000.00000040.10000000.00040000.00000000.sdmp, chkdsk.exe, 00000005.00000002.3845043028.0000000000D90000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: AdobePDFViewer.exe, 00000000.00000003.1408965989.00000000045B0000.00000004.00001000.00020000.00000000.sdmp, AdobePDFViewer.exe, 00000000.00000003.1415328484.0000000004750000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1542153393.0000000003500000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1418731751.0000000003300000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1416389741.0000000003100000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1542153393.000000000369E000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, 00000005.00000003.1543695522.0000000005717000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 00000005.00000002.3846214986.0000000005A5E000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, 00000005.00000003.1541913591.0000000005560000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 00000005.00000002.3846214986.00000000058C0000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: AdobePDFViewer.exe, 00000000.00000003.1408965989.00000000045B0000.00000004.00001000.00020000.00000000.sdmp, AdobePDFViewer.exe, 00000000.00000003.1415328484.0000000004750000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.1542153393.0000000003500000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1418731751.0000000003300000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1416389741.0000000003100000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1542153393.000000000369E000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, chkdsk.exe, 00000005.00000003.1543695522.0000000005717000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 00000005.00000002.3846214986.0000000005A5E000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, 00000005.00000003.1541913591.0000000005560000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 00000005.00000002.3846214986.00000000058C0000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: explorer.exe, 00000003.00000002.3860967598.000000001085F000.00000004.80000000.00040000.00000000.sdmp, chkdsk.exe, 00000005.00000002.3846982766.0000000005E0F000.00000004.10000000.00040000.00000000.sdmp, chkdsk.exe, 00000005.00000002.3845302098.0000000005168000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: explorer.exe, 00000003.00000002.3860967598.000000001085F000.00000004.80000000.00040000.00000000.sdmp, chkdsk.exe, 00000005.00000002.3846982766.0000000005E0F000.00000004.10000000.00040000.00000000.sdmp, chkdsk.exe, 00000005.00000002.3845302098.0000000005168000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\AdobePDFViewer.exe

Code function: 0_2_0040EB70 LoadLibraryA,GetProcAddress,

0_2_0040EB70

Source: AdobePDFViewer.exe

Static PE information: real checksum: 0xa2135 should be: 0x14bd50

Source: C:\Users\user\Desktop\AdobePDFViewer.exe	Code function: 0_2_004171D1 push ecx; ret	0_2_004171E4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004082D5 push ebp; ret	2_2_004082D6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041EB46 push cs; ret	2_2_0041EB48
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041D4D2 push eax; ret	2_2_0041D4D8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041D4DB push eax; ret	2_2_0041D542
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00408CF5 push eax; ret	2_2_00408CF8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041D485 push eax; ret	2_2_0041D4D8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041D53C push eax; ret	2_2_0041D542
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004175A6 push ss; retf	2_2_004175C8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004175B0 push ss; retf	2_2_004175C8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041673B push edi; retf	2_2_00416745
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004177A0 push ds; iretw	2_2_004177B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0350225F pushad ; ret	2_2_035027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035027FA pushad ; ret	2_2_035027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035309AD push ecx; mov dword ptr [esp], ecx	2_2_035309B6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0350283D push eax; iretd	2_2_03502858
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0350135E push eax; iretd	2_2_03501369
Source: C:\Windows\explorer.exe	Code function: 3_2_100B39B5 push esp; retn 0000h	3_2_100B3AE7
Source: C:\Windows\explorer.exe	Code function: 3_2_100B3B02 push esp; retn 0000h	3_2_100B3B03
Source: C:\Windows\explorer.exe	Code function: 3_2_100B3B1E push esp; retn 0000h	3_2_100B3B1F
Source: C:\Windows\explorer.exe	Code function: 3_2_1023FB02 push esp; retn 0000h	3_2_1023FB03
Source: C:\Windows\explorer.exe	Code function: 3_2_1023FB1E push esp; retn 0000h	3_2_1023FB1F
Source: C:\Windows\explorer.exe	Code function: 3_2_1023F9B5 push esp; retn 0000h	3_2_1023FAE7
Source: C:\Windows\explorer.exe	Code function: 3_2_105BF9B5 push esp; retn 0000h	3_2_105BFAE7
Source: C:\Windows\explorer.exe	Code function: 3_2_105BFB1E push esp; retn 0000h	3_2_105BFB1F
Source: C:\Windows\explorer.exe	Code function: 3_2_105BFB02 push esp; retn 0000h	3_2_105BFB03
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_058F09AD push ecx; mov dword ptr [esp], ecx	5_2_058F09B6
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_0510D53C push eax; ret	5_2_0510D542
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_051075B0 push ss; retf	5_2_051075C8
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_051075A6 push ss; retf	5_2_051075C8
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_0510D485 push eax; ret	5_2_0510D4D8

Hooking and other Techniques for Hiding and Protection

Source: initial sample

Icon embedded in binary file: icon matches a legit application icon: download (91).png

Source: C:\Users\user\Desktop\AdobePDFViewer.exe	Code function: 0_2_004772DE IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_004772DE
Source: C:\Users\user\Desktop\AdobePDFViewer.exe	Code function: 0_2_004375B0 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_004375B0

Source: C:\Users\user\Desktop\AdobePDFViewer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Contains functionality to detect sleep reduction / modifications

Source: C:\Users\user\Desktop\AdobePDFViewer.exe

Code function: 0_2_00444078

0_2_00444078

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\AdobePDFViewer.exe	API/Special instruction interceptor: Address: 3FD327C
Source: C:\Windows\SysWOW64\svchost.exe	API/Special instruction interceptor: Address: 7FF90818D324
Source: C:\Windows\SysWOW64\svchost.exe	API/Special instruction interceptor: Address: 7FF908190774
Source: C:\Windows\SysWOW64\svchost.exe	API/Special instruction interceptor: Address: 7FF908190154
Source: C:\Windows\SysWOW64\svchost.exe	API/Special instruction interceptor: Address: 7FF90818D8A4
Source: C:\Windows\SysWOW64\svchost.exe	API/Special instruction interceptor: Address: 7FF90818DA44
Source: C:\Windows\SysWOW64\svchost.exe	API/Special instruction interceptor: Address: 7FF90818D1E4
Source: C:\Windows\SysWOW64\chkdsk.exe	API/Special instruction interceptor: Address: 7FF90818D324
Source: C:\Windows\SysWOW64\chkdsk.exe	API/Special instruction interceptor: Address: 7FF908190774
Source: C:\Windows\SysWOW64\chkdsk.exe	API/Special instruction interceptor: Address: 7FF90818D944
Source: C:\Windows\SysWOW64\chkdsk.exe	API/Special instruction interceptor: Address: 7FF90818D504
Source: C:\Windows\SysWOW64\chkdsk.exe	API/Special instruction interceptor: Address: 7FF90818D544
Source: C:\Windows\SysWOW64\chkdsk.exe	API/Special instruction interceptor: Address: 7FF90818D1E4
Source: C:\Windows\SysWOW64\chkdsk.exe	API/Special instruction interceptor: Address: 7FF908190154
Source: C:\Windows\SysWOW64\chkdsk.exe	API/Special instruction interceptor: Address: 7FF90818D8A4
Source: C:\Windows\SysWOW64\chkdsk.exe	API/Special instruction interceptor: Address: 7FF90818DA44

Tries to detect virtualization through RDTSC time measurements

Source: C:\Windows\SysWOW64\svchost.exe	RDTSC instruction interceptor: First address: 409904 second address: 40990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\svchost.exe	RDTSC instruction interceptor: First address: 409B7E second address: 409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\chkdsk.exe	RDTSC instruction interceptor: First address: 50F9904 second address: 50F990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\chkdsk.exe	RDTSC instruction interceptor: First address: 50F9B7E second address: 50F9B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_00409AB0 rdtsc

2_2_00409AB0

Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 1624	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 8318	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 881	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 870	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Window / User API: threadDelayed 794	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Window / User API: threadDelayed 9177	Jump to behavior

Source: C:\Users\user\Desktop\AdobePDFViewer.exe	API coverage: 3.5 %
Source: C:\Windows\SysWOW64\svchost.exe	API coverage: 2.1 %
Source: C:\Windows\SysWOW64\chkdsk.exe	API coverage: 2.2 %

Source: C:\Windows\explorer.exe TID: 7892	Thread sleep count: 1624 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7892	Thread sleep time: -3248000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7892	Thread sleep count: 8318 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7892	Thread sleep time: -16636000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe TID: 7860	Thread sleep count: 794 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe TID: 7860	Thread sleep time: -1588000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe TID: 7860	Thread sleep count: 9177 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe TID: 7860	Thread sleep time: -18354000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\chkdsk.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\chkdsk.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\AdobePDFViewer.exe	Code function: 0_2_00452126 FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00452126
Source: C:\Users\user\Desktop\AdobePDFViewer.exe	Code function: 0_2_0045C999 FindFirstFileW,FindNextFileW,FindClose,	0_2_0045C999
Source: C:\Users\user\Desktop\AdobePDFViewer.exe	Code function: 0_2_00436ADE GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00436ADE
Source: C:\Users\user\Desktop\AdobePDFViewer.exe	Code function: 0_2_00434BEE FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00434BEE
Source: C:\Users\user\Desktop\AdobePDFViewer.exe	Code function: 0_2_0045DD7C FindFirstFileW,FindClose,	0_2_0045DD7C
Source: C:\Users\user\Desktop\AdobePDFViewer.exe	Code function: 0_2_0044BD29 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose,	0_2_0044BD29
Source: C:\Users\user\Desktop\AdobePDFViewer.exe	Code function: 0_2_00436D2D FindFirstFileW,CreateFileW,SetFileTime,CloseHandle,SetFileTime,CloseHandle,	0_2_00436D2D
Source: C:\Users\user\Desktop\AdobePDFViewer.exe	Code function: 0_2_00442E1F SetCurrentDirectoryW,FindFirstFileW,SetCurrentDirectoryW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00442E1F
Source: C:\Users\user\Desktop\AdobePDFViewer.exe	Code function: 0_2_00475FE5 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00475FE5
Source: C:\Users\user\Desktop\AdobePDFViewer.exe	Code function: 0_2_0044BF8D _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0044BF8D

Source: C:\Users\user\Desktop\AdobePDFViewer.exe

Code function: 0_2_0040E470 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_0040E470

Source: explorer.exe, 00000003.00000003.2475318909.000000000888E000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: 2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}=
Source: explorer.exe, 00000003.00000003.2473546587.0000000008979000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00`
Source: explorer.exe, 00000003.00000003.2475318909.00000000087C0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NXTVMWare
Source: explorer.exe, 00000003.00000003.2475318909.0000000008796000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1427716514.0000000008796000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3854305033.0000000008796000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWe
Source: explorer.exe, 00000003.00000003.2474150130.00000000087C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2475318909.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3854305033.00000000087C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1427716514.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1427716514.00000000087C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3854305033.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2475318909.00000000087C0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000003.00000002.3845490851.0000000000A44000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000^F1O
Source: explorer.exe, 00000003.00000003.2475318909.00000000087C0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000d
Source: explorer.exe, 00000003.00000000.1427716514.00000000088E6000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: explorer.exe, 00000003.00000000.1427716514.00000000088E6000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}l
Source: explorer.exe, 00000003.00000002.3845490851.0000000000A44000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 00000003.00000000.1427716514.00000000088E6000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000003.00000002.3845490851.0000000000A44000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000003.00000000.1427716514.00000000088E6000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000

Source: C:\Windows\SysWOW64\svchost.exe

Process information queried: ProcessInformation

Source: C:\Windows\SysWOW64\svchost.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_00409AB0 rdtsc

2_2_00409AB0

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_0040ACF0 LdrLoadDll,

2_2_0040ACF0

Source: C:\Users\user\Desktop\AdobePDFViewer.exe

Code function: 0_2_0045A259 BlockInput,

0_2_0045A259

Source: C:\Users\user\Desktop\AdobePDFViewer.exe

Code function: 0_2_0040D6D0 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW,

0_2_0040D6D0

Source: C:\Users\user\Desktop\AdobePDFViewer.exe

Code function: 0_2_0040EB70 LoadLibraryA,GetProcAddress,

0_2_0040EB70

Source: C:\Users\user\Desktop\AdobePDFViewer.exe	Code function: 0_2_03FD3548 mov eax, dword ptr fs:[00000030h]	0_2_03FD3548
Source: C:\Users\user\Desktop\AdobePDFViewer.exe	Code function: 0_2_03FD34E8 mov eax, dword ptr fs:[00000030h]	0_2_03FD34E8
Source: C:\Users\user\Desktop\AdobePDFViewer.exe	Code function: 0_2_03FD1EB8 mov eax, dword ptr fs:[00000030h]	0_2_03FD1EB8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B035C mov eax, dword ptr fs:[00000030h]	2_2_035B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B035C mov eax, dword ptr fs:[00000030h]	2_2_035B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B035C mov eax, dword ptr fs:[00000030h]	2_2_035B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B035C mov ecx, dword ptr fs:[00000030h]	2_2_035B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B035C mov eax, dword ptr fs:[00000030h]	2_2_035B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B035C mov eax, dword ptr fs:[00000030h]	2_2_035B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035FA352 mov eax, dword ptr fs:[00000030h]	2_2_035FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035D8350 mov ecx, dword ptr fs:[00000030h]	2_2_035D8350
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B2349 mov eax, dword ptr fs:[00000030h]	2_2_035B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B2349 mov eax, dword ptr fs:[00000030h]	2_2_035B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B2349 mov eax, dword ptr fs:[00000030h]	2_2_035B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B2349 mov eax, dword ptr fs:[00000030h]	2_2_035B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B2349 mov eax, dword ptr fs:[00000030h]	2_2_035B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B2349 mov eax, dword ptr fs:[00000030h]	2_2_035B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B2349 mov eax, dword ptr fs:[00000030h]	2_2_035B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B2349 mov eax, dword ptr fs:[00000030h]	2_2_035B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B2349 mov eax, dword ptr fs:[00000030h]	2_2_035B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B2349 mov eax, dword ptr fs:[00000030h]	2_2_035B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B2349 mov eax, dword ptr fs:[00000030h]	2_2_035B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B2349 mov eax, dword ptr fs:[00000030h]	2_2_035B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B2349 mov eax, dword ptr fs:[00000030h]	2_2_035B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B2349 mov eax, dword ptr fs:[00000030h]	2_2_035B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B2349 mov eax, dword ptr fs:[00000030h]	2_2_035B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035D437C mov eax, dword ptr fs:[00000030h]	2_2_035D437C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0360634F mov eax, dword ptr fs:[00000030h]	2_2_0360634F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0352C310 mov ecx, dword ptr fs:[00000030h]	2_2_0352C310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03608324 mov eax, dword ptr fs:[00000030h]	2_2_03608324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03608324 mov ecx, dword ptr fs:[00000030h]	2_2_03608324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03608324 mov eax, dword ptr fs:[00000030h]	2_2_03608324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03608324 mov eax, dword ptr fs:[00000030h]	2_2_03608324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03550310 mov ecx, dword ptr fs:[00000030h]	2_2_03550310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356A30B mov eax, dword ptr fs:[00000030h]	2_2_0356A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356A30B mov eax, dword ptr fs:[00000030h]	2_2_0356A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356A30B mov eax, dword ptr fs:[00000030h]	2_2_0356A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035DE3DB mov eax, dword ptr fs:[00000030h]	2_2_035DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035DE3DB mov eax, dword ptr fs:[00000030h]	2_2_035DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035DE3DB mov ecx, dword ptr fs:[00000030h]	2_2_035DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035DE3DB mov eax, dword ptr fs:[00000030h]	2_2_035DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035D43D4 mov eax, dword ptr fs:[00000030h]	2_2_035D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035D43D4 mov eax, dword ptr fs:[00000030h]	2_2_035D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035EC3CD mov eax, dword ptr fs:[00000030h]	2_2_035EC3CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0353A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0353A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0353A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0353A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0353A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0353A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035383C0 mov eax, dword ptr fs:[00000030h]	2_2_035383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035383C0 mov eax, dword ptr fs:[00000030h]	2_2_035383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035383C0 mov eax, dword ptr fs:[00000030h]	2_2_035383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035383C0 mov eax, dword ptr fs:[00000030h]	2_2_035383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B63C0 mov eax, dword ptr fs:[00000030h]	2_2_035B63C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0354E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0354E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0354E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0354E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0354E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0354E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035663FF mov eax, dword ptr fs:[00000030h]	2_2_035663FF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035403E9 mov eax, dword ptr fs:[00000030h]	2_2_035403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035403E9 mov eax, dword ptr fs:[00000030h]	2_2_035403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035403E9 mov eax, dword ptr fs:[00000030h]	2_2_035403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035403E9 mov eax, dword ptr fs:[00000030h]	2_2_035403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035403E9 mov eax, dword ptr fs:[00000030h]	2_2_035403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035403E9 mov eax, dword ptr fs:[00000030h]	2_2_035403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035403E9 mov eax, dword ptr fs:[00000030h]	2_2_035403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035403E9 mov eax, dword ptr fs:[00000030h]	2_2_035403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03528397 mov eax, dword ptr fs:[00000030h]	2_2_03528397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03528397 mov eax, dword ptr fs:[00000030h]	2_2_03528397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03528397 mov eax, dword ptr fs:[00000030h]	2_2_03528397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0352E388 mov eax, dword ptr fs:[00000030h]	2_2_0352E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0352E388 mov eax, dword ptr fs:[00000030h]	2_2_0352E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0352E388 mov eax, dword ptr fs:[00000030h]	2_2_0352E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0355438F mov eax, dword ptr fs:[00000030h]	2_2_0355438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0355438F mov eax, dword ptr fs:[00000030h]	2_2_0355438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0352A250 mov eax, dword ptr fs:[00000030h]	2_2_0352A250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03536259 mov eax, dword ptr fs:[00000030h]	2_2_03536259
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035EA250 mov eax, dword ptr fs:[00000030h]	2_2_035EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035EA250 mov eax, dword ptr fs:[00000030h]	2_2_035EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B8243 mov eax, dword ptr fs:[00000030h]	2_2_035B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B8243 mov ecx, dword ptr fs:[00000030h]	2_2_035B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035E0274 mov eax, dword ptr fs:[00000030h]	2_2_035E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035E0274 mov eax, dword ptr fs:[00000030h]	2_2_035E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035E0274 mov eax, dword ptr fs:[00000030h]	2_2_035E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035E0274 mov eax, dword ptr fs:[00000030h]	2_2_035E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035E0274 mov eax, dword ptr fs:[00000030h]	2_2_035E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035E0274 mov eax, dword ptr fs:[00000030h]	2_2_035E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035E0274 mov eax, dword ptr fs:[00000030h]	2_2_035E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035E0274 mov eax, dword ptr fs:[00000030h]	2_2_035E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035E0274 mov eax, dword ptr fs:[00000030h]	2_2_035E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035E0274 mov eax, dword ptr fs:[00000030h]	2_2_035E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035E0274 mov eax, dword ptr fs:[00000030h]	2_2_035E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035E0274 mov eax, dword ptr fs:[00000030h]	2_2_035E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03534260 mov eax, dword ptr fs:[00000030h]	2_2_03534260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03534260 mov eax, dword ptr fs:[00000030h]	2_2_03534260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03534260 mov eax, dword ptr fs:[00000030h]	2_2_03534260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0352826B mov eax, dword ptr fs:[00000030h]	2_2_0352826B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0360625D mov eax, dword ptr fs:[00000030h]	2_2_0360625D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0352823B mov eax, dword ptr fs:[00000030h]	2_2_0352823B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0353A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0353A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0353A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0353A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0353A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035402E1 mov eax, dword ptr fs:[00000030h]	2_2_035402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035402E1 mov eax, dword ptr fs:[00000030h]	2_2_035402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035402E1 mov eax, dword ptr fs:[00000030h]	2_2_035402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036062D6 mov eax, dword ptr fs:[00000030h]	2_2_036062D6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356E284 mov eax, dword ptr fs:[00000030h]	2_2_0356E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356E284 mov eax, dword ptr fs:[00000030h]	2_2_0356E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B0283 mov eax, dword ptr fs:[00000030h]	2_2_035B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B0283 mov eax, dword ptr fs:[00000030h]	2_2_035B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B0283 mov eax, dword ptr fs:[00000030h]	2_2_035B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035402A0 mov eax, dword ptr fs:[00000030h]	2_2_035402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035402A0 mov eax, dword ptr fs:[00000030h]	2_2_035402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035C62A0 mov eax, dword ptr fs:[00000030h]	2_2_035C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035C62A0 mov ecx, dword ptr fs:[00000030h]	2_2_035C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035C62A0 mov eax, dword ptr fs:[00000030h]	2_2_035C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035C62A0 mov eax, dword ptr fs:[00000030h]	2_2_035C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035C62A0 mov eax, dword ptr fs:[00000030h]	2_2_035C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035C62A0 mov eax, dword ptr fs:[00000030h]	2_2_035C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0352C156 mov eax, dword ptr fs:[00000030h]	2_2_0352C156
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035C8158 mov eax, dword ptr fs:[00000030h]	2_2_035C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03604164 mov eax, dword ptr fs:[00000030h]	2_2_03604164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03604164 mov eax, dword ptr fs:[00000030h]	2_2_03604164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03536154 mov eax, dword ptr fs:[00000030h]	2_2_03536154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03536154 mov eax, dword ptr fs:[00000030h]	2_2_03536154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035C4144 mov eax, dword ptr fs:[00000030h]	2_2_035C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035C4144 mov eax, dword ptr fs:[00000030h]	2_2_035C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035C4144 mov ecx, dword ptr fs:[00000030h]	2_2_035C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035C4144 mov eax, dword ptr fs:[00000030h]	2_2_035C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035C4144 mov eax, dword ptr fs:[00000030h]	2_2_035C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035DA118 mov ecx, dword ptr fs:[00000030h]	2_2_035DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035DA118 mov eax, dword ptr fs:[00000030h]	2_2_035DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035DA118 mov eax, dword ptr fs:[00000030h]	2_2_035DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035DA118 mov eax, dword ptr fs:[00000030h]	2_2_035DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035F0115 mov eax, dword ptr fs:[00000030h]	2_2_035F0115
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035DE10E mov eax, dword ptr fs:[00000030h]	2_2_035DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035DE10E mov ecx, dword ptr fs:[00000030h]	2_2_035DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035DE10E mov eax, dword ptr fs:[00000030h]	2_2_035DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035DE10E mov eax, dword ptr fs:[00000030h]	2_2_035DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035DE10E mov ecx, dword ptr fs:[00000030h]	2_2_035DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035DE10E mov eax, dword ptr fs:[00000030h]	2_2_035DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035DE10E mov eax, dword ptr fs:[00000030h]	2_2_035DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035DE10E mov ecx, dword ptr fs:[00000030h]	2_2_035DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035DE10E mov eax, dword ptr fs:[00000030h]	2_2_035DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035DE10E mov ecx, dword ptr fs:[00000030h]	2_2_035DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03560124 mov eax, dword ptr fs:[00000030h]	2_2_03560124
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036061E5 mov eax, dword ptr fs:[00000030h]	2_2_036061E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_035AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_035AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035AE1D0 mov ecx, dword ptr fs:[00000030h]	2_2_035AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_035AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_035AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035F61C3 mov eax, dword ptr fs:[00000030h]	2_2_035F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035F61C3 mov eax, dword ptr fs:[00000030h]	2_2_035F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035601F8 mov eax, dword ptr fs:[00000030h]	2_2_035601F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B019F mov eax, dword ptr fs:[00000030h]	2_2_035B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B019F mov eax, dword ptr fs:[00000030h]	2_2_035B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B019F mov eax, dword ptr fs:[00000030h]	2_2_035B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B019F mov eax, dword ptr fs:[00000030h]	2_2_035B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0352A197 mov eax, dword ptr fs:[00000030h]	2_2_0352A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0352A197 mov eax, dword ptr fs:[00000030h]	2_2_0352A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0352A197 mov eax, dword ptr fs:[00000030h]	2_2_0352A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03570185 mov eax, dword ptr fs:[00000030h]	2_2_03570185
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035EC188 mov eax, dword ptr fs:[00000030h]	2_2_035EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035EC188 mov eax, dword ptr fs:[00000030h]	2_2_035EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035D4180 mov eax, dword ptr fs:[00000030h]	2_2_035D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035D4180 mov eax, dword ptr fs:[00000030h]	2_2_035D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03532050 mov eax, dword ptr fs:[00000030h]	2_2_03532050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B6050 mov eax, dword ptr fs:[00000030h]	2_2_035B6050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0355C073 mov eax, dword ptr fs:[00000030h]	2_2_0355C073
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0354E016 mov eax, dword ptr fs:[00000030h]	2_2_0354E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0354E016 mov eax, dword ptr fs:[00000030h]	2_2_0354E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0354E016 mov eax, dword ptr fs:[00000030h]	2_2_0354E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0354E016 mov eax, dword ptr fs:[00000030h]	2_2_0354E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B4000 mov ecx, dword ptr fs:[00000030h]	2_2_035B4000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035D2000 mov eax, dword ptr fs:[00000030h]	2_2_035D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035D2000 mov eax, dword ptr fs:[00000030h]	2_2_035D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035D2000 mov eax, dword ptr fs:[00000030h]	2_2_035D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035D2000 mov eax, dword ptr fs:[00000030h]	2_2_035D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035D2000 mov eax, dword ptr fs:[00000030h]	2_2_035D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035D2000 mov eax, dword ptr fs:[00000030h]	2_2_035D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035D2000 mov eax, dword ptr fs:[00000030h]	2_2_035D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035D2000 mov eax, dword ptr fs:[00000030h]	2_2_035D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035C6030 mov eax, dword ptr fs:[00000030h]	2_2_035C6030
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0352A020 mov eax, dword ptr fs:[00000030h]	2_2_0352A020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0352C020 mov eax, dword ptr fs:[00000030h]	2_2_0352C020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B20DE mov eax, dword ptr fs:[00000030h]	2_2_035B20DE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0352C0F0 mov eax, dword ptr fs:[00000030h]	2_2_0352C0F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035720F0 mov ecx, dword ptr fs:[00000030h]	2_2_035720F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0352A0E3 mov ecx, dword ptr fs:[00000030h]	2_2_0352A0E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035380E9 mov eax, dword ptr fs:[00000030h]	2_2_035380E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B60E0 mov eax, dword ptr fs:[00000030h]	2_2_035B60E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353208A mov eax, dword ptr fs:[00000030h]	2_2_0353208A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035F60B8 mov eax, dword ptr fs:[00000030h]	2_2_035F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035F60B8 mov ecx, dword ptr fs:[00000030h]	2_2_035F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035280A0 mov eax, dword ptr fs:[00000030h]	2_2_035280A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035C80A8 mov eax, dword ptr fs:[00000030h]	2_2_035C80A8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03530750 mov eax, dword ptr fs:[00000030h]	2_2_03530750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035BE75D mov eax, dword ptr fs:[00000030h]	2_2_035BE75D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572750 mov eax, dword ptr fs:[00000030h]	2_2_03572750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572750 mov eax, dword ptr fs:[00000030h]	2_2_03572750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B4755 mov eax, dword ptr fs:[00000030h]	2_2_035B4755
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356674D mov esi, dword ptr fs:[00000030h]	2_2_0356674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356674D mov eax, dword ptr fs:[00000030h]	2_2_0356674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356674D mov eax, dword ptr fs:[00000030h]	2_2_0356674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03538770 mov eax, dword ptr fs:[00000030h]	2_2_03538770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03540770 mov eax, dword ptr fs:[00000030h]	2_2_03540770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03540770 mov eax, dword ptr fs:[00000030h]	2_2_03540770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03540770 mov eax, dword ptr fs:[00000030h]	2_2_03540770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03540770 mov eax, dword ptr fs:[00000030h]	2_2_03540770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03540770 mov eax, dword ptr fs:[00000030h]	2_2_03540770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03540770 mov eax, dword ptr fs:[00000030h]	2_2_03540770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03540770 mov eax, dword ptr fs:[00000030h]	2_2_03540770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03540770 mov eax, dword ptr fs:[00000030h]	2_2_03540770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03540770 mov eax, dword ptr fs:[00000030h]	2_2_03540770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03540770 mov eax, dword ptr fs:[00000030h]	2_2_03540770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03540770 mov eax, dword ptr fs:[00000030h]	2_2_03540770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03540770 mov eax, dword ptr fs:[00000030h]	2_2_03540770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03530710 mov eax, dword ptr fs:[00000030h]	2_2_03530710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03560710 mov eax, dword ptr fs:[00000030h]	2_2_03560710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356C700 mov eax, dword ptr fs:[00000030h]	2_2_0356C700
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356273C mov eax, dword ptr fs:[00000030h]	2_2_0356273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356273C mov ecx, dword ptr fs:[00000030h]	2_2_0356273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356273C mov eax, dword ptr fs:[00000030h]	2_2_0356273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035AC730 mov eax, dword ptr fs:[00000030h]	2_2_035AC730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356C720 mov eax, dword ptr fs:[00000030h]	2_2_0356C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356C720 mov eax, dword ptr fs:[00000030h]	2_2_0356C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353C7C0 mov eax, dword ptr fs:[00000030h]	2_2_0353C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B07C3 mov eax, dword ptr fs:[00000030h]	2_2_035B07C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035347FB mov eax, dword ptr fs:[00000030h]	2_2_035347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035347FB mov eax, dword ptr fs:[00000030h]	2_2_035347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035527ED mov eax, dword ptr fs:[00000030h]	2_2_035527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035527ED mov eax, dword ptr fs:[00000030h]	2_2_035527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035527ED mov eax, dword ptr fs:[00000030h]	2_2_035527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035BE7E1 mov eax, dword ptr fs:[00000030h]	2_2_035BE7E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035D678E mov eax, dword ptr fs:[00000030h]	2_2_035D678E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035307AF mov eax, dword ptr fs:[00000030h]	2_2_035307AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035E47A0 mov eax, dword ptr fs:[00000030h]	2_2_035E47A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0354C640 mov eax, dword ptr fs:[00000030h]	2_2_0354C640
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03562674 mov eax, dword ptr fs:[00000030h]	2_2_03562674
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035F866E mov eax, dword ptr fs:[00000030h]	2_2_035F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035F866E mov eax, dword ptr fs:[00000030h]	2_2_035F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356A660 mov eax, dword ptr fs:[00000030h]	2_2_0356A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356A660 mov eax, dword ptr fs:[00000030h]	2_2_0356A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572619 mov eax, dword ptr fs:[00000030h]	2_2_03572619
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035AE609 mov eax, dword ptr fs:[00000030h]	2_2_035AE609
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0354260B mov eax, dword ptr fs:[00000030h]	2_2_0354260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0354260B mov eax, dword ptr fs:[00000030h]	2_2_0354260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0354260B mov eax, dword ptr fs:[00000030h]	2_2_0354260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0354260B mov eax, dword ptr fs:[00000030h]	2_2_0354260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0354260B mov eax, dword ptr fs:[00000030h]	2_2_0354260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0354260B mov eax, dword ptr fs:[00000030h]	2_2_0354260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0354260B mov eax, dword ptr fs:[00000030h]	2_2_0354260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0354E627 mov eax, dword ptr fs:[00000030h]	2_2_0354E627
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03566620 mov eax, dword ptr fs:[00000030h]	2_2_03566620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03568620 mov eax, dword ptr fs:[00000030h]	2_2_03568620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353262C mov eax, dword ptr fs:[00000030h]	2_2_0353262C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356A6C7 mov ebx, dword ptr fs:[00000030h]	2_2_0356A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356A6C7 mov eax, dword ptr fs:[00000030h]	2_2_0356A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_035AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_035AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_035AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_035AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B06F1 mov eax, dword ptr fs:[00000030h]	2_2_035B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B06F1 mov eax, dword ptr fs:[00000030h]	2_2_035B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03534690 mov eax, dword ptr fs:[00000030h]	2_2_03534690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03534690 mov eax, dword ptr fs:[00000030h]	2_2_03534690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035666B0 mov eax, dword ptr fs:[00000030h]	2_2_035666B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356C6A6 mov eax, dword ptr fs:[00000030h]	2_2_0356C6A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03538550 mov eax, dword ptr fs:[00000030h]	2_2_03538550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03538550 mov eax, dword ptr fs:[00000030h]	2_2_03538550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356656A mov eax, dword ptr fs:[00000030h]	2_2_0356656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356656A mov eax, dword ptr fs:[00000030h]	2_2_0356656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356656A mov eax, dword ptr fs:[00000030h]	2_2_0356656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035C6500 mov eax, dword ptr fs:[00000030h]	2_2_035C6500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03604500 mov eax, dword ptr fs:[00000030h]	2_2_03604500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03604500 mov eax, dword ptr fs:[00000030h]	2_2_03604500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03604500 mov eax, dword ptr fs:[00000030h]	2_2_03604500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03604500 mov eax, dword ptr fs:[00000030h]	2_2_03604500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03604500 mov eax, dword ptr fs:[00000030h]	2_2_03604500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03604500 mov eax, dword ptr fs:[00000030h]	2_2_03604500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03604500 mov eax, dword ptr fs:[00000030h]	2_2_03604500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03540535 mov eax, dword ptr fs:[00000030h]	2_2_03540535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03540535 mov eax, dword ptr fs:[00000030h]	2_2_03540535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03540535 mov eax, dword ptr fs:[00000030h]	2_2_03540535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03540535 mov eax, dword ptr fs:[00000030h]	2_2_03540535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03540535 mov eax, dword ptr fs:[00000030h]	2_2_03540535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03540535 mov eax, dword ptr fs:[00000030h]	2_2_03540535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0355E53E mov eax, dword ptr fs:[00000030h]	2_2_0355E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0355E53E mov eax, dword ptr fs:[00000030h]	2_2_0355E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0355E53E mov eax, dword ptr fs:[00000030h]	2_2_0355E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0355E53E mov eax, dword ptr fs:[00000030h]	2_2_0355E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0355E53E mov eax, dword ptr fs:[00000030h]	2_2_0355E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035365D0 mov eax, dword ptr fs:[00000030h]	2_2_035365D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356A5D0 mov eax, dword ptr fs:[00000030h]	2_2_0356A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356A5D0 mov eax, dword ptr fs:[00000030h]	2_2_0356A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356E5CF mov eax, dword ptr fs:[00000030h]	2_2_0356E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356E5CF mov eax, dword ptr fs:[00000030h]	2_2_0356E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0355E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0355E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0355E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0355E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0355E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0355E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0355E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0355E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0355E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0355E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0355E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0355E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0355E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0355E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0355E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0355E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035325E0 mov eax, dword ptr fs:[00000030h]	2_2_035325E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356C5ED mov eax, dword ptr fs:[00000030h]	2_2_0356C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356C5ED mov eax, dword ptr fs:[00000030h]	2_2_0356C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356E59C mov eax, dword ptr fs:[00000030h]	2_2_0356E59C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03532582 mov eax, dword ptr fs:[00000030h]	2_2_03532582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03532582 mov ecx, dword ptr fs:[00000030h]	2_2_03532582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03564588 mov eax, dword ptr fs:[00000030h]	2_2_03564588
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035545B1 mov eax, dword ptr fs:[00000030h]	2_2_035545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035545B1 mov eax, dword ptr fs:[00000030h]	2_2_035545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B05A7 mov eax, dword ptr fs:[00000030h]	2_2_035B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B05A7 mov eax, dword ptr fs:[00000030h]	2_2_035B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B05A7 mov eax, dword ptr fs:[00000030h]	2_2_035B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035EA456 mov eax, dword ptr fs:[00000030h]	2_2_035EA456
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0352645D mov eax, dword ptr fs:[00000030h]	2_2_0352645D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0355245A mov eax, dword ptr fs:[00000030h]	2_2_0355245A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356E443 mov eax, dword ptr fs:[00000030h]	2_2_0356E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356E443 mov eax, dword ptr fs:[00000030h]	2_2_0356E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356E443 mov eax, dword ptr fs:[00000030h]	2_2_0356E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356E443 mov eax, dword ptr fs:[00000030h]	2_2_0356E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356E443 mov eax, dword ptr fs:[00000030h]	2_2_0356E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356E443 mov eax, dword ptr fs:[00000030h]	2_2_0356E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356E443 mov eax, dword ptr fs:[00000030h]	2_2_0356E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356E443 mov eax, dword ptr fs:[00000030h]	2_2_0356E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0355A470 mov eax, dword ptr fs:[00000030h]	2_2_0355A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0355A470 mov eax, dword ptr fs:[00000030h]	2_2_0355A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0355A470 mov eax, dword ptr fs:[00000030h]	2_2_0355A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035BC460 mov ecx, dword ptr fs:[00000030h]	2_2_035BC460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03568402 mov eax, dword ptr fs:[00000030h]	2_2_03568402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03568402 mov eax, dword ptr fs:[00000030h]	2_2_03568402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03568402 mov eax, dword ptr fs:[00000030h]	2_2_03568402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356A430 mov eax, dword ptr fs:[00000030h]	2_2_0356A430
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0352E420 mov eax, dword ptr fs:[00000030h]	2_2_0352E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0352E420 mov eax, dword ptr fs:[00000030h]	2_2_0352E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0352E420 mov eax, dword ptr fs:[00000030h]	2_2_0352E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0352C427 mov eax, dword ptr fs:[00000030h]	2_2_0352C427
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B6420 mov eax, dword ptr fs:[00000030h]	2_2_035B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B6420 mov eax, dword ptr fs:[00000030h]	2_2_035B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B6420 mov eax, dword ptr fs:[00000030h]	2_2_035B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B6420 mov eax, dword ptr fs:[00000030h]	2_2_035B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B6420 mov eax, dword ptr fs:[00000030h]	2_2_035B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B6420 mov eax, dword ptr fs:[00000030h]	2_2_035B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B6420 mov eax, dword ptr fs:[00000030h]	2_2_035B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035304E5 mov ecx, dword ptr fs:[00000030h]	2_2_035304E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035EA49A mov eax, dword ptr fs:[00000030h]	2_2_035EA49A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035644B0 mov ecx, dword ptr fs:[00000030h]	2_2_035644B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035BA4B0 mov eax, dword ptr fs:[00000030h]	2_2_035BA4B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035364AB mov eax, dword ptr fs:[00000030h]	2_2_035364AB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03528B50 mov eax, dword ptr fs:[00000030h]	2_2_03528B50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035DEB50 mov eax, dword ptr fs:[00000030h]	2_2_035DEB50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035E4B4B mov eax, dword ptr fs:[00000030h]	2_2_035E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035E4B4B mov eax, dword ptr fs:[00000030h]	2_2_035E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035C6B40 mov eax, dword ptr fs:[00000030h]	2_2_035C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035C6B40 mov eax, dword ptr fs:[00000030h]	2_2_035C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035FAB40 mov eax, dword ptr fs:[00000030h]	2_2_035FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035D8B42 mov eax, dword ptr fs:[00000030h]	2_2_035D8B42
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0352CB7E mov eax, dword ptr fs:[00000030h]	2_2_0352CB7E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03602B57 mov eax, dword ptr fs:[00000030h]	2_2_03602B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03602B57 mov eax, dword ptr fs:[00000030h]	2_2_03602B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03602B57 mov eax, dword ptr fs:[00000030h]	2_2_03602B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03602B57 mov eax, dword ptr fs:[00000030h]	2_2_03602B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035AEB1D mov eax, dword ptr fs:[00000030h]	2_2_035AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035AEB1D mov eax, dword ptr fs:[00000030h]	2_2_035AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035AEB1D mov eax, dword ptr fs:[00000030h]	2_2_035AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035AEB1D mov eax, dword ptr fs:[00000030h]	2_2_035AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035AEB1D mov eax, dword ptr fs:[00000030h]	2_2_035AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035AEB1D mov eax, dword ptr fs:[00000030h]	2_2_035AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035AEB1D mov eax, dword ptr fs:[00000030h]	2_2_035AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035AEB1D mov eax, dword ptr fs:[00000030h]	2_2_035AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035AEB1D mov eax, dword ptr fs:[00000030h]	2_2_035AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03604B00 mov eax, dword ptr fs:[00000030h]	2_2_03604B00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0355EB20 mov eax, dword ptr fs:[00000030h]	2_2_0355EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0355EB20 mov eax, dword ptr fs:[00000030h]	2_2_0355EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035F8B28 mov eax, dword ptr fs:[00000030h]	2_2_035F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035F8B28 mov eax, dword ptr fs:[00000030h]	2_2_035F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035DEBD0 mov eax, dword ptr fs:[00000030h]	2_2_035DEBD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03550BCB mov eax, dword ptr fs:[00000030h]	2_2_03550BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03550BCB mov eax, dword ptr fs:[00000030h]	2_2_03550BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03550BCB mov eax, dword ptr fs:[00000030h]	2_2_03550BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03530BCD mov eax, dword ptr fs:[00000030h]	2_2_03530BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03530BCD mov eax, dword ptr fs:[00000030h]	2_2_03530BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03530BCD mov eax, dword ptr fs:[00000030h]	2_2_03530BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03538BF0 mov eax, dword ptr fs:[00000030h]	2_2_03538BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03538BF0 mov eax, dword ptr fs:[00000030h]	2_2_03538BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03538BF0 mov eax, dword ptr fs:[00000030h]	2_2_03538BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0355EBFC mov eax, dword ptr fs:[00000030h]	2_2_0355EBFC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035BCBF0 mov eax, dword ptr fs:[00000030h]	2_2_035BCBF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03540BBE mov eax, dword ptr fs:[00000030h]	2_2_03540BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03540BBE mov eax, dword ptr fs:[00000030h]	2_2_03540BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035E4BB0 mov eax, dword ptr fs:[00000030h]	2_2_035E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035E4BB0 mov eax, dword ptr fs:[00000030h]	2_2_035E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03536A50 mov eax, dword ptr fs:[00000030h]	2_2_03536A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03536A50 mov eax, dword ptr fs:[00000030h]	2_2_03536A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03536A50 mov eax, dword ptr fs:[00000030h]	2_2_03536A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03536A50 mov eax, dword ptr fs:[00000030h]	2_2_03536A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03536A50 mov eax, dword ptr fs:[00000030h]	2_2_03536A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03536A50 mov eax, dword ptr fs:[00000030h]	2_2_03536A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03536A50 mov eax, dword ptr fs:[00000030h]	2_2_03536A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03540A5B mov eax, dword ptr fs:[00000030h]	2_2_03540A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03540A5B mov eax, dword ptr fs:[00000030h]	2_2_03540A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035ACA72 mov eax, dword ptr fs:[00000030h]	2_2_035ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035ACA72 mov eax, dword ptr fs:[00000030h]	2_2_035ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356CA6F mov eax, dword ptr fs:[00000030h]	2_2_0356CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356CA6F mov eax, dword ptr fs:[00000030h]	2_2_0356CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356CA6F mov eax, dword ptr fs:[00000030h]	2_2_0356CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035DEA60 mov eax, dword ptr fs:[00000030h]	2_2_035DEA60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035BCA11 mov eax, dword ptr fs:[00000030h]	2_2_035BCA11
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03554A35 mov eax, dword ptr fs:[00000030h]	2_2_03554A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03554A35 mov eax, dword ptr fs:[00000030h]	2_2_03554A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356CA38 mov eax, dword ptr fs:[00000030h]	2_2_0356CA38
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356CA24 mov eax, dword ptr fs:[00000030h]	2_2_0356CA24
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0355EA2E mov eax, dword ptr fs:[00000030h]	2_2_0355EA2E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03530AD0 mov eax, dword ptr fs:[00000030h]	2_2_03530AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03564AD0 mov eax, dword ptr fs:[00000030h]	2_2_03564AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03564AD0 mov eax, dword ptr fs:[00000030h]	2_2_03564AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03586ACC mov eax, dword ptr fs:[00000030h]	2_2_03586ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03586ACC mov eax, dword ptr fs:[00000030h]	2_2_03586ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03586ACC mov eax, dword ptr fs:[00000030h]	2_2_03586ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356AAEE mov eax, dword ptr fs:[00000030h]	2_2_0356AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356AAEE mov eax, dword ptr fs:[00000030h]	2_2_0356AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03568A90 mov edx, dword ptr fs:[00000030h]	2_2_03568A90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353EA80 mov eax, dword ptr fs:[00000030h]	2_2_0353EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353EA80 mov eax, dword ptr fs:[00000030h]	2_2_0353EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353EA80 mov eax, dword ptr fs:[00000030h]	2_2_0353EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353EA80 mov eax, dword ptr fs:[00000030h]	2_2_0353EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353EA80 mov eax, dword ptr fs:[00000030h]	2_2_0353EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353EA80 mov eax, dword ptr fs:[00000030h]	2_2_0353EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353EA80 mov eax, dword ptr fs:[00000030h]	2_2_0353EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353EA80 mov eax, dword ptr fs:[00000030h]	2_2_0353EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353EA80 mov eax, dword ptr fs:[00000030h]	2_2_0353EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03604A80 mov eax, dword ptr fs:[00000030h]	2_2_03604A80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03538AA0 mov eax, dword ptr fs:[00000030h]	2_2_03538AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03538AA0 mov eax, dword ptr fs:[00000030h]	2_2_03538AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03586AA4 mov eax, dword ptr fs:[00000030h]	2_2_03586AA4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B0946 mov eax, dword ptr fs:[00000030h]	2_2_035B0946
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03604940 mov eax, dword ptr fs:[00000030h]	2_2_03604940
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035D4978 mov eax, dword ptr fs:[00000030h]	2_2_035D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035D4978 mov eax, dword ptr fs:[00000030h]	2_2_035D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035BC97C mov eax, dword ptr fs:[00000030h]	2_2_035BC97C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03556962 mov eax, dword ptr fs:[00000030h]	2_2_03556962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03556962 mov eax, dword ptr fs:[00000030h]	2_2_03556962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03556962 mov eax, dword ptr fs:[00000030h]	2_2_03556962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0357096E mov eax, dword ptr fs:[00000030h]	2_2_0357096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0357096E mov edx, dword ptr fs:[00000030h]	2_2_0357096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0357096E mov eax, dword ptr fs:[00000030h]	2_2_0357096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035BC912 mov eax, dword ptr fs:[00000030h]	2_2_035BC912
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03528918 mov eax, dword ptr fs:[00000030h]	2_2_03528918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03528918 mov eax, dword ptr fs:[00000030h]	2_2_03528918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035AE908 mov eax, dword ptr fs:[00000030h]	2_2_035AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035AE908 mov eax, dword ptr fs:[00000030h]	2_2_035AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B892A mov eax, dword ptr fs:[00000030h]	2_2_035B892A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035C892B mov eax, dword ptr fs:[00000030h]	2_2_035C892B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0353A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0353A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0353A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0353A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0353A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0353A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035649D0 mov eax, dword ptr fs:[00000030h]	2_2_035649D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035FA9D3 mov eax, dword ptr fs:[00000030h]	2_2_035FA9D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035C69C0 mov eax, dword ptr fs:[00000030h]	2_2_035C69C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035629F9 mov eax, dword ptr fs:[00000030h]	2_2_035629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035629F9 mov eax, dword ptr fs:[00000030h]	2_2_035629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035BE9E0 mov eax, dword ptr fs:[00000030h]	2_2_035BE9E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B89B3 mov esi, dword ptr fs:[00000030h]	2_2_035B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B89B3 mov eax, dword ptr fs:[00000030h]	2_2_035B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B89B3 mov eax, dword ptr fs:[00000030h]	2_2_035B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035429A0 mov eax, dword ptr fs:[00000030h]	2_2_035429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035429A0 mov eax, dword ptr fs:[00000030h]	2_2_035429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035429A0 mov eax, dword ptr fs:[00000030h]	2_2_035429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035429A0 mov eax, dword ptr fs:[00000030h]	2_2_035429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035429A0 mov eax, dword ptr fs:[00000030h]	2_2_035429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035429A0 mov eax, dword ptr fs:[00000030h]	2_2_035429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035429A0 mov eax, dword ptr fs:[00000030h]	2_2_035429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035429A0 mov eax, dword ptr fs:[00000030h]	2_2_035429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035429A0 mov eax, dword ptr fs:[00000030h]	2_2_035429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035429A0 mov eax, dword ptr fs:[00000030h]	2_2_035429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035429A0 mov eax, dword ptr fs:[00000030h]	2_2_035429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035429A0 mov eax, dword ptr fs:[00000030h]	2_2_035429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035429A0 mov eax, dword ptr fs:[00000030h]	2_2_035429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035309AD mov eax, dword ptr fs:[00000030h]	2_2_035309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035309AD mov eax, dword ptr fs:[00000030h]	2_2_035309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03560854 mov eax, dword ptr fs:[00000030h]	2_2_03560854
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03534859 mov eax, dword ptr fs:[00000030h]	2_2_03534859
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03534859 mov eax, dword ptr fs:[00000030h]	2_2_03534859
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03542840 mov ecx, dword ptr fs:[00000030h]	2_2_03542840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035BE872 mov eax, dword ptr fs:[00000030h]	2_2_035BE872
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035BE872 mov eax, dword ptr fs:[00000030h]	2_2_035BE872
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035C6870 mov eax, dword ptr fs:[00000030h]	2_2_035C6870
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035C6870 mov eax, dword ptr fs:[00000030h]	2_2_035C6870
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035BC810 mov eax, dword ptr fs:[00000030h]	2_2_035BC810
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03552835 mov eax, dword ptr fs:[00000030h]	2_2_03552835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03552835 mov eax, dword ptr fs:[00000030h]	2_2_03552835

Source: C:\Users\user\Desktop\AdobePDFViewer.exe

Code function: 0_2_00426DA1 CreateFileW,__lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock,

0_2_00426DA1

Source: C:\Windows\SysWOW64\svchost.exe

Process token adjusted: Debug

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\AdobePDFViewer.exe	Code function: 0_2_0042202E SetUnhandledExceptionFilter,	0_2_0042202E
Source: C:\Users\user\Desktop\AdobePDFViewer.exe	Code function: 0_2_004230F5 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_004230F5
Source: C:\Users\user\Desktop\AdobePDFViewer.exe	Code function: 0_2_00417D93 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00417D93
Source: C:\Users\user\Desktop\AdobePDFViewer.exe	Code function: 0_2_00421FA7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00421FA7

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\AdobePDFViewer.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\SysWOW64\chkdsk.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\SysWOW64\chkdsk.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\svchost.exe	Thread register set: target process: 3504	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread register set: target process: 3504	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Thread register set: target process: 3504	Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\svchost.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Sample uses process hollowing technique

Source: C:\Windows\SysWOW64\svchost.exe

Section unmapped: C:\Windows\SysWOW64\chkdsk.exe base address: D90000

Writes to foreign memory regions

Source: C:\Users\user\Desktop\AdobePDFViewer.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: 2BAA008

Source: C:\Users\user\Desktop\AdobePDFViewer.exe

Code function: 0_2_0043916A LogonUserW,

0_2_0043916A

Source: C:\Users\user\Desktop\AdobePDFViewer.exe

0_2_0040D6D0

Source: C:\Users\user\Desktop\AdobePDFViewer.exe

Code function: 0_2_004375B0 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_004375B0

Source: C:\Users\user\Desktop\AdobePDFViewer.exe

Code function: 0_2_00436431 __wcsicoll,mouse_event,__wcsicoll,mouse_event,

0_2_00436431

Source: C:\Users\user\Desktop\AdobePDFViewer.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\AdobePDFViewer.exe"			Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\svchost.exe"			Jump to behavior

Source: C:\Users\user\Desktop\AdobePDFViewer.exe

Code function: 0_2_00445DD3 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_00445DD3

Source: explorer.exe, 00000003.00000002.3846107212.0000000001071000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.1421700807.0000000001071000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program Manager
Source: AdobePDFViewer.exe, explorer.exe, 00000003.00000003.2474150130.00000000087C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3846107212.0000000001071000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.1423577736.0000000004480000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000003.00000002.3846107212.0000000001071000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.1421700807.0000000001071000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: AdobePDFViewer.exe	Binary or memory string: @3PDASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript Pausedblankinfoquestionstopwarning
Source: explorer.exe, 00000003.00000002.3846107212.0000000001071000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.1421700807.0000000001071000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000003.00000000.1421211275.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3845490851.0000000000A44000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Progmanq

Source: C:\Users\user\Desktop\AdobePDFViewer.exe

Code function: 0_2_00410D10 cpuid

0_2_00410D10

Source: C:\Users\user\Desktop\AdobePDFViewer.exe

Code function: 0_2_004223BC GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

0_2_004223BC

Source: C:\Users\user\Desktop\AdobePDFViewer.exe

Code function: 0_2_004711D2 GetUserNameW,

0_2_004711D2

Source: C:\Users\user\Desktop\AdobePDFViewer.exe

Code function: 0_2_0042039F __invoke_watson,__get_daylight,__invoke_watson,__get_daylight,__invoke_watson,____lc_codepage_func,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,__invoke_watson,__invoke_watson,

0_2_0042039F

Source: C:\Users\user\Desktop\AdobePDFViewer.exe

Code function: 0_2_0040E470 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_0040E470

Stealing of Sensitive Information

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.AdobePDFViewer.exe.2f60000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.AdobePDFViewer.exe.2f60000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.3845717591.0000000005510000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1541468746.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1541829256.0000000003370000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3845229047.00000000050F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1541865907.00000000033A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3845654321.00000000054E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1417894838.0000000002F60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Source: AdobePDFViewer.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPWIN_2000InstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 6, 0USERPROFILEUSERDOMAINUSERDNSDOMAINDefaultGetSystemWow64DirectoryWSeDebugPrivilege:cdeclwinapistdcallnonestrwstrintbooluintlongulongdwordshortushortwordbyteubytebooleanfloatdoubleptrhwndhandlelresultlparamwparamint64uint64int_ptruint_ptrlong_ptrulong_ptrdword_ptridispatch64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYadvapi32.dllRegDeleteKeyExW+.-.+-\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs]ISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXISTSEXPANDmsctls_statusbar321tooltips_class32AutoIt v3 GUI%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----
Source: AdobePDFViewer.exe	Binary or memory string: WIN_XP
Source: AdobePDFViewer.exe	Binary or memory string: WIN_XPe
Source: AdobePDFViewer.exe	Binary or memory string: WIN_VISTA
Source: AdobePDFViewer.exe	Binary or memory string: WIN_7

Remote Access Functionality

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.AdobePDFViewer.exe.2f60000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.AdobePDFViewer.exe.2f60000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.3845717591.0000000005510000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1541468746.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1541829256.0000000003370000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3845229047.00000000050F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1541865907.00000000033A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3845654321.00000000054E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1417894838.0000000002F60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\AdobePDFViewer.exe	Code function: 0_2_004741BB socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	0_2_004741BB
Source: C:\Users\user\Desktop\AdobePDFViewer.exe	Code function: 0_2_0046483C socket,WSAGetLastError,bind,WSAGetLastError,listen,WSAGetLastError,closesocket,	0_2_0046483C
Source: C:\Users\user\Desktop\AdobePDFViewer.exe	Code function: 0_2_0047AD92 OleInitialize,_wcslen,CreateBindCtx,MkParseDisplayName,CLSIDFromProgID,GetActiveObject,	0_2_0047AD92

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Shared Modules	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	2 Valid Accounts	3 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	215 System Information Discovery	Distributed Component Object Model	Input Capture	11 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	512 Process Injection	1 Masquerading	LSA Secrets	341 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Valid Accounts	Cached Domain Credentials	2 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Virtualization/Sandbox Evasion	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	512 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
AdobePDFViewer.exe	58%	ReversingLabs	Win32.Backdoor.FormBook

Source	Detection	Scanner	Label
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV	0%	URL Reputation	safe
https://api.msn.com:443/v1/news/Feed/Windows?	0%	URL Reputation	safe
https://excel.office.com	0%	URL Reputation	safe
https://word.office.com	0%	URL Reputation	safe
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings	0%	URL Reputation	safe
https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew	0%	URL Reputation	safe
https://outlook.com	0%	URL Reputation	safe
https://android.notify.windows.com/iOS	0%	URL Reputation	safe
http://schemas.micro	0%	URL Reputation	safe
https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
www.aresrasherregard.cfd	unknown	unknown	true	unknown
www.alembottling.net	unknown	unknown	true	unknown
www.uqhi42.xyz	unknown	unknown	true	unknown
www.ovt-jobs-lisitings00810.today	unknown	unknown	true	unknown
www.lywjv-issue.xyz	unknown	unknown	true	unknown
www.kimosskrupulslacker.cfd	unknown	unknown	true	unknown
www.vtyo-phone.xyz	unknown	unknown	true	unknown
www.rostnixon.net	unknown	unknown	true	unknown
www.plqz-move.xyz	unknown	unknown	true	unknown
www.specially-smou.xyz	unknown	unknown	true	unknown
www.nit-dreeu.xyz	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
www.kimosskrupulslacker.cfd/f29s/	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.kimosskrupulslacker.cfd	explorer.exe, 00000003.00000003.2471241758.000000000C291000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290628021.000000000C285000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3859766500.000000000C28E000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.lywjv-issue.xyzReferer:	explorer.exe, 00000003.00000003.2471241758.000000000C291000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290628021.000000000C285000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3859766500.000000000C28E000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.rostnixon.netReferer:	explorer.exe, 00000003.00000003.2471241758.000000000C291000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290628021.000000000C285000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3859766500.000000000C28E000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.ccloudserve.xyz	explorer.exe, 00000003.00000003.2471241758.000000000C291000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290628021.000000000C285000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3859766500.000000000C28E000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV	explorer.exe, 00000003.00000003.2473820002.0000000007065000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://wns.windows.com/bat	explorer.exe, 00000003.00000002.3855106750.000000000899E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2473546587.000000000899E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1427716514.000000000899E000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.stacker.com/arizona/phoenix	explorer.exe, 00000003.00000003.2291743583.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3082688545.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1423844898.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3851084445.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2473820002.0000000007065000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.specially-smou.xyz	explorer.exe, 00000003.00000003.2471241758.000000000C291000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290628021.000000000C285000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3859766500.000000000C28E000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://api.msn.com:443/v1/news/Feed/Windows?	explorer.exe, 00000003.00000003.2291743583.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3082688545.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2474921902.0000000002F10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1422582646.0000000002F10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1423844898.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3851084445.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2473820002.0000000007065000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.starsinsider.com/n/154870?utm_source=msn.com&utm_medium=display&utm_campaign=referral_de	explorer.exe, 00000003.00000003.2291743583.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3082688545.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1423844898.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3851084445.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2473820002.0000000007065000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://excel.office.com	explorer.exe, 00000003.00000002.3858527399.000000000BDEA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1432619537.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2472878488.000000000BDEA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290736750.000000000BDE7000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.duxrib.xyzReferer:	explorer.exe, 00000003.00000003.2471241758.000000000C291000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290628021.000000000C285000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3859766500.000000000C28E000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.msn.com/en-us/news/crime/bar-fight-leaves-man-in-critical-condition-suspect-arrested-in-	explorer.exe, 00000003.00000003.2291743583.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3082688545.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1423844898.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3851084445.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2473820002.0000000007065000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.awqs-wonder.xyzReferer:	explorer.exe, 00000003.00000003.2471241758.000000000C291000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290628021.000000000C285000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3859766500.000000000C28E000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp(	explorer.exe, 00000003.00000000.1432619537.000000000BD22000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.msn.com/en-us/news/politics/how-donald-trump-helped-kari-lake-become-arizona-s-and-ameri	explorer.exe, 00000003.00000003.2291743583.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3082688545.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1423844898.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3851084445.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2473820002.0000000007065000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.uqhi42.xyz/f29s/www.kimosskrupulslacker.cfd	explorer.exe, 00000003.00000003.2471241758.000000000C291000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290628021.000000000C285000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3859766500.000000000C28E000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.ccloudserve.xyz/f29s/	explorer.exe, 00000003.00000003.2471241758.000000000C291000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290628021.000000000C285000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3859766500.000000000C28E000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.nit-dreeu.xyz/f29s/www.ise-bjnh.xyz	explorer.exe, 00000003.00000003.2471241758.000000000C291000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290628021.000000000C285000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3859766500.000000000C28E000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.kimosskrupulslacker.cfd/f29s/www.duxrib.xyz	explorer.exe, 00000003.00000003.2471241758.000000000C291000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290628021.000000000C285000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3859766500.000000000C28E000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.uqhi42.xyzReferer:	explorer.exe, 00000003.00000003.2471241758.000000000C291000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290628021.000000000C285000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3859766500.000000000C28E000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.awqs-wonder.xyz/f29s/	explorer.exe, 00000003.00000003.2471241758.000000000C291000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290628021.000000000C285000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3859766500.000000000C28E000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://android.notify.windows.com/iOSp	explorer.exe, 00000003.00000000.1432619537.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://upload.wikimedia.org/wikipedia/commons/thumb/8/84/Zealandia-Continent_map_en.svg/1870px-Zeal	explorer.exe, 00000003.00000003.2291743583.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3082688545.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1423844898.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3851084445.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2473820002.0000000007065000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://api.msn.com/v1/news/Feed/Windows?activityId=A1668CA4549A443399161CE8D2237D12&timeOut=5000&oc	explorer.exe, 00000003.00000003.2291743583.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3082688545.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1423844898.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3851084445.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2473820002.0000000007065000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.msn.com/en-us/foodanddrink/foodnews/the-best-burger-place-in-phoenix-plus-see-the-rest-o	explorer.exe, 00000003.00000003.2291743583.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3082688545.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1423844898.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3851084445.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2473820002.0000000007065000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://api.msn.com/rT	explorer.exe, 00000003.00000003.2475318909.0000000008796000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1427716514.0000000008796000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3854305033.0000000008796000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.duxrib.xyz/f29s/www.alembottling.net	explorer.exe, 00000003.00000003.2471241758.000000000C291000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290628021.000000000C285000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3859766500.000000000C28E000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.specially-smou.xyz/f29s/www.aresrasherregard.cfd	explorer.exe, 00000003.00000003.2471241758.000000000C291000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290628021.000000000C285000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3859766500.000000000C28E000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://assets.msn.com/weathermapdata/1/static/weather/taskbar/animation/WeatherInsights/WeatherInsi	explorer.exe, 00000003.00000003.2291743583.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3082688545.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1423844898.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3851084445.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2473820002.0000000007065000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.duxrib.xyz/f29s/	explorer.exe, 00000003.00000003.2471241758.000000000C291000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290628021.000000000C285000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3859766500.000000000C28E000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.autoitscript.com/autoit3/J	explorer.exe, 00000003.00000003.2472712294.00000000085E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2291296923.00000000085E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1427268605.00000000085D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3853986057.00000000085E3000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.ise-bjnh.xyz/f29s/www.awqs-wonder.xyz	explorer.exe, 00000003.00000003.2471241758.000000000C291000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290628021.000000000C285000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3859766500.000000000C28E000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://word.office.com	explorer.exe, 00000003.00000002.3858527399.000000000BDEA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1432619537.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2472878488.000000000BDEA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290736750.000000000BDE7000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.uqhi42.xyz/f29s/	explorer.exe, 00000003.00000003.2471241758.000000000C291000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290628021.000000000C285000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3859766500.000000000C28E000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings	explorer.exe, 00000003.00000003.2473820002.0000000007065000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.ise-bjnh.xyz	explorer.exe, 00000003.00000003.2471241758.000000000C291000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290628021.000000000C285000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3859766500.000000000C28E000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.wqvn-environment.xyzReferer:	explorer.exe, 00000003.00000003.2471241758.000000000C291000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290628021.000000000C285000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3859766500.000000000C28E000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.ovt-jobs-lisitings00810.today/f29s/	explorer.exe, 00000003.00000003.2471241758.000000000C291000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290628021.000000000C285000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3859766500.000000000C28E000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.plqz-move.xyzReferer:	explorer.exe, 00000003.00000003.2471241758.000000000C291000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290628021.000000000C285000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3859766500.000000000C28E000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://android.notify.windows.com/iOSJM	explorer.exe, 00000003.00000000.1432619537.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew	explorer.exe, 00000003.00000003.2291743583.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3082688545.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1423844898.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3851084445.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2473820002.0000000007065000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.aresrasherregard.cfd/f29s/www.uqhi42.xyz	explorer.exe, 00000003.00000003.2471241758.000000000C291000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290628021.000000000C285000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3859766500.000000000C28E000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.plqz-move.xyz	explorer.exe, 00000003.00000003.2471241758.000000000C291000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290628021.000000000C285000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3859766500.000000000C28E000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gPi8-dark	explorer.exe, 00000003.00000003.2291743583.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3082688545.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1423844898.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3851084445.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2473820002.0000000007065000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.lywjv-issue.xyz	explorer.exe, 00000003.00000003.2471241758.000000000C291000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290628021.000000000C285000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3859766500.000000000C28E000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://outlook.com	explorer.exe, 00000003.00000002.3858527399.000000000BDEA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1432619537.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2472878488.000000000BDEA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290736750.000000000BDE7000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.alembottling.net	explorer.exe, 00000003.00000003.2471241758.000000000C291000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290628021.000000000C285000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3859766500.000000000C28E000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.ise-bjnh.xyzReferer:	explorer.exe, 00000003.00000003.2471241758.000000000C291000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290628021.000000000C285000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3859766500.000000000C28E000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.rostnixon.net/f29s/	explorer.exe, 00000003.00000003.2471241758.000000000C291000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290628021.000000000C285000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3859766500.000000000C28E000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://android.notify.windows.com/iOSZM	explorer.exe, 00000003.00000000.1432619537.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.ise-bjnh.xyz/f29s/	explorer.exe, 00000003.00000003.2471241758.000000000C291000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290628021.000000000C285000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3859766500.000000000C28E000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://android.notify.windows.com/iOS	explorer.exe, 00000003.00000000.1432619537.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.yelp.com	explorer.exe, 00000003.00000003.2291743583.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3082688545.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1423844898.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3851084445.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2473820002.0000000007065000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the	explorer.exe, 00000003.00000003.2291743583.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3082688545.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1423844898.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3851084445.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2473820002.0000000007065000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/MostlyClearNight.svg	explorer.exe, 00000003.00000003.2473820002.0000000007065000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.specially-smou.xyzReferer:	explorer.exe, 00000003.00000003.2471241758.000000000C291000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290628021.000000000C285000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3859766500.000000000C28E000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.awqs-wonder.xyz	explorer.exe, 00000003.00000003.2471241758.000000000C291000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290628021.000000000C285000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3859766500.000000000C28E000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.nit-dreeu.xyz	explorer.exe, 00000003.00000003.2471241758.000000000C291000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290628021.000000000C285000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3859766500.000000000C28E000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.msn.com/en-us/news/politics/kevin-mccarthy-s-ouster-as-house-speaker-could-cost-gop-its-	explorer.exe, 00000003.00000003.2291743583.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3082688545.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1423844898.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3851084445.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2473820002.0000000007065000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.rostnixon.net	explorer.exe, 00000003.00000003.2471241758.000000000C291000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290628021.000000000C285000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3859766500.000000000C28E000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKhb-dark	explorer.exe, 00000003.00000003.2291743583.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3082688545.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1423844898.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3851084445.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2473820002.0000000007065000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://api.msn.com/v1/news/Feed/Windows?z$	explorer.exe, 00000003.00000003.2475318909.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1427716514.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3854305033.0000000008685000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gPfv-dark	explorer.exe, 00000003.00000003.2291743583.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3082688545.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1423844898.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3851084445.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2473820002.0000000007065000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.wqvn-environment.xyz/f29s/	explorer.exe, 00000003.00000002.3859766500.000000000C28E000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.msn.com/en-us/lifestyle/lifestyle-buzz/what-to-do-if-a-worst-case-nuclear-scenario-actua	explorer.exe, 00000003.00000003.2291743583.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3082688545.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1423844898.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3851084445.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2473820002.0000000007065000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.alembottling.net/f29s/www.nit-dreeu.xyz	explorer.exe, 00000003.00000003.2471241758.000000000C291000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290628021.000000000C285000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3859766500.000000000C28E000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.msn.com/en-us/news/world/a-second-war-could-easily-erupt-in-europe-while-everyone-s-dist	explorer.exe, 00000003.00000003.2291743583.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3082688545.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1423844898.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3851084445.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2473820002.0000000007065000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.vtyo-phone.xyzReferer:	explorer.exe, 00000003.00000003.2471241758.000000000C291000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290628021.000000000C285000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3859766500.000000000C28E000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.vtyo-phone.xyz/f29s/www.ovt-jobs-lisitings00810.today	explorer.exe, 00000003.00000003.2471241758.000000000C291000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290628021.000000000C285000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3859766500.000000000C28E000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.msn.com/en-us/weather/topstories/first-map-of-earth-s-lost-continent-has-been-published/	explorer.exe, 00000003.00000003.2291743583.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3082688545.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1423844898.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3851084445.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2473820002.0000000007065000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://schemas.micro	explorer.exe, 00000003.00000002.3853539300.00000000082D0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.1422234527.0000000002C60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.1425719103.0000000007670000.00000002.00000001.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.nit-dreeu.xyz/f29s/	explorer.exe, 00000003.00000003.2471241758.000000000C291000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290628021.000000000C285000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3859766500.000000000C28E000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/recordhigh.svg	explorer.exe, 00000003.00000003.2291743583.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3082688545.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1423844898.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3851084445.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2473820002.0000000007065000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.rostnixon.net/f29s/www.vtyo-phone.xyz	explorer.exe, 00000003.00000003.2471241758.000000000C291000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290628021.000000000C285000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3859766500.000000000C28E000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.vtyo-phone.xyz	explorer.exe, 00000003.00000003.2471241758.000000000C291000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290628021.000000000C285000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3859766500.000000000C28E000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://parade.com/61481/toriavey/where-did-hamburgers-originate	explorer.exe, 00000003.00000003.2291743583.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3082688545.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1423844898.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3851084445.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2473820002.0000000007065000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.kimosskrupulslacker.cfdReferer:	explorer.exe, 00000003.00000003.2471241758.000000000C291000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290628021.000000000C285000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3859766500.000000000C28E000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.plqz-move.xyz/f29s/	explorer.exe, 00000003.00000003.2471241758.000000000C291000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290628021.000000000C285000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3859766500.000000000C28E000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.msn.com/en-us/news/technology/prehistoric-comet-impacted-earth-and-triggered-the-switch-	explorer.exe, 00000003.00000003.2291743583.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3082688545.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1423844898.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3851084445.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2473820002.0000000007065000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.lywjv-issue.xyz/f29s/	explorer.exe, 00000003.00000003.2471241758.000000000C291000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290628021.000000000C285000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3859766500.000000000C28E000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.awqs-wonder.xyz/f29s/www.ccloudserve.xyz	explorer.exe, 00000003.00000003.2471241758.000000000C291000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290628021.000000000C285000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3859766500.000000000C28E000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.lywjv-issue.xyz/f29s/www.plqz-move.xyz	explorer.exe, 00000003.00000003.2471241758.000000000C291000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290628021.000000000C285000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3859766500.000000000C28E000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://api.msn.com/~T	explorer.exe, 00000003.00000003.2475318909.0000000008796000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1427716514.0000000008796000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3854305033.0000000008796000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew	explorer.exe, 00000003.00000003.2291743583.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3082688545.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1423844898.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3851084445.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2473820002.0000000007065000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKhb	explorer.exe, 00000003.00000003.2291743583.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3082688545.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1423844898.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3851084445.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2473820002.0000000007065000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.aresrasherregard.cfd	explorer.exe, 00000003.00000003.2471241758.000000000C291000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290628021.000000000C285000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3859766500.000000000C28E000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.specially-smou.xyz/f29s/	explorer.exe, 00000003.00000003.2471241758.000000000C291000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290628021.000000000C285000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3859766500.000000000C28E000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.msn.com/en-us/news/politics/here-s-what-house-rules-say-about-trump-serving-as-speaker-o	explorer.exe, 00000003.00000003.2291743583.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3082688545.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1423844898.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3851084445.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2473820002.0000000007065000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.uqhi42.xyz	explorer.exe, 00000003.00000003.2471241758.000000000C291000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290628021.000000000C285000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3859766500.000000000C28E000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.msn.com/en-us/weather/topstories/stop-planting-new-forests-scientists-say/ar-AA1hFI09	explorer.exe, 00000003.00000003.2291743583.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3082688545.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1423844898.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3851084445.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2473820002.0000000007065000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.aresrasherregard.cfdReferer:	explorer.exe, 00000003.00000003.2471241758.000000000C291000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290628021.000000000C285000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3859766500.000000000C28E000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.msn.com/en-us/money/personalfinance/the-no-1-phrase-people-who-are-good-at-small-talk-al	explorer.exe, 00000003.00000003.2291743583.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3082688545.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1423844898.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3851084445.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2473820002.0000000007065000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.ccloudserve.xyz/f29s/www.wqvn-environment.xyz	explorer.exe, 00000003.00000003.2471241758.000000000C291000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290628021.000000000C285000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3859766500.000000000C28E000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.ovt-jobs-lisitings00810.today	explorer.exe, 00000003.00000003.2471241758.000000000C291000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290628021.000000000C285000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3859766500.000000000C28E000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.ccloudserve.xyzReferer:	explorer.exe, 00000003.00000003.2471241758.000000000C291000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290628021.000000000C285000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3859766500.000000000C28E000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gPfv	explorer.exe, 00000003.00000003.2291743583.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3082688545.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1423844898.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3851084445.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2473820002.0000000007065000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.alembottling.netReferer:	explorer.exe, 00000003.00000003.2471241758.000000000C291000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290628021.000000000C285000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3859766500.000000000C28E000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://powerpoint.office.com	explorer.exe, 00000003.00000002.3858527399.000000000BDEA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1432619537.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2472878488.000000000BDEA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290736750.000000000BDE7000.00000004.00000001.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1541673
Start date and time:	2024-10-25 01:15:21 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 11m 26s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Sample name:	AdobePDFViewer.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@521/1@11/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 44 Number of non-executed functions: 316
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: AdobePDFViewer.exe

Simulations

Behavior and APIs

Time	Type	Description
19:16:47	API Interceptor	7529855x Sleep call for process: explorer.exe modified
19:17:09	API Interceptor	6564125x Sleep call for process: chkdsk.exe modified

Process:	C:\Users\user\Desktop\AdobePDFViewer.exe
File Type:	data
Category:	dropped
Size (bytes):	189440
Entropy (8bit):	7.8653408764770685
Encrypted:	false
SSDEEP:	3072:iXk0YIei2J1+l8f3XpTZe4+EIi9kG1mfcm8yLEUwZARsdDEfHIW5sDbaKn7:iXk0YIyglapTZP+EViGct4xZARsdQfHI
MD5:	B64BDC742557ED7B58A7471CBDDB3AE1
SHA1:	891CBC436821CD1BE8F8053A647918BBE4D3CD6D
SHA-256:	03D60B4E8D5956EB3D6DCD43F10B54838C4FA56BBFF05D27ABD4A17A8A6284B0
SHA-512:	4D6D316146B6C593EB40FBCB061DC34FEB9085206875F15149A4F39AFE574F0560FB70EF45014A351D7CD2E6ACEE859E6D671DA5048E6AE471B6F0F5B0F3C22D
Malicious:	false
Preview:	.m...K6EZ...>.....HS..cA?...K6EZXV47ZGH06GHPTPZKB7QJBK6EZX.47ZIW.8G.Y.q.J..p."Ee9SE;hSW)&? p8.bE$$b"Xe....Z5#-.;JBtTPZKB7Q.C..>..<...P..P....$..J....<.4...V..!3<..-.7QJBK6EZXV47ZGH0f.HP.Q[K/...BK6EZXV4.ZEI;7MHP.RZKB7QJBK6..YV4'ZGH.4GHP.PZ[B7QHBK3E[XV47ZBH16GHPTP.IB7SJBK6EZZVt.ZGX06WHPTPJKB'QJBK6EJXV47ZGH06GHPTPZKB7QJBK6EZXV47ZGH06GHPTPZKB7QJBK6EZXV47ZGH06GHPTPZKB7QJBK6EZXV47ZGH06GHPTPZKB7QJBK6EZXV47ZGH06GHPTPZKB7QJBK6EZXV47ZGfDS?<PTPn.@7QZBK6.XXV$7ZGH06GHPTPZKB.QJ"K6EZXV47ZGH06GHPTPZKB7QJBK6EZXV47ZGH06GHPTPZKB7QJBK6EZXV47ZGH06GHPTPZKB7QJBK6EZXV47ZGH06GHPTPZKB7QJBK6EZXV47ZGH06GHPTPZKB7QJBK6EZXV47ZGH06GHPTPZKB7QJBK6EZXV47ZGH06GHPTPZKB7QJBK6EZXV47ZGH06GHPTPZKB7QJBK6EZXV47ZGH06GHPTPZKB7QJBK6EZXV47ZGH06GHPTPZKB7QJBK6EZXV47ZGH06GHPTPZKB7QJBK6EZXV47ZGH06GHPTPZKB7QJBK6EZXV47ZGH06GHPTPZKB7QJBK6EZXV47ZGH06GHPTPZKB7QJBK6EZXV47ZGH06GHPTPZKB7QJBK6EZXV47ZGH06GHPTPZKB7QJBK6EZXV47ZGH06GHPTPZKB7QJBK6EZXV47ZGH06GHPTPZKB7QJBK6EZXV47ZGH06GHPTPZKB7QJBK6EZXV47ZGH06GHPTPZKB7QJBK6EZXV47ZGH06GHPTPZK

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.176263951302326
TrID:	Win32 Executable (generic) a (10002005/4) 95.11% AutoIt3 compiled script executable (510682/80) 4.86% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	AdobePDFViewer.exe
File size:	1'295'083 bytes
MD5:	5513c53ff0ac4a880b5a35ceb8b7cb1c
SHA1:	7bc81330e32d49af2689f81152d2cd696c99c6be
SHA256:	1c8de42bff76a20cdaee2bed7629f8f0dfcf4ab5c7b5ee637d147f6f45311015
SHA512:	f40b441c78ef38bfcf051c3626cf98055d5e5dca9c3fd56dd5b441411dbdefac74d63627233fb1965a3fab4e1a30773f60fbf16eaf83b1a71afe7ed6cb0b9c39
SSDEEP:	12288:LLkcoxg7v3qnC11ErwIhh0F4qwUgUny5QHCVvs1IyOft2m2L9ajYhHti8LIva8xi:/fmMv6Ckr7Mny5QHkzzcm2L9NJIvRbsT
TLSH:	5155CF83F1C110ADF8DB657739ABCB26E6E1290E0A03484393B03F61FF6D5825795769
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......-...i...i...i.....9.k...`.:.w...`.,.....`.+.P...N%..c...N%..H...i...d...`. ./...w.:.k...w.;.h...i.8.h...`.>.h...Richi..........

File Icon


Icon Hash:	953a5a92e9ccf429

Static PE Info

General

Entrypoint:	0x416310
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x4B93CF87 [Sun Mar 7 16:08:39 2010 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	aaaa8913c89c8aa4a5d93f06853894da

Entrypoint Preview

Instruction
call 00007F2784F7521Ch
jmp 00007F2784F68FEEh
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push edi
push esi
mov esi, dword ptr [ebp+0Ch]
mov ecx, dword ptr [ebp+10h]
mov edi, dword ptr [ebp+08h]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007F2784F6917Ah
cmp edi, eax
jc 00007F2784F6931Ah
cmp ecx, 00000100h
jc 00007F2784F69191h
cmp dword ptr [004A94E0h], 00000000h
je 00007F2784F69188h
push edi
push esi
and edi, 0Fh
and esi, 0Fh
cmp edi, esi
pop esi
pop edi
jne 00007F2784F6917Ah
pop esi
pop edi
pop ebp
jmp 00007F2784F695DAh
test edi, 00000003h
jne 00007F2784F69187h
shr ecx, 02h
and edx, 03h
cmp ecx, 08h
jc 00007F2784F6919Ch
rep movsd
jmp dword ptr [00416494h+edx*4]
nop
mov eax, edi
mov edx, 00000003h
sub ecx, 04h
jc 00007F2784F6917Eh
and eax, 03h
add ecx, eax
jmp dword ptr [004163A8h+eax*4]
jmp dword ptr [004164A4h+ecx*4]
nop
jmp dword ptr [00416428h+ecx*4]
nop
mov eax, E4004163h
arpl word ptr [ecx+00h], ax
or byte ptr [ecx+eax*2+00h], ah
and edx, ecx
mov al, byte ptr [esi]
mov byte ptr [edi], al
mov al, byte ptr [esi+01h]
mov byte ptr [edi+01h], al
mov al, byte ptr [esi+02h]
shr ecx, 02h
mov byte ptr [edi+02h], al
add esi, 03h
add edi, 03h
cmp ecx, 08h
jc 00007F2784F6913Eh

Rich Headers

Programming Language:

[ASM] VS2008 SP1 build 30729
[ C ] VS2008 SP1 build 30729
[C++] VS2008 SP1 build 30729
[ C ] VS2005 build 50727
[IMP] VS2005 build 50727
[ASM] VS2008 build 21022
[RES] VS2008 build 21022
[LNK] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8cd3c	0x154	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xab000	0x341c0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x82000	0x840	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x80017	0x80200	6c20c6bf686768b6f134f5bd508171bc	False	0.5602991615853659	data	6.634688230255595	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x82000	0xd95c	0xda00	f979966509a93083729d23cdfd2a6f2d	False	0.36256450688073394	data	4.880040824124099	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x90000	0x1a518	0x6800	e5d77411f751d28c6eee48a743606795	False	0.1600060096153846	data	2.2017649896261107	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xab000	0x341c0	0x34200	f2558ee759ac87666d716c68f216fcf4	False	0.32235930005995206	data	5.1880092977109005	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xab5c8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xab6f0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xab818	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xab940	0x994a	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	Great Britain	0.997833953417257
RT_ICON	0xb5290	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	English	Great Britain	0.12387613864900035
RT_ICON	0xc5ab8	0x94a8	Device independent bitmap graphic, 96 x 192 x 32, image size 38016	English	Great Britain	0.16063170065167123
RT_ICON	0xcef60	0x5488	Device independent bitmap graphic, 72 x 144 x 32, image size 21600	English	Great Britain	0.18183918669131238
RT_ICON	0xd43e8	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	English	Great Britain	0.16196268304204062
RT_ICON	0xd8610	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	Great Britain	0.22562240663900415
RT_ICON	0xdabb8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	Great Britain	0.25093808630394
RT_ICON	0xdbc60	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	English	Great Britain	0.36598360655737705
RT_ICON	0xdc5e8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	Great Britain	0.4175531914893617
RT_MENU	0xdca50	0x50	data	English	Great Britain	0.9
RT_DIALOG	0xdcaa0	0xfc	data	English	Great Britain	0.6507936507936508
RT_STRING	0xdcba0	0x530	data	English	Great Britain	0.33960843373493976
RT_STRING	0xdd0d0	0x690	data	English	Great Britain	0.26964285714285713
RT_STRING	0xdd760	0x43a	data	English	Great Britain	0.3733826247689464
RT_STRING	0xddba0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xde1a0	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xde800	0x388	data	English	Great Britain	0.377212389380531
RT_STRING	0xdeb88	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	United States	0.502906976744186
RT_GROUP_ICON	0xdece0	0x84	data	English	Great Britain	0.7424242424242424
RT_GROUP_ICON	0xded68	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xded80	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xded98	0x14	data	English	Great Britain	1.25
RT_VERSION	0xdedb0	0x19c	data	English	Great Britain	0.5339805825242718
RT_MANIFEST	0xdef50	0x26c	ASCII text, with CRLF line terminators	English	United States	0.5145161290322581

Imports

DLL	Import
WSOCK32.dll	__WSAFDIsSet, setsockopt, ntohs, recvfrom, sendto, htons, select, listen, WSAStartup, bind, closesocket, connect, socket, send, WSACleanup, ioctlsocket, accept, WSAGetLastError, inet_addr, gethostbyname, gethostname, recv
VERSION.dll	VerQueryValueW, GetFileVersionInfoW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, ImageList_ReplaceIcon, ImageList_Create, InitCommonControlsEx, ImageList_Destroy
MPR.dll	WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W, WNetUseConnectionW
WININET.dll	InternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetConnectW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetQueryOptionW, InternetQueryDataAvailable
PSAPI.DLL	EnumProcesses, GetModuleBaseNameW, GetProcessMemoryInfo, EnumProcessModules
USERENV.dll	CreateEnvironmentBlock, DestroyEnvironmentBlock, UnloadUserProfile, LoadUserProfileW
KERNEL32.dll	HeapAlloc, Sleep, GetCurrentThreadId, RaiseException, MulDiv, GetVersionExW, GetSystemInfo, MultiByteToWideChar, WideCharToMultiByte, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, DeleteFileW, FindNextFileW, lstrcmpiW, MoveFileW, CopyFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, GetProcessHeap, OutputDebugStringW, GetLocalTime, CompareStringW, CompareStringA, InterlockedIncrement, InterlockedDecrement, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, GetTempPathW, GetTempFileNameW, VirtualFree, FormatMessageW, GetExitCodeProcess, SetErrorMode, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, DeviceIoControl, SetFileAttributesW, GetShortPathNameW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetComputerNameW, GetWindowsDirectoryW, GetSystemDirectoryW, GetCurrentProcessId, GetCurrentThread, GetProcessIoCounters, CreateProcessW, SetPriorityClass, LoadLibraryW, VirtualAlloc, LoadLibraryExW, HeapFree, WaitForSingleObject, CreateThread, DuplicateHandle, GetLastError, CloseHandle, GetCurrentProcess, GetProcAddress, LoadLibraryA, FreeLibrary, GetModuleFileNameW, GetFullPathNameW, ExitProcess, ExitThread, GetSystemTimeAsFileTime, SetCurrentDirectoryW, IsDebuggerPresent, GetCurrentDirectoryW, ResumeThread, GetStartupInfoW, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, SetLastError, HeapSize, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetModuleFileNameA, HeapReAlloc, HeapCreate, SetHandleCount, GetFileType, GetStartupInfoA, SetStdHandle, GetConsoleCP, GetConsoleMode, LCMapStringW, LCMapStringA, RtlUnwind, SetFilePointer, GetTimeZoneInformation, GetTimeFormatA, GetDateFormatA, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, GetTickCount, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, GetModuleHandleA, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, CreateFileA, SetEndOfFile, EnumResourceNamesW, SetEnvironmentVariableA
USER32.dll	SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, ReleaseCapture, SetCapture, WindowFromPoint, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, CheckMenuRadioItem, CopyImage, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, PeekMessageW, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, GetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, MessageBoxW, DefWindowProcW, MoveWindow, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, GetMenuItemID, TranslateMessage, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, UnregisterHotKey, CharLowerBuffW, MonitorFromRect, keybd_event, LoadImageW, GetWindowLongW
GDI32.dll	DeleteObject, GetObjectW, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, StrokePath, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, PolyDraw, BeginPath, Rectangle, GetDeviceCaps, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, SetViewportOrgEx
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegConnectRegistryW, RegEnumKeyExW, CloseServiceHandle, UnlockServiceDatabase, LockServiceDatabase, OpenSCManagerW, InitiateSystemShutdownExW, AdjustTokenPrivileges, RegCloseKey, RegQueryValueExW, RegOpenKeyExW, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, InitializeSecurityDescriptor, InitializeAcl, GetLengthSid, SetSecurityDescriptorDacl, CopySid, LogonUserW, GetTokenInformation, GetAclInformation, GetAce, AddAce, GetSecurityDescriptorDacl
SHELL32.dll	DragQueryPoint, ShellExecuteExW, SHGetFolderPathW, DragQueryFileW, SHEmptyRecycleBinW, SHBrowseForFolderW, SHFileOperationW, SHGetPathFromIDListW, SHGetDesktopFolder, SHGetMalloc, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoInitialize, CoUninitialize, CoCreateInstance, CreateStreamOnHGlobal, CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, StringFromCLSID, IIDFromString, StringFromIID, OleInitialize, CreateBindCtx, CLSIDFromProgID, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket, OleUninitialize
OLEAUT32.dll	SafeArrayAllocData, SafeArrayAllocDescriptorEx, SysAllocString, OleLoadPicture, SafeArrayGetVartype, SafeArrayDestroyData, SafeArrayAccessData, VarR8FromDec, VariantTimeToSystemTime, VariantClear, VariantCopy, VariantInit, SafeArrayDestroyDescriptor, LoadRegTypeLib, GetActiveObject, SafeArrayUnaccessData

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 25, 2024 01:17:03.165934086 CEST	49570	53	192.168.2.9	1.1.1.1
Oct 25, 2024 01:17:03.177738905 CEST	53	49570	1.1.1.1	192.168.2.9
Oct 25, 2024 01:17:22.947849989 CEST	52568	53	192.168.2.9	1.1.1.1
Oct 25, 2024 01:17:22.957523108 CEST	53	52568	1.1.1.1	192.168.2.9
Oct 25, 2024 01:17:42.901021004 CEST	53652	53	192.168.2.9	1.1.1.1
Oct 25, 2024 01:17:42.931011915 CEST	53	53652	1.1.1.1	192.168.2.9
Oct 25, 2024 01:18:03.709981918 CEST	49375	53	192.168.2.9	1.1.1.1
Oct 25, 2024 01:18:03.720187902 CEST	53	49375	1.1.1.1	192.168.2.9
Oct 25, 2024 01:18:24.586365938 CEST	54673	53	192.168.2.9	1.1.1.1
Oct 25, 2024 01:18:24.595675945 CEST	53	54673	1.1.1.1	192.168.2.9
Oct 25, 2024 01:18:45.602854967 CEST	49967	53	192.168.2.9	1.1.1.1
Oct 25, 2024 01:18:45.615976095 CEST	53	49967	1.1.1.1	192.168.2.9
Oct 25, 2024 01:19:06.373272896 CEST	59330	53	192.168.2.9	1.1.1.1
Oct 25, 2024 01:19:06.381565094 CEST	53	59330	1.1.1.1	192.168.2.9
Oct 25, 2024 01:19:27.619951010 CEST	49777	53	192.168.2.9	1.1.1.1
Oct 25, 2024 01:19:27.629487038 CEST	53	49777	1.1.1.1	192.168.2.9
Oct 25, 2024 01:19:48.110383034 CEST	64440	53	192.168.2.9	1.1.1.1
Oct 25, 2024 01:19:48.119647980 CEST	53	64440	1.1.1.1	192.168.2.9
Oct 25, 2024 01:20:30.588264942 CEST	57480	53	192.168.2.9	1.1.1.1
Oct 25, 2024 01:20:30.689184904 CEST	53	57480	1.1.1.1	192.168.2.9
Oct 25, 2024 01:20:50.838673115 CEST	55654	53	192.168.2.9	1.1.1.1
Oct 25, 2024 01:20:50.847687006 CEST	53	55654	1.1.1.1	192.168.2.9

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 25, 2024 01:17:03.165934086 CEST	192.168.2.9	1.1.1.1	0x54bd	Standard query (0)	www.lywjv-issue.xyz	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:17:22.947849989 CEST	192.168.2.9	1.1.1.1	0xb699	Standard query (0)	www.plqz-move.xyz	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:17:42.901021004 CEST	192.168.2.9	1.1.1.1	0x273f	Standard query (0)	www.rostnixon.net	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:18:03.709981918 CEST	192.168.2.9	1.1.1.1	0xcb28	Standard query (0)	www.vtyo-phone.xyz	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:18:24.586365938 CEST	192.168.2.9	1.1.1.1	0xc0be	Standard query (0)	www.ovt-jobs-lisitings00810.today	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:18:45.602854967 CEST	192.168.2.9	1.1.1.1	0x320e	Standard query (0)	www.specially-smou.xyz	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:19:06.373272896 CEST	192.168.2.9	1.1.1.1	0x48c9	Standard query (0)	www.aresrasherregard.cfd	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:19:27.619951010 CEST	192.168.2.9	1.1.1.1	0x2d43	Standard query (0)	www.uqhi42.xyz	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:19:48.110383034 CEST	192.168.2.9	1.1.1.1	0xeac9	Standard query (0)	www.kimosskrupulslacker.cfd	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:20:30.588264942 CEST	192.168.2.9	1.1.1.1	0xcc1e	Standard query (0)	www.alembottling.net	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:20:50.838673115 CEST	192.168.2.9	1.1.1.1	0xf97c	Standard query (0)	www.nit-dreeu.xyz	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 25, 2024 01:17:03.177738905 CEST	1.1.1.1	192.168.2.9	0x54bd	Name error (3)	www.lywjv-issue.xyz	none	none	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:17:22.957523108 CEST	1.1.1.1	192.168.2.9	0xb699	Name error (3)	www.plqz-move.xyz	none	none	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:17:42.931011915 CEST	1.1.1.1	192.168.2.9	0x273f	Name error (3)	www.rostnixon.net	none	none	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:18:03.720187902 CEST	1.1.1.1	192.168.2.9	0xcb28	Name error (3)	www.vtyo-phone.xyz	none	none	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:18:24.595675945 CEST	1.1.1.1	192.168.2.9	0xc0be	Name error (3)	www.ovt-jobs-lisitings00810.today	none	none	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:18:45.615976095 CEST	1.1.1.1	192.168.2.9	0x320e	Name error (3)	www.specially-smou.xyz	none	none	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:19:06.381565094 CEST	1.1.1.1	192.168.2.9	0x48c9	Name error (3)	www.aresrasherregard.cfd	none	none	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:19:27.629487038 CEST	1.1.1.1	192.168.2.9	0x2d43	Name error (3)	www.uqhi42.xyz	none	none	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:19:48.119647980 CEST	1.1.1.1	192.168.2.9	0xeac9	Name error (3)	www.kimosskrupulslacker.cfd	none	none	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:20:30.689184904 CEST	1.1.1.1	192.168.2.9	0xcc1e	Name error (3)	www.alembottling.net	none	none	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:20:50.847687006 CEST	1.1.1.1	192.168.2.9	0xf97c	Name error (3)	www.nit-dreeu.xyz	none	none	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	19:16:17
Start date:	24/10/2024
Path:	C:\Users\user\Desktop\AdobePDFViewer.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\AdobePDFViewer.exe"
Imagebase:	0x400000
File size:	1'295'083 bytes
MD5 hash:	5513C53FF0AC4A880B5A35CEB8B7CB1C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.1417894838.0000000002F60000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000000.00000002.1417894838.0000000002F60000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000002.1417894838.0000000002F60000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.1417894838.0000000002F60000.00000004.00001000.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.1417894838.0000000002F60000.00000004.00001000.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low
Has exited:	true

Target ID:	2
Start time:	19:16:19
Start date:	24/10/2024
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\AdobePDFViewer.exe"
Imagebase:	0x4c0000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.1541468746.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1541468746.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.1541468746.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.1541468746.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.1541468746.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.1541829256.0000000003370000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1541829256.0000000003370000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.1541829256.0000000003370000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.1541829256.0000000003370000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.1541829256.0000000003370000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.1541865907.00000000033A0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1541865907.00000000033A0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.1541865907.00000000033A0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.1541865907.00000000033A0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.1541865907.00000000033A0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high
Has exited:	true

Target ID:	3
Start time:	19:16:20
Start date:	24/10/2024
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff633410000
File size:	5'141'208 bytes
MD5 hash:	662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Formbook_772cc62d, Description: unknown, Source: 00000003.00000002.3860609031.0000000010254000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	false

Target ID:	4
Start time:	19:16:23
Start date:	24/10/2024
Path:	C:\Windows\SysWOW64\autochk.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\SysWOW64\autochk.exe"
Imagebase:	0x370000
File size:	863'232 bytes
MD5 hash:	FC398299F54290D5F35C69E865FD7CC2
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Target ID:	5
Start time:	19:16:29
Start date:	24/10/2024
Path:	C:\Windows\SysWOW64\chkdsk.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\chkdsk.exe"
Imagebase:	0xd90000
File size:	23'040 bytes
MD5 hash:	B4016BEE9D8F3AD3D02DD21C3CAFB922
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.3845717591.0000000005510000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.3845717591.0000000005510000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.3845717591.0000000005510000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.3845717591.0000000005510000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.3845717591.0000000005510000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.3845229047.00000000050F0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.3845229047.00000000050F0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.3845229047.00000000050F0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.3845229047.00000000050F0000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.3845229047.00000000050F0000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.3845654321.00000000054E0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.3845654321.00000000054E0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.3845654321.00000000054E0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.3845654321.00000000054E0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.3845654321.00000000054E0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate
Has exited:	false

Target ID:	7
Start time:	19:16:33
Start date:	24/10/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del "C:\Windows\SysWOW64\svchost.exe"
Imagebase:	0xc50000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	8
Start time:	19:16:33
Start date:	24/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true