Windows Analysis Report
(2).docx.exe

Overview

General Information

Sample name:	(2).docx.exe renamed because original name is a hash value
Original sample name:	11_21-2024_753e373_9-372-- -A1 (2).docx.exe
Analysis ID:	1560294
MD5:	8c01c51ef925e81212d6f39c098fe65f
SHA1:	94404d75e90260be4bdea4d3f76d1cab1deca5ff
SHA256:	f03d10d6d5be51c58642517465216d686f029cb1f85266939eed886f85e68dda
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Sigma detected: Suspicious Double Extension File Execution

Yara detected FormBook

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

C2 URLs / IPs found in malware configuration

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Sigma detected: CMSTP Execution Process Creation

Switches to a custom stack to bypass stack traces

Tries to detect virtualization through RDTSC time measurements

Tries to resolve many domain names, but no domain seems valid

Uses an obfuscated file name to hide its real file extension (double extension)

Writes to foreign memory regions

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evaded block containing many API calls

Found evasive API chain (date check)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Uncommon Svchost Parent Process

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Uses 32bit PE files

Uses a Windows Living Off The Land Binaries (LOL bins)

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Signatures

AV Detection

Found malware configuration

Source: 00000000.00000002.1712953474.0000000001D10000.00000004.00001000.00020000.00000000.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.2creativedesign.online/ud04/"], "decoy": ["oum7.pro", "ovonordisk.online", "akrzus.pro", "tendmtedcpsa.site", "mm.foo", "animevyhgsft29817.click", "digdxxb.info", "1130.vip", "uy-now-pay-later-74776.bond", "ybzert.online", "edcn.link", "rime-flow-bay.xyz", "nd777id.beauty", "otoyama.shop", "lranchomx.xyz", "unluoren.top", "uglesang-troms.net", "udulbet88.net", "raquewear.shop", "ijanarko.net", "iuxy.host", "itaxia.dev", "hisewntbqg.makeup", "talianfood.store", "22gxx.app", "tandkite.fun", "rovideoeditor.shop", "ires-86307.bond", "elitjatarjoukset.click", "rofilern.net", "uycarpaylater-02-t1e-01.today", "futurum.xyz", "inance15.site", "alance-ton-budget.net", "tpuniplay.shop", "dlpli.xyz", "riteon.online", "rippyshaker.shop", "rn10.top", "linko1win.icu", "ugeniolopez.art", "raphic-design-degree-68380.bond", "narchists.info", "uy-now-pay-later-25573.bond", "gzvmt.info", "df.clinic", "onesome.store", "imba-168.net", "ayef.xyz", "64axyozkgl.top", "dult-diapers-53774.bond", "ec.baby", "el-radu-easy4y.one", "asik-eye-surgery-63293.bond", "p-inbox4.click", "0417.one", "ualitystore.shop", "partments-for-rent-61932.bond", "enobscotlobster.online", "fhou.link", "eo56a3oouu.top", "cweb.cyou", "hoe-organizer-za.today", "p806.top"]}

Yara detected FormBook

Source: Yara match	File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.(2).docx.exe.1d10000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.(2).docx.exe.1d10000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1712953474.0000000001D10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1770954134.0000000000F10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4157701602.00000000026E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1769816274.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4158199606.0000000004330000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1771015115.0000000000F40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4158309338.0000000004360000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: (2).docx.exe

Joe Sandbox ML: detected

Uses 32bit PE files

Source: (2).docx.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: cmstp.pdbGCTL source: svchost.exe, 00000001.00000003.1768938780.0000000000C2F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1768777002.0000000000C1C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1771267761.00000000031E0000.00000040.10000000.00040000.00000000.sdmp, cmstp.exe, 00000003.00000002.4157551196.0000000000370000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: (2).docx.exe, 00000000.00000003.1710199519.0000000003960000.00000004.00001000.00020000.00000000.sdmp, (2).docx.exe, 00000000.00000003.1703950706.0000000003AD0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1713084790.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1771326144.000000000359E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1771326144.0000000003400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1711161048.0000000003000000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000003.00000002.4158569975.0000000004590000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 00000003.00000002.4158569975.000000000472E000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 00000003.00000003.1772205219.00000000043EA000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000003.00000003.1769783725.0000000004235000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: (2).docx.exe, 00000000.00000003.1710199519.0000000003960000.00000004.00001000.00020000.00000000.sdmp, (2).docx.exe, 00000000.00000003.1703950706.0000000003AD0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000003.1713084790.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1771326144.000000000359E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1771326144.0000000003400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1711161048.0000000003000000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000003.00000002.4158569975.0000000004590000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 00000003.00000002.4158569975.000000000472E000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 00000003.00000003.1772205219.00000000043EA000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000003.00000003.1769783725.0000000004235000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: cmstp.pdb source: svchost.exe, 00000001.00000003.1768938780.0000000000C2F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1768777002.0000000000C1C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1771267761.00000000031E0000.00000040.10000000.00040000.00000000.sdmp, cmstp.exe, 00000003.00000002.4157551196.0000000000370000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdb source: explorer.exe, 00000002.00000002.4173159829.0000000010D6F000.00000004.80000000.00040000.00000000.sdmp, cmstp.exe, 00000003.00000002.4159091144.0000000004ADF000.00000004.10000000.00040000.00000000.sdmp, cmstp.exe, 00000003.00000002.4157938897.00000000027FC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: explorer.exe, 00000002.00000002.4173159829.0000000010D6F000.00000004.80000000.00040000.00000000.sdmp, cmstp.exe, 00000003.00000002.4159091144.0000000004ADF000.00000004.10000000.00040000.00000000.sdmp, cmstp.exe, 00000003.00000002.4157938897.00000000027FC000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\(2).docx.exe	Code function: 0_2_00316CA9 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00316CA9
Source: C:\Users\user\Desktop\(2).docx.exe	Code function: 0_2_003160DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,	0_2_003160DD
Source: C:\Users\user\Desktop\(2).docx.exe	Code function: 0_2_003163F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,	0_2_003163F9
Source: C:\Users\user\Desktop\(2).docx.exe	Code function: 0_2_0031EB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0031EB60
Source: C:\Users\user\Desktop\(2).docx.exe	Code function: 0_2_0031F56F FindFirstFileW,FindClose,	0_2_0031F56F
Source: C:\Users\user\Desktop\(2).docx.exe	Code function: 0_2_0031F5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_0031F5FA
Source: C:\Users\user\Desktop\(2).docx.exe	Code function: 0_2_00321B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00321B2F
Source: C:\Users\user\Desktop\(2).docx.exe	Code function: 0_2_00321C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00321C8A
Source: C:\Users\user\Desktop\(2).docx.exe	Code function: 0_2_00321F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00321F94

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 4x nop then pop ebx

1_2_00407B28

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.2creativedesign.online/ud04/

Tries to resolve many domain names, but no domain seems valid

Source: unknown	DNS traffic detected: query: www.2creativedesign.online replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.tandkite.fun replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.ijanarko.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.ualitystore.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.onesome.store replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.riteon.online replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.p-inbox4.click replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.elitjatarjoukset.click replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.ovonordisk.online replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.narchists.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.gzvmt.info replaycode: Name error (3)

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Source: unknown	DNS traffic detected: query: www.2creativedesign.online replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.tandkite.fun replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.ijanarko.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.ualitystore.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.onesome.store replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.riteon.online replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.p-inbox4.click replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.elitjatarjoukset.click replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.ovonordisk.online replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.narchists.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.gzvmt.info replaycode: Name error (3)

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\(2).docx.exe

Code function: 0_2_00324EB5 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_00324EB5

Source: global traffic	DNS traffic detected: DNS query: www.elitjatarjoukset.click
Source: global traffic	DNS traffic detected: DNS query: www.gzvmt.info
Source: global traffic	DNS traffic detected: DNS query: www.riteon.online
Source: global traffic	DNS traffic detected: DNS query: www.ovonordisk.online
Source: global traffic	DNS traffic detected: DNS query: www.narchists.info
Source: global traffic	DNS traffic detected: DNS query: www.ijanarko.net
Source: global traffic	DNS traffic detected: DNS query: www.2creativedesign.online
Source: global traffic	DNS traffic detected: DNS query: www.tandkite.fun
Source: global traffic	DNS traffic detected: DNS query: www.ualitystore.shop
Source: global traffic	DNS traffic detected: DNS query: www.onesome.store
Source: global traffic	DNS traffic detected: DNS query: www.p-inbox4.click

Source: explorer.exe, 00000002.00000000.1719453857.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4163164050.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1717133268.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3106173503.000000000982D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 00000002.00000000.1719453857.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4163164050.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1717133268.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3106173503.000000000982D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 00000002.00000000.1719453857.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4163164050.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1717133268.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3106173503.000000000982D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 00000002.00000000.1719453857.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4163164050.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1717133268.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3106173503.000000000982D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000002.00000000.1717133268.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4160238706.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1720157919.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.mi
Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1720157919.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.micr
Source: explorer.exe, 00000002.00000000.1720385480.0000000009B60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.1718080624.0000000007F40000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000002.4162452584.0000000008720000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.2creativedesign.online
Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.2creativedesign.online/ud04/
Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.2creativedesign.online/ud04/www.tandkite.fun
Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.2creativedesign.onlineReferer:
Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.df.clinic
Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.df.clinic/ud04/
Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.df.clinic/ud04/www.tendmtedcpsa.site
Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.df.clinicReferer:
Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.elitjatarjoukset.click
Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.elitjatarjoukset.click/ud04/
Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.elitjatarjoukset.click/ud04/www.gzvmt.info
Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.elitjatarjoukset.clickReferer:
Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.gzvmt.info
Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.gzvmt.info/ud04/
Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.gzvmt.info/ud04/www.riteon.online
Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.gzvmt.infoReferer:
Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ijanarko.net
Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ijanarko.net/ud04/
Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ijanarko.net/ud04/www.2creativedesign.online
Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ijanarko.netReferer:
Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.inance15.site
Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.inance15.site/ud04/
Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.inance15.site/ud04/www.df.clinic
Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.inance15.siteReferer:
Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.lranchomx.xyz
Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.lranchomx.xyz/ud04/
Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.lranchomx.xyz/ud04/www.inance15.site
Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.lranchomx.xyzReferer:
Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.narchists.info
Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.narchists.info/ud04/
Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.narchists.info/ud04/www.ijanarko.net
Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.narchists.infoReferer:
Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.onesome.store
Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.onesome.store/ud04/
Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.onesome.store/ud04/www.p-inbox4.click
Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.onesome.storeReferer:
Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ovonordisk.online
Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ovonordisk.online/ud04/
Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ovonordisk.online/ud04/www.narchists.info
Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ovonordisk.onlineReferer:
Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.p-inbox4.click
Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.p-inbox4.click/ud04/
Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.p-inbox4.click/ud04/www.lranchomx.xyz
Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.p-inbox4.clickReferer:
Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.riteon.online
Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.riteon.online/ud04/
Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.riteon.online/ud04/www.ovonordisk.online
Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.riteon.onlineReferer:
Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.tandkite.fun
Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.tandkite.fun/ud04/
Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.tandkite.fun/ud04/www.ualitystore.shop
Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.tandkite.funReferer:
Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.tendmtedcpsa.site
Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.tendmtedcpsa.site/ud04/
Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.tendmtedcpsa.siteReferer:
Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ualitystore.shop
Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ualitystore.shop/ud04/
Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ualitystore.shop/ud04/www.ybzert.online
Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ualitystore.shopReferer:
Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ybzert.online
Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ybzert.online/ud04/
Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ybzert.online/ud04/www.onesome.store
Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ybzert.onlineReferer:
Source: explorer.exe, 00000002.00000002.4167170759.000000000C893000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1722046856.000000000C893000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
Source: explorer.exe, 00000002.00000002.4160238706.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1717133268.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/Vh5j3k
Source: explorer.exe, 00000002.00000002.4160238706.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1717133268.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/odirmr
Source: explorer.exe, 00000002.00000002.4167170759.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1722046856.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000002.00000003.3106173503.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1719453857.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4163164050.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000002.00000003.3106173503.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1719453857.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4163164050.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/q
Source: explorer.exe, 00000002.00000000.1715123564.0000000001240000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4158924998.0000000003700000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4157904661.0000000001240000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1716063740.0000000003700000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000002.00000000.1719453857.00000000096DF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4163164050.0000000009702000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3106173503.0000000009701000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?&
Source: explorer.exe, 00000002.00000002.4160238706.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1717133268.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&oc
Source: explorer.exe, 00000002.00000003.3106173503.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1719453857.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4160238706.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1717133268.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4163164050.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 00000002.00000000.1719453857.00000000096DF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4163164050.0000000009702000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3106173503.0000000009701000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.comi
Source: explorer.exe, 00000002.00000000.1717133268.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svg
Source: explorer.exe, 00000002.00000000.1717133268.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
Source: explorer.exe, 00000002.00000000.1717133268.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg
Source: explorer.exe, 00000002.00000002.4160238706.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1717133268.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/humidity.svg
Source: explorer.exe, 00000002.00000002.4160238706.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1717133268.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
Source: explorer.exe, 00000002.00000002.4160238706.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1717133268.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
Source: explorer.exe, 00000002.00000000.1717133268.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4160238706.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu
Source: explorer.exe, 00000002.00000000.1717133268.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4160238706.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark
Source: explorer.exe, 00000002.00000002.4160238706.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1717133268.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu
Source: explorer.exe, 00000002.00000002.4160238706.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1717133268.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu-dark
Source: explorer.exe, 00000002.00000002.4160238706.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1717133268.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY
Source: explorer.exe, 00000002.00000002.4160238706.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1717133268.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-dark
Source: explorer.exe, 00000002.00000002.4167170759.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1722046856.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com
Source: explorer.exe, 00000002.00000002.4160238706.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1717133268.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
Source: explorer.exe, 00000002.00000002.4160238706.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1717133268.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hlXIY.img
Source: explorer.exe, 00000002.00000002.4160238706.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1717133268.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAKSoFp.img
Source: explorer.exe, 00000002.00000002.4160238706.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1717133268.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAXaopi.img
Source: explorer.exe, 00000002.00000002.4160238706.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1717133268.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAgi0nZ.img
Source: explorer.exe, 00000002.00000002.4160238706.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1717133268.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBqlLky.img
Source: explorer.exe, 00000002.00000000.1717133268.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4160238706.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.img
Source: explorer.exe, 00000002.00000002.4167170759.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1722046856.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.com_
Source: explorer.exe, 00000002.00000002.4167170759.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1722046856.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.comcember
Source: explorer.exe, 00000002.00000002.4160238706.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1717133268.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://simpleflying.com/how-do-you-become-an-air-traffic-controller/
Source: explorer.exe, 00000002.00000002.4160238706.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1717133268.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000002.00000002.4160238706.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1717133268.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000002.00000002.4167170759.000000000C557000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1722046856.000000000C557000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/L
Source: explorer.exe, 00000002.00000002.4167170759.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1722046856.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.com
Source: explorer.exe, 00000002.00000002.4160238706.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1717133268.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/lifestyle/lifestyle-buzz/biden-makes-decision-that-will-impact-more-than-1
Source: explorer.exe, 00000002.00000002.4160238706.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1717133268.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/lifestyle/travel/i-ve-worked-at-a-campsite-for-5-years-these-are-the-15-mi
Source: explorer.exe, 00000002.00000000.1717133268.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4160238706.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4160238706.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1717133268.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/13-states-that-don-t-tax-your-retirement-income/ar-A
Source: explorer.exe, 00000002.00000002.4160238706.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1717133268.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/no-wonder-the-american-public-is-confused-if-you-re-
Source: explorer.exe, 00000002.00000002.4160238706.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1717133268.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow-
Source: explorer.exe, 00000002.00000002.4160238706.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1717133268.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/exclusive-john-kelly-goes-on-the-record-to-confirm-several-d
Source: explorer.exe, 00000002.00000002.4160238706.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1717133268.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/topic/breast%20cancer%20awareness%20month?ocid=winp1headerevent
Source: explorer.exe, 00000002.00000002.4160238706.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1717133268.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/a-nationwide-emergency-alert-will-be-sent-to-all-u-s-cellphones-we
Source: explorer.exe, 00000002.00000002.4160238706.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1717133268.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/metro-officials-still-investigating-friday-s-railcar-derailment/ar
Source: explorer.exe, 00000002.00000002.4160238706.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/when-does-daylight-saving-time-end-2023-here-s-when-to-set-your-cl
Source: explorer.exe, 00000002.00000002.4160238706.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1717133268.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-at
Source: explorer.exe, 00000002.00000002.4160238706.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1717133268.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/rest-of-hurricane-season-in-uncharted-waters-because-of
Source: explorer.exe, 00000002.00000002.4160238706.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1717133268.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-win
Source: explorer.exe, 00000002.00000002.4160238706.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1717133268.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com:443/en-us/feed
Source: explorer.exe, 00000002.00000002.4160238706.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1717133268.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.rd.com/list/polite-habits-campers-dislike/
Source: explorer.exe, 00000002.00000002.4160238706.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1717133268.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppe

Contains functionality for read data from the clipboard

Source: C:\Users\user\Desktop\(2).docx.exe

Code function: 0_2_00326B0C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00326B0C

Contains functionality to modify clipboard data

Source: C:\Users\user\Desktop\(2).docx.exe

Code function: 0_2_00326D07 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00326D07

Contains functionality to read the clipboard data

Source: C:\Users\user\Desktop\(2).docx.exe

0_2_00326B0C

Contains functionality to retrieve information about pressed keystrokes

Source: C:\Users\user\Desktop\(2).docx.exe

Code function: 0_2_00312B37 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_00312B37

Potential key logger detected (key state polling based)

Source: C:\Users\user\Desktop\(2).docx.exe

Code function: 0_2_0033F7FF DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_0033F7FF

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.(2).docx.exe.1d10000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.(2).docx.exe.1d10000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1712953474.0000000001D10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1770954134.0000000000F10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4157701602.00000000026E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1769816274.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4158199606.0000000004330000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1771015115.0000000000F40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4158309338.0000000004360000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.(2).docx.exe.1d10000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0.2.(2).docx.exe.1d10000.1.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.(2).docx.exe.1d10000.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.(2).docx.exe.1d10000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0.2.(2).docx.exe.1d10000.1.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.(2).docx.exe.1d10000.1.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.1712953474.0000000001D10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.1712953474.0000000001D10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.1712953474.0000000001D10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.1770954134.0000000000F10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000001.00000002.1770954134.0000000000F10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.1770954134.0000000000F10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.4157701602.00000000026E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.4157701602.00000000026E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.4157701602.00000000026E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.4170679439.000000000E64E000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_772cc62d Author: unknown
Source: 00000001.00000002.1769816274.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000001.00000002.1769816274.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.1769816274.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.4158199606.0000000004330000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.4158199606.0000000004330000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.4158199606.0000000004330000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.1771015115.0000000000F40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000001.00000002.1771015115.0000000000F40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.1771015115.0000000000F40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.4158309338.0000000004360000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.4158309338.0000000004360000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.4158309338.0000000004360000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: (2).docx.exe PID: 7308, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: svchost.exe PID: 7336, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: cmstp.exe PID: 7416, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\(2).docx.exe	Code function: This is a third-party compiled AutoIt script.	0_2_002D3D19
Source: (2).docx.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: (2).docx.exe, 00000000.00000000.1686077283.000000000037E000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_52f403a0-3
Source: (2).docx.exe, 00000000.00000000.1686077283.000000000037E000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: 0SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_df831d4d-e
Source: (2).docx.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_60488e8c-5
Source: (2).docx.exe	String found in binary or memory: CSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_aa3508c2-d

Contains functionality to call native functions

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0041A340 NtCreateFile,	1_2_0041A340
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0041A3F0 NtReadFile,	1_2_0041A3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0041A470 NtClose,	1_2_0041A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0041A520 NtAllocateVirtualMemory,	1_2_0041A520
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0041A3EB NtReadFile,	1_2_0041A3EB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0041A392 NtCreateFile,NtReadFile,	1_2_0041A392
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0041A51C NtAllocateVirtualMemory,	1_2_0041A51C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03472B60 NtClose,LdrInitializeThunk,	1_2_03472B60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03472BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	1_2_03472BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03472AD0 NtReadFile,LdrInitializeThunk,	1_2_03472AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03472F30 NtCreateSection,LdrInitializeThunk,	1_2_03472F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03472FE0 NtCreateFile,LdrInitializeThunk,	1_2_03472FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03472F90 NtProtectVirtualMemory,LdrInitializeThunk,	1_2_03472F90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03472FB0 NtResumeThread,LdrInitializeThunk,	1_2_03472FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03472E80 NtReadVirtualMemory,LdrInitializeThunk,	1_2_03472E80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03472EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,	1_2_03472EA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03472D10 NtMapViewOfSection,LdrInitializeThunk,	1_2_03472D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03472D30 NtUnmapViewOfSection,LdrInitializeThunk,	1_2_03472D30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03472DD0 NtDelayExecution,LdrInitializeThunk,	1_2_03472DD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03472DF0 NtQuerySystemInformation,LdrInitializeThunk,	1_2_03472DF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03472CA0 NtQueryInformationToken,LdrInitializeThunk,	1_2_03472CA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03474340 NtSetContextThread,	1_2_03474340
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03474650 NtSuspendThread,	1_2_03474650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03472BE0 NtQueryValueKey,	1_2_03472BE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03472B80 NtQueryInformationFile,	1_2_03472B80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03472BA0 NtEnumerateValueKey,	1_2_03472BA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03472AF0 NtWriteFile,	1_2_03472AF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03472AB0 NtWaitForSingleObject,	1_2_03472AB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03472F60 NtCreateProcessEx,	1_2_03472F60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03472FA0 NtQuerySection,	1_2_03472FA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03472E30 NtWriteVirtualMemory,	1_2_03472E30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03472EE0 NtQueueApcThread,	1_2_03472EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03472D00 NtSetInformationFile,	1_2_03472D00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03472DB0 NtEnumerateKey,	1_2_03472DB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03472C60 NtCreateKey,	1_2_03472C60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03472C70 NtFreeVirtualMemory,	1_2_03472C70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03472C00 NtQueryInformationProcess,	1_2_03472C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03472CC0 NtQueryVirtualMemory,	1_2_03472CC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03472CF0 NtOpenProcess,	1_2_03472CF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03473010 NtOpenDirectoryObject,	1_2_03473010
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03473090 NtSetValueKey,	1_2_03473090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034735C0 NtCreateMutant,	1_2_034735C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034739B0 NtGetContextThread,	1_2_034739B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03473D70 NtOpenThread,	1_2_03473D70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03473D10 NtOpenProcessToken,	1_2_03473D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031CA036 NtQueryInformationProcess,NtSuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread,NtClose,	1_2_031CA036
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031CA042 NtQueryInformationProcess,	1_2_031CA042
Source: C:\Windows\explorer.exe	Code function: 2_2_0E636232 NtCreateFile,	2_2_0E636232
Source: C:\Windows\explorer.exe	Code function: 2_2_0E637E12 NtProtectVirtualMemory,	2_2_0E637E12
Source: C:\Windows\explorer.exe	Code function: 2_2_0E637E0A NtProtectVirtualMemory,	2_2_0E637E0A

Contains functionality to communicate with device drivers

Source: C:\Users\user\Desktop\(2).docx.exe

Code function: 0_2_00316606: CreateFileW,DeviceIoControl,CloseHandle,

0_2_00316606

Contains functionality to launch a process as a different user

Source: C:\Users\user\Desktop\(2).docx.exe

Code function: 0_2_0030ACC5 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_0030ACC5

Contains functionality to shutdown / reboot the system

Source: C:\Users\user\Desktop\(2).docx.exe

Code function: 0_2_003179D3 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_003179D3

Detected potential crypto function

Source: C:\Users\user\Desktop\(2).docx.exe	Code function: 0_2_002FB043	0_2_002FB043
Source: C:\Users\user\Desktop\(2).docx.exe	Code function: 0_2_002E3200	0_2_002E3200
Source: C:\Users\user\Desktop\(2).docx.exe	Code function: 0_2_002E3B70	0_2_002E3B70
Source: C:\Users\user\Desktop\(2).docx.exe	Code function: 0_2_0030410F	0_2_0030410F
Source: C:\Users\user\Desktop\(2).docx.exe	Code function: 0_2_002F02A4	0_2_002F02A4
Source: C:\Users\user\Desktop\(2).docx.exe	Code function: 0_2_0030038E	0_2_0030038E
Source: C:\Users\user\Desktop\(2).docx.exe	Code function: 0_2_002DE3E3	0_2_002DE3E3
Source: C:\Users\user\Desktop\(2).docx.exe	Code function: 0_2_0030467F	0_2_0030467F
Source: C:\Users\user\Desktop\(2).docx.exe	Code function: 0_2_002F06D9	0_2_002F06D9
Source: C:\Users\user\Desktop\(2).docx.exe	Code function: 0_2_0033AACE	0_2_0033AACE
Source: C:\Users\user\Desktop\(2).docx.exe	Code function: 0_2_00304BEF	0_2_00304BEF
Source: C:\Users\user\Desktop\(2).docx.exe	Code function: 0_2_002ECC7F	0_2_002ECC7F
Source: C:\Users\user\Desktop\(2).docx.exe	Code function: 0_2_002FCCC1	0_2_002FCCC1
Source: C:\Users\user\Desktop\(2).docx.exe	Code function: 0_2_002D6F07	0_2_002D6F07
Source: C:\Users\user\Desktop\(2).docx.exe	Code function: 0_2_002DAF50	0_2_002DAF50
Source: C:\Users\user\Desktop\(2).docx.exe	Code function: 0_2_002EB11F	0_2_002EB11F
Source: C:\Users\user\Desktop\(2).docx.exe	Code function: 0_2_003331BC	0_2_003331BC
Source: C:\Users\user\Desktop\(2).docx.exe	Code function: 0_2_002FD1B9	0_2_002FD1B9
Source: C:\Users\user\Desktop\(2).docx.exe	Code function: 0_2_002F123A	0_2_002F123A
Source: C:\Users\user\Desktop\(2).docx.exe	Code function: 0_2_0030724D	0_2_0030724D
Source: C:\Users\user\Desktop\(2).docx.exe	Code function: 0_2_002D93F0	0_2_002D93F0
Source: C:\Users\user\Desktop\(2).docx.exe	Code function: 0_2_003113CA	0_2_003113CA
Source: C:\Users\user\Desktop\(2).docx.exe	Code function: 0_2_002EF563	0_2_002EF563
Source: C:\Users\user\Desktop\(2).docx.exe	Code function: 0_2_002D96C0	0_2_002D96C0
Source: C:\Users\user\Desktop\(2).docx.exe	Code function: 0_2_0031B6CC	0_2_0031B6CC
Source: C:\Users\user\Desktop\(2).docx.exe	Code function: 0_2_002D77B0	0_2_002D77B0
Source: C:\Users\user\Desktop\(2).docx.exe	Code function: 0_2_0033F7FF	0_2_0033F7FF
Source: C:\Users\user\Desktop\(2).docx.exe	Code function: 0_2_003079C9	0_2_003079C9
Source: C:\Users\user\Desktop\(2).docx.exe	Code function: 0_2_002EFA57	0_2_002EFA57
Source: C:\Users\user\Desktop\(2).docx.exe	Code function: 0_2_002D9B60	0_2_002D9B60
Source: C:\Users\user\Desktop\(2).docx.exe	Code function: 0_2_002D7D19	0_2_002D7D19
Source: C:\Users\user\Desktop\(2).docx.exe	Code function: 0_2_002EFE6F	0_2_002EFE6F
Source: C:\Users\user\Desktop\(2).docx.exe	Code function: 0_2_002F9ED0	0_2_002F9ED0
Source: C:\Users\user\Desktop\(2).docx.exe	Code function: 0_2_002D7FA3	0_2_002D7FA3
Source: C:\Users\user\Desktop\(2).docx.exe	Code function: 0_2_012597C8	0_2_012597C8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00401026	1_2_00401026
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00401030	1_2_00401030
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0041E1B7	1_2_0041E1B7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0041DA08	1_2_0041DA08
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00402D87	1_2_00402D87
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00402D90	1_2_00402D90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00409E5B	1_2_00409E5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00409E60	1_2_00409E60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00402FB0	1_2_00402FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034FA352	1_2_034FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0344E3F0	1_2_0344E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_035003E6	1_2_035003E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034E0274	1_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034C02C0	1_2_034C02C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034C8158	1_2_034C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03430100	1_2_03430100
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034DA118	1_2_034DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034F81CC	1_2_034F81CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034F41A2	1_2_034F41A2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_035001AA	1_2_035001AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034D2000	1_2_034D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03464750	1_2_03464750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03440770	1_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0343C7C0	1_2_0343C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0345C6E0	1_2_0345C6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03440535	1_2_03440535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03500591	1_2_03500591
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034F2446	1_2_034F2446
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034E4420	1_2_034E4420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034EE4F6	1_2_034EE4F6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034FAB40	1_2_034FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034F6BD7	1_2_034F6BD7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0343EA80	1_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03456962	1_2_03456962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034429A0	1_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0350A9A6	1_2_0350A9A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0344A840	1_2_0344A840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03442840	1_2_03442840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0346E8F0	1_2_0346E8F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034268B8	1_2_034268B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B4F40	1_2_034B4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03482F28	1_2_03482F28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03460F30	1_2_03460F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034E2F30	1_2_034E2F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03432FC8	1_2_03432FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034BEFA0	1_2_034BEFA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03440E59	1_2_03440E59
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034FEE26	1_2_034FEE26
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034FEEDB	1_2_034FEEDB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03452E90	1_2_03452E90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034FCE93	1_2_034FCE93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0344AD00	1_2_0344AD00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034DCD1F	1_2_034DCD1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0343ADE0	1_2_0343ADE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03458DBF	1_2_03458DBF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03440C00	1_2_03440C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03430CF2	1_2_03430CF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034E0CB5	1_2_034E0CB5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0342D34C	1_2_0342D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034F132D	1_2_034F132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0348739A	1_2_0348739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0345B2C0	1_2_0345B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034E12ED	1_2_034E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0345D2F0	1_2_0345D2F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034452A0	1_2_034452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0347516C	1_2_0347516C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0342F172	1_2_0342F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0350B16B	1_2_0350B16B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0344B1B0	1_2_0344B1B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034EF0CC	1_2_034EF0CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034470C0	1_2_034470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034F70E9	1_2_034F70E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034FF0E0	1_2_034FF0E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034FF7B0	1_2_034FF7B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03485630	1_2_03485630
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034F16CC	1_2_034F16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034F7571	1_2_034F7571
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_035095C3	1_2_035095C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034DD5B0	1_2_034DD5B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03431460	1_2_03431460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034FF43F	1_2_034FF43F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034FFB76	1_2_034FFB76
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B5BF0	1_2_034B5BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0347DBF9	1_2_0347DBF9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0345FB80	1_2_0345FB80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034FFA49	1_2_034FFA49
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034F7A46	1_2_034F7A46
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B3A6C	1_2_034B3A6C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034EDAC6	1_2_034EDAC6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034DDAAC	1_2_034DDAAC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03485AA0	1_2_03485AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034E1AA3	1_2_034E1AA3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03449950	1_2_03449950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0345B950	1_2_0345B950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034D5910	1_2_034D5910
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034AD800	1_2_034AD800
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034438E0	1_2_034438E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034FFF09	1_2_034FFF09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03403FD2	1_2_03403FD2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03403FD5	1_2_03403FD5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03441F92	1_2_03441F92
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034FFFB1	1_2_034FFFB1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03449EB0	1_2_03449EB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03443D40	1_2_03443D40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034F1D5A	1_2_034F1D5A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034F7D73	1_2_034F7D73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0345FDC0	1_2_0345FDC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B9C32	1_2_034B9C32
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034FFCF2	1_2_034FFCF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031CA036	1_2_031CA036
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031CB232	1_2_031CB232
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031C1082	1_2_031C1082
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031CE5CD	1_2_031CE5CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031C5B30	1_2_031C5B30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031C5B32	1_2_031C5B32
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031C8912	1_2_031C8912
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031C2D02	1_2_031C2D02
Source: C:\Windows\explorer.exe	Code function: 2_2_0E636232	2_2_0E636232
Source: C:\Windows\explorer.exe	Code function: 2_2_0E635036	2_2_0E635036
Source: C:\Windows\explorer.exe	Code function: 2_2_0E62C082	2_2_0E62C082
Source: C:\Windows\explorer.exe	Code function: 2_2_0E630B32	2_2_0E630B32
Source: C:\Windows\explorer.exe	Code function: 2_2_0E630B30	2_2_0E630B30
Source: C:\Windows\explorer.exe	Code function: 2_2_0E62DD02	2_2_0E62DD02
Source: C:\Windows\explorer.exe	Code function: 2_2_0E633912	2_2_0E633912
Source: C:\Windows\explorer.exe	Code function: 2_2_0E6395CD	2_2_0E6395CD
Source: C:\Windows\explorer.exe	Code function: 2_2_10AB5082	2_2_10AB5082
Source: C:\Windows\explorer.exe	Code function: 2_2_10ABE036	2_2_10ABE036
Source: C:\Windows\explorer.exe	Code function: 2_2_10AC25CD	2_2_10AC25CD
Source: C:\Windows\explorer.exe	Code function: 2_2_10AB6D02	2_2_10AB6D02
Source: C:\Windows\explorer.exe	Code function: 2_2_10ABC912	2_2_10ABC912
Source: C:\Windows\explorer.exe	Code function: 2_2_10ABF232	2_2_10ABF232
Source: C:\Windows\explorer.exe	Code function: 2_2_10AB9B32	2_2_10AB9B32
Source: C:\Windows\explorer.exe	Code function: 2_2_10AB9B30	2_2_10AB9B30

Found potential string decryption / allocating functions

Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 034AEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 0342B970 appears 262 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03475130 appears 58 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03487E54 appears 107 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 034BF290 appears 103 times
Source: C:\Users\user\Desktop\(2).docx.exe	Code function: String function: 002F6AC0 appears 42 times
Source: C:\Users\user\Desktop\(2).docx.exe	Code function: String function: 002FF8A0 appears 35 times
Source: C:\Users\user\Desktop\(2).docx.exe	Code function: String function: 002EEC2F appears 68 times

Sample file is different than original file name gathered from version info

Source: (2).docx.exe, 00000000.00000003.1711064108.0000000003C2D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs (2).docx.exe
Source: (2).docx.exe, 00000000.00000003.1706891600.0000000003A83000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs (2).docx.exe

Uses 32bit PE files

Source: (2).docx.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Uses a Windows Living Off The Land Binaries (LOL bins)

Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\cmstp.exe "C:\Windows\SysWOW64\cmstp.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\cmstp.exe "C:\Windows\SysWOW64\cmstp.exe"			Jump to behavior

Yara signature match

Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.(2).docx.exe.1d10000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0.2.(2).docx.exe.1d10000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.(2).docx.exe.1d10000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.(2).docx.exe.1d10000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0.2.(2).docx.exe.1d10000.1.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.(2).docx.exe.1d10000.1.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.1712953474.0000000001D10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.1712953474.0000000001D10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.1712953474.0000000001D10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.1770954134.0000000000F10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000001.00000002.1770954134.0000000000F10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.1770954134.0000000000F10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.4157701602.00000000026E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.4157701602.00000000026E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.4157701602.00000000026E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.4170679439.000000000E64E000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_772cc62d os = windows, severity = x86, creation_date = 2022-05-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8343b5d02d74791ba2d5d52d19a759f761de2b5470d935000bc27ea6c0633f5, id = 772cc62d-345c-42d8-97ab-f67e447ddca4, last_modified = 2022-07-18
Source: 00000001.00000002.1769816274.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000001.00000002.1769816274.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.1769816274.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.4158199606.0000000004330000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.4158199606.0000000004330000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.4158199606.0000000004330000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.1771015115.0000000000F40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000001.00000002.1771015115.0000000000F40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.1771015115.0000000000F40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.4158309338.0000000004360000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.4158309338.0000000004360000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.4158309338.0000000004360000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: (2).docx.exe PID: 7308, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: svchost.exe PID: 7336, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: cmstp.exe PID: 7416, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.evad.winEXE@108/3@11/0

Source: C:\Users\user\Desktop\(2).docx.exe

Code function: 0_2_0031CE7A GetLastError,FormatMessageW,

0_2_0031CE7A

Source: C:\Users\user\Desktop\(2).docx.exe	Code function: 0_2_0030AB84 AdjustTokenPrivileges,CloseHandle,		0_2_0030AB84
Source: C:\Users\user\Desktop\(2).docx.exe	Code function: 0_2_0030B134 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_0030B134

Source: C:\Users\user\Desktop\(2).docx.exe

Code function: 0_2_0031E1FD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_0031E1FD

Source: C:\Users\user\Desktop\(2).docx.exe

Code function: 0_2_00316532 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,CloseHandle,

0_2_00316532

Source: C:\Users\user\Desktop\(2).docx.exe

Code function: 0_2_0032C18C CoInitializeSecurity,_memset,_memset,CoCreateInstanceEx,CoTaskMemFree,CoSetProxyBlanket,

0_2_0032C18C

Source: C:\Users\user\Desktop\(2).docx.exe

Code function: 0_2_002D406B CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_002D406B

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7448:120:WilError_03

Source: C:\Users\user\Desktop\(2).docx.exe

File created: C:\Users\user\AppData\Local\Temp\aut89B9.tmp

Jump to behavior

Source: (2).docx.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\(2).docx.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\(2).docx.exe "C:\Users\user\Desktop\(2).docx.exe"
Source: C:\Users\user\Desktop\(2).docx.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\(2).docx.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\cmstp.exe "C:\Windows\SysWOW64\cmstp.exe"
Source: C:\Windows\SysWOW64\cmstp.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\svchost.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\(2).docx.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\(2).docx.exe"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\cmstp.exe "C:\Windows\SysWOW64\cmstp.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\svchost.exe"	Jump to behavior

Source: C:\Users\user\Desktop\(2).docx.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\(2).docx.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\(2).docx.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\(2).docx.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\(2).docx.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\(2).docx.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\(2).docx.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\(2).docx.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\(2).docx.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\(2).docx.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\(2).docx.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\(2).docx.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.internal.shell.broker.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mfsrcsnk.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Section loaded: cmutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Section loaded: wininet.dll	Jump to behavior

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{50CE75BC-766C-4136-BF5E-9197AA23569E}\InProcServer32

Jump to behavior

Source: (2).docx.exe

Static file information: File size 1310208 > 1048576

Source: (2).docx.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: (2).docx.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: (2).docx.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: (2).docx.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: (2).docx.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: (2).docx.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: (2).docx.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: cmstp.pdbGCTL source: svchost.exe, 00000001.00000003.1768938780.0000000000C2F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1768777002.0000000000C1C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1771267761.00000000031E0000.00000040.10000000.00040000.00000000.sdmp, cmstp.exe, 00000003.00000002.4157551196.0000000000370000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: (2).docx.exe, 00000000.00000003.1710199519.0000000003960000.00000004.00001000.00020000.00000000.sdmp, (2).docx.exe, 00000000.00000003.1703950706.0000000003AD0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1713084790.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1771326144.000000000359E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1771326144.0000000003400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1711161048.0000000003000000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000003.00000002.4158569975.0000000004590000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 00000003.00000002.4158569975.000000000472E000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 00000003.00000003.1772205219.00000000043EA000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000003.00000003.1769783725.0000000004235000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: (2).docx.exe, 00000000.00000003.1710199519.0000000003960000.00000004.00001000.00020000.00000000.sdmp, (2).docx.exe, 00000000.00000003.1703950706.0000000003AD0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000003.1713084790.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1771326144.000000000359E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1771326144.0000000003400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1711161048.0000000003000000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000003.00000002.4158569975.0000000004590000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 00000003.00000002.4158569975.000000000472E000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 00000003.00000003.1772205219.00000000043EA000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000003.00000003.1769783725.0000000004235000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: cmstp.pdb source: svchost.exe, 00000001.00000003.1768938780.0000000000C2F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1768777002.0000000000C1C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1771267761.00000000031E0000.00000040.10000000.00040000.00000000.sdmp, cmstp.exe, 00000003.00000002.4157551196.0000000000370000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdb source: explorer.exe, 00000002.00000002.4173159829.0000000010D6F000.00000004.80000000.00040000.00000000.sdmp, cmstp.exe, 00000003.00000002.4159091144.0000000004ADF000.00000004.10000000.00040000.00000000.sdmp, cmstp.exe, 00000003.00000002.4157938897.00000000027FC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: explorer.exe, 00000002.00000002.4173159829.0000000010D6F000.00000004.80000000.00040000.00000000.sdmp, cmstp.exe, 00000003.00000002.4159091144.0000000004ADF000.00000004.10000000.00040000.00000000.sdmp, cmstp.exe, 00000003.00000002.4157938897.00000000027FC000.00000004.00000020.00020000.00000000.sdmp

Source: (2).docx.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: (2).docx.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: (2).docx.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: (2).docx.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: (2).docx.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\(2).docx.exe

Code function: 0_2_002EE01E LoadLibraryA,GetProcAddress,

0_2_002EE01E

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\(2).docx.exe	Code function: 0_2_002FC09E push esi; ret	0_2_002FC0A0
Source: C:\Users\user\Desktop\(2).docx.exe	Code function: 0_2_002FC187 push edi; ret	0_2_002FC189
Source: C:\Users\user\Desktop\(2).docx.exe	Code function: 0_2_0033C8BC push esi; ret	0_2_0033C8BE
Source: C:\Users\user\Desktop\(2).docx.exe	Code function: 0_2_002F6B05 push ecx; ret	0_2_002F6B18
Source: C:\Users\user\Desktop\(2).docx.exe	Code function: 0_2_0031B2B1 push FFFFFF8Bh; iretd	0_2_0031B2B3
Source: C:\Users\user\Desktop\(2).docx.exe	Code function: 0_2_002FBDAA push edi; ret	0_2_002FBDAC
Source: C:\Users\user\Desktop\(2).docx.exe	Code function: 0_2_002FBEC3 push esi; ret	0_2_002FBEC5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00404905 push eax; iretd	1_2_0040490C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00417AD0 push ecx; ret	1_2_00417AD1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00416431 push 00000063h; ret	1_2_00416438
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0041D4E2 push eax; ret	1_2_0041D4E8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0041D4EB push eax; ret	1_2_0041D552
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00409C84 push esi; ret	1_2_00409C85
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0041D495 push eax; ret	1_2_0041D4E8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0041D54C push eax; ret	1_2_0041D552
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0041973C push esi; retf	1_2_0041973D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0340225F pushad ; ret	1_2_034027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034027FA pushad ; ret	1_2_034027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034309AD push ecx; mov dword ptr [esp], ecx	1_2_034309B6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0340283D push eax; iretd	1_2_03402858
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0340135E push eax; iretd	1_2_03401369
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031CEB1E push esp; retn 0000h	1_2_031CEB1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031CEB02 push esp; retn 0000h	1_2_031CEB03
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031CE9B5 push esp; retn 0000h	1_2_031CEAE7
Source: C:\Windows\explorer.exe	Code function: 2_2_0E639B02 push esp; retn 0000h	2_2_0E639B03
Source: C:\Windows\explorer.exe	Code function: 2_2_0E639B1E push esp; retn 0000h	2_2_0E639B1F
Source: C:\Windows\explorer.exe	Code function: 2_2_0E6399B5 push esp; retn 0000h	2_2_0E639AE7
Source: C:\Windows\explorer.exe	Code function: 2_2_10AC29B5 push esp; retn 0000h	2_2_10AC2AE7
Source: C:\Windows\explorer.exe	Code function: 2_2_10AC2B02 push esp; retn 0000h	2_2_10AC2B03
Source: C:\Windows\explorer.exe	Code function: 2_2_10AC2B1E push esp; retn 0000h	2_2_10AC2B1F

Hooking and other Techniques for Hiding and Protection

Uses an obfuscated file name to hide its real file extension (double extension)

Source: Possible double extension: docx.exe

Static PE information: (2).docx.exe

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Source: C:\Users\user\Desktop\(2).docx.exe	Code function: 0_2_00338111 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00338111
Source: C:\Users\user\Desktop\(2).docx.exe	Code function: 0_2_002EEB42 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_002EEB42

Extensive use of GetProcAddress (often used to hide API calls)

Source: C:\Users\user\Desktop\(2).docx.exe

Code function: 0_2_002F123A __initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_002F123A

Source: C:\Users\user\Desktop\(2).docx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\(2).docx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\(2).docx.exe	API/Special instruction interceptor: Address: 12593EC
Source: C:\Windows\SysWOW64\svchost.exe	API/Special instruction interceptor: Address: 7FFE2220D324
Source: C:\Windows\SysWOW64\svchost.exe	API/Special instruction interceptor: Address: 7FFE22210774
Source: C:\Windows\SysWOW64\svchost.exe	API/Special instruction interceptor: Address: 7FFE22210154
Source: C:\Windows\SysWOW64\svchost.exe	API/Special instruction interceptor: Address: 7FFE2220D8A4
Source: C:\Windows\SysWOW64\svchost.exe	API/Special instruction interceptor: Address: 7FFE2220DA44
Source: C:\Windows\SysWOW64\svchost.exe	API/Special instruction interceptor: Address: 7FFE2220D1E4
Source: C:\Windows\SysWOW64\cmstp.exe	API/Special instruction interceptor: Address: 7FFE2220D324
Source: C:\Windows\SysWOW64\cmstp.exe	API/Special instruction interceptor: Address: 7FFE22210774
Source: C:\Windows\SysWOW64\cmstp.exe	API/Special instruction interceptor: Address: 7FFE2220D944
Source: C:\Windows\SysWOW64\cmstp.exe	API/Special instruction interceptor: Address: 7FFE2220D504
Source: C:\Windows\SysWOW64\cmstp.exe	API/Special instruction interceptor: Address: 7FFE2220D544
Source: C:\Windows\SysWOW64\cmstp.exe	API/Special instruction interceptor: Address: 7FFE2220D1E4
Source: C:\Windows\SysWOW64\cmstp.exe	API/Special instruction interceptor: Address: 7FFE22210154
Source: C:\Windows\SysWOW64\cmstp.exe	API/Special instruction interceptor: Address: 7FFE2220D8A4
Source: C:\Windows\SysWOW64\cmstp.exe	API/Special instruction interceptor: Address: 7FFE2220DA44

Tries to detect virtualization through RDTSC time measurements

Source: C:\Windows\SysWOW64\svchost.exe	RDTSC instruction interceptor: First address: 409904 second address: 40990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\svchost.exe	RDTSC instruction interceptor: First address: 409B7E second address: 409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmstp.exe	RDTSC instruction interceptor: First address: 26E9904 second address: 26E990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmstp.exe	RDTSC instruction interceptor: First address: 26E9B7E second address: 26E9B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 1_2_00409AB0 rdtsc

1_2_00409AB0

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 1402	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 8546	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 870	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 869	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Window / User API: threadDelayed 8100	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Window / User API: threadDelayed 1873	Jump to behavior

Found evaded block containing many API calls

Source: C:\Users\user\Desktop\(2).docx.exe

Evaded block: after key decision

Found evasive API chain (date check)

Source: C:\Users\user\Desktop\(2).docx.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

Found large amount of non-executed APIs

Source: C:\Users\user\Desktop\(2).docx.exe	API coverage: 4.6 %
Source: C:\Windows\SysWOW64\svchost.exe	API coverage: 2.0 %

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\explorer.exe TID: 7748	Thread sleep count: 1402 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7748	Thread sleep time: -2804000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7748	Thread sleep count: 8546 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7748	Thread sleep time: -17092000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe TID: 7516	Thread sleep count: 8100 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe TID: 7516	Thread sleep time: -16200000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe TID: 7516	Thread sleep count: 1873 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe TID: 7516	Thread sleep time: -3746000s >= -30000s	Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\SysWOW64\cmstp.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\cmstp.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\(2).docx.exe	Code function: 0_2_00316CA9 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00316CA9
Source: C:\Users\user\Desktop\(2).docx.exe	Code function: 0_2_003160DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,	0_2_003160DD
Source: C:\Users\user\Desktop\(2).docx.exe	Code function: 0_2_003163F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,	0_2_003163F9
Source: C:\Users\user\Desktop\(2).docx.exe	Code function: 0_2_0031EB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0031EB60
Source: C:\Users\user\Desktop\(2).docx.exe	Code function: 0_2_0031F56F FindFirstFileW,FindClose,	0_2_0031F56F
Source: C:\Users\user\Desktop\(2).docx.exe	Code function: 0_2_0031F5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_0031F5FA
Source: C:\Users\user\Desktop\(2).docx.exe	Code function: 0_2_00321B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00321B2F
Source: C:\Users\user\Desktop\(2).docx.exe	Code function: 0_2_00321C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00321C8A
Source: C:\Users\user\Desktop\(2).docx.exe	Code function: 0_2_00321F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00321F94

Source: C:\Users\user\Desktop\(2).docx.exe

Code function: 0_2_002EDDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_002EDDC0

Source: explorer.exe, 00000002.00000000.1720157919.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: k&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000002.00000000.1723443132.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}D.exe??f
Source: explorer.exe, 00000002.00000000.1719453857.0000000009815000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NECVMWar VMware SATA CD00\w
Source: explorer.exe, 00000002.00000000.1719453857.0000000009815000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}$
Source: explorer.exe, 00000002.00000000.1717133268.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
Source: explorer.exe, 00000002.00000000.1720157919.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000002.00000002.4157904661.0000000001240000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&0000000}
Source: explorer.exe, 00000002.00000000.1717133268.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000002.00000000.1717133268.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}%
Source: explorer.exe, 00000002.00000002.4164107496.000000000997A000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000002.00000002.4160238706.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NXTTAVMWare
Source: explorer.exe, 00000002.00000000.1719453857.0000000009815000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f&0&000000
Source: explorer.exe, 00000002.00000000.1719453857.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3106173503.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4163164050.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1719453857.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3106173503.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4163164050.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000002.00000002.4164107496.000000000997A000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: explorer.exe, 00000002.00000000.1717133268.0000000007A34000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4160238706.0000000007A34000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWen-GBnx
Source: explorer.exe, 00000002.00000002.4157904661.0000000001240000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 00000002.00000002.4163062009.0000000009660000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000er
Source: explorer.exe, 00000002.00000002.4157904661.0000000001240000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Windows\SysWOW64\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Checks if the current process is being debugged

Source: C:\Windows\SysWOW64\svchost.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Process queried: DebugPort			Jump to behavior

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 1_2_00409AB0 rdtsc

1_2_00409AB0

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 1_2_0040ACF0 LdrLoadDll,

1_2_0040ACF0

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Source: C:\Users\user\Desktop\(2).docx.exe

Code function: 0_2_00326AAF BlockInput,

0_2_00326AAF

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\Desktop\(2).docx.exe

Code function: 0_2_002D3D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_002D3D19

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Source: C:\Users\user\Desktop\(2).docx.exe

Code function: 0_2_00303920 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW,

0_2_00303920

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\(2).docx.exe

Code function: 0_2_002EE01E LoadLibraryA,GetProcAddress,

0_2_002EE01E

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\(2).docx.exe	Code function: 0_2_01258048 mov eax, dword ptr fs:[00000030h]	0_2_01258048
Source: C:\Users\user\Desktop\(2).docx.exe	Code function: 0_2_01259658 mov eax, dword ptr fs:[00000030h]	0_2_01259658
Source: C:\Users\user\Desktop\(2).docx.exe	Code function: 0_2_012596B8 mov eax, dword ptr fs:[00000030h]	0_2_012596B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B2349 mov eax, dword ptr fs:[00000030h]	1_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B2349 mov eax, dword ptr fs:[00000030h]	1_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B2349 mov eax, dword ptr fs:[00000030h]	1_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B2349 mov eax, dword ptr fs:[00000030h]	1_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B2349 mov eax, dword ptr fs:[00000030h]	1_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B2349 mov eax, dword ptr fs:[00000030h]	1_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B2349 mov eax, dword ptr fs:[00000030h]	1_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B2349 mov eax, dword ptr fs:[00000030h]	1_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B2349 mov eax, dword ptr fs:[00000030h]	1_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B2349 mov eax, dword ptr fs:[00000030h]	1_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B2349 mov eax, dword ptr fs:[00000030h]	1_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B2349 mov eax, dword ptr fs:[00000030h]	1_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B2349 mov eax, dword ptr fs:[00000030h]	1_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B2349 mov eax, dword ptr fs:[00000030h]	1_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B2349 mov eax, dword ptr fs:[00000030h]	1_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B035C mov eax, dword ptr fs:[00000030h]	1_2_034B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B035C mov eax, dword ptr fs:[00000030h]	1_2_034B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B035C mov eax, dword ptr fs:[00000030h]	1_2_034B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B035C mov ecx, dword ptr fs:[00000030h]	1_2_034B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B035C mov eax, dword ptr fs:[00000030h]	1_2_034B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B035C mov eax, dword ptr fs:[00000030h]	1_2_034B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034FA352 mov eax, dword ptr fs:[00000030h]	1_2_034FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034D8350 mov ecx, dword ptr fs:[00000030h]	1_2_034D8350
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0350634F mov eax, dword ptr fs:[00000030h]	1_2_0350634F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034D437C mov eax, dword ptr fs:[00000030h]	1_2_034D437C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0346A30B mov eax, dword ptr fs:[00000030h]	1_2_0346A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0346A30B mov eax, dword ptr fs:[00000030h]	1_2_0346A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0346A30B mov eax, dword ptr fs:[00000030h]	1_2_0346A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0342C310 mov ecx, dword ptr fs:[00000030h]	1_2_0342C310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03450310 mov ecx, dword ptr fs:[00000030h]	1_2_03450310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03508324 mov eax, dword ptr fs:[00000030h]	1_2_03508324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03508324 mov ecx, dword ptr fs:[00000030h]	1_2_03508324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03508324 mov eax, dword ptr fs:[00000030h]	1_2_03508324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03508324 mov eax, dword ptr fs:[00000030h]	1_2_03508324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034EC3CD mov eax, dword ptr fs:[00000030h]	1_2_034EC3CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0343A3C0 mov eax, dword ptr fs:[00000030h]	1_2_0343A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0343A3C0 mov eax, dword ptr fs:[00000030h]	1_2_0343A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0343A3C0 mov eax, dword ptr fs:[00000030h]	1_2_0343A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0343A3C0 mov eax, dword ptr fs:[00000030h]	1_2_0343A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0343A3C0 mov eax, dword ptr fs:[00000030h]	1_2_0343A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0343A3C0 mov eax, dword ptr fs:[00000030h]	1_2_0343A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B63C0 mov eax, dword ptr fs:[00000030h]	1_2_034B63C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034DE3DB mov eax, dword ptr fs:[00000030h]	1_2_034DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034DE3DB mov eax, dword ptr fs:[00000030h]	1_2_034DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034DE3DB mov ecx, dword ptr fs:[00000030h]	1_2_034DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034DE3DB mov eax, dword ptr fs:[00000030h]	1_2_034DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034D43D4 mov eax, dword ptr fs:[00000030h]	1_2_034D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034D43D4 mov eax, dword ptr fs:[00000030h]	1_2_034D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034403E9 mov eax, dword ptr fs:[00000030h]	1_2_034403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034403E9 mov eax, dword ptr fs:[00000030h]	1_2_034403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034403E9 mov eax, dword ptr fs:[00000030h]	1_2_034403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034403E9 mov eax, dword ptr fs:[00000030h]	1_2_034403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034403E9 mov eax, dword ptr fs:[00000030h]	1_2_034403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034403E9 mov eax, dword ptr fs:[00000030h]	1_2_034403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034403E9 mov eax, dword ptr fs:[00000030h]	1_2_034403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034403E9 mov eax, dword ptr fs:[00000030h]	1_2_034403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0344E3F0 mov eax, dword ptr fs:[00000030h]	1_2_0344E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0344E3F0 mov eax, dword ptr fs:[00000030h]	1_2_0344E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0344E3F0 mov eax, dword ptr fs:[00000030h]	1_2_0344E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034663FF mov eax, dword ptr fs:[00000030h]	1_2_034663FF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0342E388 mov eax, dword ptr fs:[00000030h]	1_2_0342E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0342E388 mov eax, dword ptr fs:[00000030h]	1_2_0342E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0342E388 mov eax, dword ptr fs:[00000030h]	1_2_0342E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0345438F mov eax, dword ptr fs:[00000030h]	1_2_0345438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0345438F mov eax, dword ptr fs:[00000030h]	1_2_0345438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03428397 mov eax, dword ptr fs:[00000030h]	1_2_03428397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03428397 mov eax, dword ptr fs:[00000030h]	1_2_03428397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03428397 mov eax, dword ptr fs:[00000030h]	1_2_03428397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B8243 mov eax, dword ptr fs:[00000030h]	1_2_034B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B8243 mov ecx, dword ptr fs:[00000030h]	1_2_034B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0350625D mov eax, dword ptr fs:[00000030h]	1_2_0350625D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0342A250 mov eax, dword ptr fs:[00000030h]	1_2_0342A250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03436259 mov eax, dword ptr fs:[00000030h]	1_2_03436259
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034EA250 mov eax, dword ptr fs:[00000030h]	1_2_034EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034EA250 mov eax, dword ptr fs:[00000030h]	1_2_034EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03434260 mov eax, dword ptr fs:[00000030h]	1_2_03434260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03434260 mov eax, dword ptr fs:[00000030h]	1_2_03434260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03434260 mov eax, dword ptr fs:[00000030h]	1_2_03434260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0342826B mov eax, dword ptr fs:[00000030h]	1_2_0342826B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034E0274 mov eax, dword ptr fs:[00000030h]	1_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034E0274 mov eax, dword ptr fs:[00000030h]	1_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034E0274 mov eax, dword ptr fs:[00000030h]	1_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034E0274 mov eax, dword ptr fs:[00000030h]	1_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034E0274 mov eax, dword ptr fs:[00000030h]	1_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034E0274 mov eax, dword ptr fs:[00000030h]	1_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034E0274 mov eax, dword ptr fs:[00000030h]	1_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034E0274 mov eax, dword ptr fs:[00000030h]	1_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034E0274 mov eax, dword ptr fs:[00000030h]	1_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034E0274 mov eax, dword ptr fs:[00000030h]	1_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034E0274 mov eax, dword ptr fs:[00000030h]	1_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034E0274 mov eax, dword ptr fs:[00000030h]	1_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0342823B mov eax, dword ptr fs:[00000030h]	1_2_0342823B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0343A2C3 mov eax, dword ptr fs:[00000030h]	1_2_0343A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0343A2C3 mov eax, dword ptr fs:[00000030h]	1_2_0343A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0343A2C3 mov eax, dword ptr fs:[00000030h]	1_2_0343A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0343A2C3 mov eax, dword ptr fs:[00000030h]	1_2_0343A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0343A2C3 mov eax, dword ptr fs:[00000030h]	1_2_0343A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_035062D6 mov eax, dword ptr fs:[00000030h]	1_2_035062D6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034402E1 mov eax, dword ptr fs:[00000030h]	1_2_034402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034402E1 mov eax, dword ptr fs:[00000030h]	1_2_034402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034402E1 mov eax, dword ptr fs:[00000030h]	1_2_034402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0346E284 mov eax, dword ptr fs:[00000030h]	1_2_0346E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0346E284 mov eax, dword ptr fs:[00000030h]	1_2_0346E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B0283 mov eax, dword ptr fs:[00000030h]	1_2_034B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B0283 mov eax, dword ptr fs:[00000030h]	1_2_034B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B0283 mov eax, dword ptr fs:[00000030h]	1_2_034B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034402A0 mov eax, dword ptr fs:[00000030h]	1_2_034402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034402A0 mov eax, dword ptr fs:[00000030h]	1_2_034402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034C62A0 mov eax, dword ptr fs:[00000030h]	1_2_034C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034C62A0 mov ecx, dword ptr fs:[00000030h]	1_2_034C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034C62A0 mov eax, dword ptr fs:[00000030h]	1_2_034C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034C62A0 mov eax, dword ptr fs:[00000030h]	1_2_034C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034C62A0 mov eax, dword ptr fs:[00000030h]	1_2_034C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034C62A0 mov eax, dword ptr fs:[00000030h]	1_2_034C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034C4144 mov eax, dword ptr fs:[00000030h]	1_2_034C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034C4144 mov eax, dword ptr fs:[00000030h]	1_2_034C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034C4144 mov ecx, dword ptr fs:[00000030h]	1_2_034C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034C4144 mov eax, dword ptr fs:[00000030h]	1_2_034C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034C4144 mov eax, dword ptr fs:[00000030h]	1_2_034C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0342C156 mov eax, dword ptr fs:[00000030h]	1_2_0342C156
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034C8158 mov eax, dword ptr fs:[00000030h]	1_2_034C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03436154 mov eax, dword ptr fs:[00000030h]	1_2_03436154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03436154 mov eax, dword ptr fs:[00000030h]	1_2_03436154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03504164 mov eax, dword ptr fs:[00000030h]	1_2_03504164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03504164 mov eax, dword ptr fs:[00000030h]	1_2_03504164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034DE10E mov eax, dword ptr fs:[00000030h]	1_2_034DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034DE10E mov ecx, dword ptr fs:[00000030h]	1_2_034DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034DE10E mov eax, dword ptr fs:[00000030h]	1_2_034DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034DE10E mov eax, dword ptr fs:[00000030h]	1_2_034DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034DE10E mov ecx, dword ptr fs:[00000030h]	1_2_034DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034DE10E mov eax, dword ptr fs:[00000030h]	1_2_034DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034DE10E mov eax, dword ptr fs:[00000030h]	1_2_034DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034DE10E mov ecx, dword ptr fs:[00000030h]	1_2_034DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034DE10E mov eax, dword ptr fs:[00000030h]	1_2_034DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034DE10E mov ecx, dword ptr fs:[00000030h]	1_2_034DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034DA118 mov ecx, dword ptr fs:[00000030h]	1_2_034DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034DA118 mov eax, dword ptr fs:[00000030h]	1_2_034DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034DA118 mov eax, dword ptr fs:[00000030h]	1_2_034DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034DA118 mov eax, dword ptr fs:[00000030h]	1_2_034DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034F0115 mov eax, dword ptr fs:[00000030h]	1_2_034F0115
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03460124 mov eax, dword ptr fs:[00000030h]	1_2_03460124
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034F61C3 mov eax, dword ptr fs:[00000030h]	1_2_034F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034F61C3 mov eax, dword ptr fs:[00000030h]	1_2_034F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034AE1D0 mov eax, dword ptr fs:[00000030h]	1_2_034AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034AE1D0 mov eax, dword ptr fs:[00000030h]	1_2_034AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034AE1D0 mov ecx, dword ptr fs:[00000030h]	1_2_034AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034AE1D0 mov eax, dword ptr fs:[00000030h]	1_2_034AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034AE1D0 mov eax, dword ptr fs:[00000030h]	1_2_034AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_035061E5 mov eax, dword ptr fs:[00000030h]	1_2_035061E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034601F8 mov eax, dword ptr fs:[00000030h]	1_2_034601F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03470185 mov eax, dword ptr fs:[00000030h]	1_2_03470185
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034EC188 mov eax, dword ptr fs:[00000030h]	1_2_034EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034EC188 mov eax, dword ptr fs:[00000030h]	1_2_034EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034D4180 mov eax, dword ptr fs:[00000030h]	1_2_034D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034D4180 mov eax, dword ptr fs:[00000030h]	1_2_034D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B019F mov eax, dword ptr fs:[00000030h]	1_2_034B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B019F mov eax, dword ptr fs:[00000030h]	1_2_034B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B019F mov eax, dword ptr fs:[00000030h]	1_2_034B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B019F mov eax, dword ptr fs:[00000030h]	1_2_034B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0342A197 mov eax, dword ptr fs:[00000030h]	1_2_0342A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0342A197 mov eax, dword ptr fs:[00000030h]	1_2_0342A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0342A197 mov eax, dword ptr fs:[00000030h]	1_2_0342A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03432050 mov eax, dword ptr fs:[00000030h]	1_2_03432050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B6050 mov eax, dword ptr fs:[00000030h]	1_2_034B6050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0345C073 mov eax, dword ptr fs:[00000030h]	1_2_0345C073
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B4000 mov ecx, dword ptr fs:[00000030h]	1_2_034B4000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034D2000 mov eax, dword ptr fs:[00000030h]	1_2_034D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034D2000 mov eax, dword ptr fs:[00000030h]	1_2_034D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034D2000 mov eax, dword ptr fs:[00000030h]	1_2_034D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034D2000 mov eax, dword ptr fs:[00000030h]	1_2_034D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034D2000 mov eax, dword ptr fs:[00000030h]	1_2_034D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034D2000 mov eax, dword ptr fs:[00000030h]	1_2_034D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034D2000 mov eax, dword ptr fs:[00000030h]	1_2_034D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034D2000 mov eax, dword ptr fs:[00000030h]	1_2_034D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0344E016 mov eax, dword ptr fs:[00000030h]	1_2_0344E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0344E016 mov eax, dword ptr fs:[00000030h]	1_2_0344E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0344E016 mov eax, dword ptr fs:[00000030h]	1_2_0344E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0344E016 mov eax, dword ptr fs:[00000030h]	1_2_0344E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0342A020 mov eax, dword ptr fs:[00000030h]	1_2_0342A020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0342C020 mov eax, dword ptr fs:[00000030h]	1_2_0342C020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034C6030 mov eax, dword ptr fs:[00000030h]	1_2_034C6030
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B20DE mov eax, dword ptr fs:[00000030h]	1_2_034B20DE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0342A0E3 mov ecx, dword ptr fs:[00000030h]	1_2_0342A0E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034380E9 mov eax, dword ptr fs:[00000030h]	1_2_034380E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B60E0 mov eax, dword ptr fs:[00000030h]	1_2_034B60E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0342C0F0 mov eax, dword ptr fs:[00000030h]	1_2_0342C0F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034720F0 mov ecx, dword ptr fs:[00000030h]	1_2_034720F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0343208A mov eax, dword ptr fs:[00000030h]	1_2_0343208A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034280A0 mov eax, dword ptr fs:[00000030h]	1_2_034280A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034C80A8 mov eax, dword ptr fs:[00000030h]	1_2_034C80A8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034F60B8 mov eax, dword ptr fs:[00000030h]	1_2_034F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034F60B8 mov ecx, dword ptr fs:[00000030h]	1_2_034F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0346674D mov esi, dword ptr fs:[00000030h]	1_2_0346674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0346674D mov eax, dword ptr fs:[00000030h]	1_2_0346674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0346674D mov eax, dword ptr fs:[00000030h]	1_2_0346674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03430750 mov eax, dword ptr fs:[00000030h]	1_2_03430750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034BE75D mov eax, dword ptr fs:[00000030h]	1_2_034BE75D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03472750 mov eax, dword ptr fs:[00000030h]	1_2_03472750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03472750 mov eax, dword ptr fs:[00000030h]	1_2_03472750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B4755 mov eax, dword ptr fs:[00000030h]	1_2_034B4755
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03438770 mov eax, dword ptr fs:[00000030h]	1_2_03438770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03440770 mov eax, dword ptr fs:[00000030h]	1_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03440770 mov eax, dword ptr fs:[00000030h]	1_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03440770 mov eax, dword ptr fs:[00000030h]	1_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03440770 mov eax, dword ptr fs:[00000030h]	1_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03440770 mov eax, dword ptr fs:[00000030h]	1_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03440770 mov eax, dword ptr fs:[00000030h]	1_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03440770 mov eax, dword ptr fs:[00000030h]	1_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03440770 mov eax, dword ptr fs:[00000030h]	1_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03440770 mov eax, dword ptr fs:[00000030h]	1_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03440770 mov eax, dword ptr fs:[00000030h]	1_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03440770 mov eax, dword ptr fs:[00000030h]	1_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03440770 mov eax, dword ptr fs:[00000030h]	1_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0346C700 mov eax, dword ptr fs:[00000030h]	1_2_0346C700
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03430710 mov eax, dword ptr fs:[00000030h]	1_2_03430710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03460710 mov eax, dword ptr fs:[00000030h]	1_2_03460710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0346C720 mov eax, dword ptr fs:[00000030h]	1_2_0346C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0346C720 mov eax, dword ptr fs:[00000030h]	1_2_0346C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0346273C mov eax, dword ptr fs:[00000030h]	1_2_0346273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0346273C mov ecx, dword ptr fs:[00000030h]	1_2_0346273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0346273C mov eax, dword ptr fs:[00000030h]	1_2_0346273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034AC730 mov eax, dword ptr fs:[00000030h]	1_2_034AC730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0343C7C0 mov eax, dword ptr fs:[00000030h]	1_2_0343C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B07C3 mov eax, dword ptr fs:[00000030h]	1_2_034B07C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034527ED mov eax, dword ptr fs:[00000030h]	1_2_034527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034527ED mov eax, dword ptr fs:[00000030h]	1_2_034527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034527ED mov eax, dword ptr fs:[00000030h]	1_2_034527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034BE7E1 mov eax, dword ptr fs:[00000030h]	1_2_034BE7E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034347FB mov eax, dword ptr fs:[00000030h]	1_2_034347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034347FB mov eax, dword ptr fs:[00000030h]	1_2_034347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034D678E mov eax, dword ptr fs:[00000030h]	1_2_034D678E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034307AF mov eax, dword ptr fs:[00000030h]	1_2_034307AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034E47A0 mov eax, dword ptr fs:[00000030h]	1_2_034E47A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0344C640 mov eax, dword ptr fs:[00000030h]	1_2_0344C640
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034F866E mov eax, dword ptr fs:[00000030h]	1_2_034F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034F866E mov eax, dword ptr fs:[00000030h]	1_2_034F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0346A660 mov eax, dword ptr fs:[00000030h]	1_2_0346A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0346A660 mov eax, dword ptr fs:[00000030h]	1_2_0346A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03462674 mov eax, dword ptr fs:[00000030h]	1_2_03462674
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034AE609 mov eax, dword ptr fs:[00000030h]	1_2_034AE609
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0344260B mov eax, dword ptr fs:[00000030h]	1_2_0344260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0344260B mov eax, dword ptr fs:[00000030h]	1_2_0344260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0344260B mov eax, dword ptr fs:[00000030h]	1_2_0344260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0344260B mov eax, dword ptr fs:[00000030h]	1_2_0344260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0344260B mov eax, dword ptr fs:[00000030h]	1_2_0344260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0344260B mov eax, dword ptr fs:[00000030h]	1_2_0344260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0344260B mov eax, dword ptr fs:[00000030h]	1_2_0344260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03472619 mov eax, dword ptr fs:[00000030h]	1_2_03472619
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0344E627 mov eax, dword ptr fs:[00000030h]	1_2_0344E627
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03466620 mov eax, dword ptr fs:[00000030h]	1_2_03466620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03468620 mov eax, dword ptr fs:[00000030h]	1_2_03468620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0343262C mov eax, dword ptr fs:[00000030h]	1_2_0343262C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0346A6C7 mov ebx, dword ptr fs:[00000030h]	1_2_0346A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0346A6C7 mov eax, dword ptr fs:[00000030h]	1_2_0346A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034AE6F2 mov eax, dword ptr fs:[00000030h]	1_2_034AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034AE6F2 mov eax, dword ptr fs:[00000030h]	1_2_034AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034AE6F2 mov eax, dword ptr fs:[00000030h]	1_2_034AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034AE6F2 mov eax, dword ptr fs:[00000030h]	1_2_034AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B06F1 mov eax, dword ptr fs:[00000030h]	1_2_034B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B06F1 mov eax, dword ptr fs:[00000030h]	1_2_034B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03434690 mov eax, dword ptr fs:[00000030h]	1_2_03434690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03434690 mov eax, dword ptr fs:[00000030h]	1_2_03434690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0346C6A6 mov eax, dword ptr fs:[00000030h]	1_2_0346C6A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034666B0 mov eax, dword ptr fs:[00000030h]	1_2_034666B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03438550 mov eax, dword ptr fs:[00000030h]	1_2_03438550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03438550 mov eax, dword ptr fs:[00000030h]	1_2_03438550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0346656A mov eax, dword ptr fs:[00000030h]	1_2_0346656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0346656A mov eax, dword ptr fs:[00000030h]	1_2_0346656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0346656A mov eax, dword ptr fs:[00000030h]	1_2_0346656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034C6500 mov eax, dword ptr fs:[00000030h]	1_2_034C6500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03504500 mov eax, dword ptr fs:[00000030h]	1_2_03504500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03504500 mov eax, dword ptr fs:[00000030h]	1_2_03504500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03504500 mov eax, dword ptr fs:[00000030h]	1_2_03504500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03504500 mov eax, dword ptr fs:[00000030h]	1_2_03504500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03504500 mov eax, dword ptr fs:[00000030h]	1_2_03504500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03504500 mov eax, dword ptr fs:[00000030h]	1_2_03504500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03504500 mov eax, dword ptr fs:[00000030h]	1_2_03504500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03440535 mov eax, dword ptr fs:[00000030h]	1_2_03440535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03440535 mov eax, dword ptr fs:[00000030h]	1_2_03440535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03440535 mov eax, dword ptr fs:[00000030h]	1_2_03440535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03440535 mov eax, dword ptr fs:[00000030h]	1_2_03440535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03440535 mov eax, dword ptr fs:[00000030h]	1_2_03440535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03440535 mov eax, dword ptr fs:[00000030h]	1_2_03440535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0345E53E mov eax, dword ptr fs:[00000030h]	1_2_0345E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0345E53E mov eax, dword ptr fs:[00000030h]	1_2_0345E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0345E53E mov eax, dword ptr fs:[00000030h]	1_2_0345E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0345E53E mov eax, dword ptr fs:[00000030h]	1_2_0345E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0345E53E mov eax, dword ptr fs:[00000030h]	1_2_0345E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0346E5CF mov eax, dword ptr fs:[00000030h]	1_2_0346E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0346E5CF mov eax, dword ptr fs:[00000030h]	1_2_0346E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034365D0 mov eax, dword ptr fs:[00000030h]	1_2_034365D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0346A5D0 mov eax, dword ptr fs:[00000030h]	1_2_0346A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0346A5D0 mov eax, dword ptr fs:[00000030h]	1_2_0346A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0345E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0345E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0345E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0345E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0345E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0345E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0345E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0345E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0345E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0345E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0345E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0345E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0345E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0345E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0345E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0345E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034325E0 mov eax, dword ptr fs:[00000030h]	1_2_034325E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0346C5ED mov eax, dword ptr fs:[00000030h]	1_2_0346C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0346C5ED mov eax, dword ptr fs:[00000030h]	1_2_0346C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03432582 mov eax, dword ptr fs:[00000030h]	1_2_03432582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03432582 mov ecx, dword ptr fs:[00000030h]	1_2_03432582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03464588 mov eax, dword ptr fs:[00000030h]	1_2_03464588
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0346E59C mov eax, dword ptr fs:[00000030h]	1_2_0346E59C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B05A7 mov eax, dword ptr fs:[00000030h]	1_2_034B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B05A7 mov eax, dword ptr fs:[00000030h]	1_2_034B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B05A7 mov eax, dword ptr fs:[00000030h]	1_2_034B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034545B1 mov eax, dword ptr fs:[00000030h]	1_2_034545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034545B1 mov eax, dword ptr fs:[00000030h]	1_2_034545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0346E443 mov eax, dword ptr fs:[00000030h]	1_2_0346E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0346E443 mov eax, dword ptr fs:[00000030h]	1_2_0346E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0346E443 mov eax, dword ptr fs:[00000030h]	1_2_0346E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0346E443 mov eax, dword ptr fs:[00000030h]	1_2_0346E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0346E443 mov eax, dword ptr fs:[00000030h]	1_2_0346E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0346E443 mov eax, dword ptr fs:[00000030h]	1_2_0346E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0346E443 mov eax, dword ptr fs:[00000030h]	1_2_0346E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0346E443 mov eax, dword ptr fs:[00000030h]	1_2_0346E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034EA456 mov eax, dword ptr fs:[00000030h]	1_2_034EA456
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0342645D mov eax, dword ptr fs:[00000030h]	1_2_0342645D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0345245A mov eax, dword ptr fs:[00000030h]	1_2_0345245A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034BC460 mov ecx, dword ptr fs:[00000030h]	1_2_034BC460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0345A470 mov eax, dword ptr fs:[00000030h]	1_2_0345A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0345A470 mov eax, dword ptr fs:[00000030h]	1_2_0345A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0345A470 mov eax, dword ptr fs:[00000030h]	1_2_0345A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0342E420 mov eax, dword ptr fs:[00000030h]	1_2_0342E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0342E420 mov eax, dword ptr fs:[00000030h]	1_2_0342E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0342E420 mov eax, dword ptr fs:[00000030h]	1_2_0342E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0342C427 mov eax, dword ptr fs:[00000030h]	1_2_0342C427
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B6420 mov eax, dword ptr fs:[00000030h]	1_2_034B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B6420 mov eax, dword ptr fs:[00000030h]	1_2_034B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B6420 mov eax, dword ptr fs:[00000030h]	1_2_034B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B6420 mov eax, dword ptr fs:[00000030h]	1_2_034B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B6420 mov eax, dword ptr fs:[00000030h]	1_2_034B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B6420 mov eax, dword ptr fs:[00000030h]	1_2_034B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B6420 mov eax, dword ptr fs:[00000030h]	1_2_034B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034304E5 mov ecx, dword ptr fs:[00000030h]	1_2_034304E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034EA49A mov eax, dword ptr fs:[00000030h]	1_2_034EA49A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034364AB mov eax, dword ptr fs:[00000030h]	1_2_034364AB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034644B0 mov ecx, dword ptr fs:[00000030h]	1_2_034644B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034BA4B0 mov eax, dword ptr fs:[00000030h]	1_2_034BA4B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034E4B4B mov eax, dword ptr fs:[00000030h]	1_2_034E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034E4B4B mov eax, dword ptr fs:[00000030h]	1_2_034E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03502B57 mov eax, dword ptr fs:[00000030h]	1_2_03502B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03502B57 mov eax, dword ptr fs:[00000030h]	1_2_03502B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03502B57 mov eax, dword ptr fs:[00000030h]	1_2_03502B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03502B57 mov eax, dword ptr fs:[00000030h]	1_2_03502B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034C6B40 mov eax, dword ptr fs:[00000030h]	1_2_034C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034C6B40 mov eax, dword ptr fs:[00000030h]	1_2_034C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034FAB40 mov eax, dword ptr fs:[00000030h]	1_2_034FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034D8B42 mov eax, dword ptr fs:[00000030h]	1_2_034D8B42
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03428B50 mov eax, dword ptr fs:[00000030h]	1_2_03428B50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034DEB50 mov eax, dword ptr fs:[00000030h]	1_2_034DEB50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0342CB7E mov eax, dword ptr fs:[00000030h]	1_2_0342CB7E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03504B00 mov eax, dword ptr fs:[00000030h]	1_2_03504B00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034AEB1D mov eax, dword ptr fs:[00000030h]	1_2_034AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034AEB1D mov eax, dword ptr fs:[00000030h]	1_2_034AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034AEB1D mov eax, dword ptr fs:[00000030h]	1_2_034AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034AEB1D mov eax, dword ptr fs:[00000030h]	1_2_034AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034AEB1D mov eax, dword ptr fs:[00000030h]	1_2_034AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034AEB1D mov eax, dword ptr fs:[00000030h]	1_2_034AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034AEB1D mov eax, dword ptr fs:[00000030h]	1_2_034AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034AEB1D mov eax, dword ptr fs:[00000030h]	1_2_034AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034AEB1D mov eax, dword ptr fs:[00000030h]	1_2_034AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0345EB20 mov eax, dword ptr fs:[00000030h]	1_2_0345EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0345EB20 mov eax, dword ptr fs:[00000030h]	1_2_0345EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034F8B28 mov eax, dword ptr fs:[00000030h]	1_2_034F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034F8B28 mov eax, dword ptr fs:[00000030h]	1_2_034F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03450BCB mov eax, dword ptr fs:[00000030h]	1_2_03450BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03450BCB mov eax, dword ptr fs:[00000030h]	1_2_03450BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03450BCB mov eax, dword ptr fs:[00000030h]	1_2_03450BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03430BCD mov eax, dword ptr fs:[00000030h]	1_2_03430BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03430BCD mov eax, dword ptr fs:[00000030h]	1_2_03430BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03430BCD mov eax, dword ptr fs:[00000030h]	1_2_03430BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034DEBD0 mov eax, dword ptr fs:[00000030h]	1_2_034DEBD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03438BF0 mov eax, dword ptr fs:[00000030h]	1_2_03438BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03438BF0 mov eax, dword ptr fs:[00000030h]	1_2_03438BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03438BF0 mov eax, dword ptr fs:[00000030h]	1_2_03438BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0345EBFC mov eax, dword ptr fs:[00000030h]	1_2_0345EBFC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034BCBF0 mov eax, dword ptr fs:[00000030h]	1_2_034BCBF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03440BBE mov eax, dword ptr fs:[00000030h]	1_2_03440BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03440BBE mov eax, dword ptr fs:[00000030h]	1_2_03440BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034E4BB0 mov eax, dword ptr fs:[00000030h]	1_2_034E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034E4BB0 mov eax, dword ptr fs:[00000030h]	1_2_034E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03436A50 mov eax, dword ptr fs:[00000030h]	1_2_03436A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03436A50 mov eax, dword ptr fs:[00000030h]	1_2_03436A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03436A50 mov eax, dword ptr fs:[00000030h]	1_2_03436A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03436A50 mov eax, dword ptr fs:[00000030h]	1_2_03436A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03436A50 mov eax, dword ptr fs:[00000030h]	1_2_03436A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03436A50 mov eax, dword ptr fs:[00000030h]	1_2_03436A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03436A50 mov eax, dword ptr fs:[00000030h]	1_2_03436A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03440A5B mov eax, dword ptr fs:[00000030h]	1_2_03440A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03440A5B mov eax, dword ptr fs:[00000030h]	1_2_03440A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0346CA6F mov eax, dword ptr fs:[00000030h]	1_2_0346CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0346CA6F mov eax, dword ptr fs:[00000030h]	1_2_0346CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0346CA6F mov eax, dword ptr fs:[00000030h]	1_2_0346CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034DEA60 mov eax, dword ptr fs:[00000030h]	1_2_034DEA60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034ACA72 mov eax, dword ptr fs:[00000030h]	1_2_034ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034ACA72 mov eax, dword ptr fs:[00000030h]	1_2_034ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034BCA11 mov eax, dword ptr fs:[00000030h]	1_2_034BCA11
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0346CA24 mov eax, dword ptr fs:[00000030h]	1_2_0346CA24
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0345EA2E mov eax, dword ptr fs:[00000030h]	1_2_0345EA2E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03454A35 mov eax, dword ptr fs:[00000030h]	1_2_03454A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03454A35 mov eax, dword ptr fs:[00000030h]	1_2_03454A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03486ACC mov eax, dword ptr fs:[00000030h]	1_2_03486ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03486ACC mov eax, dword ptr fs:[00000030h]	1_2_03486ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03486ACC mov eax, dword ptr fs:[00000030h]	1_2_03486ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03430AD0 mov eax, dword ptr fs:[00000030h]	1_2_03430AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03464AD0 mov eax, dword ptr fs:[00000030h]	1_2_03464AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03464AD0 mov eax, dword ptr fs:[00000030h]	1_2_03464AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0346AAEE mov eax, dword ptr fs:[00000030h]	1_2_0346AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0346AAEE mov eax, dword ptr fs:[00000030h]	1_2_0346AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0343EA80 mov eax, dword ptr fs:[00000030h]	1_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0343EA80 mov eax, dword ptr fs:[00000030h]	1_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0343EA80 mov eax, dword ptr fs:[00000030h]	1_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0343EA80 mov eax, dword ptr fs:[00000030h]	1_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0343EA80 mov eax, dword ptr fs:[00000030h]	1_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0343EA80 mov eax, dword ptr fs:[00000030h]	1_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0343EA80 mov eax, dword ptr fs:[00000030h]	1_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0343EA80 mov eax, dword ptr fs:[00000030h]	1_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0343EA80 mov eax, dword ptr fs:[00000030h]	1_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03504A80 mov eax, dword ptr fs:[00000030h]	1_2_03504A80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03468A90 mov edx, dword ptr fs:[00000030h]	1_2_03468A90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03438AA0 mov eax, dword ptr fs:[00000030h]	1_2_03438AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03438AA0 mov eax, dword ptr fs:[00000030h]	1_2_03438AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03486AA4 mov eax, dword ptr fs:[00000030h]	1_2_03486AA4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B0946 mov eax, dword ptr fs:[00000030h]	1_2_034B0946
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03504940 mov eax, dword ptr fs:[00000030h]	1_2_03504940
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03456962 mov eax, dword ptr fs:[00000030h]	1_2_03456962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03456962 mov eax, dword ptr fs:[00000030h]	1_2_03456962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03456962 mov eax, dword ptr fs:[00000030h]	1_2_03456962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0347096E mov eax, dword ptr fs:[00000030h]	1_2_0347096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0347096E mov edx, dword ptr fs:[00000030h]	1_2_0347096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0347096E mov eax, dword ptr fs:[00000030h]	1_2_0347096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034D4978 mov eax, dword ptr fs:[00000030h]	1_2_034D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034D4978 mov eax, dword ptr fs:[00000030h]	1_2_034D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034BC97C mov eax, dword ptr fs:[00000030h]	1_2_034BC97C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034AE908 mov eax, dword ptr fs:[00000030h]	1_2_034AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034AE908 mov eax, dword ptr fs:[00000030h]	1_2_034AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034BC912 mov eax, dword ptr fs:[00000030h]	1_2_034BC912
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03428918 mov eax, dword ptr fs:[00000030h]	1_2_03428918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03428918 mov eax, dword ptr fs:[00000030h]	1_2_03428918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B892A mov eax, dword ptr fs:[00000030h]	1_2_034B892A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034C892B mov eax, dword ptr fs:[00000030h]	1_2_034C892B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034C69C0 mov eax, dword ptr fs:[00000030h]	1_2_034C69C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0343A9D0 mov eax, dword ptr fs:[00000030h]	1_2_0343A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0343A9D0 mov eax, dword ptr fs:[00000030h]	1_2_0343A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0343A9D0 mov eax, dword ptr fs:[00000030h]	1_2_0343A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0343A9D0 mov eax, dword ptr fs:[00000030h]	1_2_0343A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0343A9D0 mov eax, dword ptr fs:[00000030h]	1_2_0343A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0343A9D0 mov eax, dword ptr fs:[00000030h]	1_2_0343A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034649D0 mov eax, dword ptr fs:[00000030h]	1_2_034649D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034FA9D3 mov eax, dword ptr fs:[00000030h]	1_2_034FA9D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034BE9E0 mov eax, dword ptr fs:[00000030h]	1_2_034BE9E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034629F9 mov eax, dword ptr fs:[00000030h]	1_2_034629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034629F9 mov eax, dword ptr fs:[00000030h]	1_2_034629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034429A0 mov eax, dword ptr fs:[00000030h]	1_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034429A0 mov eax, dword ptr fs:[00000030h]	1_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034429A0 mov eax, dword ptr fs:[00000030h]	1_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034429A0 mov eax, dword ptr fs:[00000030h]	1_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034429A0 mov eax, dword ptr fs:[00000030h]	1_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034429A0 mov eax, dword ptr fs:[00000030h]	1_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034429A0 mov eax, dword ptr fs:[00000030h]	1_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034429A0 mov eax, dword ptr fs:[00000030h]	1_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034429A0 mov eax, dword ptr fs:[00000030h]	1_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034429A0 mov eax, dword ptr fs:[00000030h]	1_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034429A0 mov eax, dword ptr fs:[00000030h]	1_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034429A0 mov eax, dword ptr fs:[00000030h]	1_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034429A0 mov eax, dword ptr fs:[00000030h]	1_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034309AD mov eax, dword ptr fs:[00000030h]	1_2_034309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034309AD mov eax, dword ptr fs:[00000030h]	1_2_034309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B89B3 mov esi, dword ptr fs:[00000030h]	1_2_034B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B89B3 mov eax, dword ptr fs:[00000030h]	1_2_034B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B89B3 mov eax, dword ptr fs:[00000030h]	1_2_034B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03442840 mov ecx, dword ptr fs:[00000030h]	1_2_03442840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03460854 mov eax, dword ptr fs:[00000030h]	1_2_03460854
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03434859 mov eax, dword ptr fs:[00000030h]	1_2_03434859
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03434859 mov eax, dword ptr fs:[00000030h]	1_2_03434859
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034BE872 mov eax, dword ptr fs:[00000030h]	1_2_034BE872
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034BE872 mov eax, dword ptr fs:[00000030h]	1_2_034BE872
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034C6870 mov eax, dword ptr fs:[00000030h]	1_2_034C6870
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034C6870 mov eax, dword ptr fs:[00000030h]	1_2_034C6870
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034BC810 mov eax, dword ptr fs:[00000030h]	1_2_034BC810
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03452835 mov eax, dword ptr fs:[00000030h]	1_2_03452835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03452835 mov eax, dword ptr fs:[00000030h]	1_2_03452835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03452835 mov eax, dword ptr fs:[00000030h]	1_2_03452835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03452835 mov ecx, dword ptr fs:[00000030h]	1_2_03452835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03452835 mov eax, dword ptr fs:[00000030h]	1_2_03452835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03452835 mov eax, dword ptr fs:[00000030h]	1_2_03452835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0346A830 mov eax, dword ptr fs:[00000030h]	1_2_0346A830
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034D483A mov eax, dword ptr fs:[00000030h]	1_2_034D483A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034D483A mov eax, dword ptr fs:[00000030h]	1_2_034D483A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0345E8C0 mov eax, dword ptr fs:[00000030h]	1_2_0345E8C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_035008C0 mov eax, dword ptr fs:[00000030h]	1_2_035008C0

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\(2).docx.exe

Code function: 0_2_0030A66C GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_0030A66C

Enables debug privileges

Source: C:\Windows\SysWOW64\svchost.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\(2).docx.exe	Code function: 0_2_002F81AC SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_002F81AC
Source: C:\Users\user\Desktop\(2).docx.exe	Code function: 0_2_002F8189 SetUnhandledExceptionFilter,		0_2_002F8189

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\(2).docx.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\SysWOW64\cmstp.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\SysWOW64\cmstp.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\svchost.exe	Thread register set: target process: 2580			Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Thread register set: target process: 2580			Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\svchost.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Sample uses process hollowing technique

Source: C:\Windows\SysWOW64\svchost.exe

Section unmapped: C:\Windows\SysWOW64\cmstp.exe base address: 370000

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\(2).docx.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: 9C1008

Jump to behavior

Contains functionality to execute programs as a different user

Source: C:\Users\user\Desktop\(2).docx.exe

Code function: 0_2_0030B106 LogonUserW,

0_2_0030B106

Contains functionality to launch a program with higher privileges

Source: C:\Users\user\Desktop\(2).docx.exe

Code function: 0_2_002D3D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_002D3D19

Contains functionality to simulate keystroke presses

Source: C:\Users\user\Desktop\(2).docx.exe

Code function: 0_2_0031411C SendInput,keybd_event,

0_2_0031411C

Contains functionality to simulate mouse events

Source: C:\Users\user\Desktop\(2).docx.exe

Code function: 0_2_003174BB mouse_event,

0_2_003174BB

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\(2).docx.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\(2).docx.exe"			Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\svchost.exe"			Jump to behavior

Source: C:\Users\user\Desktop\(2).docx.exe

0_2_0030A66C

Source: C:\Users\user\Desktop\(2).docx.exe

Code function: 0_2_003171FA AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_003171FA

Source: (2).docx.exe, explorer.exe, 00000002.00000002.4163164050.0000000009815000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4159983624.0000000004CE0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3106173503.0000000009815000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000002.00000002.4158377602.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.1715393255.00000000018A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: (2).docx.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndTHISREMOVEblankinfoquestionstopwarning
Source: explorer.exe, 00000002.00000000.1715123564.0000000001240000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4157904661.0000000001240000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1Progman$
Source: explorer.exe, 00000002.00000002.4158377602.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.1715393255.00000000018A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000002.00000002.4158377602.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.1715393255.00000000018A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: }Program Manager

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\Desktop\(2).docx.exe

Code function: 0_2_002F65C4 cpuid

0_2_002F65C4

Source: C:\Users\user\Desktop\(2).docx.exe

Code function: 0_2_0032091D GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,__wsplitpath,_wcscat,_wcscat,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,_wcscpy,SetCurrentDirectoryW,

0_2_0032091D

Source: C:\Users\user\Desktop\(2).docx.exe

Code function: 0_2_0034B340 GetUserNameW,

0_2_0034B340

Source: C:\Users\user\Desktop\(2).docx.exe

Code function: 0_2_00301E8E __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00301E8E

Source: C:\Users\user\Desktop\(2).docx.exe

Code function: 0_2_002EDDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_002EDDC0

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.(2).docx.exe.1d10000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.(2).docx.exe.1d10000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1712953474.0000000001D10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1770954134.0000000000F10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4157701602.00000000026E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1769816274.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4158199606.0000000004330000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1771015115.0000000000F40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4158309338.0000000004360000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

OS version to string mapping found (often used in BOTs)

Source: (2).docx.exe	Binary or memory string: WIN_81
Source: (2).docx.exe	Binary or memory string: WIN_XP
Source: (2).docx.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 12, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubytep
Source: (2).docx.exe	Binary or memory string: WIN_XPe
Source: (2).docx.exe	Binary or memory string: WIN_VISTA
Source: (2).docx.exe	Binary or memory string: WIN_7
Source: (2).docx.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.(2).docx.exe.1d10000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.(2).docx.exe.1d10000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1712953474.0000000001D10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1770954134.0000000000F10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4157701602.00000000026E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1769816274.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4158199606.0000000004330000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1771015115.0000000000F40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4158309338.0000000004360000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Source: C:\Users\user\Desktop\(2).docx.exe	Code function: 0_2_00328C4F socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		0_2_00328C4F
Source: C:\Users\user\Desktop\(2).docx.exe	Code function: 0_2_0032923B socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_0032923B

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

⊘No contacted IP infos

Contacted Domains

Name	IP	Active
www.ualitystore.shop	unknown	unknown
www.ovonordisk.online	unknown	unknown
www.onesome.store	unknown	unknown
www.ijanarko.net	unknown	unknown
www.elitjatarjoukset.click	unknown	unknown
www.riteon.online	unknown	unknown
www.gzvmt.info	unknown	unknown
www.narchists.info	unknown	unknown
www.p-inbox4.click	unknown	unknown
www.2creativedesign.online	unknown	unknown
www.tandkite.fun	unknown	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
www.2creativedesign.online/ud04/	true	Avira URL Cloud: safe	unknown

AV Detection

Found malware configuration

Source: 00000000.00000002.1712953474.0000000001D10000.00000004.00001000.00020000.00000000.sdmp

Yara detected FormBook

Source: Yara match	File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.(2).docx.exe.1d10000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.(2).docx.exe.1d10000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1712953474.0000000001D10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1770954134.0000000000F10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4157701602.00000000026E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1769816274.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4158199606.0000000004330000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1771015115.0000000000F40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4158309338.0000000004360000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: (2).docx.exe

Joe Sandbox ML: detected

Uses 32bit PE files

Source: (2).docx.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: cmstp.pdbGCTL source: svchost.exe, 00000001.00000003.1768938780.0000000000C2F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1768777002.0000000000C1C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1771267761.00000000031E0000.00000040.10000000.00040000.00000000.sdmp, cmstp.exe, 00000003.00000002.4157551196.0000000000370000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: (2).docx.exe, 00000000.00000003.1710199519.0000000003960000.00000004.00001000.00020000.00000000.sdmp, (2).docx.exe, 00000000.00000003.1703950706.0000000003AD0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1713084790.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1771326144.000000000359E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1771326144.0000000003400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1711161048.0000000003000000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000003.00000002.4158569975.0000000004590000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 00000003.00000002.4158569975.000000000472E000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 00000003.00000003.1772205219.00000000043EA000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000003.00000003.1769783725.0000000004235000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: (2).docx.exe, 00000000.00000003.1710199519.0000000003960000.00000004.00001000.00020000.00000000.sdmp, (2).docx.exe, 00000000.00000003.1703950706.0000000003AD0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000003.1713084790.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1771326144.000000000359E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1771326144.0000000003400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1711161048.0000000003000000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000003.00000002.4158569975.0000000004590000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 00000003.00000002.4158569975.000000000472E000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 00000003.00000003.1772205219.00000000043EA000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000003.00000003.1769783725.0000000004235000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: cmstp.pdb source: svchost.exe, 00000001.00000003.1768938780.0000000000C2F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1768777002.0000000000C1C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1771267761.00000000031E0000.00000040.10000000.00040000.00000000.sdmp, cmstp.exe, 00000003.00000002.4157551196.0000000000370000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdb source: explorer.exe, 00000002.00000002.4173159829.0000000010D6F000.00000004.80000000.00040000.00000000.sdmp, cmstp.exe, 00000003.00000002.4159091144.0000000004ADF000.00000004.10000000.00040000.00000000.sdmp, cmstp.exe, 00000003.00000002.4157938897.00000000027FC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: explorer.exe, 00000002.00000002.4173159829.0000000010D6F000.00000004.80000000.00040000.00000000.sdmp, cmstp.exe, 00000003.00000002.4159091144.0000000004ADF000.00000004.10000000.00040000.00000000.sdmp, cmstp.exe, 00000003.00000002.4157938897.00000000027FC000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\(2).docx.exe	Code function: 0_2_00316CA9 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00316CA9
Source: C:\Users\user\Desktop\(2).docx.exe	Code function: 0_2_003160DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,	0_2_003160DD
Source: C:\Users\user\Desktop\(2).docx.exe	Code function: 0_2_003163F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,	0_2_003163F9
Source: C:\Users\user\Desktop\(2).docx.exe	Code function: 0_2_0031EB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0031EB60
Source: C:\Users\user\Desktop\(2).docx.exe	Code function: 0_2_0031F56F FindFirstFileW,FindClose,	0_2_0031F56F
Source: C:\Users\user\Desktop\(2).docx.exe	Code function: 0_2_0031F5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_0031F5FA
Source: C:\Users\user\Desktop\(2).docx.exe	Code function: 0_2_00321B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00321B2F
Source: C:\Users\user\Desktop\(2).docx.exe	Code function: 0_2_00321C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00321C8A
Source: C:\Users\user\Desktop\(2).docx.exe	Code function: 0_2_00321F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00321F94

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 4x nop then pop ebx

1_2_00407B28

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.2creativedesign.online/ud04/

Tries to resolve many domain names, but no domain seems valid

Source: unknown	DNS traffic detected: query: www.2creativedesign.online replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.tandkite.fun replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.ijanarko.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.ualitystore.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.onesome.store replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.riteon.online replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.p-inbox4.click replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.elitjatarjoukset.click replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.ovonordisk.online replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.narchists.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.gzvmt.info replaycode: Name error (3)

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Source: unknown	DNS traffic detected: query: www.2creativedesign.online replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.tandkite.fun replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.ijanarko.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.ualitystore.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.onesome.store replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.riteon.online replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.p-inbox4.click replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.elitjatarjoukset.click replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.ovonordisk.online replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.narchists.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.gzvmt.info replaycode: Name error (3)

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\(2).docx.exe

Code function: 0_2_00324EB5 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_00324EB5

Source: global traffic	DNS traffic detected: DNS query: www.elitjatarjoukset.click
Source: global traffic	DNS traffic detected: DNS query: www.gzvmt.info
Source: global traffic	DNS traffic detected: DNS query: www.riteon.online
Source: global traffic	DNS traffic detected: DNS query: www.ovonordisk.online
Source: global traffic	DNS traffic detected: DNS query: www.narchists.info
Source: global traffic	DNS traffic detected: DNS query: www.ijanarko.net
Source: global traffic	DNS traffic detected: DNS query: www.2creativedesign.online
Source: global traffic	DNS traffic detected: DNS query: www.tandkite.fun
Source: global traffic	DNS traffic detected: DNS query: www.ualitystore.shop
Source: global traffic	DNS traffic detected: DNS query: www.onesome.store
Source: global traffic	DNS traffic detected: DNS query: www.p-inbox4.click

Source: explorer.exe, 00000002.00000000.1719453857.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4163164050.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1717133268.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3106173503.000000000982D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 00000002.00000000.1719453857.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4163164050.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1717133268.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3106173503.000000000982D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 00000002.00000000.1719453857.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4163164050.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1717133268.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3106173503.000000000982D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 00000002.00000000.1719453857.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4163164050.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1717133268.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3106173503.000000000982D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000002.00000000.1717133268.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4160238706.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1720157919.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.mi
Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1720157919.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.micr
Source: explorer.exe, 00000002.00000000.1720385480.0000000009B60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.1718080624.0000000007F40000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000002.4162452584.0000000008720000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.2creativedesign.online
Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.2creativedesign.online/ud04/
Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.2creativedesign.online/ud04/www.tandkite.fun
Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.2creativedesign.onlineReferer:
Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.df.clinic
Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.df.clinic/ud04/
Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.df.clinic/ud04/www.tendmtedcpsa.site
Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.df.clinicReferer:
Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.elitjatarjoukset.click
Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.elitjatarjoukset.click/ud04/
Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.elitjatarjoukset.click/ud04/www.gzvmt.info
Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.elitjatarjoukset.clickReferer:
Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.gzvmt.info
Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.gzvmt.info/ud04/
Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.gzvmt.info/ud04/www.riteon.online
Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.gzvmt.infoReferer:
Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ijanarko.net
Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ijanarko.net/ud04/
Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ijanarko.net/ud04/www.2creativedesign.online
Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ijanarko.netReferer:
Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.inance15.site
Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.inance15.site/ud04/
Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.inance15.site/ud04/www.df.clinic
Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.inance15.siteReferer:
Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.lranchomx.xyz
Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.lranchomx.xyz/ud04/
Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.lranchomx.xyz/ud04/www.inance15.site
Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.lranchomx.xyzReferer:
Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.narchists.info
Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.narchists.info/ud04/
Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.narchists.info/ud04/www.ijanarko.net
Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.narchists.infoReferer:
Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.onesome.store
Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.onesome.store/ud04/
Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.onesome.store/ud04/www.p-inbox4.click
Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.onesome.storeReferer:
Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ovonordisk.online
Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ovonordisk.online/ud04/
Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ovonordisk.online/ud04/www.narchists.info
Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ovonordisk.onlineReferer:
Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.p-inbox4.click
Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.p-inbox4.click/ud04/
Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.p-inbox4.click/ud04/www.lranchomx.xyz
Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.p-inbox4.clickReferer:
Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.riteon.online
Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.riteon.online/ud04/
Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.riteon.online/ud04/www.ovonordisk.online
Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.riteon.onlineReferer:
Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.tandkite.fun
Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.tandkite.fun/ud04/
Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.tandkite.fun/ud04/www.ualitystore.shop
Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.tandkite.funReferer:
Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.tendmtedcpsa.site
Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.tendmtedcpsa.site/ud04/
Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.tendmtedcpsa.siteReferer:
Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ualitystore.shop
Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ualitystore.shop/ud04/
Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ualitystore.shop/ud04/www.ybzert.online
Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ualitystore.shopReferer:
Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ybzert.online
Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ybzert.online/ud04/
Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ybzert.online/ud04/www.onesome.store
Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ybzert.onlineReferer:
Source: explorer.exe, 00000002.00000002.4167170759.000000000C893000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1722046856.000000000C893000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
Source: explorer.exe, 00000002.00000002.4160238706.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1717133268.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/Vh5j3k
Source: explorer.exe, 00000002.00000002.4160238706.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1717133268.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/odirmr
Source: explorer.exe, 00000002.00000002.4167170759.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1722046856.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000002.00000003.3106173503.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1719453857.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4163164050.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000002.00000003.3106173503.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1719453857.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4163164050.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/q
Source: explorer.exe, 00000002.00000000.1715123564.0000000001240000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4158924998.0000000003700000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4157904661.0000000001240000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1716063740.0000000003700000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000002.00000000.1719453857.00000000096DF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4163164050.0000000009702000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3106173503.0000000009701000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?&
Source: explorer.exe, 00000002.00000002.4160238706.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1717133268.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&oc
Source: explorer.exe, 00000002.00000003.3106173503.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1719453857.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4160238706.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1717133268.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4163164050.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 00000002.00000000.1719453857.00000000096DF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4163164050.0000000009702000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3106173503.0000000009701000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.comi
Source: explorer.exe, 00000002.00000000.1717133268.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svg
Source: explorer.exe, 00000002.00000000.1717133268.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
Source: explorer.exe, 00000002.00000000.1717133268.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg
Source: explorer.exe, 00000002.00000002.4160238706.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1717133268.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/humidity.svg
Source: explorer.exe, 00000002.00000002.4160238706.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1717133268.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
Source: explorer.exe, 00000002.00000002.4160238706.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1717133268.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
Source: explorer.exe, 00000002.00000000.1717133268.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4160238706.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu
Source: explorer.exe, 00000002.00000000.1717133268.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4160238706.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark
Source: explorer.exe, 00000002.00000002.4160238706.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1717133268.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu
Source: explorer.exe, 00000002.00000002.4160238706.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1717133268.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu-dark
Source: explorer.exe, 00000002.00000002.4160238706.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1717133268.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY
Source: explorer.exe, 00000002.00000002.4160238706.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1717133268.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-dark
Source: explorer.exe, 00000002.00000002.4167170759.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1722046856.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com
Source: explorer.exe, 00000002.00000002.4160238706.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1717133268.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
Source: explorer.exe, 00000002.00000002.4160238706.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1717133268.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hlXIY.img
Source: explorer.exe, 00000002.00000002.4160238706.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1717133268.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAKSoFp.img
Source: explorer.exe, 00000002.00000002.4160238706.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1717133268.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAXaopi.img
Source: explorer.exe, 00000002.00000002.4160238706.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1717133268.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAgi0nZ.img
Source: explorer.exe, 00000002.00000002.4160238706.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1717133268.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBqlLky.img
Source: explorer.exe, 00000002.00000000.1717133268.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4160238706.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.img
Source: explorer.exe, 00000002.00000002.4167170759.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1722046856.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.com_
Source: explorer.exe, 00000002.00000002.4167170759.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1722046856.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.comcember
Source: explorer.exe, 00000002.00000002.4160238706.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1717133268.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://simpleflying.com/how-do-you-become-an-air-traffic-controller/
Source: explorer.exe, 00000002.00000002.4160238706.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1717133268.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000002.00000002.4160238706.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1717133268.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000002.00000002.4167170759.000000000C557000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1722046856.000000000C557000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/L
Source: explorer.exe, 00000002.00000002.4167170759.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1722046856.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.com
Source: explorer.exe, 00000002.00000002.4160238706.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1717133268.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/lifestyle/lifestyle-buzz/biden-makes-decision-that-will-impact-more-than-1
Source: explorer.exe, 00000002.00000002.4160238706.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1717133268.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/lifestyle/travel/i-ve-worked-at-a-campsite-for-5-years-these-are-the-15-mi
Source: explorer.exe, 00000002.00000000.1717133268.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4160238706.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4160238706.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1717133268.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/13-states-that-don-t-tax-your-retirement-income/ar-A
Source: explorer.exe, 00000002.00000002.4160238706.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1717133268.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/no-wonder-the-american-public-is-confused-if-you-re-
Source: explorer.exe, 00000002.00000002.4160238706.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1717133268.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow-
Source: explorer.exe, 00000002.00000002.4160238706.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1717133268.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/exclusive-john-kelly-goes-on-the-record-to-confirm-several-d
Source: explorer.exe, 00000002.00000002.4160238706.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1717133268.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/topic/breast%20cancer%20awareness%20month?ocid=winp1headerevent
Source: explorer.exe, 00000002.00000002.4160238706.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1717133268.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/a-nationwide-emergency-alert-will-be-sent-to-all-u-s-cellphones-we
Source: explorer.exe, 00000002.00000002.4160238706.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1717133268.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/metro-officials-still-investigating-friday-s-railcar-derailment/ar
Source: explorer.exe, 00000002.00000002.4160238706.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/when-does-daylight-saving-time-end-2023-here-s-when-to-set-your-cl
Source: explorer.exe, 00000002.00000002.4160238706.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1717133268.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-at
Source: explorer.exe, 00000002.00000002.4160238706.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1717133268.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/rest-of-hurricane-season-in-uncharted-waters-because-of
Source: explorer.exe, 00000002.00000002.4160238706.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1717133268.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-win
Source: explorer.exe, 00000002.00000002.4160238706.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1717133268.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com:443/en-us/feed
Source: explorer.exe, 00000002.00000002.4160238706.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1717133268.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.rd.com/list/polite-habits-campers-dislike/
Source: explorer.exe, 00000002.00000002.4160238706.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1717133268.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppe

Contains functionality for read data from the clipboard

Source: C:\Users\user\Desktop\(2).docx.exe

0_2_00326B0C

Contains functionality to modify clipboard data

Source: C:\Users\user\Desktop\(2).docx.exe

Code function: 0_2_00326D07 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00326D07

Contains functionality to read the clipboard data

Source: C:\Users\user\Desktop\(2).docx.exe

0_2_00326B0C

Contains functionality to retrieve information about pressed keystrokes

Source: C:\Users\user\Desktop\(2).docx.exe

0_2_00312B37

Potential key logger detected (key state polling based)

Source: C:\Users\user\Desktop\(2).docx.exe

0_2_0033F7FF

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.(2).docx.exe.1d10000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.(2).docx.exe.1d10000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1712953474.0000000001D10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1770954134.0000000000F10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4157701602.00000000026E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1769816274.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4158199606.0000000004330000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1771015115.0000000000F40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4158309338.0000000004360000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.(2).docx.exe.1d10000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0.2.(2).docx.exe.1d10000.1.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.(2).docx.exe.1d10000.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.(2).docx.exe.1d10000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0.2.(2).docx.exe.1d10000.1.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.(2).docx.exe.1d10000.1.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.1712953474.0000000001D10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.1712953474.0000000001D10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.1712953474.0000000001D10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.1770954134.0000000000F10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000001.00000002.1770954134.0000000000F10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.1770954134.0000000000F10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.4157701602.00000000026E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.4157701602.00000000026E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.4157701602.00000000026E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.4170679439.000000000E64E000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_772cc62d Author: unknown
Source: 00000001.00000002.1769816274.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000001.00000002.1769816274.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.1769816274.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.4158199606.0000000004330000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.4158199606.0000000004330000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.4158199606.0000000004330000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.1771015115.0000000000F40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000001.00000002.1771015115.0000000000F40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.1771015115.0000000000F40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.4158309338.0000000004360000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.4158309338.0000000004360000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.4158309338.0000000004360000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: (2).docx.exe PID: 7308, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: svchost.exe PID: 7336, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: cmstp.exe PID: 7416, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\(2).docx.exe	Code function: This is a third-party compiled AutoIt script.	0_2_002D3D19
Source: (2).docx.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: (2).docx.exe, 00000000.00000000.1686077283.000000000037E000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_52f403a0-3
Source: (2).docx.exe, 00000000.00000000.1686077283.000000000037E000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: 0SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_df831d4d-e
Source: (2).docx.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_60488e8c-5
Source: (2).docx.exe	String found in binary or memory: CSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_aa3508c2-d

Contains functionality to call native functions

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0041A340 NtCreateFile,	1_2_0041A340
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0041A3F0 NtReadFile,	1_2_0041A3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0041A470 NtClose,	1_2_0041A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0041A520 NtAllocateVirtualMemory,	1_2_0041A520
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0041A3EB NtReadFile,	1_2_0041A3EB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0041A392 NtCreateFile,NtReadFile,	1_2_0041A392
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0041A51C NtAllocateVirtualMemory,	1_2_0041A51C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03472B60 NtClose,LdrInitializeThunk,	1_2_03472B60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03472BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	1_2_03472BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03472AD0 NtReadFile,LdrInitializeThunk,	1_2_03472AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03472F30 NtCreateSection,LdrInitializeThunk,	1_2_03472F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03472FE0 NtCreateFile,LdrInitializeThunk,	1_2_03472FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03472F90 NtProtectVirtualMemory,LdrInitializeThunk,	1_2_03472F90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03472FB0 NtResumeThread,LdrInitializeThunk,	1_2_03472FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03472E80 NtReadVirtualMemory,LdrInitializeThunk,	1_2_03472E80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03472EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,	1_2_03472EA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03472D10 NtMapViewOfSection,LdrInitializeThunk,	1_2_03472D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03472D30 NtUnmapViewOfSection,LdrInitializeThunk,	1_2_03472D30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03472DD0 NtDelayExecution,LdrInitializeThunk,	1_2_03472DD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03472DF0 NtQuerySystemInformation,LdrInitializeThunk,	1_2_03472DF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03472CA0 NtQueryInformationToken,LdrInitializeThunk,	1_2_03472CA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03474340 NtSetContextThread,	1_2_03474340
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03474650 NtSuspendThread,	1_2_03474650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03472BE0 NtQueryValueKey,	1_2_03472BE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03472B80 NtQueryInformationFile,	1_2_03472B80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03472BA0 NtEnumerateValueKey,	1_2_03472BA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03472AF0 NtWriteFile,	1_2_03472AF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03472AB0 NtWaitForSingleObject,	1_2_03472AB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03472F60 NtCreateProcessEx,	1_2_03472F60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03472FA0 NtQuerySection,	1_2_03472FA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03472E30 NtWriteVirtualMemory,	1_2_03472E30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03472EE0 NtQueueApcThread,	1_2_03472EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03472D00 NtSetInformationFile,	1_2_03472D00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03472DB0 NtEnumerateKey,	1_2_03472DB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03472C60 NtCreateKey,	1_2_03472C60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03472C70 NtFreeVirtualMemory,	1_2_03472C70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03472C00 NtQueryInformationProcess,	1_2_03472C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03472CC0 NtQueryVirtualMemory,	1_2_03472CC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03472CF0 NtOpenProcess,	1_2_03472CF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03473010 NtOpenDirectoryObject,	1_2_03473010
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03473090 NtSetValueKey,	1_2_03473090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034735C0 NtCreateMutant,	1_2_034735C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034739B0 NtGetContextThread,	1_2_034739B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03473D70 NtOpenThread,	1_2_03473D70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03473D10 NtOpenProcessToken,	1_2_03473D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031CA036 NtQueryInformationProcess,NtSuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread,NtClose,	1_2_031CA036
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031CA042 NtQueryInformationProcess,	1_2_031CA042
Source: C:\Windows\explorer.exe	Code function: 2_2_0E636232 NtCreateFile,	2_2_0E636232
Source: C:\Windows\explorer.exe	Code function: 2_2_0E637E12 NtProtectVirtualMemory,	2_2_0E637E12
Source: C:\Windows\explorer.exe	Code function: 2_2_0E637E0A NtProtectVirtualMemory,	2_2_0E637E0A

Contains functionality to communicate with device drivers

Source: C:\Users\user\Desktop\(2).docx.exe

Code function: 0_2_00316606: CreateFileW,DeviceIoControl,CloseHandle,

0_2_00316606

Contains functionality to launch a process as a different user

Source: C:\Users\user\Desktop\(2).docx.exe

0_2_0030ACC5

Contains functionality to shutdown / reboot the system

Source: C:\Users\user\Desktop\(2).docx.exe

Code function: 0_2_003179D3 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_003179D3

Detected potential crypto function

Source: C:\Users\user\Desktop\(2).docx.exe	Code function: 0_2_002FB043	0_2_002FB043
Source: C:\Users\user\Desktop\(2).docx.exe	Code function: 0_2_002E3200	0_2_002E3200
Source: C:\Users\user\Desktop\(2).docx.exe	Code function: 0_2_002E3B70	0_2_002E3B70
Source: C:\Users\user\Desktop\(2).docx.exe	Code function: 0_2_0030410F	0_2_0030410F
Source: C:\Users\user\Desktop\(2).docx.exe	Code function: 0_2_002F02A4	0_2_002F02A4
Source: C:\Users\user\Desktop\(2).docx.exe	Code function: 0_2_0030038E	0_2_0030038E
Source: C:\Users\user\Desktop\(2).docx.exe	Code function: 0_2_002DE3E3	0_2_002DE3E3
Source: C:\Users\user\Desktop\(2).docx.exe	Code function: 0_2_0030467F	0_2_0030467F
Source: C:\Users\user\Desktop\(2).docx.exe	Code function: 0_2_002F06D9	0_2_002F06D9
Source: C:\Users\user\Desktop\(2).docx.exe	Code function: 0_2_0033AACE	0_2_0033AACE
Source: C:\Users\user\Desktop\(2).docx.exe	Code function: 0_2_00304BEF	0_2_00304BEF
Source: C:\Users\user\Desktop\(2).docx.exe	Code function: 0_2_002ECC7F	0_2_002ECC7F
Source: C:\Users\user\Desktop\(2).docx.exe	Code function: 0_2_002FCCC1	0_2_002FCCC1
Source: C:\Users\user\Desktop\(2).docx.exe	Code function: 0_2_002D6F07	0_2_002D6F07
Source: C:\Users\user\Desktop\(2).docx.exe	Code function: 0_2_002DAF50	0_2_002DAF50
Source: C:\Users\user\Desktop\(2).docx.exe	Code function: 0_2_002EB11F	0_2_002EB11F
Source: C:\Users\user\Desktop\(2).docx.exe	Code function: 0_2_003331BC	0_2_003331BC
Source: C:\Users\user\Desktop\(2).docx.exe	Code function: 0_2_002FD1B9	0_2_002FD1B9
Source: C:\Users\user\Desktop\(2).docx.exe	Code function: 0_2_002F123A	0_2_002F123A
Source: C:\Users\user\Desktop\(2).docx.exe	Code function: 0_2_0030724D	0_2_0030724D
Source: C:\Users\user\Desktop\(2).docx.exe	Code function: 0_2_002D93F0	0_2_002D93F0
Source: C:\Users\user\Desktop\(2).docx.exe	Code function: 0_2_003113CA	0_2_003113CA
Source: C:\Users\user\Desktop\(2).docx.exe	Code function: 0_2_002EF563	0_2_002EF563
Source: C:\Users\user\Desktop\(2).docx.exe	Code function: 0_2_002D96C0	0_2_002D96C0
Source: C:\Users\user\Desktop\(2).docx.exe	Code function: 0_2_0031B6CC	0_2_0031B6CC
Source: C:\Users\user\Desktop\(2).docx.exe	Code function: 0_2_002D77B0	0_2_002D77B0
Source: C:\Users\user\Desktop\(2).docx.exe	Code function: 0_2_0033F7FF	0_2_0033F7FF
Source: C:\Users\user\Desktop\(2).docx.exe	Code function: 0_2_003079C9	0_2_003079C9
Source: C:\Users\user\Desktop\(2).docx.exe	Code function: 0_2_002EFA57	0_2_002EFA57
Source: C:\Users\user\Desktop\(2).docx.exe	Code function: 0_2_002D9B60	0_2_002D9B60
Source: C:\Users\user\Desktop\(2).docx.exe	Code function: 0_2_002D7D19	0_2_002D7D19
Source: C:\Users\user\Desktop\(2).docx.exe	Code function: 0_2_002EFE6F	0_2_002EFE6F
Source: C:\Users\user\Desktop\(2).docx.exe	Code function: 0_2_002F9ED0	0_2_002F9ED0
Source: C:\Users\user\Desktop\(2).docx.exe	Code function: 0_2_002D7FA3	0_2_002D7FA3
Source: C:\Users\user\Desktop\(2).docx.exe	Code function: 0_2_012597C8	0_2_012597C8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00401026	1_2_00401026
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00401030	1_2_00401030
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0041E1B7	1_2_0041E1B7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0041DA08	1_2_0041DA08
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00402D87	1_2_00402D87
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00402D90	1_2_00402D90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00409E5B	1_2_00409E5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00409E60	1_2_00409E60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00402FB0	1_2_00402FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034FA352	1_2_034FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0344E3F0	1_2_0344E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_035003E6	1_2_035003E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034E0274	1_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034C02C0	1_2_034C02C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034C8158	1_2_034C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03430100	1_2_03430100
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034DA118	1_2_034DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034F81CC	1_2_034F81CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034F41A2	1_2_034F41A2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_035001AA	1_2_035001AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034D2000	1_2_034D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03464750	1_2_03464750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03440770	1_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0343C7C0	1_2_0343C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0345C6E0	1_2_0345C6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03440535	1_2_03440535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03500591	1_2_03500591
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034F2446	1_2_034F2446
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034E4420	1_2_034E4420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034EE4F6	1_2_034EE4F6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034FAB40	1_2_034FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034F6BD7	1_2_034F6BD7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0343EA80	1_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03456962	1_2_03456962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034429A0	1_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0350A9A6	1_2_0350A9A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0344A840	1_2_0344A840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03442840	1_2_03442840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0346E8F0	1_2_0346E8F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034268B8	1_2_034268B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B4F40	1_2_034B4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03482F28	1_2_03482F28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03460F30	1_2_03460F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034E2F30	1_2_034E2F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03432FC8	1_2_03432FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034BEFA0	1_2_034BEFA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03440E59	1_2_03440E59
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034FEE26	1_2_034FEE26
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034FEEDB	1_2_034FEEDB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03452E90	1_2_03452E90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034FCE93	1_2_034FCE93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0344AD00	1_2_0344AD00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034DCD1F	1_2_034DCD1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0343ADE0	1_2_0343ADE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03458DBF	1_2_03458DBF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03440C00	1_2_03440C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03430CF2	1_2_03430CF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034E0CB5	1_2_034E0CB5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0342D34C	1_2_0342D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034F132D	1_2_034F132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0348739A	1_2_0348739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0345B2C0	1_2_0345B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034E12ED	1_2_034E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0345D2F0	1_2_0345D2F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034452A0	1_2_034452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0347516C	1_2_0347516C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0342F172	1_2_0342F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0350B16B	1_2_0350B16B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0344B1B0	1_2_0344B1B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034EF0CC	1_2_034EF0CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034470C0	1_2_034470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034F70E9	1_2_034F70E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034FF0E0	1_2_034FF0E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034FF7B0	1_2_034FF7B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03485630	1_2_03485630
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034F16CC	1_2_034F16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034F7571	1_2_034F7571
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_035095C3	1_2_035095C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034DD5B0	1_2_034DD5B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03431460	1_2_03431460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034FF43F	1_2_034FF43F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034FFB76	1_2_034FFB76
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B5BF0	1_2_034B5BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0347DBF9	1_2_0347DBF9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0345FB80	1_2_0345FB80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034FFA49	1_2_034FFA49
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034F7A46	1_2_034F7A46
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B3A6C	1_2_034B3A6C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034EDAC6	1_2_034EDAC6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034DDAAC	1_2_034DDAAC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03485AA0	1_2_03485AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034E1AA3	1_2_034E1AA3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03449950	1_2_03449950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0345B950	1_2_0345B950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034D5910	1_2_034D5910
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034AD800	1_2_034AD800
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034438E0	1_2_034438E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034FFF09	1_2_034FFF09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03403FD2	1_2_03403FD2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03403FD5	1_2_03403FD5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03441F92	1_2_03441F92
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034FFFB1	1_2_034FFFB1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03449EB0	1_2_03449EB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03443D40	1_2_03443D40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034F1D5A	1_2_034F1D5A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034F7D73	1_2_034F7D73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0345FDC0	1_2_0345FDC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B9C32	1_2_034B9C32
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034FFCF2	1_2_034FFCF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031CA036	1_2_031CA036
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031CB232	1_2_031CB232
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031C1082	1_2_031C1082
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031CE5CD	1_2_031CE5CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031C5B30	1_2_031C5B30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031C5B32	1_2_031C5B32
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031C8912	1_2_031C8912
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031C2D02	1_2_031C2D02
Source: C:\Windows\explorer.exe	Code function: 2_2_0E636232	2_2_0E636232
Source: C:\Windows\explorer.exe	Code function: 2_2_0E635036	2_2_0E635036
Source: C:\Windows\explorer.exe	Code function: 2_2_0E62C082	2_2_0E62C082
Source: C:\Windows\explorer.exe	Code function: 2_2_0E630B32	2_2_0E630B32
Source: C:\Windows\explorer.exe	Code function: 2_2_0E630B30	2_2_0E630B30
Source: C:\Windows\explorer.exe	Code function: 2_2_0E62DD02	2_2_0E62DD02
Source: C:\Windows\explorer.exe	Code function: 2_2_0E633912	2_2_0E633912
Source: C:\Windows\explorer.exe	Code function: 2_2_0E6395CD	2_2_0E6395CD
Source: C:\Windows\explorer.exe	Code function: 2_2_10AB5082	2_2_10AB5082
Source: C:\Windows\explorer.exe	Code function: 2_2_10ABE036	2_2_10ABE036
Source: C:\Windows\explorer.exe	Code function: 2_2_10AC25CD	2_2_10AC25CD
Source: C:\Windows\explorer.exe	Code function: 2_2_10AB6D02	2_2_10AB6D02
Source: C:\Windows\explorer.exe	Code function: 2_2_10ABC912	2_2_10ABC912
Source: C:\Windows\explorer.exe	Code function: 2_2_10ABF232	2_2_10ABF232
Source: C:\Windows\explorer.exe	Code function: 2_2_10AB9B32	2_2_10AB9B32
Source: C:\Windows\explorer.exe	Code function: 2_2_10AB9B30	2_2_10AB9B30

Found potential string decryption / allocating functions

Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 034AEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 0342B970 appears 262 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03475130 appears 58 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03487E54 appears 107 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 034BF290 appears 103 times
Source: C:\Users\user\Desktop\(2).docx.exe	Code function: String function: 002F6AC0 appears 42 times
Source: C:\Users\user\Desktop\(2).docx.exe	Code function: String function: 002FF8A0 appears 35 times
Source: C:\Users\user\Desktop\(2).docx.exe	Code function: String function: 002EEC2F appears 68 times

Sample file is different than original file name gathered from version info

Source: (2).docx.exe, 00000000.00000003.1711064108.0000000003C2D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs (2).docx.exe
Source: (2).docx.exe, 00000000.00000003.1706891600.0000000003A83000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs (2).docx.exe

Uses 32bit PE files

Source: (2).docx.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Uses a Windows Living Off The Land Binaries (LOL bins)

Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\cmstp.exe "C:\Windows\SysWOW64\cmstp.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\cmstp.exe "C:\Windows\SysWOW64\cmstp.exe"			Jump to behavior

Yara signature match

Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.(2).docx.exe.1d10000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0.2.(2).docx.exe.1d10000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.(2).docx.exe.1d10000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.(2).docx.exe.1d10000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0.2.(2).docx.exe.1d10000.1.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.(2).docx.exe.1d10000.1.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.1712953474.0000000001D10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.1712953474.0000000001D10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.1712953474.0000000001D10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.1770954134.0000000000F10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000001.00000002.1770954134.0000000000F10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.1770954134.0000000000F10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.4157701602.00000000026E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.4157701602.00000000026E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.4157701602.00000000026E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.4170679439.000000000E64E000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_772cc62d os = windows, severity = x86, creation_date = 2022-05-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8343b5d02d74791ba2d5d52d19a759f761de2b5470d935000bc27ea6c0633f5, id = 772cc62d-345c-42d8-97ab-f67e447ddca4, last_modified = 2022-07-18
Source: 00000001.00000002.1769816274.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000001.00000002.1769816274.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.1769816274.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.4158199606.0000000004330000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.4158199606.0000000004330000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.4158199606.0000000004330000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.1771015115.0000000000F40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000001.00000002.1771015115.0000000000F40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.1771015115.0000000000F40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.4158309338.0000000004360000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.4158309338.0000000004360000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.4158309338.0000000004360000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: (2).docx.exe PID: 7308, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: svchost.exe PID: 7336, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: cmstp.exe PID: 7416, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.evad.winEXE@108/3@11/0

Source: C:\Users\user\Desktop\(2).docx.exe

Code function: 0_2_0031CE7A GetLastError,FormatMessageW,

0_2_0031CE7A

Source: C:\Users\user\Desktop\(2).docx.exe	Code function: 0_2_0030AB84 AdjustTokenPrivileges,CloseHandle,		0_2_0030AB84
Source: C:\Users\user\Desktop\(2).docx.exe	Code function: 0_2_0030B134 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_0030B134

Source: C:\Users\user\Desktop\(2).docx.exe

Code function: 0_2_0031E1FD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_0031E1FD

Source: C:\Users\user\Desktop\(2).docx.exe

Code function: 0_2_00316532 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,CloseHandle,

0_2_00316532

Source: C:\Users\user\Desktop\(2).docx.exe

Code function: 0_2_0032C18C CoInitializeSecurity,_memset,_memset,CoCreateInstanceEx,CoTaskMemFree,CoSetProxyBlanket,

0_2_0032C18C

Source: C:\Users\user\Desktop\(2).docx.exe

Code function: 0_2_002D406B CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_002D406B

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7448:120:WilError_03

Source: C:\Users\user\Desktop\(2).docx.exe

File created: C:\Users\user\AppData\Local\Temp\aut89B9.tmp

Jump to behavior

Source: (2).docx.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\(2).docx.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\(2).docx.exe "C:\Users\user\Desktop\(2).docx.exe"
Source: C:\Users\user\Desktop\(2).docx.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\(2).docx.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\cmstp.exe "C:\Windows\SysWOW64\cmstp.exe"
Source: C:\Windows\SysWOW64\cmstp.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\svchost.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\(2).docx.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\(2).docx.exe"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\cmstp.exe "C:\Windows\SysWOW64\cmstp.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\svchost.exe"	Jump to behavior

Source: C:\Users\user\Desktop\(2).docx.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\(2).docx.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\(2).docx.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\(2).docx.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\(2).docx.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\(2).docx.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\(2).docx.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\(2).docx.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\(2).docx.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\(2).docx.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\(2).docx.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\(2).docx.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.internal.shell.broker.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mfsrcsnk.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Section loaded: cmutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Section loaded: wininet.dll	Jump to behavior

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{50CE75BC-766C-4136-BF5E-9197AA23569E}\InProcServer32

Jump to behavior

Source: (2).docx.exe

Static file information: File size 1310208 > 1048576

Source: (2).docx.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: (2).docx.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: (2).docx.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: (2).docx.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: (2).docx.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: (2).docx.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: (2).docx.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: cmstp.pdbGCTL source: svchost.exe, 00000001.00000003.1768938780.0000000000C2F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1768777002.0000000000C1C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1771267761.00000000031E0000.00000040.10000000.00040000.00000000.sdmp, cmstp.exe, 00000003.00000002.4157551196.0000000000370000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: (2).docx.exe, 00000000.00000003.1710199519.0000000003960000.00000004.00001000.00020000.00000000.sdmp, (2).docx.exe, 00000000.00000003.1703950706.0000000003AD0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1713084790.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1771326144.000000000359E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1771326144.0000000003400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1711161048.0000000003000000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000003.00000002.4158569975.0000000004590000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 00000003.00000002.4158569975.000000000472E000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 00000003.00000003.1772205219.00000000043EA000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000003.00000003.1769783725.0000000004235000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: (2).docx.exe, 00000000.00000003.1710199519.0000000003960000.00000004.00001000.00020000.00000000.sdmp, (2).docx.exe, 00000000.00000003.1703950706.0000000003AD0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000003.1713084790.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1771326144.000000000359E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1771326144.0000000003400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1711161048.0000000003000000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000003.00000002.4158569975.0000000004590000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 00000003.00000002.4158569975.000000000472E000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 00000003.00000003.1772205219.00000000043EA000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000003.00000003.1769783725.0000000004235000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: cmstp.pdb source: svchost.exe, 00000001.00000003.1768938780.0000000000C2F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1768777002.0000000000C1C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1771267761.00000000031E0000.00000040.10000000.00040000.00000000.sdmp, cmstp.exe, 00000003.00000002.4157551196.0000000000370000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdb source: explorer.exe, 00000002.00000002.4173159829.0000000010D6F000.00000004.80000000.00040000.00000000.sdmp, cmstp.exe, 00000003.00000002.4159091144.0000000004ADF000.00000004.10000000.00040000.00000000.sdmp, cmstp.exe, 00000003.00000002.4157938897.00000000027FC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: explorer.exe, 00000002.00000002.4173159829.0000000010D6F000.00000004.80000000.00040000.00000000.sdmp, cmstp.exe, 00000003.00000002.4159091144.0000000004ADF000.00000004.10000000.00040000.00000000.sdmp, cmstp.exe, 00000003.00000002.4157938897.00000000027FC000.00000004.00000020.00020000.00000000.sdmp

Source: (2).docx.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: (2).docx.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: (2).docx.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: (2).docx.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: (2).docx.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\(2).docx.exe

Code function: 0_2_002EE01E LoadLibraryA,GetProcAddress,

0_2_002EE01E

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\(2).docx.exe	Code function: 0_2_002FC09E push esi; ret	0_2_002FC0A0
Source: C:\Users\user\Desktop\(2).docx.exe	Code function: 0_2_002FC187 push edi; ret	0_2_002FC189
Source: C:\Users\user\Desktop\(2).docx.exe	Code function: 0_2_0033C8BC push esi; ret	0_2_0033C8BE
Source: C:\Users\user\Desktop\(2).docx.exe	Code function: 0_2_002F6B05 push ecx; ret	0_2_002F6B18
Source: C:\Users\user\Desktop\(2).docx.exe	Code function: 0_2_0031B2B1 push FFFFFF8Bh; iretd	0_2_0031B2B3
Source: C:\Users\user\Desktop\(2).docx.exe	Code function: 0_2_002FBDAA push edi; ret	0_2_002FBDAC
Source: C:\Users\user\Desktop\(2).docx.exe	Code function: 0_2_002FBEC3 push esi; ret	0_2_002FBEC5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00404905 push eax; iretd	1_2_0040490C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00417AD0 push ecx; ret	1_2_00417AD1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00416431 push 00000063h; ret	1_2_00416438
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0041D4E2 push eax; ret	1_2_0041D4E8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0041D4EB push eax; ret	1_2_0041D552
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00409C84 push esi; ret	1_2_00409C85
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0041D495 push eax; ret	1_2_0041D4E8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0041D54C push eax; ret	1_2_0041D552
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0041973C push esi; retf	1_2_0041973D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0340225F pushad ; ret	1_2_034027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034027FA pushad ; ret	1_2_034027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034309AD push ecx; mov dword ptr [esp], ecx	1_2_034309B6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0340283D push eax; iretd	1_2_03402858
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0340135E push eax; iretd	1_2_03401369
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031CEB1E push esp; retn 0000h	1_2_031CEB1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031CEB02 push esp; retn 0000h	1_2_031CEB03
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031CE9B5 push esp; retn 0000h	1_2_031CEAE7
Source: C:\Windows\explorer.exe	Code function: 2_2_0E639B02 push esp; retn 0000h	2_2_0E639B03
Source: C:\Windows\explorer.exe	Code function: 2_2_0E639B1E push esp; retn 0000h	2_2_0E639B1F
Source: C:\Windows\explorer.exe	Code function: 2_2_0E6399B5 push esp; retn 0000h	2_2_0E639AE7
Source: C:\Windows\explorer.exe	Code function: 2_2_10AC29B5 push esp; retn 0000h	2_2_10AC2AE7
Source: C:\Windows\explorer.exe	Code function: 2_2_10AC2B02 push esp; retn 0000h	2_2_10AC2B03
Source: C:\Windows\explorer.exe	Code function: 2_2_10AC2B1E push esp; retn 0000h	2_2_10AC2B1F

Hooking and other Techniques for Hiding and Protection

Uses an obfuscated file name to hide its real file extension (double extension)

Source: Possible double extension: docx.exe

Static PE information: (2).docx.exe

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Source: C:\Users\user\Desktop\(2).docx.exe	Code function: 0_2_00338111 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00338111
Source: C:\Users\user\Desktop\(2).docx.exe	Code function: 0_2_002EEB42 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_002EEB42

Extensive use of GetProcAddress (often used to hide API calls)

Source: C:\Users\user\Desktop\(2).docx.exe

0_2_002F123A

Source: C:\Users\user\Desktop\(2).docx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\(2).docx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\(2).docx.exe	API/Special instruction interceptor: Address: 12593EC
Source: C:\Windows\SysWOW64\svchost.exe	API/Special instruction interceptor: Address: 7FFE2220D324
Source: C:\Windows\SysWOW64\svchost.exe	API/Special instruction interceptor: Address: 7FFE22210774
Source: C:\Windows\SysWOW64\svchost.exe	API/Special instruction interceptor: Address: 7FFE22210154
Source: C:\Windows\SysWOW64\svchost.exe	API/Special instruction interceptor: Address: 7FFE2220D8A4
Source: C:\Windows\SysWOW64\svchost.exe	API/Special instruction interceptor: Address: 7FFE2220DA44
Source: C:\Windows\SysWOW64\svchost.exe	API/Special instruction interceptor: Address: 7FFE2220D1E4
Source: C:\Windows\SysWOW64\cmstp.exe	API/Special instruction interceptor: Address: 7FFE2220D324
Source: C:\Windows\SysWOW64\cmstp.exe	API/Special instruction interceptor: Address: 7FFE22210774
Source: C:\Windows\SysWOW64\cmstp.exe	API/Special instruction interceptor: Address: 7FFE2220D944
Source: C:\Windows\SysWOW64\cmstp.exe	API/Special instruction interceptor: Address: 7FFE2220D504
Source: C:\Windows\SysWOW64\cmstp.exe	API/Special instruction interceptor: Address: 7FFE2220D544
Source: C:\Windows\SysWOW64\cmstp.exe	API/Special instruction interceptor: Address: 7FFE2220D1E4
Source: C:\Windows\SysWOW64\cmstp.exe	API/Special instruction interceptor: Address: 7FFE22210154
Source: C:\Windows\SysWOW64\cmstp.exe	API/Special instruction interceptor: Address: 7FFE2220D8A4
Source: C:\Windows\SysWOW64\cmstp.exe	API/Special instruction interceptor: Address: 7FFE2220DA44

Tries to detect virtualization through RDTSC time measurements

Source: C:\Windows\SysWOW64\svchost.exe	RDTSC instruction interceptor: First address: 409904 second address: 40990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\svchost.exe	RDTSC instruction interceptor: First address: 409B7E second address: 409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmstp.exe	RDTSC instruction interceptor: First address: 26E9904 second address: 26E990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmstp.exe	RDTSC instruction interceptor: First address: 26E9B7E second address: 26E9B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 1_2_00409AB0 rdtsc

1_2_00409AB0

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 1402	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 8546	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 870	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 869	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Window / User API: threadDelayed 8100	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Window / User API: threadDelayed 1873	Jump to behavior

Found evaded block containing many API calls

Source: C:\Users\user\Desktop\(2).docx.exe

Evaded block: after key decision

Found evasive API chain (date check)

Source: C:\Users\user\Desktop\(2).docx.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

Found large amount of non-executed APIs

Source: C:\Users\user\Desktop\(2).docx.exe	API coverage: 4.6 %
Source: C:\Windows\SysWOW64\svchost.exe	API coverage: 2.0 %

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\explorer.exe TID: 7748	Thread sleep count: 1402 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7748	Thread sleep time: -2804000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7748	Thread sleep count: 8546 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7748	Thread sleep time: -17092000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe TID: 7516	Thread sleep count: 8100 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe TID: 7516	Thread sleep time: -16200000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe TID: 7516	Thread sleep count: 1873 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe TID: 7516	Thread sleep time: -3746000s >= -30000s	Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\SysWOW64\cmstp.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\cmstp.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\(2).docx.exe	Code function: 0_2_00316CA9 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00316CA9
Source: C:\Users\user\Desktop\(2).docx.exe	Code function: 0_2_003160DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,	0_2_003160DD
Source: C:\Users\user\Desktop\(2).docx.exe	Code function: 0_2_003163F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,	0_2_003163F9
Source: C:\Users\user\Desktop\(2).docx.exe	Code function: 0_2_0031EB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0031EB60
Source: C:\Users\user\Desktop\(2).docx.exe	Code function: 0_2_0031F56F FindFirstFileW,FindClose,	0_2_0031F56F
Source: C:\Users\user\Desktop\(2).docx.exe	Code function: 0_2_0031F5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_0031F5FA
Source: C:\Users\user\Desktop\(2).docx.exe	Code function: 0_2_00321B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00321B2F
Source: C:\Users\user\Desktop\(2).docx.exe	Code function: 0_2_00321C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00321C8A
Source: C:\Users\user\Desktop\(2).docx.exe	Code function: 0_2_00321F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00321F94

Source: C:\Users\user\Desktop\(2).docx.exe

Code function: 0_2_002EDDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_002EDDC0

Source: explorer.exe, 00000002.00000000.1720157919.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: k&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000002.00000000.1723443132.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}D.exe??f
Source: explorer.exe, 00000002.00000000.1719453857.0000000009815000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NECVMWar VMware SATA CD00\w
Source: explorer.exe, 00000002.00000000.1719453857.0000000009815000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}$
Source: explorer.exe, 00000002.00000000.1717133268.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
Source: explorer.exe, 00000002.00000000.1720157919.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000002.00000002.4157904661.0000000001240000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&0000000}
Source: explorer.exe, 00000002.00000000.1717133268.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000002.00000000.1717133268.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}%
Source: explorer.exe, 00000002.00000002.4164107496.000000000997A000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000002.00000002.4160238706.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NXTTAVMWare
Source: explorer.exe, 00000002.00000000.1719453857.0000000009815000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f&0&000000
Source: explorer.exe, 00000002.00000000.1719453857.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3106173503.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4163164050.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1719453857.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3106173503.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4163164050.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000002.00000002.4164107496.000000000997A000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: explorer.exe, 00000002.00000000.1717133268.0000000007A34000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4160238706.0000000007A34000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWen-GBnx
Source: explorer.exe, 00000002.00000002.4157904661.0000000001240000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 00000002.00000002.4163062009.0000000009660000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000er
Source: explorer.exe, 00000002.00000002.4157904661.0000000001240000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Windows\SysWOW64\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Checks if the current process is being debugged

Source: C:\Windows\SysWOW64\svchost.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Process queried: DebugPort			Jump to behavior

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 1_2_00409AB0 rdtsc

1_2_00409AB0

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 1_2_0040ACF0 LdrLoadDll,

1_2_0040ACF0

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Source: C:\Users\user\Desktop\(2).docx.exe

Code function: 0_2_00326AAF BlockInput,

0_2_00326AAF

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\Desktop\(2).docx.exe

Code function: 0_2_002D3D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_002D3D19

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Source: C:\Users\user\Desktop\(2).docx.exe

Code function: 0_2_00303920 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW,

0_2_00303920

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\(2).docx.exe

Code function: 0_2_002EE01E LoadLibraryA,GetProcAddress,

0_2_002EE01E

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\(2).docx.exe	Code function: 0_2_01258048 mov eax, dword ptr fs:[00000030h]	0_2_01258048
Source: C:\Users\user\Desktop\(2).docx.exe	Code function: 0_2_01259658 mov eax, dword ptr fs:[00000030h]	0_2_01259658
Source: C:\Users\user\Desktop\(2).docx.exe	Code function: 0_2_012596B8 mov eax, dword ptr fs:[00000030h]	0_2_012596B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B2349 mov eax, dword ptr fs:[00000030h]	1_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B2349 mov eax, dword ptr fs:[00000030h]	1_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B2349 mov eax, dword ptr fs:[00000030h]	1_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B2349 mov eax, dword ptr fs:[00000030h]	1_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B2349 mov eax, dword ptr fs:[00000030h]	1_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B2349 mov eax, dword ptr fs:[00000030h]	1_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B2349 mov eax, dword ptr fs:[00000030h]	1_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B2349 mov eax, dword ptr fs:[00000030h]	1_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B2349 mov eax, dword ptr fs:[00000030h]	1_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B2349 mov eax, dword ptr fs:[00000030h]	1_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B2349 mov eax, dword ptr fs:[00000030h]	1_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B2349 mov eax, dword ptr fs:[00000030h]	1_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B2349 mov eax, dword ptr fs:[00000030h]	1_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B2349 mov eax, dword ptr fs:[00000030h]	1_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B2349 mov eax, dword ptr fs:[00000030h]	1_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B035C mov eax, dword ptr fs:[00000030h]	1_2_034B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B035C mov eax, dword ptr fs:[00000030h]	1_2_034B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B035C mov eax, dword ptr fs:[00000030h]	1_2_034B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B035C mov ecx, dword ptr fs:[00000030h]	1_2_034B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B035C mov eax, dword ptr fs:[00000030h]	1_2_034B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B035C mov eax, dword ptr fs:[00000030h]	1_2_034B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034FA352 mov eax, dword ptr fs:[00000030h]	1_2_034FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034D8350 mov ecx, dword ptr fs:[00000030h]	1_2_034D8350
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0350634F mov eax, dword ptr fs:[00000030h]	1_2_0350634F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034D437C mov eax, dword ptr fs:[00000030h]	1_2_034D437C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0346A30B mov eax, dword ptr fs:[00000030h]	1_2_0346A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0346A30B mov eax, dword ptr fs:[00000030h]	1_2_0346A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0346A30B mov eax, dword ptr fs:[00000030h]	1_2_0346A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0342C310 mov ecx, dword ptr fs:[00000030h]	1_2_0342C310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03450310 mov ecx, dword ptr fs:[00000030h]	1_2_03450310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03508324 mov eax, dword ptr fs:[00000030h]	1_2_03508324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03508324 mov ecx, dword ptr fs:[00000030h]	1_2_03508324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03508324 mov eax, dword ptr fs:[00000030h]	1_2_03508324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03508324 mov eax, dword ptr fs:[00000030h]	1_2_03508324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034EC3CD mov eax, dword ptr fs:[00000030h]	1_2_034EC3CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0343A3C0 mov eax, dword ptr fs:[00000030h]	1_2_0343A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0343A3C0 mov eax, dword ptr fs:[00000030h]	1_2_0343A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0343A3C0 mov eax, dword ptr fs:[00000030h]	1_2_0343A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0343A3C0 mov eax, dword ptr fs:[00000030h]	1_2_0343A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0343A3C0 mov eax, dword ptr fs:[00000030h]	1_2_0343A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0343A3C0 mov eax, dword ptr fs:[00000030h]	1_2_0343A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B63C0 mov eax, dword ptr fs:[00000030h]	1_2_034B63C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034DE3DB mov eax, dword ptr fs:[00000030h]	1_2_034DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034DE3DB mov eax, dword ptr fs:[00000030h]	1_2_034DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034DE3DB mov ecx, dword ptr fs:[00000030h]	1_2_034DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034DE3DB mov eax, dword ptr fs:[00000030h]	1_2_034DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034D43D4 mov eax, dword ptr fs:[00000030h]	1_2_034D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034D43D4 mov eax, dword ptr fs:[00000030h]	1_2_034D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034403E9 mov eax, dword ptr fs:[00000030h]	1_2_034403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034403E9 mov eax, dword ptr fs:[00000030h]	1_2_034403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034403E9 mov eax, dword ptr fs:[00000030h]	1_2_034403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034403E9 mov eax, dword ptr fs:[00000030h]	1_2_034403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034403E9 mov eax, dword ptr fs:[00000030h]	1_2_034403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034403E9 mov eax, dword ptr fs:[00000030h]	1_2_034403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034403E9 mov eax, dword ptr fs:[00000030h]	1_2_034403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034403E9 mov eax, dword ptr fs:[00000030h]	1_2_034403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0344E3F0 mov eax, dword ptr fs:[00000030h]	1_2_0344E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0344E3F0 mov eax, dword ptr fs:[00000030h]	1_2_0344E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0344E3F0 mov eax, dword ptr fs:[00000030h]	1_2_0344E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034663FF mov eax, dword ptr fs:[00000030h]	1_2_034663FF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0342E388 mov eax, dword ptr fs:[00000030h]	1_2_0342E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0342E388 mov eax, dword ptr fs:[00000030h]	1_2_0342E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0342E388 mov eax, dword ptr fs:[00000030h]	1_2_0342E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0345438F mov eax, dword ptr fs:[00000030h]	1_2_0345438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0345438F mov eax, dword ptr fs:[00000030h]	1_2_0345438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03428397 mov eax, dword ptr fs:[00000030h]	1_2_03428397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03428397 mov eax, dword ptr fs:[00000030h]	1_2_03428397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03428397 mov eax, dword ptr fs:[00000030h]	1_2_03428397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B8243 mov eax, dword ptr fs:[00000030h]	1_2_034B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B8243 mov ecx, dword ptr fs:[00000030h]	1_2_034B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0350625D mov eax, dword ptr fs:[00000030h]	1_2_0350625D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0342A250 mov eax, dword ptr fs:[00000030h]	1_2_0342A250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03436259 mov eax, dword ptr fs:[00000030h]	1_2_03436259
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034EA250 mov eax, dword ptr fs:[00000030h]	1_2_034EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034EA250 mov eax, dword ptr fs:[00000030h]	1_2_034EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03434260 mov eax, dword ptr fs:[00000030h]	1_2_03434260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03434260 mov eax, dword ptr fs:[00000030h]	1_2_03434260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03434260 mov eax, dword ptr fs:[00000030h]	1_2_03434260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0342826B mov eax, dword ptr fs:[00000030h]	1_2_0342826B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034E0274 mov eax, dword ptr fs:[00000030h]	1_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034E0274 mov eax, dword ptr fs:[00000030h]	1_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034E0274 mov eax, dword ptr fs:[00000030h]	1_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034E0274 mov eax, dword ptr fs:[00000030h]	1_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034E0274 mov eax, dword ptr fs:[00000030h]	1_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034E0274 mov eax, dword ptr fs:[00000030h]	1_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034E0274 mov eax, dword ptr fs:[00000030h]	1_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034E0274 mov eax, dword ptr fs:[00000030h]	1_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034E0274 mov eax, dword ptr fs:[00000030h]	1_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034E0274 mov eax, dword ptr fs:[00000030h]	1_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034E0274 mov eax, dword ptr fs:[00000030h]	1_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034E0274 mov eax, dword ptr fs:[00000030h]	1_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0342823B mov eax, dword ptr fs:[00000030h]	1_2_0342823B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0343A2C3 mov eax, dword ptr fs:[00000030h]	1_2_0343A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0343A2C3 mov eax, dword ptr fs:[00000030h]	1_2_0343A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0343A2C3 mov eax, dword ptr fs:[00000030h]	1_2_0343A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0343A2C3 mov eax, dword ptr fs:[00000030h]	1_2_0343A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0343A2C3 mov eax, dword ptr fs:[00000030h]	1_2_0343A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_035062D6 mov eax, dword ptr fs:[00000030h]	1_2_035062D6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034402E1 mov eax, dword ptr fs:[00000030h]	1_2_034402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034402E1 mov eax, dword ptr fs:[00000030h]	1_2_034402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034402E1 mov eax, dword ptr fs:[00000030h]	1_2_034402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0346E284 mov eax, dword ptr fs:[00000030h]	1_2_0346E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0346E284 mov eax, dword ptr fs:[00000030h]	1_2_0346E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B0283 mov eax, dword ptr fs:[00000030h]	1_2_034B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B0283 mov eax, dword ptr fs:[00000030h]	1_2_034B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B0283 mov eax, dword ptr fs:[00000030h]	1_2_034B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034402A0 mov eax, dword ptr fs:[00000030h]	1_2_034402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034402A0 mov eax, dword ptr fs:[00000030h]	1_2_034402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034C62A0 mov eax, dword ptr fs:[00000030h]	1_2_034C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034C62A0 mov ecx, dword ptr fs:[00000030h]	1_2_034C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034C62A0 mov eax, dword ptr fs:[00000030h]	1_2_034C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034C62A0 mov eax, dword ptr fs:[00000030h]	1_2_034C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034C62A0 mov eax, dword ptr fs:[00000030h]	1_2_034C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034C62A0 mov eax, dword ptr fs:[00000030h]	1_2_034C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034C4144 mov eax, dword ptr fs:[00000030h]	1_2_034C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034C4144 mov eax, dword ptr fs:[00000030h]	1_2_034C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034C4144 mov ecx, dword ptr fs:[00000030h]	1_2_034C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034C4144 mov eax, dword ptr fs:[00000030h]	1_2_034C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034C4144 mov eax, dword ptr fs:[00000030h]	1_2_034C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0342C156 mov eax, dword ptr fs:[00000030h]	1_2_0342C156
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034C8158 mov eax, dword ptr fs:[00000030h]	1_2_034C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03436154 mov eax, dword ptr fs:[00000030h]	1_2_03436154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03436154 mov eax, dword ptr fs:[00000030h]	1_2_03436154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03504164 mov eax, dword ptr fs:[00000030h]	1_2_03504164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03504164 mov eax, dword ptr fs:[00000030h]	1_2_03504164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034DE10E mov eax, dword ptr fs:[00000030h]	1_2_034DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034DE10E mov ecx, dword ptr fs:[00000030h]	1_2_034DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034DE10E mov eax, dword ptr fs:[00000030h]	1_2_034DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034DE10E mov eax, dword ptr fs:[00000030h]	1_2_034DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034DE10E mov ecx, dword ptr fs:[00000030h]	1_2_034DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034DE10E mov eax, dword ptr fs:[00000030h]	1_2_034DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034DE10E mov eax, dword ptr fs:[00000030h]	1_2_034DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034DE10E mov ecx, dword ptr fs:[00000030h]	1_2_034DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034DE10E mov eax, dword ptr fs:[00000030h]	1_2_034DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034DE10E mov ecx, dword ptr fs:[00000030h]	1_2_034DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034DA118 mov ecx, dword ptr fs:[00000030h]	1_2_034DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034DA118 mov eax, dword ptr fs:[00000030h]	1_2_034DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034DA118 mov eax, dword ptr fs:[00000030h]	1_2_034DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034DA118 mov eax, dword ptr fs:[00000030h]	1_2_034DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034F0115 mov eax, dword ptr fs:[00000030h]	1_2_034F0115
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03460124 mov eax, dword ptr fs:[00000030h]	1_2_03460124
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034F61C3 mov eax, dword ptr fs:[00000030h]	1_2_034F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034F61C3 mov eax, dword ptr fs:[00000030h]	1_2_034F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034AE1D0 mov eax, dword ptr fs:[00000030h]	1_2_034AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034AE1D0 mov eax, dword ptr fs:[00000030h]	1_2_034AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034AE1D0 mov ecx, dword ptr fs:[00000030h]	1_2_034AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034AE1D0 mov eax, dword ptr fs:[00000030h]	1_2_034AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034AE1D0 mov eax, dword ptr fs:[00000030h]	1_2_034AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_035061E5 mov eax, dword ptr fs:[00000030h]	1_2_035061E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034601F8 mov eax, dword ptr fs:[00000030h]	1_2_034601F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03470185 mov eax, dword ptr fs:[00000030h]	1_2_03470185
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034EC188 mov eax, dword ptr fs:[00000030h]	1_2_034EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034EC188 mov eax, dword ptr fs:[00000030h]	1_2_034EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034D4180 mov eax, dword ptr fs:[00000030h]	1_2_034D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034D4180 mov eax, dword ptr fs:[00000030h]	1_2_034D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B019F mov eax, dword ptr fs:[00000030h]	1_2_034B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B019F mov eax, dword ptr fs:[00000030h]	1_2_034B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B019F mov eax, dword ptr fs:[00000030h]	1_2_034B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B019F mov eax, dword ptr fs:[00000030h]	1_2_034B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0342A197 mov eax, dword ptr fs:[00000030h]	1_2_0342A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0342A197 mov eax, dword ptr fs:[00000030h]	1_2_0342A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0342A197 mov eax, dword ptr fs:[00000030h]	1_2_0342A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03432050 mov eax, dword ptr fs:[00000030h]	1_2_03432050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B6050 mov eax, dword ptr fs:[00000030h]	1_2_034B6050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0345C073 mov eax, dword ptr fs:[00000030h]	1_2_0345C073
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B4000 mov ecx, dword ptr fs:[00000030h]	1_2_034B4000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034D2000 mov eax, dword ptr fs:[00000030h]	1_2_034D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034D2000 mov eax, dword ptr fs:[00000030h]	1_2_034D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034D2000 mov eax, dword ptr fs:[00000030h]	1_2_034D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034D2000 mov eax, dword ptr fs:[00000030h]	1_2_034D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034D2000 mov eax, dword ptr fs:[00000030h]	1_2_034D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034D2000 mov eax, dword ptr fs:[00000030h]	1_2_034D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034D2000 mov eax, dword ptr fs:[00000030h]	1_2_034D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034D2000 mov eax, dword ptr fs:[00000030h]	1_2_034D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0344E016 mov eax, dword ptr fs:[00000030h]	1_2_0344E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0344E016 mov eax, dword ptr fs:[00000030h]	1_2_0344E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0344E016 mov eax, dword ptr fs:[00000030h]	1_2_0344E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0344E016 mov eax, dword ptr fs:[00000030h]	1_2_0344E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0342A020 mov eax, dword ptr fs:[00000030h]	1_2_0342A020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0342C020 mov eax, dword ptr fs:[00000030h]	1_2_0342C020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034C6030 mov eax, dword ptr fs:[00000030h]	1_2_034C6030
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B20DE mov eax, dword ptr fs:[00000030h]	1_2_034B20DE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0342A0E3 mov ecx, dword ptr fs:[00000030h]	1_2_0342A0E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034380E9 mov eax, dword ptr fs:[00000030h]	1_2_034380E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B60E0 mov eax, dword ptr fs:[00000030h]	1_2_034B60E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0342C0F0 mov eax, dword ptr fs:[00000030h]	1_2_0342C0F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034720F0 mov ecx, dword ptr fs:[00000030h]	1_2_034720F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0343208A mov eax, dword ptr fs:[00000030h]	1_2_0343208A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034280A0 mov eax, dword ptr fs:[00000030h]	1_2_034280A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034C80A8 mov eax, dword ptr fs:[00000030h]	1_2_034C80A8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034F60B8 mov eax, dword ptr fs:[00000030h]	1_2_034F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034F60B8 mov ecx, dword ptr fs:[00000030h]	1_2_034F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0346674D mov esi, dword ptr fs:[00000030h]	1_2_0346674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0346674D mov eax, dword ptr fs:[00000030h]	1_2_0346674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0346674D mov eax, dword ptr fs:[00000030h]	1_2_0346674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03430750 mov eax, dword ptr fs:[00000030h]	1_2_03430750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034BE75D mov eax, dword ptr fs:[00000030h]	1_2_034BE75D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03472750 mov eax, dword ptr fs:[00000030h]	1_2_03472750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03472750 mov eax, dword ptr fs:[00000030h]	1_2_03472750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B4755 mov eax, dword ptr fs:[00000030h]	1_2_034B4755
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03438770 mov eax, dword ptr fs:[00000030h]	1_2_03438770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03440770 mov eax, dword ptr fs:[00000030h]	1_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03440770 mov eax, dword ptr fs:[00000030h]	1_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03440770 mov eax, dword ptr fs:[00000030h]	1_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03440770 mov eax, dword ptr fs:[00000030h]	1_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03440770 mov eax, dword ptr fs:[00000030h]	1_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03440770 mov eax, dword ptr fs:[00000030h]	1_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03440770 mov eax, dword ptr fs:[00000030h]	1_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03440770 mov eax, dword ptr fs:[00000030h]	1_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03440770 mov eax, dword ptr fs:[00000030h]	1_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03440770 mov eax, dword ptr fs:[00000030h]	1_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03440770 mov eax, dword ptr fs:[00000030h]	1_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03440770 mov eax, dword ptr fs:[00000030h]	1_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0346C700 mov eax, dword ptr fs:[00000030h]	1_2_0346C700
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03430710 mov eax, dword ptr fs:[00000030h]	1_2_03430710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03460710 mov eax, dword ptr fs:[00000030h]	1_2_03460710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0346C720 mov eax, dword ptr fs:[00000030h]	1_2_0346C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0346C720 mov eax, dword ptr fs:[00000030h]	1_2_0346C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0346273C mov eax, dword ptr fs:[00000030h]	1_2_0346273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0346273C mov ecx, dword ptr fs:[00000030h]	1_2_0346273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0346273C mov eax, dword ptr fs:[00000030h]	1_2_0346273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034AC730 mov eax, dword ptr fs:[00000030h]	1_2_034AC730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0343C7C0 mov eax, dword ptr fs:[00000030h]	1_2_0343C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B07C3 mov eax, dword ptr fs:[00000030h]	1_2_034B07C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034527ED mov eax, dword ptr fs:[00000030h]	1_2_034527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034527ED mov eax, dword ptr fs:[00000030h]	1_2_034527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034527ED mov eax, dword ptr fs:[00000030h]	1_2_034527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034BE7E1 mov eax, dword ptr fs:[00000030h]	1_2_034BE7E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034347FB mov eax, dword ptr fs:[00000030h]	1_2_034347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034347FB mov eax, dword ptr fs:[00000030h]	1_2_034347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034D678E mov eax, dword ptr fs:[00000030h]	1_2_034D678E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034307AF mov eax, dword ptr fs:[00000030h]	1_2_034307AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034E47A0 mov eax, dword ptr fs:[00000030h]	1_2_034E47A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0344C640 mov eax, dword ptr fs:[00000030h]	1_2_0344C640
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034F866E mov eax, dword ptr fs:[00000030h]	1_2_034F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034F866E mov eax, dword ptr fs:[00000030h]	1_2_034F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0346A660 mov eax, dword ptr fs:[00000030h]	1_2_0346A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0346A660 mov eax, dword ptr fs:[00000030h]	1_2_0346A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03462674 mov eax, dword ptr fs:[00000030h]	1_2_03462674
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034AE609 mov eax, dword ptr fs:[00000030h]	1_2_034AE609
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0344260B mov eax, dword ptr fs:[00000030h]	1_2_0344260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0344260B mov eax, dword ptr fs:[00000030h]	1_2_0344260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0344260B mov eax, dword ptr fs:[00000030h]	1_2_0344260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0344260B mov eax, dword ptr fs:[00000030h]	1_2_0344260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0344260B mov eax, dword ptr fs:[00000030h]	1_2_0344260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0344260B mov eax, dword ptr fs:[00000030h]	1_2_0344260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0344260B mov eax, dword ptr fs:[00000030h]	1_2_0344260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03472619 mov eax, dword ptr fs:[00000030h]	1_2_03472619
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0344E627 mov eax, dword ptr fs:[00000030h]	1_2_0344E627
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03466620 mov eax, dword ptr fs:[00000030h]	1_2_03466620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03468620 mov eax, dword ptr fs:[00000030h]	1_2_03468620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0343262C mov eax, dword ptr fs:[00000030h]	1_2_0343262C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0346A6C7 mov ebx, dword ptr fs:[00000030h]	1_2_0346A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0346A6C7 mov eax, dword ptr fs:[00000030h]	1_2_0346A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034AE6F2 mov eax, dword ptr fs:[00000030h]	1_2_034AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034AE6F2 mov eax, dword ptr fs:[00000030h]	1_2_034AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034AE6F2 mov eax, dword ptr fs:[00000030h]	1_2_034AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034AE6F2 mov eax, dword ptr fs:[00000030h]	1_2_034AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B06F1 mov eax, dword ptr fs:[00000030h]	1_2_034B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B06F1 mov eax, dword ptr fs:[00000030h]	1_2_034B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03434690 mov eax, dword ptr fs:[00000030h]	1_2_03434690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03434690 mov eax, dword ptr fs:[00000030h]	1_2_03434690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0346C6A6 mov eax, dword ptr fs:[00000030h]	1_2_0346C6A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034666B0 mov eax, dword ptr fs:[00000030h]	1_2_034666B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03438550 mov eax, dword ptr fs:[00000030h]	1_2_03438550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03438550 mov eax, dword ptr fs:[00000030h]	1_2_03438550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0346656A mov eax, dword ptr fs:[00000030h]	1_2_0346656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0346656A mov eax, dword ptr fs:[00000030h]	1_2_0346656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0346656A mov eax, dword ptr fs:[00000030h]	1_2_0346656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034C6500 mov eax, dword ptr fs:[00000030h]	1_2_034C6500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03504500 mov eax, dword ptr fs:[00000030h]	1_2_03504500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03504500 mov eax, dword ptr fs:[00000030h]	1_2_03504500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03504500 mov eax, dword ptr fs:[00000030h]	1_2_03504500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03504500 mov eax, dword ptr fs:[00000030h]	1_2_03504500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03504500 mov eax, dword ptr fs:[00000030h]	1_2_03504500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03504500 mov eax, dword ptr fs:[00000030h]	1_2_03504500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03504500 mov eax, dword ptr fs:[00000030h]	1_2_03504500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03440535 mov eax, dword ptr fs:[00000030h]	1_2_03440535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03440535 mov eax, dword ptr fs:[00000030h]	1_2_03440535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03440535 mov eax, dword ptr fs:[00000030h]	1_2_03440535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03440535 mov eax, dword ptr fs:[00000030h]	1_2_03440535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03440535 mov eax, dword ptr fs:[00000030h]	1_2_03440535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03440535 mov eax, dword ptr fs:[00000030h]	1_2_03440535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0345E53E mov eax, dword ptr fs:[00000030h]	1_2_0345E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0345E53E mov eax, dword ptr fs:[00000030h]	1_2_0345E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0345E53E mov eax, dword ptr fs:[00000030h]	1_2_0345E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0345E53E mov eax, dword ptr fs:[00000030h]	1_2_0345E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0345E53E mov eax, dword ptr fs:[00000030h]	1_2_0345E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0346E5CF mov eax, dword ptr fs:[00000030h]	1_2_0346E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0346E5CF mov eax, dword ptr fs:[00000030h]	1_2_0346E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034365D0 mov eax, dword ptr fs:[00000030h]	1_2_034365D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0346A5D0 mov eax, dword ptr fs:[00000030h]	1_2_0346A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0346A5D0 mov eax, dword ptr fs:[00000030h]	1_2_0346A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0345E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0345E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0345E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0345E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0345E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0345E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0345E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0345E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0345E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0345E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0345E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0345E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0345E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0345E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0345E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0345E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034325E0 mov eax, dword ptr fs:[00000030h]	1_2_034325E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0346C5ED mov eax, dword ptr fs:[00000030h]	1_2_0346C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0346C5ED mov eax, dword ptr fs:[00000030h]	1_2_0346C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03432582 mov eax, dword ptr fs:[00000030h]	1_2_03432582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03432582 mov ecx, dword ptr fs:[00000030h]	1_2_03432582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03464588 mov eax, dword ptr fs:[00000030h]	1_2_03464588
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0346E59C mov eax, dword ptr fs:[00000030h]	1_2_0346E59C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B05A7 mov eax, dword ptr fs:[00000030h]	1_2_034B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B05A7 mov eax, dword ptr fs:[00000030h]	1_2_034B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B05A7 mov eax, dword ptr fs:[00000030h]	1_2_034B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034545B1 mov eax, dword ptr fs:[00000030h]	1_2_034545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034545B1 mov eax, dword ptr fs:[00000030h]	1_2_034545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0346E443 mov eax, dword ptr fs:[00000030h]	1_2_0346E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0346E443 mov eax, dword ptr fs:[00000030h]	1_2_0346E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0346E443 mov eax, dword ptr fs:[00000030h]	1_2_0346E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0346E443 mov eax, dword ptr fs:[00000030h]	1_2_0346E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0346E443 mov eax, dword ptr fs:[00000030h]	1_2_0346E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0346E443 mov eax, dword ptr fs:[00000030h]	1_2_0346E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0346E443 mov eax, dword ptr fs:[00000030h]	1_2_0346E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0346E443 mov eax, dword ptr fs:[00000030h]	1_2_0346E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034EA456 mov eax, dword ptr fs:[00000030h]	1_2_034EA456
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0342645D mov eax, dword ptr fs:[00000030h]	1_2_0342645D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0345245A mov eax, dword ptr fs:[00000030h]	1_2_0345245A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034BC460 mov ecx, dword ptr fs:[00000030h]	1_2_034BC460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0345A470 mov eax, dword ptr fs:[00000030h]	1_2_0345A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0345A470 mov eax, dword ptr fs:[00000030h]	1_2_0345A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0345A470 mov eax, dword ptr fs:[00000030h]	1_2_0345A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0342E420 mov eax, dword ptr fs:[00000030h]	1_2_0342E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0342E420 mov eax, dword ptr fs:[00000030h]	1_2_0342E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0342E420 mov eax, dword ptr fs:[00000030h]	1_2_0342E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0342C427 mov eax, dword ptr fs:[00000030h]	1_2_0342C427
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B6420 mov eax, dword ptr fs:[00000030h]	1_2_034B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B6420 mov eax, dword ptr fs:[00000030h]	1_2_034B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B6420 mov eax, dword ptr fs:[00000030h]	1_2_034B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B6420 mov eax, dword ptr fs:[00000030h]	1_2_034B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B6420 mov eax, dword ptr fs:[00000030h]	1_2_034B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B6420 mov eax, dword ptr fs:[00000030h]	1_2_034B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B6420 mov eax, dword ptr fs:[00000030h]	1_2_034B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034304E5 mov ecx, dword ptr fs:[00000030h]	1_2_034304E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034EA49A mov eax, dword ptr fs:[00000030h]	1_2_034EA49A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034364AB mov eax, dword ptr fs:[00000030h]	1_2_034364AB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034644B0 mov ecx, dword ptr fs:[00000030h]	1_2_034644B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034BA4B0 mov eax, dword ptr fs:[00000030h]	1_2_034BA4B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034E4B4B mov eax, dword ptr fs:[00000030h]	1_2_034E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034E4B4B mov eax, dword ptr fs:[00000030h]	1_2_034E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03502B57 mov eax, dword ptr fs:[00000030h]	1_2_03502B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03502B57 mov eax, dword ptr fs:[00000030h]	1_2_03502B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03502B57 mov eax, dword ptr fs:[00000030h]	1_2_03502B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03502B57 mov eax, dword ptr fs:[00000030h]	1_2_03502B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034C6B40 mov eax, dword ptr fs:[00000030h]	1_2_034C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034C6B40 mov eax, dword ptr fs:[00000030h]	1_2_034C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034FAB40 mov eax, dword ptr fs:[00000030h]	1_2_034FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034D8B42 mov eax, dword ptr fs:[00000030h]	1_2_034D8B42
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03428B50 mov eax, dword ptr fs:[00000030h]	1_2_03428B50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034DEB50 mov eax, dword ptr fs:[00000030h]	1_2_034DEB50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0342CB7E mov eax, dword ptr fs:[00000030h]	1_2_0342CB7E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03504B00 mov eax, dword ptr fs:[00000030h]	1_2_03504B00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034AEB1D mov eax, dword ptr fs:[00000030h]	1_2_034AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034AEB1D mov eax, dword ptr fs:[00000030h]	1_2_034AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034AEB1D mov eax, dword ptr fs:[00000030h]	1_2_034AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034AEB1D mov eax, dword ptr fs:[00000030h]	1_2_034AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034AEB1D mov eax, dword ptr fs:[00000030h]	1_2_034AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034AEB1D mov eax, dword ptr fs:[00000030h]	1_2_034AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034AEB1D mov eax, dword ptr fs:[00000030h]	1_2_034AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034AEB1D mov eax, dword ptr fs:[00000030h]	1_2_034AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034AEB1D mov eax, dword ptr fs:[00000030h]	1_2_034AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0345EB20 mov eax, dword ptr fs:[00000030h]	1_2_0345EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0345EB20 mov eax, dword ptr fs:[00000030h]	1_2_0345EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034F8B28 mov eax, dword ptr fs:[00000030h]	1_2_034F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034F8B28 mov eax, dword ptr fs:[00000030h]	1_2_034F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03450BCB mov eax, dword ptr fs:[00000030h]	1_2_03450BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03450BCB mov eax, dword ptr fs:[00000030h]	1_2_03450BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03450BCB mov eax, dword ptr fs:[00000030h]	1_2_03450BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03430BCD mov eax, dword ptr fs:[00000030h]	1_2_03430BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03430BCD mov eax, dword ptr fs:[00000030h]	1_2_03430BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03430BCD mov eax, dword ptr fs:[00000030h]	1_2_03430BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034DEBD0 mov eax, dword ptr fs:[00000030h]	1_2_034DEBD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03438BF0 mov eax, dword ptr fs:[00000030h]	1_2_03438BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03438BF0 mov eax, dword ptr fs:[00000030h]	1_2_03438BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03438BF0 mov eax, dword ptr fs:[00000030h]	1_2_03438BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0345EBFC mov eax, dword ptr fs:[00000030h]	1_2_0345EBFC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034BCBF0 mov eax, dword ptr fs:[00000030h]	1_2_034BCBF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03440BBE mov eax, dword ptr fs:[00000030h]	1_2_03440BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03440BBE mov eax, dword ptr fs:[00000030h]	1_2_03440BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034E4BB0 mov eax, dword ptr fs:[00000030h]	1_2_034E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034E4BB0 mov eax, dword ptr fs:[00000030h]	1_2_034E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03436A50 mov eax, dword ptr fs:[00000030h]	1_2_03436A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03436A50 mov eax, dword ptr fs:[00000030h]	1_2_03436A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03436A50 mov eax, dword ptr fs:[00000030h]	1_2_03436A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03436A50 mov eax, dword ptr fs:[00000030h]	1_2_03436A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03436A50 mov eax, dword ptr fs:[00000030h]	1_2_03436A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03436A50 mov eax, dword ptr fs:[00000030h]	1_2_03436A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03436A50 mov eax, dword ptr fs:[00000030h]	1_2_03436A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03440A5B mov eax, dword ptr fs:[00000030h]	1_2_03440A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03440A5B mov eax, dword ptr fs:[00000030h]	1_2_03440A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0346CA6F mov eax, dword ptr fs:[00000030h]	1_2_0346CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0346CA6F mov eax, dword ptr fs:[00000030h]	1_2_0346CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0346CA6F mov eax, dword ptr fs:[00000030h]	1_2_0346CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034DEA60 mov eax, dword ptr fs:[00000030h]	1_2_034DEA60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034ACA72 mov eax, dword ptr fs:[00000030h]	1_2_034ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034ACA72 mov eax, dword ptr fs:[00000030h]	1_2_034ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034BCA11 mov eax, dword ptr fs:[00000030h]	1_2_034BCA11
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0346CA24 mov eax, dword ptr fs:[00000030h]	1_2_0346CA24
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0345EA2E mov eax, dword ptr fs:[00000030h]	1_2_0345EA2E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03454A35 mov eax, dword ptr fs:[00000030h]	1_2_03454A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03454A35 mov eax, dword ptr fs:[00000030h]	1_2_03454A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03486ACC mov eax, dword ptr fs:[00000030h]	1_2_03486ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03486ACC mov eax, dword ptr fs:[00000030h]	1_2_03486ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03486ACC mov eax, dword ptr fs:[00000030h]	1_2_03486ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03430AD0 mov eax, dword ptr fs:[00000030h]	1_2_03430AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03464AD0 mov eax, dword ptr fs:[00000030h]	1_2_03464AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03464AD0 mov eax, dword ptr fs:[00000030h]	1_2_03464AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0346AAEE mov eax, dword ptr fs:[00000030h]	1_2_0346AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0346AAEE mov eax, dword ptr fs:[00000030h]	1_2_0346AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0343EA80 mov eax, dword ptr fs:[00000030h]	1_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0343EA80 mov eax, dword ptr fs:[00000030h]	1_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0343EA80 mov eax, dword ptr fs:[00000030h]	1_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0343EA80 mov eax, dword ptr fs:[00000030h]	1_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0343EA80 mov eax, dword ptr fs:[00000030h]	1_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0343EA80 mov eax, dword ptr fs:[00000030h]	1_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0343EA80 mov eax, dword ptr fs:[00000030h]	1_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0343EA80 mov eax, dword ptr fs:[00000030h]	1_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0343EA80 mov eax, dword ptr fs:[00000030h]	1_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03504A80 mov eax, dword ptr fs:[00000030h]	1_2_03504A80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03468A90 mov edx, dword ptr fs:[00000030h]	1_2_03468A90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03438AA0 mov eax, dword ptr fs:[00000030h]	1_2_03438AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03438AA0 mov eax, dword ptr fs:[00000030h]	1_2_03438AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03486AA4 mov eax, dword ptr fs:[00000030h]	1_2_03486AA4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B0946 mov eax, dword ptr fs:[00000030h]	1_2_034B0946
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03504940 mov eax, dword ptr fs:[00000030h]	1_2_03504940
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03456962 mov eax, dword ptr fs:[00000030h]	1_2_03456962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03456962 mov eax, dword ptr fs:[00000030h]	1_2_03456962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03456962 mov eax, dword ptr fs:[00000030h]	1_2_03456962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0347096E mov eax, dword ptr fs:[00000030h]	1_2_0347096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0347096E mov edx, dword ptr fs:[00000030h]	1_2_0347096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0347096E mov eax, dword ptr fs:[00000030h]	1_2_0347096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034D4978 mov eax, dword ptr fs:[00000030h]	1_2_034D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034D4978 mov eax, dword ptr fs:[00000030h]	1_2_034D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034BC97C mov eax, dword ptr fs:[00000030h]	1_2_034BC97C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034AE908 mov eax, dword ptr fs:[00000030h]	1_2_034AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034AE908 mov eax, dword ptr fs:[00000030h]	1_2_034AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034BC912 mov eax, dword ptr fs:[00000030h]	1_2_034BC912
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03428918 mov eax, dword ptr fs:[00000030h]	1_2_03428918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03428918 mov eax, dword ptr fs:[00000030h]	1_2_03428918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B892A mov eax, dword ptr fs:[00000030h]	1_2_034B892A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034C892B mov eax, dword ptr fs:[00000030h]	1_2_034C892B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034C69C0 mov eax, dword ptr fs:[00000030h]	1_2_034C69C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0343A9D0 mov eax, dword ptr fs:[00000030h]	1_2_0343A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0343A9D0 mov eax, dword ptr fs:[00000030h]	1_2_0343A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0343A9D0 mov eax, dword ptr fs:[00000030h]	1_2_0343A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0343A9D0 mov eax, dword ptr fs:[00000030h]	1_2_0343A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0343A9D0 mov eax, dword ptr fs:[00000030h]	1_2_0343A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0343A9D0 mov eax, dword ptr fs:[00000030h]	1_2_0343A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034649D0 mov eax, dword ptr fs:[00000030h]	1_2_034649D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034FA9D3 mov eax, dword ptr fs:[00000030h]	1_2_034FA9D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034BE9E0 mov eax, dword ptr fs:[00000030h]	1_2_034BE9E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034629F9 mov eax, dword ptr fs:[00000030h]	1_2_034629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034629F9 mov eax, dword ptr fs:[00000030h]	1_2_034629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034429A0 mov eax, dword ptr fs:[00000030h]	1_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034429A0 mov eax, dword ptr fs:[00000030h]	1_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034429A0 mov eax, dword ptr fs:[00000030h]	1_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034429A0 mov eax, dword ptr fs:[00000030h]	1_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034429A0 mov eax, dword ptr fs:[00000030h]	1_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034429A0 mov eax, dword ptr fs:[00000030h]	1_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034429A0 mov eax, dword ptr fs:[00000030h]	1_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034429A0 mov eax, dword ptr fs:[00000030h]	1_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034429A0 mov eax, dword ptr fs:[00000030h]	1_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034429A0 mov eax, dword ptr fs:[00000030h]	1_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034429A0 mov eax, dword ptr fs:[00000030h]	1_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034429A0 mov eax, dword ptr fs:[00000030h]	1_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034429A0 mov eax, dword ptr fs:[00000030h]	1_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034309AD mov eax, dword ptr fs:[00000030h]	1_2_034309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034309AD mov eax, dword ptr fs:[00000030h]	1_2_034309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B89B3 mov esi, dword ptr fs:[00000030h]	1_2_034B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B89B3 mov eax, dword ptr fs:[00000030h]	1_2_034B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B89B3 mov eax, dword ptr fs:[00000030h]	1_2_034B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03442840 mov ecx, dword ptr fs:[00000030h]	1_2_03442840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03460854 mov eax, dword ptr fs:[00000030h]	1_2_03460854
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03434859 mov eax, dword ptr fs:[00000030h]	1_2_03434859
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03434859 mov eax, dword ptr fs:[00000030h]	1_2_03434859
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034BE872 mov eax, dword ptr fs:[00000030h]	1_2_034BE872
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034BE872 mov eax, dword ptr fs:[00000030h]	1_2_034BE872
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034C6870 mov eax, dword ptr fs:[00000030h]	1_2_034C6870
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034C6870 mov eax, dword ptr fs:[00000030h]	1_2_034C6870
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034BC810 mov eax, dword ptr fs:[00000030h]	1_2_034BC810
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03452835 mov eax, dword ptr fs:[00000030h]	1_2_03452835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03452835 mov eax, dword ptr fs:[00000030h]	1_2_03452835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03452835 mov eax, dword ptr fs:[00000030h]	1_2_03452835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03452835 mov ecx, dword ptr fs:[00000030h]	1_2_03452835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03452835 mov eax, dword ptr fs:[00000030h]	1_2_03452835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03452835 mov eax, dword ptr fs:[00000030h]	1_2_03452835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0346A830 mov eax, dword ptr fs:[00000030h]	1_2_0346A830
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034D483A mov eax, dword ptr fs:[00000030h]	1_2_034D483A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034D483A mov eax, dword ptr fs:[00000030h]	1_2_034D483A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0345E8C0 mov eax, dword ptr fs:[00000030h]	1_2_0345E8C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_035008C0 mov eax, dword ptr fs:[00000030h]	1_2_035008C0

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\(2).docx.exe

0_2_0030A66C

Enables debug privileges

Source: C:\Windows\SysWOW64\svchost.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\(2).docx.exe	Code function: 0_2_002F81AC SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_002F81AC
Source: C:\Users\user\Desktop\(2).docx.exe	Code function: 0_2_002F8189 SetUnhandledExceptionFilter,		0_2_002F8189

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\(2).docx.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\SysWOW64\cmstp.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\SysWOW64\cmstp.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\svchost.exe	Thread register set: target process: 2580			Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Thread register set: target process: 2580			Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\svchost.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Sample uses process hollowing technique

Source: C:\Windows\SysWOW64\svchost.exe

Section unmapped: C:\Windows\SysWOW64\cmstp.exe base address: 370000

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\(2).docx.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: 9C1008

Jump to behavior

Contains functionality to execute programs as a different user

Source: C:\Users\user\Desktop\(2).docx.exe

Code function: 0_2_0030B106 LogonUserW,

0_2_0030B106

Contains functionality to launch a program with higher privileges

Source: C:\Users\user\Desktop\(2).docx.exe

Code function: 0_2_002D3D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_002D3D19

Contains functionality to simulate keystroke presses

Source: C:\Users\user\Desktop\(2).docx.exe

Code function: 0_2_0031411C SendInput,keybd_event,

0_2_0031411C

Contains functionality to simulate mouse events

Source: C:\Users\user\Desktop\(2).docx.exe

Code function: 0_2_003174BB mouse_event,

0_2_003174BB

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\(2).docx.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\(2).docx.exe"			Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\svchost.exe"			Jump to behavior

Source: C:\Users\user\Desktop\(2).docx.exe

0_2_0030A66C

Source: C:\Users\user\Desktop\(2).docx.exe

Code function: 0_2_003171FA AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_003171FA

Source: (2).docx.exe, explorer.exe, 00000002.00000002.4163164050.0000000009815000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4159983624.0000000004CE0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3106173503.0000000009815000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000002.00000002.4158377602.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.1715393255.00000000018A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: (2).docx.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndTHISREMOVEblankinfoquestionstopwarning
Source: explorer.exe, 00000002.00000000.1715123564.0000000001240000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4157904661.0000000001240000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1Progman$
Source: explorer.exe, 00000002.00000002.4158377602.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.1715393255.00000000018A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000002.00000002.4158377602.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.1715393255.00000000018A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: }Program Manager

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\Desktop\(2).docx.exe

Code function: 0_2_002F65C4 cpuid

0_2_002F65C4

Source: C:\Users\user\Desktop\(2).docx.exe

0_2_0032091D

Source: C:\Users\user\Desktop\(2).docx.exe

Code function: 0_2_0034B340 GetUserNameW,

0_2_0034B340

Source: C:\Users\user\Desktop\(2).docx.exe

Code function: 0_2_00301E8E __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00301E8E

Source: C:\Users\user\Desktop\(2).docx.exe

Code function: 0_2_002EDDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_002EDDC0

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.(2).docx.exe.1d10000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.(2).docx.exe.1d10000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1712953474.0000000001D10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1770954134.0000000000F10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4157701602.00000000026E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1769816274.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4158199606.0000000004330000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1771015115.0000000000F40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4158309338.0000000004360000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

OS version to string mapping found (often used in BOTs)

Source: (2).docx.exe	Binary or memory string: WIN_81
Source: (2).docx.exe	Binary or memory string: WIN_XP
Source: (2).docx.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 12, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubytep
Source: (2).docx.exe	Binary or memory string: WIN_XPe
Source: (2).docx.exe	Binary or memory string: WIN_VISTA
Source: (2).docx.exe	Binary or memory string: WIN_7
Source: (2).docx.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.(2).docx.exe.1d10000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.(2).docx.exe.1d10000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1712953474.0000000001D10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1770954134.0000000000F10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4157701602.00000000026E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1769816274.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4158199606.0000000004330000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1771015115.0000000000F40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4158309338.0000000004360000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Source: C:\Users\user\Desktop\(2).docx.exe	Code function: 0_2_00328C4F socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		0_2_00328C4F
Source: C:\Users\user\Desktop\(2).docx.exe	Code function: 0_2_0032923B socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_0032923B

ID:	1560294
Product:	CloudBasic
Start time:	16:25:15
Start date:	21.11.2024
Sample:	(2).docx.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	8c01c51ef925e81212d6f39c098fe65f
SHA1:	94404d75e90260be4bdea4d3f76d1cab1deca5ff
SHA256:	f03d10d6d5be51c58642517465216d686f029cb1f85266939eed886f85e68dda
Filetype:	Win32 Executable (generic) a (10002005/4) 99.96%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.dat	JSON data	5D20D9B3F928AC964E07C561FD8A3F42	B702BE149FCF94831A975F2CD06B2DFE020D9632	59A4F22870D7A7DC3339917C89FF6AF09FA762AF39F0624338FDDFF631730492
C:\Users\user\AppData\Local\Temp\aut89B9.tmp	data	6688EF6B7E0333FAF7D2D73C2B6FB1FC	90BCCFE3D0A858715614FC1962F9269BB1DAF310	512218787D6145CCC0ADEECB12269648CFB57008CB4729BA4B6D6BE9BF94C1C2
C:\Users\user\AppData\Local\Temp\gobioid	data	76C672ACB098C8658729EA7E6491A611	F4D7186FECD66850FC339870B1F7EE89DC27F883	5C48318C5E0A7B71DD2F84C1CBB7A83BFCDD3DF6A4CB2F05BBBA493D316D5524

Windows Analysis Report
(2).docx.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel
Provided by

Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Domains

Contacted URLs

Windows Analysis Report (2).docx.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Domains

Contacted URLs

Windows Analysis Report
(2).docx.exe

Malware Threat Intel
Provided by