Windows Analysis Report
NEW ORDER_.exe

Overview

General Information

Sample name: NEW ORDER_.exe
Analysis ID: 1560971
MD5: 1a8ae43a449f63e9f91d429fe7b21a18
SHA1: abd2a58b8df340f0791eaaf522841e6f5484ce13
SHA256: 87e77805c61d64114809ab00f0d224e261109e968300ae193c0a9024caa97807
Tags: exeuser-James_inthe_box
Infos:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Query firmware table information (likely to detect VMs)
Queues an APC in another process (thread injection)
Reads the DNS cache
Sample uses process hollowing technique
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Uses ipconfig to lookup or modify the Windows network settings
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
One or more processes crash
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection
barindex
Found malware configuration
Source: 00000002.00000002.1374290968.0000000003170000.00000040.10000000.00040000.00000000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.9net88.net/ge07/"], "decoy": ["amyard.shop", "eloshost.xyz", "g18q11a.top", "orensic-vendor-735524320.click", "ithin-ksvodn.xyz", "xhyx.top", "elonix-traceglow.pro", "cillascrewedsedroth.cfd", "wner-nyquh.xyz", "reyhazeusa.shop", "esmellretaperetotal.cfd", "hqm-during.xyz", "pipagtxcorrelo.xyz", "lray-civil.xyz", "apybarameme.xyz", "rbuds.shop", "hild-fcudh.xyz", "rkgexg.top", "estwestcottwines.shop", "giyztm.xyz", "epehr.pics", "lways-vhyrp.xyz", "acifictechnologycctv.net", "iscinddocenaemlynne.cfd", "ridesmaidgiftsboutiqueki.shop", "ubtleclothingco.fashion", "hemicans.xyz", "ebaoge318.top", "zoc-marriage.xyz", "ngeribe2.homes", "oal-ahzgwo.xyz", "eries-htii.xyz", "ool-covers76.xyz", "ecurityemployment.today", "croom.net", "f7y2i9fgm.xyz", "earch-lawyer-consultation.today", "066iwx2t.shop", "ound-omagf.xyz", "ivglass.xyz", "fdyh-investment.xyz", "yegle.net", "eader-aaexvn.xyz", "dvle-father.xyz", "onsfskfsmpfssfpewqdsawqe.xyz", "ffect-xedzl.xyz", "ood-packaging-jobs-brasil.today", "lasterdeals.shop", "ehkd.top", "pm-22-ns-2.click", "ocockbowerlybrawer.cfd", "ostcanadantpl.top", "vrkof-point.xyz", "lsader.app", "nce-ystyx.xyz", "azl.pro", "ea-yogkkb.xyz", "isit-txax.xyz", "rowadservepros.net", "6282.xyz", "roduct-xgky.xyz", "wner-nyquh.xyz", "sfmoreservicesllc.lat", "rasko.net"]}
Multi AV Scanner detection for submitted file
Source: NEW ORDER_.exe ReversingLabs: Detection: 65%
Yara detected FormBook
Source: Yara match File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.NEW ORDER_.exe.3ab0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.NEW ORDER_.exe.3ab0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.1374290968.0000000003170000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.3748101037.0000000000C90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.3749816830.0000000003140000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1373841275.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1320406705.0000000003AB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.3749960996.0000000003170000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1374329870.00000000031A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 99.7% probability
Machine Learning detection for sample
Source: NEW ORDER_.exe Joe Sandbox ML: detected
Uses 32bit PE files
Source: NEW ORDER_.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Binary string: ipconfig.pdb source: svchost.exe, 00000002.00000002.1374088105.0000000002C12000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1373711081.0000000002C2C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1374368775.00000000031D0000.00000040.10000000.00040000.00000000.sdmp, ipconfig.exe, ipconfig.exe, 00000005.00000002.3748987818.0000000000ED0000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: ipconfig.pdbGCTL source: svchost.exe, 00000002.00000002.1374088105.0000000002C12000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1373711081.0000000002C2C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1374368775.00000000031D0000.00000040.10000000.00040000.00000000.sdmp, ipconfig.exe, 00000005.00000002.3748987818.0000000000ED0000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: NEW ORDER_.exe, 00000000.00000003.1310978306.0000000003E30000.00000004.00001000.00020000.00000000.sdmp, NEW ORDER_.exe, 00000000.00000003.1311575770.0000000003FD0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1318911457.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1320775755.0000000003100000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1374502488.000000000349E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1374502488.0000000003300000.00000040.00001000.00020000.00000000.sdmp, ipconfig.exe, 00000005.00000002.3750816101.00000000034B0000.00000040.00001000.00020000.00000000.sdmp, ipconfig.exe, 00000005.00000002.3750816101.000000000364E000.00000040.00001000.00020000.00000000.sdmp, ipconfig.exe, 00000005.00000003.1376396175.000000000330A000.00000004.00000020.00020000.00000000.sdmp, ipconfig.exe, 00000005.00000003.1374209665.0000000003148000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: NEW ORDER_.exe, 00000000.00000003.1310978306.0000000003E30000.00000004.00001000.00020000.00000000.sdmp, NEW ORDER_.exe, 00000000.00000003.1311575770.0000000003FD0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.1318911457.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1320775755.0000000003100000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1374502488.000000000349E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1374502488.0000000003300000.00000040.00001000.00020000.00000000.sdmp, ipconfig.exe, ipconfig.exe, 00000005.00000002.3750816101.00000000034B0000.00000040.00001000.00020000.00000000.sdmp, ipconfig.exe, 00000005.00000002.3750816101.000000000364E000.00000040.00001000.00020000.00000000.sdmp, ipconfig.exe, 00000005.00000003.1376396175.000000000330A000.00000004.00000020.00020000.00000000.sdmp, ipconfig.exe, 00000005.00000003.1374209665.0000000003148000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: svchost.pdb source: explorer.exe, 00000004.00000002.2404877912.0000000010B1F000.00000004.80000000.00040000.00000000.sdmp, ipconfig.exe, 00000005.00000002.3752195836.00000000039FF000.00000004.10000000.00040000.00000000.sdmp, ipconfig.exe, 00000005.00000002.3749463893.0000000003052000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3766323699.000000000A37F000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: svchost.pdbUGP source: explorer.exe, 00000004.00000002.2404877912.0000000010B1F000.00000004.80000000.00040000.00000000.sdmp, ipconfig.exe, 00000005.00000002.3752195836.00000000039FF000.00000004.10000000.00040000.00000000.sdmp, ipconfig.exe, 00000005.00000002.3749463893.0000000003052000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3766323699.000000000A37F000.00000004.80000000.00040000.00000000.sdmp
Source: C:\Users\user\Desktop\NEW ORDER_.exe Code function: 0_2_00736CA9 GetFileAttributesW,FindFirstFileW,FindClose, 0_2_00736CA9
Source: C:\Users\user\Desktop\NEW ORDER_.exe Code function: 0_2_007360DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose, 0_2_007360DD
Source: C:\Users\user\Desktop\NEW ORDER_.exe Code function: 0_2_007363F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose, 0_2_007363F9
Source: C:\Users\user\Desktop\NEW ORDER_.exe Code function: 0_2_0073EB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_0073EB60
Source: C:\Users\user\Desktop\NEW ORDER_.exe Code function: 0_2_0073F56F FindFirstFileW,FindClose, 0_2_0073F56F
Source: C:\Users\user\Desktop\NEW ORDER_.exe Code function: 0_2_0073F5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 0_2_0073F5FA
Source: C:\Users\user\Desktop\NEW ORDER_.exe Code function: 0_2_00741B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00741B2F
Source: C:\Users\user\Desktop\NEW ORDER_.exe Code function: 0_2_00741C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00741C8A
Source: C:\Users\user\Desktop\NEW ORDER_.exe Code function: 0_2_00741F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_00741F94

Networking
barindex
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.9net88.net/ge07/
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\NEW ORDER_.exe Code function: 0_2_00744EB5 InternetReadFile,InternetQueryDataAvailable,InternetReadFile, 0_2_00744EB5
Source: global traffic DNS traffic detected: DNS query: www.ood-packaging-jobs-brasil.today
Source: global traffic DNS traffic detected: DNS query: www.acifictechnologycctv.net
Source: global traffic DNS traffic detected: DNS query: www.reyhazeusa.shop
Source: global traffic DNS traffic detected: DNS query: www.ostcanadantpl.top
Source: global traffic DNS traffic detected: DNS query: api.msn.com
Source: explorer.exe, 00000004.00000002.2384272099.000000000730B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1325301295.0000000007306000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1327589479.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2387608443.0000000008F83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2274116897.000000000730A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.3701991146.00000000098D6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3763795534.00000000098D6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 00000004.00000002.2384272099.000000000730B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1325301295.0000000007306000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1327589479.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2387608443.0000000008F83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2274116897.000000000730A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.3701991146.00000000098D6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3763795534.00000000098D6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 00000004.00000002.2384272099.000000000730B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1325301295.0000000007306000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1327589479.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2387608443.0000000008F83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2274116897.000000000730A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.3701991146.00000000098D6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3763795534.00000000098D6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 00000004.00000002.2384272099.000000000730B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1325301295.0000000007306000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1327589479.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2387608443.0000000008F83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2274116897.000000000730A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.3701991146.00000000098D6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3763795534.00000000098D6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000004.00000002.2382491394.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1325301295.00000000071FC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 00000004.00000000.1327078946.0000000008810000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000002.2385993948.0000000008820000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000002.2385254686.0000000007C70000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000E.00000002.3769483542.000000000C745000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://schemas.micro
Source: explorer.exe, 0000000E.00000002.3769483542.000000000C745000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://schemas.microsoft.
Source: explorer.exe, 00000004.00000003.2272196509.000000000C506000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2403553676.000000000C54C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2274659341.000000000C54B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.066iwx2t.shop
Source: explorer.exe, 00000004.00000003.2272196509.000000000C506000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2403553676.000000000C54C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2274659341.000000000C54B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.066iwx2t.shop/ge07/
Source: explorer.exe, 00000004.00000003.2272196509.000000000C506000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2403553676.000000000C54C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2274659341.000000000C54B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.066iwx2t.shop/ge07/www.g18q11a.top
Source: explorer.exe, 00000004.00000003.2272196509.000000000C506000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2403553676.000000000C54C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2274659341.000000000C54B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.066iwx2t.shopReferer:
Source: explorer.exe, 00000004.00000003.2272196509.000000000C506000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2403553676.000000000C54C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2274659341.000000000C54B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.9net88.net
Source: explorer.exe, 00000004.00000003.2272196509.000000000C506000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2403553676.000000000C54C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2274659341.000000000C54B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.9net88.net/ge07/
Source: explorer.exe, 00000004.00000003.2272196509.000000000C506000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2403553676.000000000C54C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2274659341.000000000C54B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.9net88.net/ge07/www.dvle-father.xyz
Source: explorer.exe, 00000004.00000003.2272196509.000000000C506000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2403553676.000000000C54C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2274659341.000000000C54B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.9net88.netReferer:
Source: explorer.exe, 00000004.00000003.2272196509.000000000C506000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2403553676.000000000C54C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2274659341.000000000C54B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.acifictechnologycctv.net
Source: explorer.exe, 00000004.00000003.2272196509.000000000C506000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2403553676.000000000C54C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2274659341.000000000C54B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.acifictechnologycctv.net/ge07/
Source: explorer.exe, 00000004.00000003.2272196509.000000000C506000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2403553676.000000000C54C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2274659341.000000000C54B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.acifictechnologycctv.net/ge07/www.reyhazeusa.shop
Source: explorer.exe, 00000004.00000003.2272196509.000000000C506000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2403553676.000000000C54C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2274659341.000000000C54B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.acifictechnologycctv.netReferer:
Source: explorer.exe, 00000004.00000003.2272196509.000000000C506000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2403553676.000000000C54C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2274659341.000000000C54B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.dvle-father.xyz
Source: explorer.exe, 00000004.00000003.2272196509.000000000C506000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2403553676.000000000C54C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2274659341.000000000C54B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.dvle-father.xyz/ge07/
Source: explorer.exe, 00000004.00000003.2272196509.000000000C506000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2403553676.000000000C54C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2274659341.000000000C54B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.dvle-father.xyz/ge07/www.yegle.net
Source: explorer.exe, 00000004.00000003.2272196509.000000000C506000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2403553676.000000000C54C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2274659341.000000000C54B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.dvle-father.xyzReferer:
Source: explorer.exe, 00000004.00000003.2272196509.000000000C506000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2403553676.000000000C54C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2274659341.000000000C54B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ehkd.top
Source: explorer.exe, 00000004.00000003.2272196509.000000000C506000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2403553676.000000000C54C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2274659341.000000000C54B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ehkd.top/ge07/
Source: explorer.exe, 00000004.00000003.2272196509.000000000C506000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2403553676.000000000C54C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2274659341.000000000C54B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ehkd.top/ge07/www.ivglass.xyz
Source: explorer.exe, 00000004.00000003.2272196509.000000000C506000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2403553676.000000000C54C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2274659341.000000000C54B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ehkd.topReferer:
Source: explorer.exe, 00000004.00000003.2272196509.000000000C506000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2403553676.000000000C54C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2274659341.000000000C54B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.epehr.pics
Source: explorer.exe, 00000004.00000003.2272196509.000000000C506000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2403553676.000000000C54C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2274659341.000000000C54B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.epehr.pics/ge07/
Source: explorer.exe, 00000004.00000003.2272196509.000000000C506000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2403553676.000000000C54C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2274659341.000000000C54B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.epehr.pics/ge07/www.ngeribe2.homes
Source: explorer.exe, 00000004.00000003.2272196509.000000000C506000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2403553676.000000000C54C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2274659341.000000000C54B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.epehr.picsReferer:
Source: explorer.exe, 00000004.00000003.2272196509.000000000C506000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2403553676.000000000C54C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2274659341.000000000C54B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.f7y2i9fgm.xyz
Source: explorer.exe, 00000004.00000003.2272196509.000000000C506000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2403553676.000000000C54C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2274659341.000000000C54B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.f7y2i9fgm.xyz/ge07/
Source: explorer.exe, 00000004.00000003.2272196509.000000000C506000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2403553676.000000000C54C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2274659341.000000000C54B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.f7y2i9fgm.xyz/ge07/www.giyztm.xyz
Source: explorer.exe, 00000004.00000003.2272196509.000000000C506000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2403553676.000000000C54C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2274659341.000000000C54B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.f7y2i9fgm.xyzReferer:
Source: explorer.exe, 00000004.00000000.1325301295.00000000071B2000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.foreca.com
Source: explorer.exe, 00000004.00000003.2272196509.000000000C506000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2403553676.000000000C54C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2274659341.000000000C54B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.g18q11a.top
Source: explorer.exe, 00000004.00000003.2274659341.000000000C54B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.g18q11a.top/ge07/
Source: explorer.exe, 00000004.00000003.2272196509.000000000C506000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2403553676.000000000C54C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2274659341.000000000C54B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.g18q11a.topReferer:
Source: explorer.exe, 00000004.00000003.2272196509.000000000C506000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2403553676.000000000C54C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2274659341.000000000C54B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.giyztm.xyz
Source: explorer.exe, 00000004.00000003.2272196509.000000000C506000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2403553676.000000000C54C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2274659341.000000000C54B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.giyztm.xyz/ge07/
Source: explorer.exe, 00000004.00000003.2272196509.000000000C506000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2403553676.000000000C54C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2274659341.000000000C54B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.giyztm.xyz/ge07/www.epehr.pics
Source: explorer.exe, 00000004.00000003.2272196509.000000000C506000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2403553676.000000000C54C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2274659341.000000000C54B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.giyztm.xyzReferer:
Source: explorer.exe, 00000004.00000003.2272196509.000000000C506000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2403553676.000000000C54C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2274659341.000000000C54B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ivglass.xyz
Source: explorer.exe, 00000004.00000003.2272196509.000000000C506000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2403553676.000000000C54C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2274659341.000000000C54B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ivglass.xyz/ge07/
Source: explorer.exe, 00000004.00000003.2272196509.000000000C506000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2403553676.000000000C54C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2274659341.000000000C54B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ivglass.xyz/ge07/www.nce-ystyx.xyz
Source: explorer.exe, 00000004.00000003.2272196509.000000000C506000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2403553676.000000000C54C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2274659341.000000000C54B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ivglass.xyzReferer:
Source: explorer.exe, 00000004.00000003.2272196509.000000000C506000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2403553676.000000000C54C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2274659341.000000000C54B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.nce-ystyx.xyz
Source: explorer.exe, 00000004.00000003.2272196509.000000000C506000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2403553676.000000000C54C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2274659341.000000000C54B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.nce-ystyx.xyz/ge07/
Source: explorer.exe, 00000004.00000003.2272196509.000000000C506000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2403553676.000000000C54C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2274659341.000000000C54B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.nce-ystyx.xyz/ge07/www.9net88.net
Source: explorer.exe, 00000004.00000003.2272196509.000000000C506000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2403553676.000000000C54C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2274659341.000000000C54B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.nce-ystyx.xyzReferer:
Source: explorer.exe, 00000004.00000003.2272196509.000000000C506000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2403553676.000000000C54C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2274659341.000000000C54B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ngeribe2.homes
Source: explorer.exe, 00000004.00000003.2272196509.000000000C506000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2403553676.000000000C54C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2274659341.000000000C54B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ngeribe2.homes/ge07/
Source: explorer.exe, 00000004.00000003.2272196509.000000000C506000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2403553676.000000000C54C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2274659341.000000000C54B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ngeribe2.homes/ge07/www.ehkd.top
Source: explorer.exe, 00000004.00000003.2272196509.000000000C506000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2403553676.000000000C54C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2274659341.000000000C54B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ngeribe2.homesReferer:
Source: explorer.exe, 00000004.00000003.2272196509.000000000C506000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2403553676.000000000C54C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2274659341.000000000C54B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ood-packaging-jobs-brasil.today
Source: explorer.exe, 00000004.00000003.2272196509.000000000C506000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2403553676.000000000C54C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2274659341.000000000C54B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ood-packaging-jobs-brasil.today/ge07/
Source: explorer.exe, 00000004.00000003.2272196509.000000000C506000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2403553676.000000000C54C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2274659341.000000000C54B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ood-packaging-jobs-brasil.today/ge07/www.acifictechnologycctv.net
Source: explorer.exe, 00000004.00000003.2272196509.000000000C506000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2403553676.000000000C54C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2274659341.000000000C54B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ood-packaging-jobs-brasil.todayReferer:
Source: explorer.exe, 00000004.00000003.2272196509.000000000C506000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2403553676.000000000C54C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2274659341.000000000C54B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ostcanadantpl.top
Source: explorer.exe, 00000004.00000003.2272196509.000000000C506000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2403553676.000000000C54C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2274659341.000000000C54B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ostcanadantpl.top/ge07/
Source: explorer.exe, 00000004.00000003.2272196509.000000000C506000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2403553676.000000000C54C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2274659341.000000000C54B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ostcanadantpl.top/ge07/www.f7y2i9fgm.xyz
Source: explorer.exe, 00000004.00000003.2272196509.000000000C506000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2403553676.000000000C54C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2274659341.000000000C54B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ostcanadantpl.topReferer:
Source: explorer.exe, 00000004.00000003.2272196509.000000000C506000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2403553676.000000000C54C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2274659341.000000000C54B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.reyhazeusa.shop
Source: explorer.exe, 00000004.00000003.2272196509.000000000C506000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2403553676.000000000C54C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2274659341.000000000C54B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.reyhazeusa.shop/ge07/
Source: explorer.exe, 00000004.00000003.2272196509.000000000C506000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2403553676.000000000C54C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2274659341.000000000C54B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.reyhazeusa.shop/ge07/www.ostcanadantpl.top
Source: explorer.exe, 00000004.00000003.2272196509.000000000C506000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2403553676.000000000C54C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2274659341.000000000C54B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.reyhazeusa.shopReferer:
Source: explorer.exe, 00000004.00000003.2272196509.000000000C506000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2403553676.000000000C54C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2274659341.000000000C54B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.yegle.net
Source: explorer.exe, 00000004.00000003.2272196509.000000000C506000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2403553676.000000000C54C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2274659341.000000000C54B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.yegle.net/ge07/
Source: explorer.exe, 00000004.00000003.2272196509.000000000C506000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2403553676.000000000C54C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2274659341.000000000C54B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.yegle.net/ge07/www.066iwx2t.shop
Source: explorer.exe, 00000004.00000003.2272196509.000000000C506000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2403553676.000000000C54C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2274659341.000000000C54B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.yegle.netReferer:
Source: explorer.exe, 00000004.00000000.1327589479.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp
Source: explorer.exe, 00000004.00000000.1327589479.000000000913F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000004.00000002.2387608443.0000000008F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.3698685262.0000000009AD1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3764000347.0000000009AD1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2452509158.0000000009AD1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2440790966.0000000009AD1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2466769749.0000000009AD1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 0000000E.00000002.3764000347.0000000009916000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000004.00000000.1327589479.0000000008F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2387608443.0000000008F09000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?
Source: explorer.exe, 0000000E.00000003.2466769749.00000000099D2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3764000347.00000000099B4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.3698685262.00000000099B4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows??K
Source: explorer.exe, 00000004.00000002.2382491394.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1325301295.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2394648634.0000000007AF2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3753814442.0000000007ADA000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2384619575.0000000007AE7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2391403988.0000000007AF0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2389058512.0000000007ADA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=DD4083B70FE54739AB05D6BBA3484042&timeOut=5000&oc
Source: explorer.exe, 00000004.00000002.2382491394.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1325301295.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2394648634.0000000007AF2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3753814442.0000000007ADA000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2384619575.0000000007AE7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2391403988.0000000007AF0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2389058512.0000000007ADA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 0000000E.00000003.2452509158.0000000009A61000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2440790966.0000000009A71000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2466769749.00000000099D2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3764000347.00000000099B4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.3698685262.00000000099B4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2450949413.0000000009A61000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?=
Source: explorer.exe, 00000004.00000000.1325301295.0000000007276000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2382491394.0000000007276000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?t
Source: explorer.exe, 00000004.00000000.1327589479.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2387608443.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2466769749.00000000099D2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3764000347.00000000099B4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.3698685262.00000000099B4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://arc.msn.com
Source: explorer.exe, 0000000E.00000003.2389058512.0000000007ADA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
Source: explorer.exe, 0000000E.00000003.2389058512.0000000007ADA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehwh2.svg
Source: explorer.exe, 0000000E.00000003.2384619575.0000000007AE7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.
Source: explorer.exe, 0000000E.00000003.2384619575.0000000007AE7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary
Source: explorer.exe, 0000000E.00000003.2384619575.0000000007AE7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2391403988.0000000007AF0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2389058512.0000000007ADA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA12QGBm
Source: explorer.exe, 0000000E.00000003.2384619575.0000000007AE7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2391403988.0000000007AF0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2389058512.0000000007ADA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA12QGBm-dark
Source: explorer.exe, 00000004.00000002.2382491394.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1325301295.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2394648634.0000000007AF2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3753814442.0000000007ADA000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2384619575.0000000007AE7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2391403988.0000000007AF0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2389058512.0000000007ADA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
Source: explorer.exe, 00000004.00000002.2382491394.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1325301295.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2394648634.0000000007AF2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3753814442.0000000007ADA000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2384619575.0000000007AE7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2391403988.0000000007AF0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2389058512.0000000007ADA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
Source: explorer.exe, 00000004.00000002.2382491394.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1325301295.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2394648634.0000000007AF2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3753814442.0000000007ADA000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2384619575.0000000007AE7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2391403988.0000000007AF0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2389058512.0000000007ADA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT
Source: explorer.exe, 00000004.00000002.2382491394.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1325301295.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2394648634.0000000007AF2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3753814442.0000000007ADA000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2384619575.0000000007AE7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2391403988.0000000007AF0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2389058512.0000000007ADA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT-dark
Source: explorer.exe, 0000000E.00000003.2384619575.0000000007AE7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gAHG-dark
Source: explorer.exe, 00000004.00000002.2395472104.000000000C091000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1330403346.000000000C091000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2467440128.0000000009B49000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2468224390.0000000009B48000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2471104315.0000000009B42000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2472316992.0000000009B42000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://excel.office.com
Source: explorer.exe, 00000004.00000002.2382491394.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1325301295.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2394648634.0000000007AF2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3753814442.0000000007ADA000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2384619575.0000000007AE7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2391403988.0000000007AF0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2389058512.0000000007ADA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA11f7Wa.img
Source: explorer.exe, 0000000E.00000003.2391403988.0000000007AF0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2389058512.0000000007ADA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA12lNhl.img
Source: explorer.exe, 00000004.00000002.2382491394.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1325301295.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2394648634.0000000007AF2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3753814442.0000000007ADA000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2384619575.0000000007AE7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2391403988.0000000007AF0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2389058512.0000000007ADA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
Source: explorer.exe, 00000004.00000002.2382491394.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1325301295.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2394648634.0000000007AF2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3753814442.0000000007ADA000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2384619575.0000000007AE7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2391403988.0000000007AF0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2389058512.0000000007ADA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1bjET8.img
Source: explorer.exe, 0000000E.00000003.2389058512.0000000007ADA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1c9Jin.img
Source: explorer.exe, 0000000E.00000003.2384619575.0000000007AE7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2391403988.0000000007AF0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2389058512.0000000007ADA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAXV829.img
Source: explorer.exe, 00000004.00000002.2382491394.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1325301295.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2394648634.0000000007AF2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3753814442.0000000007ADA000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2384619575.0000000007AE7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2391403988.0000000007AF0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2389058512.0000000007ADA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBNvr53.img
Source: explorer.exe, 0000000E.00000003.2384619575.0000000007AE7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2391403988.0000000007AF0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2389058512.0000000007ADA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBUvpML.img
Source: explorer.exe, 00000004.00000002.2395472104.000000000C091000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1330403346.000000000C091000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://outlook.com
Source: explorer.exe, 0000000E.00000003.2467440128.0000000009B49000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2468224390.0000000009B48000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2471104315.0000000009B42000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2472316992.0000000009B42000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://outlook.comOB
Source: explorer.exe, 00000004.00000002.2395472104.000000000C091000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1330403346.000000000C091000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2466769749.0000000009B26000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2467538759.0000000009B26000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://powerpoint.office.com
Source: explorer.exe, 00000004.00000002.2382491394.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1325301295.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2394648634.0000000007AF2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3753814442.0000000007ADA000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2384619575.0000000007AE7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2391403988.0000000007AF0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2389058512.0000000007ADA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000004.00000002.2382491394.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1325301295.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2394648634.0000000007AF2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3753814442.0000000007ADA000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2384619575.0000000007AE7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2391403988.0000000007AF0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2389058512.0000000007ADA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000004.00000003.2274146619.00000000090F2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2389749148.00000000090F2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1327589479.00000000090F2000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://wns.windows.com/
Source: explorer.exe, 00000004.00000002.2395472104.000000000C091000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1330403346.000000000C091000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://word.office.com
Source: explorer.exe, 0000000E.00000003.2467440128.0000000009B49000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2468224390.0000000009B48000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2471104315.0000000009B42000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2472316992.0000000009B42000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://word.office.com%I
Source: explorer.exe, 0000000E.00000003.2384619575.0000000007AE7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-
Source: explorer.exe, 0000000E.00000003.2384619575.0000000007AE7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-u
Source: explorer.exe, 0000000E.00000003.2394648634.0000000007AF2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2384619575.0000000007AE7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2391403988.0000000007AF0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2389058512.0000000007ADA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/foodanddrink/recipes/the-syrupy-ingredient-that-totally-enhances-oatmeal-r
Source: explorer.exe, 00000004.00000002.2382491394.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1325301295.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2394648634.0000000007AF2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3753814442.0000000007ADA000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2384619575.0000000007AE7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2391403988.0000000007AF0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2389058512.0000000007ADA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/lifestyle/lifestyle-buzz/what-to-do-if-a-worst-case-nuclear-scenario-actua
Source: explorer.exe, 00000004.00000002.2382491394.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1325301295.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2394648634.0000000007AF2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3753814442.0000000007ADA000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2384619575.0000000007AE7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2391403988.0000000007AF0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2389058512.0000000007ADA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/money/careersandeducation/student-loan-debt-forgiveness-arrives-for-some-b
Source: explorer.exe, 00000004.00000002.2382491394.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1325301295.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2394648634.0000000007AF2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3753814442.0000000007ADA000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2384619575.0000000007AE7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2391403988.0000000007AF0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2389058512.0000000007ADA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/money/markets/costco-is-seeing-a-gold-rush-what-s-behind-the-demand-for-it
Source: explorer.exe, 0000000E.00000003.2384619575.0000000007AE7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/money/realestate/senator-questions-w
Source: explorer.exe, 00000004.00000002.2382491394.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1325301295.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2394648634.0000000007AF2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3753814442.0000000007ADA000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2384619575.0000000007AE7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2391403988.0000000007AF0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2389058512.0000000007ADA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/money/realestate/why-this-florida-city-is-a-safe-haven-from-hurricanes/ar-
Source: explorer.exe, 00000004.00000002.2382491394.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1325301295.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2394648634.0000000007AF2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3753814442.0000000007ADA000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2384619575.0000000007AE7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2391403988.0000000007AF0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2389058512.0000000007ADA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/music/news/6-rock-ballads-that-tug-at-the-heartstrings/ar-AA1hIdsm
Source: explorer.exe, 00000004.00000002.2382491394.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1325301295.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2394648634.0000000007AF2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3753814442.0000000007ADA000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2384619575.0000000007AE7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2391403988.0000000007AF0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2389058512.0000000007ADA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/politics/kinzinger-has-theory-about-who-next-house-speaker-will-be/vi
Source: explorer.exe, 00000004.00000002.2382491394.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1325301295.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2394648634.0000000007AF2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3753814442.0000000007ADA000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2384619575.0000000007AE7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2391403988.0000000007AF0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2389058512.0000000007ADA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/technology/prehistoric-comet-impacted-earth-and-triggered-the-switch-
Source: explorer.exe, 00000004.00000002.2382491394.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1325301295.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2394648634.0000000007AF2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3753814442.0000000007ADA000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2384619575.0000000007AE7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2391403988.0000000007AF0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2389058512.0000000007ADA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the
Source: explorer.exe, 0000000E.00000003.2384619575.0000000007AE7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/play/g
Source: explorer.exe, 0000000E.00000003.2384619575.0000000007AE7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/play/games/bubbly
Source: explorer.exe, 0000000E.00000003.2384619575.0000000007AE7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2391403988.0000000007AF0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2389058512.0000000007ADA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/sports/other/paul-finebaum-ranks-his-top-four-college-football-teams-this-
Source: explorer.exe, 00000004.00000002.2382491394.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1325301295.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2394648634.0000000007AF2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3753814442.0000000007ADA000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2384619575.0000000007AE7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2391403988.0000000007AF0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2389058512.0000000007ADA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/sports/other/simone-biles-leads-u-s-women-s-team-to-seventh-straight-world
Source: explorer.exe, 00000004.00000002.2382491394.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1325301295.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2394648634.0000000007AF2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3753814442.0000000007ADA000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2384619575.0000000007AE7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2391403988.0000000007AF0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2389058512.0000000007ADA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/weather/topstories/accuweather-el-ni
Source: explorer.exe, 00000004.00000002.2382491394.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1325301295.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2394648634.0000000007AF2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3753814442.0000000007ADA000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2384619575.0000000007AE7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2391403988.0000000007AF0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2389058512.0000000007ADA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/weather/topstories/here-s-who-could-see-above-average-snowfall-this-winter
Source: explorer.exe, 00000004.00000002.2382491394.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1325301295.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2394648634.0000000007AF2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3753814442.0000000007ADA000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2384619575.0000000007AE7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2391403988.0000000007AF0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2389058512.0000000007ADA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-winter-forecast-for-the-2023-2024-season/ar-AA1hGINt
Source: explorer.exe, 00000004.00000002.2382491394.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1325301295.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2394648634.0000000007AF2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3753814442.0000000007ADA000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2384619575.0000000007AE7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2391403988.0000000007AF0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2389058512.0000000007ADA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com:443/en-us/feed
Source: explorer.exe, 00000004.00000000.1325301295.00000000071B2000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.pollensense.com/
Contains functionality for read data from the clipboard
Source: C:\Users\user\Desktop\NEW ORDER_.exe Code function: 0_2_00746B0C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, 0_2_00746B0C
Contains functionality to modify clipboard data
Source: C:\Users\user\Desktop\NEW ORDER_.exe Code function: 0_2_00746D07 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 0_2_00746D07
Contains functionality to read the clipboard data
Source: C:\Users\user\Desktop\NEW ORDER_.exe Code function: 0_2_00746B0C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, 0_2_00746B0C
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\Desktop\NEW ORDER_.exe Code function: 0_2_00732B37 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState, 0_2_00732B37

E-Banking Fraud
barindex
Yara detected FormBook
Source: Yara match File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.NEW ORDER_.exe.3ab0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.NEW ORDER_.exe.3ab0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.1374290968.0000000003170000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.3748101037.0000000000C90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.3749816830.0000000003140000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1373841275.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1320406705.0000000003AB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.3749960996.0000000003170000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1374329870.00000000031A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.NEW ORDER_.exe.3ab0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0.2.NEW ORDER_.exe.3ab0000.1.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.NEW ORDER_.exe.3ab0000.1.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.NEW ORDER_.exe.3ab0000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0.2.NEW ORDER_.exe.3ab0000.1.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.NEW ORDER_.exe.3ab0000.1.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.2404261388.000000000E470000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_772cc62d Author: unknown
Source: 00000002.00000002.1374290968.0000000003170000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.1374290968.0000000003170000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.1374290968.0000000003170000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.3748101037.0000000000C90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.3748101037.0000000000C90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.3748101037.0000000000C90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.3749816830.0000000003140000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.3749816830.0000000003140000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.3749816830.0000000003140000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.1373841275.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.1373841275.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.1373841275.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.1320406705.0000000003AB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.1320406705.0000000003AB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.1320406705.0000000003AB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.3749960996.0000000003170000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.3749960996.0000000003170000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.3749960996.0000000003170000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.1374329870.00000000031A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.1374329870.00000000031A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.1374329870.00000000031A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: NEW ORDER_.exe PID: 7456, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: svchost.exe PID: 7532, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: ipconfig.exe PID: 7628, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Binary is likely a compiled AutoIt script file
Source: C:\Users\user\Desktop\NEW ORDER_.exe Code function: This is a third-party compiled AutoIt script. 0_2_006F3D19
Source: NEW ORDER_.exe String found in binary or memory: This is a third-party compiled AutoIt script.
Source: NEW ORDER_.exe, 00000000.00000002.1319484699.000000000079E000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_b6b21f48-8
Source: NEW ORDER_.exe, 00000000.00000002.1319484699.000000000079E000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: rSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_c4ac1118-6
Source: NEW ORDER_.exe String found in binary or memory: This is a third-party compiled AutoIt script. memstr_bc211644-7
Source: NEW ORDER_.exe String found in binary or memory: CSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_04ae84c3-9
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: NEW ORDER_.exe
Abnormal high CPU Usage
Source: C:\Windows\SysWOW64\ipconfig.exe Process Stats: CPU usage > 49%
Contains functionality to call native functions
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041A320 NtCreateFile, 2_2_0041A320
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041A3D0 NtReadFile, 2_2_0041A3D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041A450 NtClose, 2_2_0041A450
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041A500 NtAllocateVirtualMemory, 2_2_0041A500
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041A31D NtCreateFile, 2_2_0041A31D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041A44A NtClose, 2_2_0041A44A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03372B60 NtClose,LdrInitializeThunk, 2_2_03372B60
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03372BF0 NtAllocateVirtualMemory,LdrInitializeThunk, 2_2_03372BF0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03372AD0 NtReadFile,LdrInitializeThunk, 2_2_03372AD0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03372F30 NtCreateSection,LdrInitializeThunk, 2_2_03372F30
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03372FB0 NtResumeThread,LdrInitializeThunk, 2_2_03372FB0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03372F90 NtProtectVirtualMemory,LdrInitializeThunk, 2_2_03372F90
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03372FE0 NtCreateFile,LdrInitializeThunk, 2_2_03372FE0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03372EA0 NtAdjustPrivilegesToken,LdrInitializeThunk, 2_2_03372EA0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03372E80 NtReadVirtualMemory,LdrInitializeThunk, 2_2_03372E80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03372D30 NtUnmapViewOfSection,LdrInitializeThunk, 2_2_03372D30
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03372D10 NtMapViewOfSection,LdrInitializeThunk, 2_2_03372D10
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03372DF0 NtQuerySystemInformation,LdrInitializeThunk, 2_2_03372DF0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03372DD0 NtDelayExecution,LdrInitializeThunk, 2_2_03372DD0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03372C70 NtFreeVirtualMemory,LdrInitializeThunk, 2_2_03372C70
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03372CA0 NtQueryInformationToken,LdrInitializeThunk, 2_2_03372CA0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03374340 NtSetContextThread, 2_2_03374340
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03374650 NtSuspendThread, 2_2_03374650
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03372BA0 NtEnumerateValueKey, 2_2_03372BA0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03372B80 NtQueryInformationFile, 2_2_03372B80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03372BE0 NtQueryValueKey, 2_2_03372BE0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03372AB0 NtWaitForSingleObject, 2_2_03372AB0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03372AF0 NtWriteFile, 2_2_03372AF0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03372F60 NtCreateProcessEx, 2_2_03372F60
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03372FA0 NtQuerySection, 2_2_03372FA0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03372E30 NtWriteVirtualMemory, 2_2_03372E30
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03372EE0 NtQueueApcThread, 2_2_03372EE0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03372D00 NtSetInformationFile, 2_2_03372D00
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03372DB0 NtEnumerateKey, 2_2_03372DB0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03372C00 NtQueryInformationProcess, 2_2_03372C00
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03372C60 NtCreateKey, 2_2_03372C60
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03372CF0 NtOpenProcess, 2_2_03372CF0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03372CC0 NtQueryVirtualMemory, 2_2_03372CC0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03373010 NtOpenDirectoryObject, 2_2_03373010
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03373090 NtSetValueKey, 2_2_03373090
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033735C0 NtCreateMutant, 2_2_033735C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033739B0 NtGetContextThread, 2_2_033739B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03373D10 NtOpenProcessToken, 2_2_03373D10
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03373D70 NtOpenThread, 2_2_03373D70
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0321A036 NtQueryInformationProcess,NtSuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread,NtClose, 2_2_0321A036
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0321A042 NtQueryInformationProcess, 2_2_0321A042
Source: C:\Windows\explorer.exe Code function: 4_2_0E459E12 NtProtectVirtualMemory, 4_2_0E459E12
Source: C:\Windows\explorer.exe Code function: 4_2_0E458232 NtCreateFile, 4_2_0E458232
Source: C:\Windows\explorer.exe Code function: 4_2_0E459E0A NtProtectVirtualMemory, 4_2_0E459E0A
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_03522B60 NtClose,LdrInitializeThunk, 5_2_03522B60
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_03522AD0 NtReadFile,LdrInitializeThunk, 5_2_03522AD0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_03522F30 NtCreateSection,LdrInitializeThunk, 5_2_03522F30
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_03522FE0 NtCreateFile,LdrInitializeThunk, 5_2_03522FE0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_03522EA0 NtAdjustPrivilegesToken,LdrInitializeThunk, 5_2_03522EA0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_03522D10 NtMapViewOfSection,LdrInitializeThunk, 5_2_03522D10
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_03522DD0 NtDelayExecution,LdrInitializeThunk, 5_2_03522DD0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_03522DF0 NtQuerySystemInformation,LdrInitializeThunk, 5_2_03522DF0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_03522C70 NtFreeVirtualMemory,LdrInitializeThunk, 5_2_03522C70
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_03522C60 NtCreateKey,LdrInitializeThunk, 5_2_03522C60
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_03522CA0 NtQueryInformationToken,LdrInitializeThunk, 5_2_03522CA0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_035235C0 NtCreateMutant,LdrInitializeThunk, 5_2_035235C0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_03524340 NtSetContextThread, 5_2_03524340
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_03524650 NtSuspendThread, 5_2_03524650
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_03522BF0 NtAllocateVirtualMemory, 5_2_03522BF0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_03522BE0 NtQueryValueKey, 5_2_03522BE0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_03522B80 NtQueryInformationFile, 5_2_03522B80
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_03522BA0 NtEnumerateValueKey, 5_2_03522BA0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_03522AF0 NtWriteFile, 5_2_03522AF0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_03522AB0 NtWaitForSingleObject, 5_2_03522AB0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_03522F60 NtCreateProcessEx, 5_2_03522F60
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_03522F90 NtProtectVirtualMemory, 5_2_03522F90
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_03522FB0 NtResumeThread, 5_2_03522FB0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_03522FA0 NtQuerySection, 5_2_03522FA0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_03522E30 NtWriteVirtualMemory, 5_2_03522E30
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_03522EE0 NtQueueApcThread, 5_2_03522EE0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_03522E80 NtReadVirtualMemory, 5_2_03522E80
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_03522D00 NtSetInformationFile, 5_2_03522D00
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_03522D30 NtUnmapViewOfSection, 5_2_03522D30
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_03522DB0 NtEnumerateKey, 5_2_03522DB0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_03522C00 NtQueryInformationProcess, 5_2_03522C00
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_03522CC0 NtQueryVirtualMemory, 5_2_03522CC0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_03522CF0 NtOpenProcess, 5_2_03522CF0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_03523010 NtOpenDirectoryObject, 5_2_03523010
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_03523090 NtSetValueKey, 5_2_03523090
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_035239B0 NtGetContextThread, 5_2_035239B0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_03523D70 NtOpenThread, 5_2_03523D70
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_03523D10 NtOpenProcessToken, 5_2_03523D10
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_00CAA3D0 NtReadFile, 5_2_00CAA3D0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_00CAA320 NtCreateFile, 5_2_00CAA320
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_00CAA450 NtClose, 5_2_00CAA450
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_00CAA31D NtCreateFile, 5_2_00CAA31D
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_00CAA44A NtClose, 5_2_00CAA44A
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_03249BAF NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtUnmapViewOfSection,NtClose, 5_2_03249BAF
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_0324A036 NtQueryInformationProcess,NtSuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread, 5_2_0324A036
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_03249BB2 NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 5_2_03249BB2
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_0324A042 NtQueryInformationProcess, 5_2_0324A042
Contains functionality to communicate with device drivers
Source: C:\Users\user\Desktop\NEW ORDER_.exe Code function: 0_2_00736606: CreateFileW,DeviceIoControl,CloseHandle, 0_2_00736606
Contains functionality to launch a process as a different user
Source: C:\Users\user\Desktop\NEW ORDER_.exe Code function: 0_2_0072ACC5 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 0_2_0072ACC5
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\NEW ORDER_.exe Code function: 0_2_007379D3 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState, 0_2_007379D3
Detected potential crypto function
Source: C:\Users\user\Desktop\NEW ORDER_.exe Code function: 0_2_0071B043 0_2_0071B043
Source: C:\Users\user\Desktop\NEW ORDER_.exe Code function: 0_2_00703200 0_2_00703200
Source: C:\Users\user\Desktop\NEW ORDER_.exe Code function: 0_2_00703B70 0_2_00703B70
Source: C:\Users\user\Desktop\NEW ORDER_.exe Code function: 0_2_0072410F 0_2_0072410F
Source: C:\Users\user\Desktop\NEW ORDER_.exe Code function: 0_2_007102A4 0_2_007102A4
Source: C:\Users\user\Desktop\NEW ORDER_.exe Code function: 0_2_006FE3E3 0_2_006FE3E3
Source: C:\Users\user\Desktop\NEW ORDER_.exe Code function: 0_2_0072038E 0_2_0072038E
Source: C:\Users\user\Desktop\NEW ORDER_.exe Code function: 0_2_0072467F 0_2_0072467F
Source: C:\Users\user\Desktop\NEW ORDER_.exe Code function: 0_2_007106D9 0_2_007106D9
Source: C:\Users\user\Desktop\NEW ORDER_.exe Code function: 0_2_0075AACE 0_2_0075AACE
Source: C:\Users\user\Desktop\NEW ORDER_.exe Code function: 0_2_00724BEF 0_2_00724BEF
Source: C:\Users\user\Desktop\NEW ORDER_.exe Code function: 0_2_0071CCC1 0_2_0071CCC1
Source: C:\Users\user\Desktop\NEW ORDER_.exe Code function: 0_2_006FAF50 0_2_006FAF50
Source: C:\Users\user\Desktop\NEW ORDER_.exe Code function: 0_2_006F6F07 0_2_006F6F07
Source: C:\Users\user\Desktop\NEW ORDER_.exe Code function: 0_2_0070B11F 0_2_0070B11F
Source: C:\Users\user\Desktop\NEW ORDER_.exe Code function: 0_2_0071D1B9 0_2_0071D1B9
Source: C:\Users\user\Desktop\NEW ORDER_.exe Code function: 0_2_007531BC 0_2_007531BC
Source: C:\Users\user\Desktop\NEW ORDER_.exe Code function: 0_2_0072724D 0_2_0072724D
Source: C:\Users\user\Desktop\NEW ORDER_.exe Code function: 0_2_0071123A 0_2_0071123A
Source: C:\Users\user\Desktop\NEW ORDER_.exe Code function: 0_2_006F93F0 0_2_006F93F0
Source: C:\Users\user\Desktop\NEW ORDER_.exe Code function: 0_2_007313CA 0_2_007313CA
Source: C:\Users\user\Desktop\NEW ORDER_.exe Code function: 0_2_0070F563 0_2_0070F563
Source: C:\Users\user\Desktop\NEW ORDER_.exe Code function: 0_2_006F96C0 0_2_006F96C0
Source: C:\Users\user\Desktop\NEW ORDER_.exe Code function: 0_2_0073B6CC 0_2_0073B6CC
Source: C:\Users\user\Desktop\NEW ORDER_.exe Code function: 0_2_006F77B0 0_2_006F77B0
Source: C:\Users\user\Desktop\NEW ORDER_.exe Code function: 0_2_007279C9 0_2_007279C9
Source: C:\Users\user\Desktop\NEW ORDER_.exe Code function: 0_2_0070FA57 0_2_0070FA57
Source: C:\Users\user\Desktop\NEW ORDER_.exe Code function: 0_2_006F9B60 0_2_006F9B60
Source: C:\Users\user\Desktop\NEW ORDER_.exe Code function: 0_2_006F7D19 0_2_006F7D19
Source: C:\Users\user\Desktop\NEW ORDER_.exe Code function: 0_2_0070FE6F 0_2_0070FE6F
Source: C:\Users\user\Desktop\NEW ORDER_.exe Code function: 0_2_00719ED0 0_2_00719ED0
Source: C:\Users\user\Desktop\NEW ORDER_.exe Code function: 0_2_006F7FA3 0_2_006F7FA3
Source: C:\Users\user\Desktop\NEW ORDER_.exe Code function: 0_2_015B4878 0_2_015B4878
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00401030 2_2_00401030
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041D89D 2_2_0041D89D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041C3F2 2_2_0041C3F2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00402D90 2_2_00402D90
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00409E4C 2_2_00409E4C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00409E50 2_2_00409E50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041E79D 2_2_0041E79D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00402FB0 2_2_00402FB0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033FA352 2_2_033FA352
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034003E6 2_2_034003E6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0334E3F0 2_2_0334E3F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033E0274 2_2_033E0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033C02C0 2_2_033C02C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033DA118 2_2_033DA118
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03330100 2_2_03330100
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033C8158 2_2_033C8158
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033F41A2 2_2_033F41A2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034001AA 2_2_034001AA
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033F81CC 2_2_033F81CC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033D2000 2_2_033D2000
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03340770 2_2_03340770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03364750 2_2_03364750
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0333C7C0 2_2_0333C7C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0335C6E0 2_2_0335C6E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03340535 2_2_03340535
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03400591 2_2_03400591
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033E4420 2_2_033E4420
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033F2446 2_2_033F2446
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033EE4F6 2_2_033EE4F6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033FAB40 2_2_033FAB40
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033F6BD7 2_2_033F6BD7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0333EA80 2_2_0333EA80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03356962 2_2_03356962
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033429A0 2_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0340A9A6 2_2_0340A9A6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0334A840 2_2_0334A840
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03342840 2_2_03342840
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033268B8 2_2_033268B8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0336E8F0 2_2_0336E8F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03360F30 2_2_03360F30
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033E2F30 2_2_033E2F30
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03382F28 2_2_03382F28
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033B4F40 2_2_033B4F40
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033BEFA0 2_2_033BEFA0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0334CFE0 2_2_0334CFE0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03332FC8 2_2_03332FC8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033FEE26 2_2_033FEE26
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03340E59 2_2_03340E59
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03352E90 2_2_03352E90
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033FCE93 2_2_033FCE93
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033FEEDB 2_2_033FEEDB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033DCD1F 2_2_033DCD1F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0334AD00 2_2_0334AD00
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03358DBF 2_2_03358DBF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0333ADE0 2_2_0333ADE0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03340C00 2_2_03340C00
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033E0CB5 2_2_033E0CB5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03330CF2 2_2_03330CF2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033F132D 2_2_033F132D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0332D34C 2_2_0332D34C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0338739A 2_2_0338739A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033452A0 2_2_033452A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033E12ED 2_2_033E12ED
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0335B2C0 2_2_0335B2C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0340B16B 2_2_0340B16B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0332F172 2_2_0332F172
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0337516C 2_2_0337516C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0334B1B0 2_2_0334B1B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033F70E9 2_2_033F70E9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033FF0E0 2_2_033FF0E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033EF0CC 2_2_033EF0CC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033470C0 2_2_033470C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033FF7B0 2_2_033FF7B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03385630 2_2_03385630
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033F16CC 2_2_033F16CC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033F7571 2_2_033F7571
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034095C3 2_2_034095C3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033DD5B0 2_2_033DD5B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033FF43F 2_2_033FF43F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03331460 2_2_03331460
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033FFB76 2_2_033FFB76
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0335FB80 2_2_0335FB80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033B5BF0 2_2_033B5BF0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0337DBF9 2_2_0337DBF9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033B3A6C 2_2_033B3A6C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033FFA49 2_2_033FFA49
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033F7A46 2_2_033F7A46
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033DDAAC 2_2_033DDAAC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03385AA0 2_2_03385AA0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033E1AA3 2_2_033E1AA3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033EDAC6 2_2_033EDAC6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033D5910 2_2_033D5910
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03349950 2_2_03349950
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0335B950 2_2_0335B950
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033AD800 2_2_033AD800
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033438E0 2_2_033438E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033FFF09 2_2_033FFF09
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033FFFB1 2_2_033FFFB1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03341F92 2_2_03341F92
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03303FD2 2_2_03303FD2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03303FD5 2_2_03303FD5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03349EB0 2_2_03349EB0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033F7D73 2_2_033F7D73
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033F1D5A 2_2_033F1D5A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03343D40 2_2_03343D40
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0335FDC0 2_2_0335FDC0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033B9C32 2_2_033B9C32
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033FFCF2 2_2_033FFCF2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0321A036 2_2_0321A036
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0321B232 2_2_0321B232
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03211082 2_2_03211082
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0321E5CD 2_2_0321E5CD
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03215B30 2_2_03215B30
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03215B32 2_2_03215B32
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03218912 2_2_03218912
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03212D02 2_2_03212D02
Source: C:\Windows\explorer.exe Code function: 4_2_0E458232 4_2_0E458232
Source: C:\Windows\explorer.exe Code function: 4_2_0E457036 4_2_0E457036
Source: C:\Windows\explorer.exe Code function: 4_2_0E44E082 4_2_0E44E082
Source: C:\Windows\explorer.exe Code function: 4_2_0E44FD02 4_2_0E44FD02
Source: C:\Windows\explorer.exe Code function: 4_2_0E455912 4_2_0E455912
Source: C:\Windows\explorer.exe Code function: 4_2_0E452B30 4_2_0E452B30
Source: C:\Windows\explorer.exe Code function: 4_2_0E452B32 4_2_0E452B32
Source: C:\Windows\explorer.exe Code function: 4_2_0E45B5CD 4_2_0E45B5CD
Source: C:\Windows\explorer.exe Code function: 4_2_10865082 4_2_10865082
Source: C:\Windows\explorer.exe Code function: 4_2_1086E036 4_2_1086E036
Source: C:\Windows\explorer.exe Code function: 4_2_108725CD 4_2_108725CD
Source: C:\Windows\explorer.exe Code function: 4_2_10866D02 4_2_10866D02
Source: C:\Windows\explorer.exe Code function: 4_2_1086C912 4_2_1086C912
Source: C:\Windows\explorer.exe Code function: 4_2_1086F232 4_2_1086F232
Source: C:\Windows\explorer.exe Code function: 4_2_10869B32 4_2_10869B32
Source: C:\Windows\explorer.exe Code function: 4_2_10869B30 4_2_10869B30
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_00ED39FE 5_2_00ED39FE
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_035AA352 5_2_035AA352
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_035B03E6 5_2_035B03E6
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_034FE3F0 5_2_034FE3F0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_03590274 5_2_03590274
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_035702C0 5_2_035702C0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_03578158 5_2_03578158
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_0358A118 5_2_0358A118
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_034E0100 5_2_034E0100
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_035A81CC 5_2_035A81CC
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_035B01AA 5_2_035B01AA
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_035A41A2 5_2_035A41A2
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_03582000 5_2_03582000
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_03514750 5_2_03514750
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_034F0770 5_2_034F0770
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_034EC7C0 5_2_034EC7C0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_0350C6E0 5_2_0350C6E0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_034F0535 5_2_034F0535
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_035B0591 5_2_035B0591
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_035A2446 5_2_035A2446
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_03594420 5_2_03594420
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_0359E4F6 5_2_0359E4F6
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_035AAB40 5_2_035AAB40
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_035A6BD7 5_2_035A6BD7
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_034EEA80 5_2_034EEA80
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_03506962 5_2_03506962
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_034F29A0 5_2_034F29A0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_035BA9A6 5_2_035BA9A6
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_034F2840 5_2_034F2840
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_034FA840 5_2_034FA840
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_0351E8F0 5_2_0351E8F0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_034D68B8 5_2_034D68B8
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_03564F40 5_2_03564F40
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_03510F30 5_2_03510F30
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_03592F30 5_2_03592F30
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_03532F28 5_2_03532F28
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_034E2FC8 5_2_034E2FC8
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_034FCFE0 5_2_034FCFE0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_0356EFA0 5_2_0356EFA0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_034F0E59 5_2_034F0E59
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_035AEE26 5_2_035AEE26
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_035AEEDB 5_2_035AEEDB
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_03502E90 5_2_03502E90
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_035ACE93 5_2_035ACE93
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_0358CD1F 5_2_0358CD1F
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_034FAD00 5_2_034FAD00
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_034EADE0 5_2_034EADE0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_03508DBF 5_2_03508DBF
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_034F0C00 5_2_034F0C00
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_034E0CF2 5_2_034E0CF2
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_03590CB5 5_2_03590CB5
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_034DD34C 5_2_034DD34C
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_035A132D 5_2_035A132D
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_0353739A 5_2_0353739A
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_0350B2C0 5_2_0350B2C0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_035912ED 5_2_035912ED
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_034F52A0 5_2_034F52A0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_035BB16B 5_2_035BB16B
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_0352516C 5_2_0352516C
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_034DF172 5_2_034DF172
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_034FB1B0 5_2_034FB1B0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_034F70C0 5_2_034F70C0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_0359F0CC 5_2_0359F0CC
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_035A70E9 5_2_035A70E9
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_035AF0E0 5_2_035AF0E0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_035AF7B0 5_2_035AF7B0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_03535630 5_2_03535630
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_035A16CC 5_2_035A16CC
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_035A7571 5_2_035A7571
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_035B95C3 5_2_035B95C3
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_0358D5B0 5_2_0358D5B0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_034E1460 5_2_034E1460
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_035AF43F 5_2_035AF43F
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_035AFB76 5_2_035AFB76
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_03565BF0 5_2_03565BF0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_0352DBF9 5_2_0352DBF9
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_0350FB80 5_2_0350FB80
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_035AFA49 5_2_035AFA49
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_035A7A46 5_2_035A7A46
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_03563A6C 5_2_03563A6C
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_0359DAC6 5_2_0359DAC6
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_03535AA0 5_2_03535AA0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_0358DAAC 5_2_0358DAAC
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_03591AA3 5_2_03591AA3
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_0350B950 5_2_0350B950
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_034F9950 5_2_034F9950
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_03585910 5_2_03585910
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_0355D800 5_2_0355D800
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_034F38E0 5_2_034F38E0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_035AFF09 5_2_035AFF09
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_034B3FD2 5_2_034B3FD2
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_034B3FD5 5_2_034B3FD5
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_034F1F92 5_2_034F1F92
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_035AFFB1 5_2_035AFFB1
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_034F9EB0 5_2_034F9EB0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_035A1D5A 5_2_035A1D5A
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_034F3D40 5_2_034F3D40
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_035A7D73 5_2_035A7D73
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_0350FDC0 5_2_0350FDC0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_03569C32 5_2_03569C32
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_035AFCF2 5_2_035AFCF2
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_00CAC3F2 5_2_00CAC3F2
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_00CAE79D 5_2_00CAE79D
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_00C92D90 5_2_00C92D90
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_00C99E4C 5_2_00C99E4C
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_00C99E50 5_2_00C99E50
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_00C92FB0 5_2_00C92FB0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_0324A036 5_2_0324A036
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_03245B30 5_2_03245B30
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_03245B32 5_2_03245B32
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_0324B232 5_2_0324B232
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_03248912 5_2_03248912
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_03241082 5_2_03241082
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_03242D02 5_2_03242D02
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_0324E5CD 5_2_0324E5CD
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 0332B970 appears 277 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 03375130 appears 58 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 033AEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 033BF290 appears 105 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 03387E54 appears 111 times
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: String function: 03537E54 appears 111 times
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: String function: 0356F290 appears 105 times
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: String function: 034DB970 appears 277 times
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: String function: 0355EA12 appears 86 times
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: String function: 03525130 appears 58 times
Source: C:\Users\user\Desktop\NEW ORDER_.exe Code function: String function: 0071F8A0 appears 35 times
Source: C:\Users\user\Desktop\NEW ORDER_.exe Code function: String function: 00716AC0 appears 42 times
Source: C:\Users\user\Desktop\NEW ORDER_.exe Code function: String function: 0070EC2F appears 68 times
One or more processes crash
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 4056 -s 3536
Sample file is different than original file name gathered from version info
Source: NEW ORDER_.exe, 00000000.00000003.1311575770.00000000040FD000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs NEW ORDER_.exe
Source: NEW ORDER_.exe, 00000000.00000003.1317167645.0000000003F53000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs NEW ORDER_.exe
Uses 32bit PE files
Source: NEW ORDER_.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Yara signature match
Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.NEW ORDER_.exe.3ab0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0.2.NEW ORDER_.exe.3ab0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.NEW ORDER_.exe.3ab0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.NEW ORDER_.exe.3ab0000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0.2.NEW ORDER_.exe.3ab0000.1.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.NEW ORDER_.exe.3ab0000.1.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.2404261388.000000000E470000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_772cc62d os = windows, severity = x86, creation_date = 2022-05-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8343b5d02d74791ba2d5d52d19a759f761de2b5470d935000bc27ea6c0633f5, id = 772cc62d-345c-42d8-97ab-f67e447ddca4, last_modified = 2022-07-18
Source: 00000002.00000002.1374290968.0000000003170000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.1374290968.0000000003170000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.1374290968.0000000003170000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.3748101037.0000000000C90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.3748101037.0000000000C90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.3748101037.0000000000C90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.3749816830.0000000003140000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.3749816830.0000000003140000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.3749816830.0000000003140000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.1373841275.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.1373841275.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.1373841275.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.1320406705.0000000003AB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.1320406705.0000000003AB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.1320406705.0000000003AB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.3749960996.0000000003170000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.3749960996.0000000003170000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.3749960996.0000000003170000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.1374329870.00000000031A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.1374329870.00000000031A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.1374329870.00000000031A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: NEW ORDER_.exe PID: 7456, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: svchost.exe PID: 7532, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: ipconfig.exe PID: 7628, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: classification engine Classification label: mal100.troj.evad.winEXE@301/8@6/0
Source: C:\Users\user\Desktop\NEW ORDER_.exe Code function: 0_2_0073CE7A GetLastError,FormatMessageW, 0_2_0073CE7A
Source: C:\Users\user\Desktop\NEW ORDER_.exe Code function: 0_2_0072AB84 AdjustTokenPrivileges,CloseHandle, 0_2_0072AB84
Source: C:\Users\user\Desktop\NEW ORDER_.exe Code function: 0_2_0072B134 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 0_2_0072B134
Source: C:\Users\user\Desktop\NEW ORDER_.exe Code function: 0_2_0073E1FD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode, 0_2_0073E1FD
Source: C:\Users\user\Desktop\NEW ORDER_.exe Code function: 0_2_00736532 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,CloseHandle, 0_2_00736532
Source: C:\Users\user\Desktop\NEW ORDER_.exe Code function: 0_2_0074C18C CoInitializeSecurity,_memset,_memset,CoCreateInstanceEx,CoTaskMemFree,CoSetProxyBlanket, 0_2_0074C18C
Source: C:\Users\user\Desktop\NEW ORDER_.exe Code function: 0_2_006F406B CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource, 0_2_006F406B
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x000000000000001b.db Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7716:120:WilError_03
Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4056
Source: C:\Users\user\Desktop\NEW ORDER_.exe File created: C:\Users\user~1\AppData\Local\Temp\aut7281.tmp Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe Process created: C:\Windows\explorer.exe
Source: NEW ORDER_.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\explorer.exe File read: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER_.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: NEW ORDER_.exe ReversingLabs: Detection: 65%
Source: unknown Process created: C:\Users\user\Desktop\NEW ORDER_.exe "C:\Users\user\Desktop\NEW ORDER_.exe"
Source: C:\Users\user\Desktop\NEW ORDER_.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\NEW ORDER_.exe"
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\ipconfig.exe "C:\Windows\SysWOW64\ipconfig.exe"
Source: C:\Windows\SysWOW64\ipconfig.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\svchost.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 4056 -s 3536
Source: C:\Windows\SysWOW64\ipconfig.exe Process created: C:\Windows\explorer.exe explorer.exe
Source: C:\Users\user\Desktop\NEW ORDER_.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\NEW ORDER_.exe" Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\ipconfig.exe "C:\Windows\SysWOW64\ipconfig.exe" Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\svchost.exe" Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER_.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER_.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER_.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER_.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER_.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER_.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER_.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER_.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER_.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER_.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER_.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER_.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: windows.internal.shell.broker.dll Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: aepic.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: twinapi.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: dxgi.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: twinapi.appcore.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ninput.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: starttiledata.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: idstore.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: usermgrcli.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: wlidprov.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: windows.applicationmodel.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: appxdeploymentclient.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: usermgrproxy.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: sndvolsso.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: mmdevapi.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: devobj.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: windows.staterepositoryclient.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: windows.cloudstore.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: oleacc.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: appextension.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: windows.ui.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: windowmanagementapi.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: inputhost.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: windows.cloudstore.schema.shell.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: dcomp.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: d3d11.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: resourcepolicyclient.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: d3d10warp.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: dxcore.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: d2d1.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: cldapi.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: fltlib.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: dataexchange.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: tiledatarepository.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: staterepository.core.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: windows.staterepository.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: explorerframe.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: windows.staterepositorycore.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: mrmcorer.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: languageoverlayutil.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: bcp47mrm.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: twinui.pcshell.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: wincorlib.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: cdp.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: dsreg.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: thumbcache.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: windows.immersiveshell.serviceprovider.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: photometadatahandler.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ntshrui.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: cscapi.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: linkinfo.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ehstorshell.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: cscui.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: provsvc.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: vcruntime140_1.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: msvcp140.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: stobject.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: wmiclnt.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: twinui.appcore.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: workfoldersshell.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: twinui.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: pdh.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: windows.fileexplorer.common.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: applicationframe.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: rmclient.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: holographicextensions.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: virtualmonitormanager.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: resourcepolicyclient.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: windows.ui.immersive.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: abovelockapphost.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: npsm.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: windows.shell.bluelightreduction.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: windows.web.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: mscms.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: coloradapterclient.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: windows.internal.signals.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: tdh.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: windows.staterepositorybroker.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: mfplat.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: rtworkq.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: taskflowdataengine.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: structuredquery.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: actxprxy.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: windows.system.launcher.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: windows.security.authentication.web.core.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: windows.data.activities.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: windows.shell.servicehostbuilder.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: windows.internal.ui.shell.windowtabmanager.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: notificationcontrollerps.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: windows.devices.enumeration.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: windows.globalization.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: icu.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: mswb7.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: devdispitemprovider.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: windows.networking.connectivity.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: windows.ui.core.textinput.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: uianimation.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: windowsudk.shellcommon.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: dictationmanager.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: npmproxy.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: pcshellcommonproxystub.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: cryptngc.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: cflapi.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: shellcommoncommonproxystub.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: execmodelproxy.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: daxexec.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: container.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: uiautomationcore.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: samlib.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: batmeter.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: inputswitch.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: prnfldr.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: es.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: windows.ui.shell.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: capabilityaccessmanagerclient.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: wpnclient.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: dxp.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: shdocvw.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: syncreg.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: atlthunk.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: actioncenter.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: wevtapi.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: audioses.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: pnidui.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: mobilenetworking.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: netprofm.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: wscinterop.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: wscapi.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: networkuxbroker.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ethernetmediamanager.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: wlanapi.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ncsi.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: dusmapi.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: werconcpl.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: framedynos.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: wer.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: hcproviders.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: wpdshserviceobj.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: portabledevicetypes.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: portabledeviceapi.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: cscobj.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: srchadmin.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: windows.storage.search.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: synccenter.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: imapi2.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ieproxy.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: bluetoothapis.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: bluetoothapis.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: windows.ui.xaml.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: windowsinternal.composableshell.desktophosting.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: uiamanager.dll Jump to behavior
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{50CE75BC-766C-4136-BF5E-9197AA23569E}\InProcServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: NEW ORDER_.exe Static file information: File size 1105408 > 1048576
Source: NEW ORDER_.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: NEW ORDER_.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: NEW ORDER_.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: NEW ORDER_.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: NEW ORDER_.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: NEW ORDER_.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: NEW ORDER_.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: ipconfig.pdb source: svchost.exe, 00000002.00000002.1374088105.0000000002C12000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1373711081.0000000002C2C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1374368775.00000000031D0000.00000040.10000000.00040000.00000000.sdmp, ipconfig.exe, ipconfig.exe, 00000005.00000002.3748987818.0000000000ED0000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: ipconfig.pdbGCTL source: svchost.exe, 00000002.00000002.1374088105.0000000002C12000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1373711081.0000000002C2C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1374368775.00000000031D0000.00000040.10000000.00040000.00000000.sdmp, ipconfig.exe, 00000005.00000002.3748987818.0000000000ED0000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: NEW ORDER_.exe, 00000000.00000003.1310978306.0000000003E30000.00000004.00001000.00020000.00000000.sdmp, NEW ORDER_.exe, 00000000.00000003.1311575770.0000000003FD0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1318911457.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1320775755.0000000003100000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1374502488.000000000349E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1374502488.0000000003300000.00000040.00001000.00020000.00000000.sdmp, ipconfig.exe, 00000005.00000002.3750816101.00000000034B0000.00000040.00001000.00020000.00000000.sdmp, ipconfig.exe, 00000005.00000002.3750816101.000000000364E000.00000040.00001000.00020000.00000000.sdmp, ipconfig.exe, 00000005.00000003.1376396175.000000000330A000.00000004.00000020.00020000.00000000.sdmp, ipconfig.exe, 00000005.00000003.1374209665.0000000003148000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: NEW ORDER_.exe, 00000000.00000003.1310978306.0000000003E30000.00000004.00001000.00020000.00000000.sdmp, NEW ORDER_.exe, 00000000.00000003.1311575770.0000000003FD0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.1318911457.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1320775755.0000000003100000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1374502488.000000000349E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1374502488.0000000003300000.00000040.00001000.00020000.00000000.sdmp, ipconfig.exe, ipconfig.exe, 00000005.00000002.3750816101.00000000034B0000.00000040.00001000.00020000.00000000.sdmp, ipconfig.exe, 00000005.00000002.3750816101.000000000364E000.00000040.00001000.00020000.00000000.sdmp, ipconfig.exe, 00000005.00000003.1376396175.000000000330A000.00000004.00000020.00020000.00000000.sdmp, ipconfig.exe, 00000005.00000003.1374209665.0000000003148000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: svchost.pdb source: explorer.exe, 00000004.00000002.2404877912.0000000010B1F000.00000004.80000000.00040000.00000000.sdmp, ipconfig.exe, 00000005.00000002.3752195836.00000000039FF000.00000004.10000000.00040000.00000000.sdmp, ipconfig.exe, 00000005.00000002.3749463893.0000000003052000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3766323699.000000000A37F000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: svchost.pdbUGP source: explorer.exe, 00000004.00000002.2404877912.0000000010B1F000.00000004.80000000.00040000.00000000.sdmp, ipconfig.exe, 00000005.00000002.3752195836.00000000039FF000.00000004.10000000.00040000.00000000.sdmp, ipconfig.exe, 00000005.00000002.3749463893.0000000003052000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3766323699.000000000A37F000.00000004.80000000.00040000.00000000.sdmp
Source: NEW ORDER_.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: NEW ORDER_.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: NEW ORDER_.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: NEW ORDER_.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: NEW ORDER_.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\NEW ORDER_.exe Code function: 0_2_0070E01E LoadLibraryA,GetProcAddress, 0_2_0070E01E
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\NEW ORDER_.exe Code function: 0_2_0070288B push 66007023h; retn 0076h 0_2_007028E1
Source: C:\Users\user\Desktop\NEW ORDER_.exe Code function: 0_2_00716B05 push ecx; ret 0_2_00716B18
Source: C:\Users\user\Desktop\NEW ORDER_.exe Code function: 0_2_015B4ADF push edx; ret 0_2_015B4AF3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041285C push cs; retf 2_2_0041285F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00417008 pushfd ; retf 2_2_0041700F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_004171EF push ds; iretd 2_2_004171FD
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041E992 push dword ptr [08CCB4BEh]; ret 2_2_0041E9AA
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041E9B2 push dword ptr [0ECCDC24h]; ret 2_2_0041EACE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00416A81 pushfd ; retf 2_2_00416A82
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00417ABC push edi; ret 2_2_00417ABD
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0040E46D push ebx; retf 2_2_0040E470
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041D475 push eax; ret 2_2_0041D4C8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041D4C2 push eax; ret 2_2_0041D4C8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041D4CB push eax; ret 2_2_0041D532
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041D52C push eax; ret 2_2_0041D532
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041E530 push edi; ret 2_2_0041E532
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_004177BF push B417C20Bh; ret 2_2_004177C4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0330225F pushad ; ret 2_2_033027F9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033027FA pushad ; ret 2_2_033027F9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033309AD push ecx; mov dword ptr [esp], ecx 2_2_033309B6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0330283D push eax; iretd 2_2_03302858
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0321EB02 push esp; retn 0000h 2_2_0321EB03
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0321EB1E push esp; retn 0000h 2_2_0321EB1F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0321E9B5 push esp; retn 0000h 2_2_0321EAE7
Source: C:\Windows\explorer.exe Code function: 4_2_0E45BB02 push esp; retn 0000h 4_2_0E45BB03
Source: C:\Windows\explorer.exe Code function: 4_2_0E45BB1E push esp; retn 0000h 4_2_0E45BB1F
Source: C:\Windows\explorer.exe Code function: 4_2_0E45B9B5 push esp; retn 0000h 4_2_0E45BAE7
Source: C:\Windows\explorer.exe Code function: 4_2_108729B5 push esp; retn 0000h 4_2_10872AE7
Source: C:\Windows\explorer.exe Code function: 4_2_10872B02 push esp; retn 0000h 4_2_10872B03
Source: C:\Windows\explorer.exe Code function: 4_2_10872B1E push esp; retn 0000h 4_2_10872B1F
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_00ED570D push ecx; ret 5_2_00ED5720

Persistence and Installation Behavior
barindex
Uses ipconfig to lookup or modify the Windows network settings
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\ipconfig.exe "C:\Windows\SysWOW64\ipconfig.exe"
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\Desktop\NEW ORDER_.exe Code function: 0_2_00758111 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 0_2_00758111
Source: C:\Users\user\Desktop\NEW ORDER_.exe Code function: 0_2_0070EB42 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_0070EB42
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\NEW ORDER_.exe Code function: 0_2_0071123A __initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_0071123A
Source: C:\Users\user\Desktop\NEW ORDER_.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER_.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Query firmware table information (likely to detect VMs)
Source: C:\Windows\explorer.exe System information queried: FirmwareTableInformation
Reads the DNS cache
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_00ED3872 DnsGetCacheDataTableEx,DnsFree,DnsFree, 5_2_00ED3872
Switches to a custom stack to bypass stack traces
Source: C:\Users\user\Desktop\NEW ORDER_.exe API/Special instruction interceptor: Address: 15B449C
Source: C:\Windows\SysWOW64\svchost.exe API/Special instruction interceptor: Address: 7FFB2CECD324
Source: C:\Windows\SysWOW64\svchost.exe API/Special instruction interceptor: Address: 7FFB2CED0774
Source: C:\Windows\SysWOW64\svchost.exe API/Special instruction interceptor: Address: 7FFB2CED0154
Source: C:\Windows\SysWOW64\svchost.exe API/Special instruction interceptor: Address: 7FFB2CECD8A4
Source: C:\Windows\SysWOW64\svchost.exe API/Special instruction interceptor: Address: 7FFB2CECDA44
Source: C:\Windows\SysWOW64\svchost.exe API/Special instruction interceptor: Address: 7FFB2CECD1E4
Source: C:\Windows\SysWOW64\ipconfig.exe API/Special instruction interceptor: Address: 7FFB2CECD324
Source: C:\Windows\SysWOW64\ipconfig.exe API/Special instruction interceptor: Address: 7FFB2CED0774
Source: C:\Windows\SysWOW64\ipconfig.exe API/Special instruction interceptor: Address: 7FFB2CECD944
Source: C:\Windows\SysWOW64\ipconfig.exe API/Special instruction interceptor: Address: 7FFB2CECD504
Source: C:\Windows\SysWOW64\ipconfig.exe API/Special instruction interceptor: Address: 7FFB2CECD544
Source: C:\Windows\SysWOW64\ipconfig.exe API/Special instruction interceptor: Address: 7FFB2CECD1E4
Source: C:\Windows\SysWOW64\ipconfig.exe API/Special instruction interceptor: Address: 7FFB2CED0154
Source: C:\Windows\SysWOW64\ipconfig.exe API/Special instruction interceptor: Address: 7FFB2CECD8A4
Source: C:\Windows\SysWOW64\ipconfig.exe API/Special instruction interceptor: Address: 7FFB2CECDA44
Tries to detect virtualization through RDTSC time measurements
Source: C:\Windows\SysWOW64\svchost.exe RDTSC instruction interceptor: First address: 409904 second address: 40990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\svchost.exe RDTSC instruction interceptor: First address: 409B6E second address: 409B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\ipconfig.exe RDTSC instruction interceptor: First address: C99904 second address: C9990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\ipconfig.exe RDTSC instruction interceptor: First address: C99B6E second address: C99B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Contains capabilities to detect virtual machines
Source: C:\Windows\explorer.exe File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00409AA0 rdtsc 2_2_00409AA0
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 9782 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 880 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 873 Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe Window / User API: threadDelayed 698 Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe Window / User API: threadDelayed 9274 Jump to behavior
Found evasive API chain (date check)
Source: C:\Users\user\Desktop\NEW ORDER_.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\NEW ORDER_.exe API coverage: 5.7 %
Source: C:\Windows\SysWOW64\svchost.exe API coverage: 2.1 %
Source: C:\Windows\SysWOW64\ipconfig.exe API coverage: 1.9 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\explorer.exe TID: 7880 Thread sleep count: 9782 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 7880 Thread sleep time: -19564000s >= -30000s Jump to behavior
Source: C:\Windows\explorer.exe TID: 7880 Thread sleep count: 162 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 7880 Thread sleep time: -324000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe TID: 7788 Thread sleep count: 698 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe TID: 7788 Thread sleep time: -1396000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe TID: 7788 Thread sleep count: 9274 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe TID: 7788 Thread sleep time: -18548000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER_.exe Code function: 0_2_00736CA9 GetFileAttributesW,FindFirstFileW,FindClose, 0_2_00736CA9
Source: C:\Users\user\Desktop\NEW ORDER_.exe Code function: 0_2_007360DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose, 0_2_007360DD
Source: C:\Users\user\Desktop\NEW ORDER_.exe Code function: 0_2_007363F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose, 0_2_007363F9
Source: C:\Users\user\Desktop\NEW ORDER_.exe Code function: 0_2_0073EB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_0073EB60
Source: C:\Users\user\Desktop\NEW ORDER_.exe Code function: 0_2_0073F56F FindFirstFileW,FindClose, 0_2_0073F56F
Source: C:\Users\user\Desktop\NEW ORDER_.exe Code function: 0_2_0073F5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 0_2_0073F5FA
Source: C:\Users\user\Desktop\NEW ORDER_.exe Code function: 0_2_00741B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00741B2F
Source: C:\Users\user\Desktop\NEW ORDER_.exe Code function: 0_2_00741C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00741C8A
Source: C:\Users\user\Desktop\NEW ORDER_.exe Code function: 0_2_00741F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_00741F94
Source: C:\Users\user\Desktop\NEW ORDER_.exe Code function: 0_2_0070DDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_0070DDC0
Source: explorer.exe, 0000000E.00000003.2509700146.000000000CA03000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}\
Source: explorer.exe, 0000000E.00000003.2515481085.000000000CA03000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}\m<
Source: explorer.exe, 00000004.00000000.1323423529.0000000000C74000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000I
Source: explorer.exe, 0000000E.00000003.2515481085.000000000CA03000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: explorer.exe, 0000000E.00000003.2450949413.0000000009A61000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: BBSCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: explorer.exe, 0000000E.00000003.2391794163.0000000007BB1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 1ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}@
Source: explorer.exe, 0000000E.00000003.2394648634.0000000007BE4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\8b}\4
Source: explorer.exe, 0000000E.00000003.2389058512.0000000007B72000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&00000k
Source: explorer.exe, 00000004.00000000.1327589479.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2387608443.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2451435306.0000000009B33000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2441823724.0000000009B2E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2446303633.0000000009B33000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3764000347.0000000009B26000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.3698685262.0000000009B26000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2466769749.0000000009B26000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2442349755.0000000009B33000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2467538759.0000000009B26000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: explorer.exe, 0000000E.00000002.3748179691.00000000010C9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&0000007
Source: explorer.exe, 0000000E.00000003.2515481085.000000000CA03000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: explorer.exe, 00000004.00000002.2380887172.0000000003249000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware, Inc.VMW201.00V.20829224.B64.221121184211/21/2022
Source: explorer.exe, 0000000E.00000003.2450949413.0000000009A61000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ;;SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 0000000E.00000002.3769483542.000000000C89C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
Source: explorer.exe, 0000000E.00000003.2514697880.000000000C7FB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: War&Prod_VMware_
Source: explorer.exe, 00000004.00000002.2387608443.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}e
Source: explorer.exe, 00000004.00000002.2389749148.0000000009052000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000}io
Source: explorer.exe, 00000004.00000002.2387608443.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000I}~"
Source: explorer.exe, 0000000E.00000003.2515481085.000000000C9B8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00
Source: explorer.exe, 0000000E.00000003.2450949413.0000000009A61000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 4NECVMWar VMware SATA CD00
Source: explorer.exe, 0000000E.00000003.2514697880.000000000C7FB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:s
Source: explorer.exe, 00000004.00000002.2380887172.0000000003249000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware20,1
Source: explorer.exe, 0000000E.00000003.2509700146.000000000C8B1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}t
Source: explorer.exe, 0000000E.00000003.2514697880.000000000C7FB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
Source: explorer.exe, 00000004.00000003.2274116897.000000000730A000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: War&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: explorer.exe, 00000004.00000000.1327589479.0000000008F27000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2387608443.0000000008F27000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWT`
Source: explorer.exe, 0000000E.00000003.2509700146.000000000C8B1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: #cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000E.00000002.3769483542.000000000C745000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}erActiU
Source: explorer.exe, 00000004.00000002.2380887172.0000000003249000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SVGA IIES1371
Source: explorer.exe, 00000004.00000002.2380887172.0000000003249000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware Virtual RAM
Source: explorer.exe, 0000000E.00000003.2515481085.000000000CA03000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\|<
Source: explorer.exe, 00000004.00000002.2380887172.0000000003249000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
Source: explorer.exe, 0000000E.00000002.3769483542.000000000C745000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000E.00000003.2515481085.000000000CA03000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000E.00000003.2394648634.0000000007BE4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}8b}
Source: explorer.exe, 0000000E.00000002.3769483542.000000000C916000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000Zp
Source: explorer.exe, 00000004.00000002.2380887172.0000000003249000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware, Inc.
Source: explorer.exe, 0000000E.00000002.3764000347.0000000009AE8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.3698685262.0000000009AE8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2441823724.0000000009AE6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2440790966.0000000009AE5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2466769749.0000000009AE8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW0
Source: explorer.exe, 0000000E.00000003.2515481085.000000000CA03000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}@
Source: explorer.exe, 0000000E.00000003.2394648634.0000000007BE4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\8b}
Source: explorer.exe, 0000000E.00000003.2515481085.000000000CA03000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}\!;A&2
Source: explorer.exe, 0000000E.00000003.3698685262.0000000009913000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3764000347.0000000009916000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWystem32\DriverStore\en-GB\input.inf_loc
Source: explorer.exe, 0000000E.00000003.2515481085.000000000CA03000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}b8b}\S<
Source: explorer.exe, 00000004.00000002.2380887172.0000000003249000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware, Inc.NoneVMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9dVMware20,1
Source: explorer.exe, 0000000E.00000002.3748179691.00000000010C9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000z
Source: explorer.exe, 0000000E.00000003.2515481085.000000000CA03000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: AGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}''B
Source: explorer.exe, 00000004.00000002.2380887172.0000000003249000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SVGA II
Source: explorer.exe, 00000004.00000003.2274116897.000000000730A000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: War&Prod_VMware_xU1
Source: explorer.exe, 0000000E.00000003.2515481085.000000000CA03000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _VMware_SATA_CD00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b},>\'
Source: explorer.exe, 0000000E.00000003.2515481085.000000000CA03000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}@8
Source: explorer.exe, 0000000E.00000002.3769483542.000000000C916000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 0000000E.00000003.2515481085.000000000CA03000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000E.00000003.2394607629.00000000098E2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}a
Source: explorer.exe, 00000004.00000000.1327589479.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2387608443.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWystem32\DriverStore\en-US\machine.inf_loc5
Source: explorer.exe, 0000000E.00000002.3753814442.0000000007B72000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: NXTVMWare
Source: explorer.exe, 00000004.00000002.2380887172.0000000003249000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware Virtual RAM00000001VMW-4096MBRAM slot #0RAM slot #0
Source: explorer.exe, 0000000E.00000003.2515481085.000000000CA03000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}9507e
Source: explorer.exe, 00000004.00000002.2387608443.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMWare
Source: explorer.exe, 00000004.00000002.2389749148.0000000009052000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000'
Source: explorer.exe, 0000000E.00000003.2515481085.000000000CA03000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000000.1323423529.0000000000C74000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: C:\Users\user\Desktop\NEW ORDER_.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\svchost.exe Process information queried: ProcessInformation Jump to behavior
Checks if the current process is being debugged
Source: C:\Windows\SysWOW64\svchost.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\explorer.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\explorer.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe Process queried: DebugPort Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00409AA0 rdtsc 2_2_00409AA0
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0040ACE0 LdrLoadDll, 2_2_0040ACE0
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Source: C:\Users\user\Desktop\NEW ORDER_.exe Code function: 0_2_00746AAF BlockInput, 0_2_00746AAF
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\NEW ORDER_.exe Code function: 0_2_006F3D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 0_2_006F3D19
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Source: C:\Users\user\Desktop\NEW ORDER_.exe Code function: 0_2_00723920 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW, 0_2_00723920
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\NEW ORDER_.exe Code function: 0_2_0070E01E LoadLibraryA,GetProcAddress, 0_2_0070E01E
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\NEW ORDER_.exe Code function: 0_2_015B30C8 mov eax, dword ptr fs:[00000030h] 0_2_015B30C8
Source: C:\Users\user\Desktop\NEW ORDER_.exe Code function: 0_2_015B4768 mov eax, dword ptr fs:[00000030h] 0_2_015B4768
Source: C:\Users\user\Desktop\NEW ORDER_.exe Code function: 0_2_015B4708 mov eax, dword ptr fs:[00000030h] 0_2_015B4708
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0340634F mov eax, dword ptr fs:[00000030h] 2_2_0340634F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0332C310 mov ecx, dword ptr fs:[00000030h] 2_2_0332C310
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03350310 mov ecx, dword ptr fs:[00000030h] 2_2_03350310
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0336A30B mov eax, dword ptr fs:[00000030h] 2_2_0336A30B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0336A30B mov eax, dword ptr fs:[00000030h] 2_2_0336A30B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0336A30B mov eax, dword ptr fs:[00000030h] 2_2_0336A30B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033D437C mov eax, dword ptr fs:[00000030h] 2_2_033D437C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03408324 mov eax, dword ptr fs:[00000030h] 2_2_03408324
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03408324 mov ecx, dword ptr fs:[00000030h] 2_2_03408324
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03408324 mov eax, dword ptr fs:[00000030h] 2_2_03408324
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03408324 mov eax, dword ptr fs:[00000030h] 2_2_03408324
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033B035C mov eax, dword ptr fs:[00000030h] 2_2_033B035C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033B035C mov eax, dword ptr fs:[00000030h] 2_2_033B035C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033B035C mov eax, dword ptr fs:[00000030h] 2_2_033B035C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033B035C mov ecx, dword ptr fs:[00000030h] 2_2_033B035C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033B035C mov eax, dword ptr fs:[00000030h] 2_2_033B035C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033B035C mov eax, dword ptr fs:[00000030h] 2_2_033B035C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033FA352 mov eax, dword ptr fs:[00000030h] 2_2_033FA352
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033D8350 mov ecx, dword ptr fs:[00000030h] 2_2_033D8350
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033B2349 mov eax, dword ptr fs:[00000030h] 2_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033B2349 mov eax, dword ptr fs:[00000030h] 2_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033B2349 mov eax, dword ptr fs:[00000030h] 2_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033B2349 mov eax, dword ptr fs:[00000030h] 2_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033B2349 mov eax, dword ptr fs:[00000030h] 2_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033B2349 mov eax, dword ptr fs:[00000030h] 2_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033B2349 mov eax, dword ptr fs:[00000030h] 2_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033B2349 mov eax, dword ptr fs:[00000030h] 2_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033B2349 mov eax, dword ptr fs:[00000030h] 2_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033B2349 mov eax, dword ptr fs:[00000030h] 2_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033B2349 mov eax, dword ptr fs:[00000030h] 2_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033B2349 mov eax, dword ptr fs:[00000030h] 2_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033B2349 mov eax, dword ptr fs:[00000030h] 2_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033B2349 mov eax, dword ptr fs:[00000030h] 2_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033B2349 mov eax, dword ptr fs:[00000030h] 2_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03328397 mov eax, dword ptr fs:[00000030h] 2_2_03328397
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03328397 mov eax, dword ptr fs:[00000030h] 2_2_03328397
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03328397 mov eax, dword ptr fs:[00000030h] 2_2_03328397
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0332E388 mov eax, dword ptr fs:[00000030h] 2_2_0332E388
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0332E388 mov eax, dword ptr fs:[00000030h] 2_2_0332E388
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0332E388 mov eax, dword ptr fs:[00000030h] 2_2_0332E388
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0335438F mov eax, dword ptr fs:[00000030h] 2_2_0335438F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0335438F mov eax, dword ptr fs:[00000030h] 2_2_0335438F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0334E3F0 mov eax, dword ptr fs:[00000030h] 2_2_0334E3F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0334E3F0 mov eax, dword ptr fs:[00000030h] 2_2_0334E3F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0334E3F0 mov eax, dword ptr fs:[00000030h] 2_2_0334E3F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033663FF mov eax, dword ptr fs:[00000030h] 2_2_033663FF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033403E9 mov eax, dword ptr fs:[00000030h] 2_2_033403E9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033403E9 mov eax, dword ptr fs:[00000030h] 2_2_033403E9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033403E9 mov eax, dword ptr fs:[00000030h] 2_2_033403E9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033403E9 mov eax, dword ptr fs:[00000030h] 2_2_033403E9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033403E9 mov eax, dword ptr fs:[00000030h] 2_2_033403E9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033403E9 mov eax, dword ptr fs:[00000030h] 2_2_033403E9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033403E9 mov eax, dword ptr fs:[00000030h] 2_2_033403E9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033403E9 mov eax, dword ptr fs:[00000030h] 2_2_033403E9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033DE3DB mov eax, dword ptr fs:[00000030h] 2_2_033DE3DB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033DE3DB mov eax, dword ptr fs:[00000030h] 2_2_033DE3DB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033DE3DB mov ecx, dword ptr fs:[00000030h] 2_2_033DE3DB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033DE3DB mov eax, dword ptr fs:[00000030h] 2_2_033DE3DB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033D43D4 mov eax, dword ptr fs:[00000030h] 2_2_033D43D4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033D43D4 mov eax, dword ptr fs:[00000030h] 2_2_033D43D4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033EC3CD mov eax, dword ptr fs:[00000030h] 2_2_033EC3CD
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0333A3C0 mov eax, dword ptr fs:[00000030h] 2_2_0333A3C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0333A3C0 mov eax, dword ptr fs:[00000030h] 2_2_0333A3C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0333A3C0 mov eax, dword ptr fs:[00000030h] 2_2_0333A3C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0333A3C0 mov eax, dword ptr fs:[00000030h] 2_2_0333A3C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0333A3C0 mov eax, dword ptr fs:[00000030h] 2_2_0333A3C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0333A3C0 mov eax, dword ptr fs:[00000030h] 2_2_0333A3C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033383C0 mov eax, dword ptr fs:[00000030h] 2_2_033383C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033383C0 mov eax, dword ptr fs:[00000030h] 2_2_033383C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033383C0 mov eax, dword ptr fs:[00000030h] 2_2_033383C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033383C0 mov eax, dword ptr fs:[00000030h] 2_2_033383C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033B63C0 mov eax, dword ptr fs:[00000030h] 2_2_033B63C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0332823B mov eax, dword ptr fs:[00000030h] 2_2_0332823B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0340625D mov eax, dword ptr fs:[00000030h] 2_2_0340625D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033E0274 mov eax, dword ptr fs:[00000030h] 2_2_033E0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033E0274 mov eax, dword ptr fs:[00000030h] 2_2_033E0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033E0274 mov eax, dword ptr fs:[00000030h] 2_2_033E0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033E0274 mov eax, dword ptr fs:[00000030h] 2_2_033E0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033E0274 mov eax, dword ptr fs:[00000030h] 2_2_033E0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033E0274 mov eax, dword ptr fs:[00000030h] 2_2_033E0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033E0274 mov eax, dword ptr fs:[00000030h] 2_2_033E0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033E0274 mov eax, dword ptr fs:[00000030h] 2_2_033E0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033E0274 mov eax, dword ptr fs:[00000030h] 2_2_033E0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033E0274 mov eax, dword ptr fs:[00000030h] 2_2_033E0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033E0274 mov eax, dword ptr fs:[00000030h] 2_2_033E0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033E0274 mov eax, dword ptr fs:[00000030h] 2_2_033E0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03334260 mov eax, dword ptr fs:[00000030h] 2_2_03334260
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03334260 mov eax, dword ptr fs:[00000030h] 2_2_03334260
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03334260 mov eax, dword ptr fs:[00000030h] 2_2_03334260
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0332826B mov eax, dword ptr fs:[00000030h] 2_2_0332826B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0332A250 mov eax, dword ptr fs:[00000030h] 2_2_0332A250
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03336259 mov eax, dword ptr fs:[00000030h] 2_2_03336259
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033EA250 mov eax, dword ptr fs:[00000030h] 2_2_033EA250
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033EA250 mov eax, dword ptr fs:[00000030h] 2_2_033EA250
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033B8243 mov eax, dword ptr fs:[00000030h] 2_2_033B8243
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033B8243 mov ecx, dword ptr fs:[00000030h] 2_2_033B8243
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033402A0 mov eax, dword ptr fs:[00000030h] 2_2_033402A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033402A0 mov eax, dword ptr fs:[00000030h] 2_2_033402A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034062D6 mov eax, dword ptr fs:[00000030h] 2_2_034062D6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033C62A0 mov eax, dword ptr fs:[00000030h] 2_2_033C62A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033C62A0 mov ecx, dword ptr fs:[00000030h] 2_2_033C62A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033C62A0 mov eax, dword ptr fs:[00000030h] 2_2_033C62A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033C62A0 mov eax, dword ptr fs:[00000030h] 2_2_033C62A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033C62A0 mov eax, dword ptr fs:[00000030h] 2_2_033C62A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033C62A0 mov eax, dword ptr fs:[00000030h] 2_2_033C62A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0336E284 mov eax, dword ptr fs:[00000030h] 2_2_0336E284
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0336E284 mov eax, dword ptr fs:[00000030h] 2_2_0336E284
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033B0283 mov eax, dword ptr fs:[00000030h] 2_2_033B0283
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033B0283 mov eax, dword ptr fs:[00000030h] 2_2_033B0283
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033B0283 mov eax, dword ptr fs:[00000030h] 2_2_033B0283
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033402E1 mov eax, dword ptr fs:[00000030h] 2_2_033402E1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033402E1 mov eax, dword ptr fs:[00000030h] 2_2_033402E1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033402E1 mov eax, dword ptr fs:[00000030h] 2_2_033402E1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0333A2C3 mov eax, dword ptr fs:[00000030h] 2_2_0333A2C3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0333A2C3 mov eax, dword ptr fs:[00000030h] 2_2_0333A2C3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0333A2C3 mov eax, dword ptr fs:[00000030h] 2_2_0333A2C3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0333A2C3 mov eax, dword ptr fs:[00000030h] 2_2_0333A2C3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0333A2C3 mov eax, dword ptr fs:[00000030h] 2_2_0333A2C3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03360124 mov eax, dword ptr fs:[00000030h] 2_2_03360124
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03404164 mov eax, dword ptr fs:[00000030h] 2_2_03404164
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03404164 mov eax, dword ptr fs:[00000030h] 2_2_03404164
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033DA118 mov ecx, dword ptr fs:[00000030h] 2_2_033DA118
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033DA118 mov eax, dword ptr fs:[00000030h] 2_2_033DA118
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033DA118 mov eax, dword ptr fs:[00000030h] 2_2_033DA118
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033DA118 mov eax, dword ptr fs:[00000030h] 2_2_033DA118
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033F0115 mov eax, dword ptr fs:[00000030h] 2_2_033F0115
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033DE10E mov eax, dword ptr fs:[00000030h] 2_2_033DE10E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033DE10E mov ecx, dword ptr fs:[00000030h] 2_2_033DE10E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033DE10E mov eax, dword ptr fs:[00000030h] 2_2_033DE10E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033DE10E mov eax, dword ptr fs:[00000030h] 2_2_033DE10E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033DE10E mov ecx, dword ptr fs:[00000030h] 2_2_033DE10E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033DE10E mov eax, dword ptr fs:[00000030h] 2_2_033DE10E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033DE10E mov eax, dword ptr fs:[00000030h] 2_2_033DE10E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033DE10E mov ecx, dword ptr fs:[00000030h] 2_2_033DE10E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033DE10E mov eax, dword ptr fs:[00000030h] 2_2_033DE10E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033DE10E mov ecx, dword ptr fs:[00000030h] 2_2_033DE10E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0332C156 mov eax, dword ptr fs:[00000030h] 2_2_0332C156
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033C8158 mov eax, dword ptr fs:[00000030h] 2_2_033C8158
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03336154 mov eax, dword ptr fs:[00000030h] 2_2_03336154
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03336154 mov eax, dword ptr fs:[00000030h] 2_2_03336154
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033C4144 mov eax, dword ptr fs:[00000030h] 2_2_033C4144
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033C4144 mov eax, dword ptr fs:[00000030h] 2_2_033C4144
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033C4144 mov ecx, dword ptr fs:[00000030h] 2_2_033C4144
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033C4144 mov eax, dword ptr fs:[00000030h] 2_2_033C4144
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033C4144 mov eax, dword ptr fs:[00000030h] 2_2_033C4144
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033B019F mov eax, dword ptr fs:[00000030h] 2_2_033B019F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033B019F mov eax, dword ptr fs:[00000030h] 2_2_033B019F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033B019F mov eax, dword ptr fs:[00000030h] 2_2_033B019F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033B019F mov eax, dword ptr fs:[00000030h] 2_2_033B019F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0332A197 mov eax, dword ptr fs:[00000030h] 2_2_0332A197
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0332A197 mov eax, dword ptr fs:[00000030h] 2_2_0332A197
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0332A197 mov eax, dword ptr fs:[00000030h] 2_2_0332A197
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034061E5 mov eax, dword ptr fs:[00000030h] 2_2_034061E5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03370185 mov eax, dword ptr fs:[00000030h] 2_2_03370185
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033EC188 mov eax, dword ptr fs:[00000030h] 2_2_033EC188
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033EC188 mov eax, dword ptr fs:[00000030h] 2_2_033EC188
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033D4180 mov eax, dword ptr fs:[00000030h] 2_2_033D4180
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033D4180 mov eax, dword ptr fs:[00000030h] 2_2_033D4180
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033601F8 mov eax, dword ptr fs:[00000030h] 2_2_033601F8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033AE1D0 mov eax, dword ptr fs:[00000030h] 2_2_033AE1D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033AE1D0 mov eax, dword ptr fs:[00000030h] 2_2_033AE1D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033AE1D0 mov ecx, dword ptr fs:[00000030h] 2_2_033AE1D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033AE1D0 mov eax, dword ptr fs:[00000030h] 2_2_033AE1D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033AE1D0 mov eax, dword ptr fs:[00000030h] 2_2_033AE1D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033F61C3 mov eax, dword ptr fs:[00000030h] 2_2_033F61C3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033F61C3 mov eax, dword ptr fs:[00000030h] 2_2_033F61C3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033C6030 mov eax, dword ptr fs:[00000030h] 2_2_033C6030
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0332A020 mov eax, dword ptr fs:[00000030h] 2_2_0332A020
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0332C020 mov eax, dword ptr fs:[00000030h] 2_2_0332C020
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0334E016 mov eax, dword ptr fs:[00000030h] 2_2_0334E016
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0334E016 mov eax, dword ptr fs:[00000030h] 2_2_0334E016
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0334E016 mov eax, dword ptr fs:[00000030h] 2_2_0334E016
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0334E016 mov eax, dword ptr fs:[00000030h] 2_2_0334E016
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033B4000 mov ecx, dword ptr fs:[00000030h] 2_2_033B4000
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033D2000 mov eax, dword ptr fs:[00000030h] 2_2_033D2000
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033D2000 mov eax, dword ptr fs:[00000030h] 2_2_033D2000
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033D2000 mov eax, dword ptr fs:[00000030h] 2_2_033D2000
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033D2000 mov eax, dword ptr fs:[00000030h] 2_2_033D2000
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033D2000 mov eax, dword ptr fs:[00000030h] 2_2_033D2000
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033D2000 mov eax, dword ptr fs:[00000030h] 2_2_033D2000
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033D2000 mov eax, dword ptr fs:[00000030h] 2_2_033D2000
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033D2000 mov eax, dword ptr fs:[00000030h] 2_2_033D2000
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0335C073 mov eax, dword ptr fs:[00000030h] 2_2_0335C073
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03332050 mov eax, dword ptr fs:[00000030h] 2_2_03332050
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033B6050 mov eax, dword ptr fs:[00000030h] 2_2_033B6050
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033F60B8 mov eax, dword ptr fs:[00000030h] 2_2_033F60B8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033F60B8 mov ecx, dword ptr fs:[00000030h] 2_2_033F60B8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033280A0 mov eax, dword ptr fs:[00000030h] 2_2_033280A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033C80A8 mov eax, dword ptr fs:[00000030h] 2_2_033C80A8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0333208A mov eax, dword ptr fs:[00000030h] 2_2_0333208A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0332C0F0 mov eax, dword ptr fs:[00000030h] 2_2_0332C0F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033720F0 mov ecx, dword ptr fs:[00000030h] 2_2_033720F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0332A0E3 mov ecx, dword ptr fs:[00000030h] 2_2_0332A0E3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033380E9 mov eax, dword ptr fs:[00000030h] 2_2_033380E9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033B60E0 mov eax, dword ptr fs:[00000030h] 2_2_033B60E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033B20DE mov eax, dword ptr fs:[00000030h] 2_2_033B20DE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0336273C mov eax, dword ptr fs:[00000030h] 2_2_0336273C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0336273C mov ecx, dword ptr fs:[00000030h] 2_2_0336273C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0336273C mov eax, dword ptr fs:[00000030h] 2_2_0336273C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033AC730 mov eax, dword ptr fs:[00000030h] 2_2_033AC730
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0336C720 mov eax, dword ptr fs:[00000030h] 2_2_0336C720
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0336C720 mov eax, dword ptr fs:[00000030h] 2_2_0336C720
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03330710 mov eax, dword ptr fs:[00000030h] 2_2_03330710
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03360710 mov eax, dword ptr fs:[00000030h] 2_2_03360710
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0336C700 mov eax, dword ptr fs:[00000030h] 2_2_0336C700
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03338770 mov eax, dword ptr fs:[00000030h] 2_2_03338770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03340770 mov eax, dword ptr fs:[00000030h] 2_2_03340770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03340770 mov eax, dword ptr fs:[00000030h] 2_2_03340770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03340770 mov eax, dword ptr fs:[00000030h] 2_2_03340770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03340770 mov eax, dword ptr fs:[00000030h] 2_2_03340770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03340770 mov eax, dword ptr fs:[00000030h] 2_2_03340770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03340770 mov eax, dword ptr fs:[00000030h] 2_2_03340770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03340770 mov eax, dword ptr fs:[00000030h] 2_2_03340770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03340770 mov eax, dword ptr fs:[00000030h] 2_2_03340770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03340770 mov eax, dword ptr fs:[00000030h] 2_2_03340770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03340770 mov eax, dword ptr fs:[00000030h] 2_2_03340770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03340770 mov eax, dword ptr fs:[00000030h] 2_2_03340770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03340770 mov eax, dword ptr fs:[00000030h] 2_2_03340770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03330750 mov eax, dword ptr fs:[00000030h] 2_2_03330750
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033BE75D mov eax, dword ptr fs:[00000030h] 2_2_033BE75D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03372750 mov eax, dword ptr fs:[00000030h] 2_2_03372750
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03372750 mov eax, dword ptr fs:[00000030h] 2_2_03372750
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033B4755 mov eax, dword ptr fs:[00000030h] 2_2_033B4755
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0336674D mov esi, dword ptr fs:[00000030h] 2_2_0336674D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0336674D mov eax, dword ptr fs:[00000030h] 2_2_0336674D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0336674D mov eax, dword ptr fs:[00000030h] 2_2_0336674D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033307AF mov eax, dword ptr fs:[00000030h] 2_2_033307AF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033E47A0 mov eax, dword ptr fs:[00000030h] 2_2_033E47A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033D678E mov eax, dword ptr fs:[00000030h] 2_2_033D678E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033347FB mov eax, dword ptr fs:[00000030h] 2_2_033347FB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033347FB mov eax, dword ptr fs:[00000030h] 2_2_033347FB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033527ED mov eax, dword ptr fs:[00000030h] 2_2_033527ED
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033527ED mov eax, dword ptr fs:[00000030h] 2_2_033527ED
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033527ED mov eax, dword ptr fs:[00000030h] 2_2_033527ED
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033BE7E1 mov eax, dword ptr fs:[00000030h] 2_2_033BE7E1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0333C7C0 mov eax, dword ptr fs:[00000030h] 2_2_0333C7C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033B07C3 mov eax, dword ptr fs:[00000030h] 2_2_033B07C3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0334E627 mov eax, dword ptr fs:[00000030h] 2_2_0334E627
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03366620 mov eax, dword ptr fs:[00000030h] 2_2_03366620
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03368620 mov eax, dword ptr fs:[00000030h] 2_2_03368620
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0333262C mov eax, dword ptr fs:[00000030h] 2_2_0333262C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03372619 mov eax, dword ptr fs:[00000030h] 2_2_03372619
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033AE609 mov eax, dword ptr fs:[00000030h] 2_2_033AE609
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0334260B mov eax, dword ptr fs:[00000030h] 2_2_0334260B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0334260B mov eax, dword ptr fs:[00000030h] 2_2_0334260B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0334260B mov eax, dword ptr fs:[00000030h] 2_2_0334260B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0334260B mov eax, dword ptr fs:[00000030h] 2_2_0334260B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0334260B mov eax, dword ptr fs:[00000030h] 2_2_0334260B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0334260B mov eax, dword ptr fs:[00000030h] 2_2_0334260B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0334260B mov eax, dword ptr fs:[00000030h] 2_2_0334260B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03362674 mov eax, dword ptr fs:[00000030h] 2_2_03362674
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033F866E mov eax, dword ptr fs:[00000030h] 2_2_033F866E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033F866E mov eax, dword ptr fs:[00000030h] 2_2_033F866E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0336A660 mov eax, dword ptr fs:[00000030h] 2_2_0336A660
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0336A660 mov eax, dword ptr fs:[00000030h] 2_2_0336A660
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0334C640 mov eax, dword ptr fs:[00000030h] 2_2_0334C640
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033666B0 mov eax, dword ptr fs:[00000030h] 2_2_033666B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0336C6A6 mov eax, dword ptr fs:[00000030h] 2_2_0336C6A6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03334690 mov eax, dword ptr fs:[00000030h] 2_2_03334690
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03334690 mov eax, dword ptr fs:[00000030h] 2_2_03334690
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033AE6F2 mov eax, dword ptr fs:[00000030h] 2_2_033AE6F2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033AE6F2 mov eax, dword ptr fs:[00000030h] 2_2_033AE6F2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033AE6F2 mov eax, dword ptr fs:[00000030h] 2_2_033AE6F2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033AE6F2 mov eax, dword ptr fs:[00000030h] 2_2_033AE6F2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033B06F1 mov eax, dword ptr fs:[00000030h] 2_2_033B06F1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033B06F1 mov eax, dword ptr fs:[00000030h] 2_2_033B06F1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0336A6C7 mov ebx, dword ptr fs:[00000030h] 2_2_0336A6C7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0336A6C7 mov eax, dword ptr fs:[00000030h] 2_2_0336A6C7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03340535 mov eax, dword ptr fs:[00000030h] 2_2_03340535
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03340535 mov eax, dword ptr fs:[00000030h] 2_2_03340535
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03340535 mov eax, dword ptr fs:[00000030h] 2_2_03340535
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03340535 mov eax, dword ptr fs:[00000030h] 2_2_03340535
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03340535 mov eax, dword ptr fs:[00000030h] 2_2_03340535
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03340535 mov eax, dword ptr fs:[00000030h] 2_2_03340535
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0335E53E mov eax, dword ptr fs:[00000030h] 2_2_0335E53E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0335E53E mov eax, dword ptr fs:[00000030h] 2_2_0335E53E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0335E53E mov eax, dword ptr fs:[00000030h] 2_2_0335E53E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0335E53E mov eax, dword ptr fs:[00000030h] 2_2_0335E53E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0335E53E mov eax, dword ptr fs:[00000030h] 2_2_0335E53E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033C6500 mov eax, dword ptr fs:[00000030h] 2_2_033C6500
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03404500 mov eax, dword ptr fs:[00000030h] 2_2_03404500
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03404500 mov eax, dword ptr fs:[00000030h] 2_2_03404500
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03404500 mov eax, dword ptr fs:[00000030h] 2_2_03404500
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03404500 mov eax, dword ptr fs:[00000030h] 2_2_03404500
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03404500 mov eax, dword ptr fs:[00000030h] 2_2_03404500
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03404500 mov eax, dword ptr fs:[00000030h] 2_2_03404500
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03404500 mov eax, dword ptr fs:[00000030h] 2_2_03404500
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0336656A mov eax, dword ptr fs:[00000030h] 2_2_0336656A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0336656A mov eax, dword ptr fs:[00000030h] 2_2_0336656A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0336656A mov eax, dword ptr fs:[00000030h] 2_2_0336656A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03338550 mov eax, dword ptr fs:[00000030h] 2_2_03338550
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03338550 mov eax, dword ptr fs:[00000030h] 2_2_03338550
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033545B1 mov eax, dword ptr fs:[00000030h] 2_2_033545B1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033545B1 mov eax, dword ptr fs:[00000030h] 2_2_033545B1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033B05A7 mov eax, dword ptr fs:[00000030h] 2_2_033B05A7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033B05A7 mov eax, dword ptr fs:[00000030h] 2_2_033B05A7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033B05A7 mov eax, dword ptr fs:[00000030h] 2_2_033B05A7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0336E59C mov eax, dword ptr fs:[00000030h] 2_2_0336E59C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03332582 mov eax, dword ptr fs:[00000030h] 2_2_03332582
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03332582 mov ecx, dword ptr fs:[00000030h] 2_2_03332582
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03364588 mov eax, dword ptr fs:[00000030h] 2_2_03364588
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0335E5E7 mov eax, dword ptr fs:[00000030h] 2_2_0335E5E7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0335E5E7 mov eax, dword ptr fs:[00000030h] 2_2_0335E5E7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0335E5E7 mov eax, dword ptr fs:[00000030h] 2_2_0335E5E7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0335E5E7 mov eax, dword ptr fs:[00000030h] 2_2_0335E5E7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0335E5E7 mov eax, dword ptr fs:[00000030h] 2_2_0335E5E7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0335E5E7 mov eax, dword ptr fs:[00000030h] 2_2_0335E5E7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0335E5E7 mov eax, dword ptr fs:[00000030h] 2_2_0335E5E7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0335E5E7 mov eax, dword ptr fs:[00000030h] 2_2_0335E5E7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033325E0 mov eax, dword ptr fs:[00000030h] 2_2_033325E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0336C5ED mov eax, dword ptr fs:[00000030h] 2_2_0336C5ED
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0336C5ED mov eax, dword ptr fs:[00000030h] 2_2_0336C5ED
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033365D0 mov eax, dword ptr fs:[00000030h] 2_2_033365D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0336A5D0 mov eax, dword ptr fs:[00000030h] 2_2_0336A5D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0336A5D0 mov eax, dword ptr fs:[00000030h] 2_2_0336A5D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0336E5CF mov eax, dword ptr fs:[00000030h] 2_2_0336E5CF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0336E5CF mov eax, dword ptr fs:[00000030h] 2_2_0336E5CF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0336A430 mov eax, dword ptr fs:[00000030h] 2_2_0336A430
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0332E420 mov eax, dword ptr fs:[00000030h] 2_2_0332E420
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0332E420 mov eax, dword ptr fs:[00000030h] 2_2_0332E420
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0332E420 mov eax, dword ptr fs:[00000030h] 2_2_0332E420
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0332C427 mov eax, dword ptr fs:[00000030h] 2_2_0332C427
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033B6420 mov eax, dword ptr fs:[00000030h] 2_2_033B6420
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033B6420 mov eax, dword ptr fs:[00000030h] 2_2_033B6420
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033B6420 mov eax, dword ptr fs:[00000030h] 2_2_033B6420
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033B6420 mov eax, dword ptr fs:[00000030h] 2_2_033B6420
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033B6420 mov eax, dword ptr fs:[00000030h] 2_2_033B6420
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033B6420 mov eax, dword ptr fs:[00000030h] 2_2_033B6420
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033B6420 mov eax, dword ptr fs:[00000030h] 2_2_033B6420
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03368402 mov eax, dword ptr fs:[00000030h] 2_2_03368402
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03368402 mov eax, dword ptr fs:[00000030h] 2_2_03368402
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03368402 mov eax, dword ptr fs:[00000030h] 2_2_03368402
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0335A470 mov eax, dword ptr fs:[00000030h] 2_2_0335A470
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0335A470 mov eax, dword ptr fs:[00000030h] 2_2_0335A470
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0335A470 mov eax, dword ptr fs:[00000030h] 2_2_0335A470
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033BC460 mov ecx, dword ptr fs:[00000030h] 2_2_033BC460
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033EA456 mov eax, dword ptr fs:[00000030h] 2_2_033EA456
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0332645D mov eax, dword ptr fs:[00000030h] 2_2_0332645D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0335245A mov eax, dword ptr fs:[00000030h] 2_2_0335245A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0336E443 mov eax, dword ptr fs:[00000030h] 2_2_0336E443
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0336E443 mov eax, dword ptr fs:[00000030h] 2_2_0336E443
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0336E443 mov eax, dword ptr fs:[00000030h] 2_2_0336E443
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0336E443 mov eax, dword ptr fs:[00000030h] 2_2_0336E443
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0336E443 mov eax, dword ptr fs:[00000030h] 2_2_0336E443
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0336E443 mov eax, dword ptr fs:[00000030h] 2_2_0336E443
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0336E443 mov eax, dword ptr fs:[00000030h] 2_2_0336E443
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0336E443 mov eax, dword ptr fs:[00000030h] 2_2_0336E443
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033644B0 mov ecx, dword ptr fs:[00000030h] 2_2_033644B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033BA4B0 mov eax, dword ptr fs:[00000030h] 2_2_033BA4B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033364AB mov eax, dword ptr fs:[00000030h] 2_2_033364AB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033EA49A mov eax, dword ptr fs:[00000030h] 2_2_033EA49A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033304E5 mov ecx, dword ptr fs:[00000030h] 2_2_033304E5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0335EB20 mov eax, dword ptr fs:[00000030h] 2_2_0335EB20
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0335EB20 mov eax, dword ptr fs:[00000030h] 2_2_0335EB20
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033F8B28 mov eax, dword ptr fs:[00000030h] 2_2_033F8B28
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033F8B28 mov eax, dword ptr fs:[00000030h] 2_2_033F8B28
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03402B57 mov eax, dword ptr fs:[00000030h] 2_2_03402B57
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03402B57 mov eax, dword ptr fs:[00000030h] 2_2_03402B57
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03402B57 mov eax, dword ptr fs:[00000030h] 2_2_03402B57
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03402B57 mov eax, dword ptr fs:[00000030h] 2_2_03402B57
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033AEB1D mov eax, dword ptr fs:[00000030h] 2_2_033AEB1D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033AEB1D mov eax, dword ptr fs:[00000030h] 2_2_033AEB1D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033AEB1D mov eax, dword ptr fs:[00000030h] 2_2_033AEB1D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033AEB1D mov eax, dword ptr fs:[00000030h] 2_2_033AEB1D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033AEB1D mov eax, dword ptr fs:[00000030h] 2_2_033AEB1D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033AEB1D mov eax, dword ptr fs:[00000030h] 2_2_033AEB1D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033AEB1D mov eax, dword ptr fs:[00000030h] 2_2_033AEB1D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033AEB1D mov eax, dword ptr fs:[00000030h] 2_2_033AEB1D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033AEB1D mov eax, dword ptr fs:[00000030h] 2_2_033AEB1D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03404B00 mov eax, dword ptr fs:[00000030h] 2_2_03404B00
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0332CB7E mov eax, dword ptr fs:[00000030h] 2_2_0332CB7E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03328B50 mov eax, dword ptr fs:[00000030h] 2_2_03328B50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033DEB50 mov eax, dword ptr fs:[00000030h] 2_2_033DEB50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033E4B4B mov eax, dword ptr fs:[00000030h] 2_2_033E4B4B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033E4B4B mov eax, dword ptr fs:[00000030h] 2_2_033E4B4B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033C6B40 mov eax, dword ptr fs:[00000030h] 2_2_033C6B40
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033C6B40 mov eax, dword ptr fs:[00000030h] 2_2_033C6B40
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033FAB40 mov eax, dword ptr fs:[00000030h] 2_2_033FAB40
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033D8B42 mov eax, dword ptr fs:[00000030h] 2_2_033D8B42
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03340BBE mov eax, dword ptr fs:[00000030h] 2_2_03340BBE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03340BBE mov eax, dword ptr fs:[00000030h] 2_2_03340BBE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033E4BB0 mov eax, dword ptr fs:[00000030h] 2_2_033E4BB0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033E4BB0 mov eax, dword ptr fs:[00000030h] 2_2_033E4BB0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03338BF0 mov eax, dword ptr fs:[00000030h] 2_2_03338BF0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03338BF0 mov eax, dword ptr fs:[00000030h] 2_2_03338BF0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03338BF0 mov eax, dword ptr fs:[00000030h] 2_2_03338BF0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0335EBFC mov eax, dword ptr fs:[00000030h] 2_2_0335EBFC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033BCBF0 mov eax, dword ptr fs:[00000030h] 2_2_033BCBF0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033DEBD0 mov eax, dword ptr fs:[00000030h] 2_2_033DEBD0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03350BCB mov eax, dword ptr fs:[00000030h] 2_2_03350BCB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03350BCB mov eax, dword ptr fs:[00000030h] 2_2_03350BCB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03350BCB mov eax, dword ptr fs:[00000030h] 2_2_03350BCB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03330BCD mov eax, dword ptr fs:[00000030h] 2_2_03330BCD
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03330BCD mov eax, dword ptr fs:[00000030h] 2_2_03330BCD
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03330BCD mov eax, dword ptr fs:[00000030h] 2_2_03330BCD
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03354A35 mov eax, dword ptr fs:[00000030h] 2_2_03354A35
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03354A35 mov eax, dword ptr fs:[00000030h] 2_2_03354A35
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0336CA38 mov eax, dword ptr fs:[00000030h] 2_2_0336CA38
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0336CA24 mov eax, dword ptr fs:[00000030h] 2_2_0336CA24
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0335EA2E mov eax, dword ptr fs:[00000030h] 2_2_0335EA2E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033BCA11 mov eax, dword ptr fs:[00000030h] 2_2_033BCA11
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033ACA72 mov eax, dword ptr fs:[00000030h] 2_2_033ACA72
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033ACA72 mov eax, dword ptr fs:[00000030h] 2_2_033ACA72
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0336CA6F mov eax, dword ptr fs:[00000030h] 2_2_0336CA6F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0336CA6F mov eax, dword ptr fs:[00000030h] 2_2_0336CA6F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0336CA6F mov eax, dword ptr fs:[00000030h] 2_2_0336CA6F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033DEA60 mov eax, dword ptr fs:[00000030h] 2_2_033DEA60
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03336A50 mov eax, dword ptr fs:[00000030h] 2_2_03336A50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03336A50 mov eax, dword ptr fs:[00000030h] 2_2_03336A50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03336A50 mov eax, dword ptr fs:[00000030h] 2_2_03336A50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03336A50 mov eax, dword ptr fs:[00000030h] 2_2_03336A50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03336A50 mov eax, dword ptr fs:[00000030h] 2_2_03336A50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03336A50 mov eax, dword ptr fs:[00000030h] 2_2_03336A50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03336A50 mov eax, dword ptr fs:[00000030h] 2_2_03336A50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03340A5B mov eax, dword ptr fs:[00000030h] 2_2_03340A5B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03340A5B mov eax, dword ptr fs:[00000030h] 2_2_03340A5B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03338AA0 mov eax, dword ptr fs:[00000030h] 2_2_03338AA0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03338AA0 mov eax, dword ptr fs:[00000030h] 2_2_03338AA0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03386AA4 mov eax, dword ptr fs:[00000030h] 2_2_03386AA4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03368A90 mov edx, dword ptr fs:[00000030h] 2_2_03368A90
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0333EA80 mov eax, dword ptr fs:[00000030h] 2_2_0333EA80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0333EA80 mov eax, dword ptr fs:[00000030h] 2_2_0333EA80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0333EA80 mov eax, dword ptr fs:[00000030h] 2_2_0333EA80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0333EA80 mov eax, dword ptr fs:[00000030h] 2_2_0333EA80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0333EA80 mov eax, dword ptr fs:[00000030h] 2_2_0333EA80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0333EA80 mov eax, dword ptr fs:[00000030h] 2_2_0333EA80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0333EA80 mov eax, dword ptr fs:[00000030h] 2_2_0333EA80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0333EA80 mov eax, dword ptr fs:[00000030h] 2_2_0333EA80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0333EA80 mov eax, dword ptr fs:[00000030h] 2_2_0333EA80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03404A80 mov eax, dword ptr fs:[00000030h] 2_2_03404A80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0336AAEE mov eax, dword ptr fs:[00000030h] 2_2_0336AAEE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0336AAEE mov eax, dword ptr fs:[00000030h] 2_2_0336AAEE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03330AD0 mov eax, dword ptr fs:[00000030h] 2_2_03330AD0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03364AD0 mov eax, dword ptr fs:[00000030h] 2_2_03364AD0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03364AD0 mov eax, dword ptr fs:[00000030h] 2_2_03364AD0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03386ACC mov eax, dword ptr fs:[00000030h] 2_2_03386ACC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03386ACC mov eax, dword ptr fs:[00000030h] 2_2_03386ACC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03386ACC mov eax, dword ptr fs:[00000030h] 2_2_03386ACC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03404940 mov eax, dword ptr fs:[00000030h] 2_2_03404940
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033B892A mov eax, dword ptr fs:[00000030h] 2_2_033B892A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033C892B mov eax, dword ptr fs:[00000030h] 2_2_033C892B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033BC912 mov eax, dword ptr fs:[00000030h] 2_2_033BC912
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03328918 mov eax, dword ptr fs:[00000030h] 2_2_03328918
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03328918 mov eax, dword ptr fs:[00000030h] 2_2_03328918
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033AE908 mov eax, dword ptr fs:[00000030h] 2_2_033AE908
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033AE908 mov eax, dword ptr fs:[00000030h] 2_2_033AE908
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033D4978 mov eax, dword ptr fs:[00000030h] 2_2_033D4978
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033D4978 mov eax, dword ptr fs:[00000030h] 2_2_033D4978
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033BC97C mov eax, dword ptr fs:[00000030h] 2_2_033BC97C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03356962 mov eax, dword ptr fs:[00000030h] 2_2_03356962
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03356962 mov eax, dword ptr fs:[00000030h] 2_2_03356962
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03356962 mov eax, dword ptr fs:[00000030h] 2_2_03356962
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0337096E mov eax, dword ptr fs:[00000030h] 2_2_0337096E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0337096E mov edx, dword ptr fs:[00000030h] 2_2_0337096E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0337096E mov eax, dword ptr fs:[00000030h] 2_2_0337096E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033B0946 mov eax, dword ptr fs:[00000030h] 2_2_033B0946
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033B89B3 mov esi, dword ptr fs:[00000030h] 2_2_033B89B3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033B89B3 mov eax, dword ptr fs:[00000030h] 2_2_033B89B3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033B89B3 mov eax, dword ptr fs:[00000030h] 2_2_033B89B3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033429A0 mov eax, dword ptr fs:[00000030h] 2_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033429A0 mov eax, dword ptr fs:[00000030h] 2_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033429A0 mov eax, dword ptr fs:[00000030h] 2_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033429A0 mov eax, dword ptr fs:[00000030h] 2_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033429A0 mov eax, dword ptr fs:[00000030h] 2_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033429A0 mov eax, dword ptr fs:[00000030h] 2_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033429A0 mov eax, dword ptr fs:[00000030h] 2_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033429A0 mov eax, dword ptr fs:[00000030h] 2_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033429A0 mov eax, dword ptr fs:[00000030h] 2_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033429A0 mov eax, dword ptr fs:[00000030h] 2_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033429A0 mov eax, dword ptr fs:[00000030h] 2_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033429A0 mov eax, dword ptr fs:[00000030h] 2_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033429A0 mov eax, dword ptr fs:[00000030h] 2_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033309AD mov eax, dword ptr fs:[00000030h] 2_2_033309AD
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033309AD mov eax, dword ptr fs:[00000030h] 2_2_033309AD
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033629F9 mov eax, dword ptr fs:[00000030h] 2_2_033629F9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033629F9 mov eax, dword ptr fs:[00000030h] 2_2_033629F9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033BE9E0 mov eax, dword ptr fs:[00000030h] 2_2_033BE9E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0333A9D0 mov eax, dword ptr fs:[00000030h] 2_2_0333A9D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0333A9D0 mov eax, dword ptr fs:[00000030h] 2_2_0333A9D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0333A9D0 mov eax, dword ptr fs:[00000030h] 2_2_0333A9D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0333A9D0 mov eax, dword ptr fs:[00000030h] 2_2_0333A9D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0333A9D0 mov eax, dword ptr fs:[00000030h] 2_2_0333A9D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0333A9D0 mov eax, dword ptr fs:[00000030h] 2_2_0333A9D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033649D0 mov eax, dword ptr fs:[00000030h] 2_2_033649D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033FA9D3 mov eax, dword ptr fs:[00000030h] 2_2_033FA9D3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033C69C0 mov eax, dword ptr fs:[00000030h] 2_2_033C69C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03352835 mov eax, dword ptr fs:[00000030h] 2_2_03352835
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03352835 mov eax, dword ptr fs:[00000030h] 2_2_03352835
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03352835 mov eax, dword ptr fs:[00000030h] 2_2_03352835
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03352835 mov ecx, dword ptr fs:[00000030h] 2_2_03352835
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03352835 mov eax, dword ptr fs:[00000030h] 2_2_03352835
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03352835 mov eax, dword ptr fs:[00000030h] 2_2_03352835
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0336A830 mov eax, dword ptr fs:[00000030h] 2_2_0336A830
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033D483A mov eax, dword ptr fs:[00000030h] 2_2_033D483A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033D483A mov eax, dword ptr fs:[00000030h] 2_2_033D483A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033BC810 mov eax, dword ptr fs:[00000030h] 2_2_033BC810
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033BE872 mov eax, dword ptr fs:[00000030h] 2_2_033BE872
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\NEW ORDER_.exe Code function: 0_2_0072A66C GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, 0_2_0072A66C
Enables debug privileges
Source: C:\Windows\SysWOW64\svchost.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER_.exe Code function: 0_2_007181AC SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_007181AC
Source: C:\Users\user\Desktop\NEW ORDER_.exe Code function: 0_2_00718189 SetUnhandledExceptionFilter, 0_2_00718189
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_00ED53F0 SetUnhandledExceptionFilter, 5_2_00ED53F0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_00ED51A0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 5_2_00ED51A0

HIPS / PFW / Operating System Protection Evasion
barindex
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\NEW ORDER_.exe Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: NULL target: C:\Windows\SysWOW64\ipconfig.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: NULL target: C:\Windows\SysWOW64\ipconfig.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: read write Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: read write Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Modifies the context of a thread in another process (thread injection)
Source: C:\Windows\SysWOW64\svchost.exe Thread register set: target process: 4056 Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe Thread register set: target process: 4056 Jump to behavior
Queues an APC in another process (thread injection)
Source: C:\Windows\SysWOW64\svchost.exe Thread APC queued: target process: C:\Windows\explorer.exe Jump to behavior
Sample uses process hollowing technique
Source: C:\Windows\SysWOW64\svchost.exe Section unmapped: C:\Windows\SysWOW64\ipconfig.exe base address: ED0000 Jump to behavior
Writes to foreign memory regions
Source: C:\Users\user\Desktop\NEW ORDER_.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 2959008 Jump to behavior
Contains functionality to execute programs as a different user
Source: C:\Users\user\Desktop\NEW ORDER_.exe Code function: 0_2_0072B106 LogonUserW, 0_2_0072B106
Contains functionality to launch a program with higher privileges
Source: C:\Users\user\Desktop\NEW ORDER_.exe Code function: 0_2_006F3D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 0_2_006F3D19
Contains functionality to simulate keystroke presses
Source: C:\Users\user\Desktop\NEW ORDER_.exe Code function: 0_2_0073411C SendInput,keybd_event, 0_2_0073411C
Contains functionality to simulate mouse events
Source: C:\Users\user\Desktop\NEW ORDER_.exe Code function: 0_2_007374E7 mouse_event, 0_2_007374E7
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\NEW ORDER_.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\NEW ORDER_.exe" Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\svchost.exe" Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER_.exe Code function: 0_2_0072A66C GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, 0_2_0072A66C
Source: C:\Users\user\Desktop\NEW ORDER_.exe Code function: 0_2_007371FA AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 0_2_007371FA
Source: NEW ORDER_.exe, explorer.exe, 00000004.00000002.2382306208.0000000004880000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2272662739.0000000009013000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2274146619.000000000901E000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000004.00000000.1323862645.0000000001440000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000E.00000002.3748179691.00000000010C9000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3753722338.0000000005180000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000004.00000000.1323862645.0000000001440000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: ?Program Manager
Source: explorer.exe, 00000004.00000000.1323423529.0000000000C59000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2380190939.0000000000C59000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 1Progman
Source: NEW ORDER_.exe Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndTHISREMOVEblankinfoquestionstopwarning
Source: explorer.exe, 00000004.00000000.1323862645.0000000001440000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\NEW ORDER_.exe Code function: 0_2_007165C4 cpuid 0_2_007165C4
Source: C:\Users\user\Desktop\NEW ORDER_.exe Code function: 0_2_0074091D GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,__wsplitpath,_wcscat,_wcscat,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,_wcscpy,SetCurrentDirectoryW, 0_2_0074091D
Source: C:\Users\user\Desktop\NEW ORDER_.exe Code function: 0_2_0076B340 GetUserNameW, 0_2_0076B340
Source: C:\Users\user\Desktop\NEW ORDER_.exe Code function: 0_2_00721E8E __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte, 0_2_00721E8E
Source: C:\Users\user\Desktop\NEW ORDER_.exe Code function: 0_2_0070DDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_0070DDC0
AV process strings found (often used to terminate AV products)
Source: explorer.exe, 0000000E.00000003.2510429618.000000000C7F2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3769483542.000000000C745000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2514697880.000000000C7FB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Program Files\Windows Defender\MSASCui.exe

Stealing of Sensitive Information
barindex
Yara detected FormBook
Source: Yara match File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.NEW ORDER_.exe.3ab0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.NEW ORDER_.exe.3ab0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.1374290968.0000000003170000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.3748101037.0000000000C90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.3749816830.0000000003140000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1373841275.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1320406705.0000000003AB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.3749960996.0000000003170000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1374329870.00000000031A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
OS version to string mapping found (often used in BOTs)
Source: NEW ORDER_.exe Binary or memory string: WIN_81
Source: NEW ORDER_.exe Binary or memory string: WIN_XP
Source: NEW ORDER_.exe Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 12, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubytep
Source: NEW ORDER_.exe Binary or memory string: WIN_XPe
Source: NEW ORDER_.exe Binary or memory string: WIN_VISTA
Source: NEW ORDER_.exe Binary or memory string: WIN_7
Source: NEW ORDER_.exe Binary or memory string: WIN_8

Remote Access Functionality
barindex
Yara detected FormBook
Source: Yara match File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.NEW ORDER_.exe.3ab0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.NEW ORDER_.exe.3ab0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.1374290968.0000000003170000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.3748101037.0000000000C90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.3749816830.0000000003140000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1373841275.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1320406705.0000000003AB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.3749960996.0000000003170000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1374329870.00000000031A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\Desktop\NEW ORDER_.exe Code function: 0_2_00748C4F socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket, 0_2_00748C4F
Source: C:\Users\user\Desktop\NEW ORDER_.exe Code function: 0_2_0074923B socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 0_2_0074923B
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1560971 Sample: NEW ORDER_.exe Startdate: 22/11/2024 Architecture: WINDOWS Score: 100 32 www.reyhazeusa.shop 2->32 34 www.ostcanadantpl.top 2->34 36 3 other IPs or domains 2->36 40 Found malware configuration 2->40 42 Malicious sample detected (through community Yara rule) 2->42 44 Multi AV Scanner detection for submitted file 2->44 46 7 other signatures 2->46 11 NEW ORDER_.exe 2 2->11         started        signatures3 process4 signatures5 58 Binary is likely a compiled AutoIt script file 11->58 60 Writes to foreign memory regions 11->60 62 Maps a DLL or memory area into another process 11->62 14 svchost.exe 11->14         started        process6 signatures7 64 Modifies the context of a thread in another process (thread injection) 14->64 66 Maps a DLL or memory area into another process 14->66 68 Sample uses process hollowing technique 14->68 70 3 other signatures 14->70 17 explorer.exe 30 1 14->17 injected process8 signatures9 38 Uses ipconfig to lookup or modify the Windows network settings 17->38 20 ipconfig.exe 17->20         started        23 WerFault.exe 21 17->23         started        process10 signatures11 48 Modifies the context of a thread in another process (thread injection) 20->48 50 Reads the DNS cache 20->50 52 Maps a DLL or memory area into another process 20->52 54 2 other signatures 20->54 25 explorer.exe 16 125 20->25         started        28 cmd.exe 1 20->28         started        process12 signatures13 56 Query firmware table information (likely to detect VMs) 25->56 30 conhost.exe 28->30         started        process14
No contacted IP infos

Contacted Domains

Name IP Active
www.acifictechnologycctv.net unknown unknown
www.reyhazeusa.shop unknown unknown
www.ostcanadantpl.top unknown unknown
api.msn.com unknown unknown
www.ood-packaging-jobs-brasil.today unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
www.9net88.net/ge07/ false
    		high