Edit tour

Windows Analysis Report
PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe

Overview

General Information

Sample name:	PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe
Analysis ID:	1636035
MD5:	68762e74deeb08af82928e46079e3221
SHA1:	ff473cf51c0c91ac8558a8079e2ec97a2efbddef
SHA256:	7cef1a4c70f2ee9c816acb54ec61313be6f6d02931db9f857e9f6618a86a2646
Tags:	exeuser-lowmal3
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected FormBook

Binary is likely a compiled AutoIt script file

C2 URLs / IPs found in malware configuration

Initial sample is a PE file and has a suspicious name

Joe Sandbox ML detected suspicious sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Switches to a custom stack to bypass stack traces

Tries to detect virtualization through RDTSC time measurements

Uses netstat to query active network connections and open ports

Writes to foreign memory regions

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found decision node followed by non-executed suspicious APIs

Found evasive API chain (date check)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Uncommon Svchost Parent Process

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe (PID: 6968 cmdline: "C:\Users\user\Desktop\PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe" MD5: 68762E74DEEB08AF82928E46079E3221)

svchost.exe (PID: 2184 cmdline: "C:\Users\user\Desktop\PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

explorer.exe (PID: 4056 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)

autofmt.exe (PID: 1848 cmdline: "C:\Windows\SysWOW64\autofmt.exe" MD5: C72D80A976B7EB40534E8464957A979F)

NETSTAT.EXE (PID: 3888 cmdline: "C:\Windows\SysWOW64\NETSTAT.EXE" MD5: 9DB170ED520A6DD57B5AC92EC537368A)

cmd.exe (PID: 5664 cmdline: /c del "C:\Windows\SysWOW64\svchost.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5248 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.mnbeauty.net/hm26/"], "decoy": ["assaustreetcapitalplanning.info", "renddshop.shop", "pioxc.xyz", "andalend.xyz", "ulnmatrix.net", "rgent-loan-633032398.click", "aki-spin.casino", "ebbidy.app", "ouse136.click", "ubyx.digital", "oveworldquick.sbs", "uantiv.art", "sassrgaceeytp.digital", "unsetvistahotels.net", "ngfuwlofip.bond", "eautyservicesrc.info", "rops-newser456.sbs", "hatushyamcraneservice.online", "icisuo6.pro", "ypherpunkpress.xyz", "rbitswaves.info", "reenmounttravel.online", "xvideos.red", "uskdeveloper.xyz", "et1000.biz", "volvedirectivesolutions.info", "ental-implants-89727.bond", "niliidd.irish", "ssisted-living-5.bond", "estfreshmove.sbs", "nepf.bid", "imalayanscent.shop", "edralb.irish", "cskftyn.biz", "one.shop", "qhelp.live", "k5004.casino", "ynonymnetwork.xyz", "ortop-corp.net", "nsold-cars-tribe.today", "endon.cloud", "nkywords6598.shop", "xbeykozharunyakar.shop", "erratech.tech", "tikahshafie.cloud", "8068.locker", "tair-lift-65694.bond", "eagleinsuranceplans.fun", "antx.buzz", "ewtym.shop", "rlinker.xyz", "ealthcare-trends-76690.bond", "earfat.shop", "58-pet-funeral-services-14.cfd", "reamsquad11fantasy.shop", "deadirectiveconsultinghub.info", "mniscientnews.xyz", "alamalaenava.shop", "atvikxtt.tech", "oberwayenergy.net", "gmstudio.net", "etsumamoto.pro", "wiftcarcare.net", "ultigenius.xyz"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000005.00000002.3295469220.00000000005C0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000002.3295469220.00000000005C0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000005.00000002.3295469220.00000000005C0000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb80:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000005.00000002.3295469220.00000000005C0000.00000040.80000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8e7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000002.3295469220.00000000005C0000.00000040.80000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18809:$sqlite3step: 68 34 1C 7B E1 0x1891c:$sqlite3step: 68 34 1C 7B E1 0x18838:$sqlite3text: 68 38 2A 90 C5 0x1895d:$sqlite3text: 68 38 2A 90 C5 0x1884b:$sqlite3blob: 68 53 D8 7F 8C 0x18973:$sqlite3blob: 68 53 D8 7F 8C
00000005.00000002.3296651683.0000000000BA0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000002.3296651683.0000000000BA0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000005.00000002.3296651683.0000000000BA0000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb80:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000005.00000002.3296651683.0000000000BA0000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8e7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000002.3296651683.0000000000BA0000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18809:$sqlite3step: 68 34 1C 7B E1 0x1891c:$sqlite3step: 68 34 1C 7B E1 0x18838:$sqlite3text: 68 38 2A 90 C5 0x1895d:$sqlite3text: 68 38 2A 90 C5 0x1884b:$sqlite3blob: 68 53 D8 7F 8C 0x18973:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.841980287.00000000017F0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.841980287.00000000017F0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000000.00000002.841980287.00000000017F0000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb80:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000000.00000002.841980287.00000000017F0000.00000004.00001000.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8e7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.841980287.00000000017F0000.00000004.00001000.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18809:$sqlite3step: 68 34 1C 7B E1 0x1891c:$sqlite3step: 68 34 1C 7B E1 0x18838:$sqlite3text: 68 38 2A 90 C5 0x1895d:$sqlite3text: 68 38 2A 90 C5 0x1884b:$sqlite3blob: 68 53 D8 7F 8C 0x18973:$sqlite3blob: 68 53 D8 7F 8C
00000002.00000002.894587889.0000000003050000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000002.00000002.894587889.0000000003050000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.894587889.0000000003050000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb80:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000002.00000002.894587889.0000000003050000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8e7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000002.894587889.0000000003050000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18809:$sqlite3step: 68 34 1C 7B E1 0x1891c:$sqlite3step: 68 34 1C 7B E1 0x18838:$sqlite3text: 68 38 2A 90 C5 0x1895d:$sqlite3text: 68 38 2A 90 C5 0x1884b:$sqlite3blob: 68 53 D8 7F 8C 0x18973:$sqlite3blob: 68 53 D8 7F 8C
00000002.00000002.894477972.0000000002DD0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000002.00000002.894477972.0000000002DD0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.894477972.0000000002DD0000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb80:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000002.00000002.894477972.0000000002DD0000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8e7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000002.894477972.0000000002DD0000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18809:$sqlite3step: 68 34 1C 7B E1 0x1891c:$sqlite3step: 68 34 1C 7B E1 0x18838:$sqlite3text: 68 38 2A 90 C5 0x1895d:$sqlite3text: 68 38 2A 90 C5 0x1884b:$sqlite3blob: 68 53 D8 7F 8C 0x18973:$sqlite3blob: 68 53 D8 7F 8C
00000003.00000002.3313873944.0000000010CBA000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_772cc62d	unknown	unknown	0xa72:$a2: pass 0xa78:$a3: email 0xa7f:$a4: login 0xa86:$a5: signin 0xa97:$a6: persistent 0xc6a:$r1: C:\Users\user\AppData\Roaming\LL07669B\LL0log.ini
00000005.00000002.3296308616.0000000000B60000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000002.3296308616.0000000000B60000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000005.00000002.3296308616.0000000000B60000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb80:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000005.00000002.3296308616.0000000000B60000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8e7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000002.3296308616.0000000000B60000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18809:$sqlite3step: 68 34 1C 7B E1 0x1891c:$sqlite3step: 68 34 1C 7B E1 0x18838:$sqlite3text: 68 38 2A 90 C5 0x1895d:$sqlite3text: 68 38 2A 90 C5 0x1884b:$sqlite3blob: 68 53 D8 7F 8C 0x18973:$sqlite3blob: 68 53 D8 7F 8C
00000002.00000002.894090641.0000000002711000.00000020.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000002.00000002.894090641.0000000002711000.00000020.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.894090641.0000000002711000.00000020.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x5251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1bb80:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x99bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x148a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000002.00000002.894090641.0000000002711000.00000020.80000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x958a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1a8e7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1b8ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000002.894090641.0000000002711000.00000020.80000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17809:$sqlite3step: 68 34 1C 7B E1 0x1791c:$sqlite3step: 68 34 1C 7B E1 0x17838:$sqlite3text: 68 38 2A 90 C5 0x1795d:$sqlite3text: 68 38 2A 90 C5 0x1784b:$sqlite3blob: 68 53 D8 7F 8C 0x17973:$sqlite3blob: 68 53 D8 7F 8C
Process Memory Space: PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe PID: 6968	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x101c85:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: svchost.exe PID: 2184	Windows_Trojan_Formbook_1112e116	unknown	unknown	0xf6952:$a1: 3C 30 50 4F 53 54 74 09 40 0x134ccc:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: NETSTAT.EXE PID: 3888	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x255:$a1: 3C 30 50 4F 53 54 74 09 40 0x82b8a:$a1: 3C 30 50 4F 53 54 74 09 40 0x121502:$a1: 3C 30 50 4F 53 54 74 09 40
Click to see the 34 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe.17f0000.1.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0.2.PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe.17f0000.1.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0.2.PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe.17f0000.1.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x5451:$a1: 3C 30 50 4F 53 54 74 09 40 0x1bd80:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x9bbf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x14aa7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0.2.PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe.17f0000.1.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x148a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x149a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x978a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1360c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa483:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1aae7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1baea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0.2.PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe.17f0000.1.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17a09:$sqlite3step: 68 34 1C 7B E1 0x17b1c:$sqlite3step: 68 34 1C 7B E1 0x17a38:$sqlite3text: 68 38 2A 90 C5 0x17b5d:$sqlite3text: 68 38 2A 90 C5 0x17a4b:$sqlite3blob: 68 53 D8 7F 8C 0x17b73:$sqlite3blob: 68 53 D8 7F 8C
0.2.PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe.17f0000.1.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0.2.PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe.17f0000.1.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0.2.PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe.17f0000.1.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb80:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0.2.PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe.17f0000.1.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8e7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0.2.PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe.17f0000.1.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18809:$sqlite3step: 68 34 1C 7B E1 0x1891c:$sqlite3step: 68 34 1C 7B E1 0x18838:$sqlite3text: 68 38 2A 90 C5 0x1895d:$sqlite3text: 68 38 2A 90 C5 0x1884b:$sqlite3blob: 68 53 D8 7F 8C 0x18973:$sqlite3blob: 68 53 D8 7F 8C
2.2.svchost.exe.2710000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
2.2.svchost.exe.2710000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
2.2.svchost.exe.2710000.0.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x5451:$a1: 3C 30 50 4F 53 54 74 09 40 0x1bd80:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x9bbf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x14aa7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
2.2.svchost.exe.2710000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x148a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x149a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x978a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1360c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa483:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1aae7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1baea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
2.2.svchost.exe.2710000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17a09:$sqlite3step: 68 34 1C 7B E1 0x17b1c:$sqlite3step: 68 34 1C 7B E1 0x17a38:$sqlite3text: 68 38 2A 90 C5 0x17b5d:$sqlite3text: 68 38 2A 90 C5 0x17a4b:$sqlite3blob: 68 53 D8 7F 8C 0x17b73:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 10 entries

Sigma Signatures

System Summary

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe", CommandLine: "C:\Users\user\Desktop\PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe", ParentImage: C:\Users\user\Desktop\PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe, ParentProcessId: 6968, ParentProcessName: PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe, ProcessCommandLine: "C:\Users\user\Desktop\PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe", ProcessId: 2184, ProcessName: svchost.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\Desktop\PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe", CommandLine: "C:\Users\user\Desktop\PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe", ParentImage: C:\Users\user\Desktop\PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe, ParentProcessId: 6968, ParentProcessName: PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe, ProcessCommandLine: "C:\Users\user\Desktop\PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe", ProcessId: 2184, ProcessName: svchost.exe

Suricata Signatures

ET MALWARE FormBook CnC Checkin (GET)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-12T10:32:52.074829+0100	2031453	1	Malware Command and Control Activity Detected	192.168.2.8	49693	185.88.181.17	80	TCP
2025-03-12T10:33:33.090593+0100	2031453	1	Malware Command and Control Activity Detected	192.168.2.8	49694	5.196.134.71	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe

Avira: detected

Found malware configuration

Source: 00000005.00000002.3295469220.00000000005C0000.00000040.80000000.00040000.00000000.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.mnbeauty.net/hm26/"], "decoy": ["assaustreetcapitalplanning.info", "renddshop.shop", "pioxc.xyz", "andalend.xyz", "ulnmatrix.net", "rgent-loan-633032398.click", "aki-spin.casino", "ebbidy.app", "ouse136.click", "ubyx.digital", "oveworldquick.sbs", "uantiv.art", "sassrgaceeytp.digital", "unsetvistahotels.net", "ngfuwlofip.bond", "eautyservicesrc.info", "rops-newser456.sbs", "hatushyamcraneservice.online", "icisuo6.pro", "ypherpunkpress.xyz", "rbitswaves.info", "reenmounttravel.online", "xvideos.red", "uskdeveloper.xyz", "et1000.biz", "volvedirectivesolutions.info", "ental-implants-89727.bond", "niliidd.irish", "ssisted-living-5.bond", "estfreshmove.sbs", "nepf.bid", "imalayanscent.shop", "edralb.irish", "cskftyn.biz", "one.shop", "qhelp.live", "k5004.casino", "ynonymnetwork.xyz", "ortop-corp.net", "nsold-cars-tribe.today", "endon.cloud", "nkywords6598.shop", "xbeykozharunyakar.shop", "erratech.tech", "tikahshafie.cloud", "8068.locker", "tair-lift-65694.bond", "eagleinsuranceplans.fun", "antx.buzz", "ewtym.shop", "rlinker.xyz", "ealthcare-trends-76690.bond", "earfat.shop", "58-pet-funeral-services-14.cfd", "reamsquad11fantasy.shop", "deadirectiveconsultinghub.info", "mniscientnews.xyz", "alamalaenava.shop", "atvikxtt.tech", "oberwayenergy.net", "gmstudio.net", "etsumamoto.pro", "wiftcarcare.net", "ultigenius.xyz"]}

Multi AV Scanner detection for submitted file

Source: PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe	Virustotal: Detection: 49%			Perma Link
Source: PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe	ReversingLabs: Detection: 52%

Yara detected FormBook

Source: Yara match	File source: 0.2.PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe.17f0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe.17f0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.2710000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.3295469220.00000000005C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3296651683.0000000000BA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.841980287.00000000017F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.894587889.0000000003050000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.894477972.0000000002DD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3296308616.0000000000B60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.894090641.0000000002711000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: netstat.pdbGCTL source: svchost.exe, 00000002.00000002.894632128.0000000003080000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000002.00000003.893846981.0000000002A1B000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 00000005.00000002.3296971298.0000000000C70000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: netstat.pdb source: svchost.exe, 00000002.00000002.894632128.0000000003080000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000002.00000003.893846981.0000000002A1B000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, NETSTAT.EXE, 00000005.00000002.3296971298.0000000000C70000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe, 00000000.00000003.839198954.0000000003780000.00000004.00001000.00020000.00000000.sdmp, PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe, 00000000.00000003.841143297.0000000003920000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.841239989.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.842908930.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.894723174.000000000329E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.894723174.0000000003100000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 00000005.00000003.894304896.0000000002C85000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 00000005.00000002.3297780201.000000000317E000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 00000005.00000002.3297780201.0000000002FE0000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 00000005.00000003.896029471.0000000002E3A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe, 00000000.00000003.839198954.0000000003780000.00000004.00001000.00020000.00000000.sdmp, PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe, 00000000.00000003.841143297.0000000003920000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.841239989.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.842908930.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.894723174.000000000329E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.894723174.0000000003100000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, NETSTAT.EXE, 00000005.00000003.894304896.0000000002C85000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 00000005.00000002.3297780201.000000000317E000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 00000005.00000002.3297780201.0000000002FE0000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 00000005.00000003.896029471.0000000002E3A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: explorer.exe, 00000003.00000002.3313518455.000000001041F000.00000004.80000000.00040000.00000000.sdmp, NETSTAT.EXE, 00000005.00000002.3299270717.000000000352F000.00000004.10000000.00040000.00000000.sdmp, NETSTAT.EXE, 00000005.00000002.3295932656.0000000000922000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: explorer.exe, 00000003.00000002.3313518455.000000001041F000.00000004.80000000.00040000.00000000.sdmp, NETSTAT.EXE, 00000005.00000002.3299270717.000000000352F000.00000004.10000000.00040000.00000000.sdmp, NETSTAT.EXE, 00000005.00000002.3295932656.0000000000922000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe	Code function: 0_2_004B449B GetFileAttributesW,FindFirstFileW,FindClose,	0_2_004B449B
Source: C:\Users\user\Desktop\PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe	Code function: 0_2_004BC75D FindFirstFileW,FindClose,	0_2_004BC75D
Source: C:\Users\user\Desktop\PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe	Code function: 0_2_004BC7E8 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_004BC7E8
Source: C:\Users\user\Desktop\PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe	Code function: 0_2_004BF021 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_004BF021
Source: C:\Users\user\Desktop\PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe	Code function: 0_2_004BF17E SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_004BF17E
Source: C:\Users\user\Desktop\PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe	Code function: 0_2_004BF47F FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_004BF47F
Source: C:\Users\user\Desktop\PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe	Code function: 0_2_004B3833 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_004B3833
Source: C:\Users\user\Desktop\PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe	Code function: 0_2_004B3B56 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_004B3B56
Source: C:\Users\user\Desktop\PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe	Code function: 0_2_004BBD48 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_004BBD48

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.8:49693 -> 185.88.181.17:80
Source: Network traffic	Suricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.8:49693 -> 185.88.181.17:80
Source: Network traffic	Suricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.8:49693 -> 185.88.181.17:80
Source: Network traffic	Suricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.8:49694 -> 5.196.134.71:80
Source: Network traffic	Suricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.8:49694 -> 5.196.134.71:80
Source: Network traffic	Suricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.8:49694 -> 5.196.134.71:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.mnbeauty.net/hm26/

Uses netstat to query active network connections and open ports

Source: C:\Windows\explorer.exe

Process created: C:\Windows\SysWOW64\NETSTAT.EXE "C:\Windows\SysWOW64\NETSTAT.EXE"

Source: global traffic	HTTP traffic detected: GET /hm26/?N48hp6=QJs3sJTGMcBH/U65Jq+Lp0dgaD+y06DxWjOhvONMXbh7c+M4qKZx+IgAfXBep4WvyUzy&iBZ=B8_XPLt0A8lxM HTTP/1.1Host: www.xvideos.redConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /hm26/?N48hp6=sLmOsUmwi0K/WVN8T+ezbFEeo08B1ruw74ZQ74wQBXaSXhRnHKZaQ6qfROZWw6BAvxn1&iBZ=B8_XPLt0A8lxM HTTP/1.1Host: www.gmstudio.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View	IP Address: 204.79.197.203 204.79.197.203
Source: Joe Sandbox View	IP Address: 204.79.197.203 204.79.197.203

Source: Joe Sandbox View

ASN Name: OVHFR OVHFR

Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe

Code function: 0_2_004C2404 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_004C2404

Source: global traffic	HTTP traffic detected: GET /hm26/?N48hp6=QJs3sJTGMcBH/U65Jq+Lp0dgaD+y06DxWjOhvONMXbh7c+M4qKZx+IgAfXBep4WvyUzy&iBZ=B8_XPLt0A8lxM HTTP/1.1Host: www.xvideos.redConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /hm26/?N48hp6=sLmOsUmwi0K/WVN8T+ezbFEeo08B1ruw74ZQ74wQBXaSXhRnHKZaQ6qfROZWw6BAvxn1&iBZ=B8_XPLt0A8lxM HTTP/1.1Host: www.gmstudio.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: global traffic	DNS traffic detected: DNS query: www.niliidd.irish
Source: global traffic	DNS traffic detected: DNS query: www.oberwayenergy.net
Source: global traffic	DNS traffic detected: DNS query: www.mnbeauty.net
Source: global traffic	DNS traffic detected: DNS query: www.xvideos.red
Source: global traffic	DNS traffic detected: DNS query: www.nsold-cars-tribe.today
Source: global traffic	DNS traffic detected: DNS query: www.gmstudio.net
Source: global traffic	DNS traffic detected: DNS query: www.erratech.tech
Source: global traffic	DNS traffic detected: DNS query: www.k5004.casino
Source: global traffic	DNS traffic detected: DNS query: www.nkywords6598.shop
Source: global traffic	DNS traffic detected: DNS query: www.rops-newser456.sbs
Source: global traffic	DNS traffic detected: DNS query: www.ebbidy.app

Source: explorer.exe, 00000003.00000002.3305246112.0000000007498000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.851459888.0000000000C5E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.853473247.0000000007459000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2623687053.0000000007491000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.855397204.000000000974B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
Source: explorer.exe, 00000003.00000002.3305246112.0000000007498000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.851459888.0000000000C5E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.853473247.0000000007459000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2623687053.0000000007491000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.855397204.000000000974B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 00000003.00000002.3305246112.0000000007498000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.851459888.0000000000C5E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.853473247.0000000007459000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2623687053.0000000007491000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.855397204.000000000974B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000003.00000002.3307140059.00000000096DF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.855397204.00000000096DF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crl
Source: explorer.exe, 00000003.00000002.3312526699.000000000C429000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2629501760.000000000C427000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075868381.000000000C429000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2623993964.000000000C41B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.micr
Source: explorer.exe, 00000003.00000002.3305812631.0000000007940000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000002.3306584880.00000000086A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.855068556.0000000008680000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: explorer.exe, 00000003.00000003.2624553514.000000000C251000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2627735739.000000000C2E6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3312127581.000000000C2E9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ebbidy.app
Source: explorer.exe, 00000003.00000003.2624553514.000000000C251000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2627735739.000000000C2E6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3312127581.000000000C2E9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ebbidy.app/hm26/
Source: explorer.exe, 00000003.00000003.2624553514.000000000C251000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2627735739.000000000C2E6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3312127581.000000000C2E9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ebbidy.app/hm26/www.ngfuwlofip.bond
Source: explorer.exe, 00000003.00000003.2624553514.000000000C251000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2627735739.000000000C2E6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3312127581.000000000C2E9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ebbidy.appReferer:
Source: explorer.exe, 00000003.00000003.2624553514.000000000C251000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2627735739.000000000C2E6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3312127581.000000000C2E9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.erratech.tech
Source: explorer.exe, 00000003.00000003.2624553514.000000000C251000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2627735739.000000000C2E6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3312127581.000000000C2E9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.erratech.tech/hm26/
Source: explorer.exe, 00000003.00000003.2624553514.000000000C251000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2627735739.000000000C2E6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3312127581.000000000C2E9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.erratech.tech/hm26/www.k5004.casino
Source: explorer.exe, 00000003.00000003.2624553514.000000000C251000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2627735739.000000000C2E6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3312127581.000000000C2E9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.erratech.techReferer:
Source: explorer.exe, 00000003.00000003.2624553514.000000000C251000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2627735739.000000000C2E6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3312127581.000000000C2E9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.et1000.biz
Source: explorer.exe, 00000003.00000003.2624553514.000000000C251000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2627735739.000000000C2E6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3312127581.000000000C2E9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.et1000.biz/hm26/
Source: explorer.exe, 00000003.00000003.2624553514.000000000C251000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2627735739.000000000C2E6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3312127581.000000000C2E9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.et1000.biz/hm26/www.etsumamoto.pro
Source: explorer.exe, 00000003.00000003.2624553514.000000000C251000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2627735739.000000000C2E6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3312127581.000000000C2E9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.et1000.bizReferer:
Source: explorer.exe, 00000003.00000003.2624553514.000000000C251000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2627735739.000000000C2E6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3312127581.000000000C2E9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.etsumamoto.pro
Source: explorer.exe, 00000003.00000003.2624553514.000000000C251000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2627735739.000000000C2E6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3312127581.000000000C2E9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.etsumamoto.pro/hm26/
Source: explorer.exe, 00000003.00000003.2624553514.000000000C251000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2627735739.000000000C2E6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3312127581.000000000C2E9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.etsumamoto.pro/hm26/www.ouse136.click
Source: explorer.exe, 00000003.00000003.2624553514.000000000C251000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2627735739.000000000C2E6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3312127581.000000000C2E9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.etsumamoto.proReferer:
Source: explorer.exe, 00000003.00000003.2624553514.000000000C251000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2627735739.000000000C2E6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3312127581.000000000C2E9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.gmstudio.net
Source: explorer.exe, 00000003.00000003.2624553514.000000000C251000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2627735739.000000000C2E6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3312127581.000000000C2E9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.gmstudio.net/hm26/
Source: explorer.exe, 00000003.00000003.2624553514.000000000C251000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2627735739.000000000C2E6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3312127581.000000000C2E9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.gmstudio.net/hm26/www.pioxc.xyz
Source: explorer.exe, 00000003.00000003.2624553514.000000000C251000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2627735739.000000000C2E6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3312127581.000000000C2E9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.gmstudio.netReferer:
Source: explorer.exe, 00000003.00000003.2624553514.000000000C251000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2627735739.000000000C2E6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3312127581.000000000C2E9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.k5004.casino
Source: explorer.exe, 00000003.00000003.2624553514.000000000C251000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2627735739.000000000C2E6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3312127581.000000000C2E9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.k5004.casino/hm26/
Source: explorer.exe, 00000003.00000003.2624553514.000000000C251000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2627735739.000000000C2E6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3312127581.000000000C2E9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.k5004.casino/hm26/www.nkywords6598.shop
Source: explorer.exe, 00000003.00000003.2624553514.000000000C251000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2627735739.000000000C2E6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3312127581.000000000C2E9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.k5004.casinoReferer:
Source: explorer.exe, 00000003.00000003.2624553514.000000000C251000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2627735739.000000000C2E6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3312127581.000000000C2E9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.mnbeauty.net
Source: explorer.exe, 00000003.00000003.2624553514.000000000C251000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2627735739.000000000C2E6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3312127581.000000000C2E9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.mnbeauty.net/hm26/
Source: explorer.exe, 00000003.00000003.2624553514.000000000C251000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2627735739.000000000C2E6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3312127581.000000000C2E9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.mnbeauty.net/hm26/www.xvideos.red
Source: explorer.exe, 00000003.00000003.2624553514.000000000C251000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2627735739.000000000C2E6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3312127581.000000000C2E9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.mnbeauty.netReferer:
Source: explorer.exe, 00000003.00000003.2624553514.000000000C251000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2627735739.000000000C2E6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3312127581.000000000C2E9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ngfuwlofip.bond
Source: explorer.exe, 00000003.00000003.2624553514.000000000C251000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2627735739.000000000C2E6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3312127581.000000000C2E9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ngfuwlofip.bond/hm26/
Source: explorer.exe, 00000003.00000003.2624553514.000000000C251000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2627735739.000000000C2E6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3312127581.000000000C2E9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ngfuwlofip.bond/hm26/www.et1000.biz
Source: explorer.exe, 00000003.00000003.2624553514.000000000C251000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2627735739.000000000C2E6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3312127581.000000000C2E9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ngfuwlofip.bondReferer:
Source: explorer.exe, 00000003.00000003.2624553514.000000000C251000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2627735739.000000000C2E6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3312127581.000000000C2E9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.niliidd.irish
Source: explorer.exe, 00000003.00000003.2624553514.000000000C251000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2627735739.000000000C2E6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3312127581.000000000C2E9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.niliidd.irish/hm26/
Source: explorer.exe, 00000003.00000003.2624553514.000000000C251000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2627735739.000000000C2E6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3312127581.000000000C2E9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.niliidd.irish/hm26/www.oberwayenergy.net
Source: explorer.exe, 00000003.00000003.2624553514.000000000C251000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2627735739.000000000C2E6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3312127581.000000000C2E9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.niliidd.irishReferer:
Source: explorer.exe, 00000003.00000003.2624553514.000000000C251000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2627735739.000000000C2E6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3312127581.000000000C2E9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.nkywords6598.shop
Source: explorer.exe, 00000003.00000003.2624553514.000000000C251000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2627735739.000000000C2E6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3312127581.000000000C2E9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.nkywords6598.shop/hm26/
Source: explorer.exe, 00000003.00000003.2624553514.000000000C251000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2627735739.000000000C2E6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3312127581.000000000C2E9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.nkywords6598.shop/hm26/www.rops-newser456.sbs
Source: explorer.exe, 00000003.00000003.2624553514.000000000C251000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2627735739.000000000C2E6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3312127581.000000000C2E9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.nkywords6598.shopReferer:
Source: explorer.exe, 00000003.00000003.2624553514.000000000C251000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2627735739.000000000C2E6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3312127581.000000000C2E9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.nsold-cars-tribe.today
Source: explorer.exe, 00000003.00000003.2624553514.000000000C251000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2627735739.000000000C2E6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3312127581.000000000C2E9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.nsold-cars-tribe.today/hm26/
Source: explorer.exe, 00000003.00000003.2624553514.000000000C251000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2627735739.000000000C2E6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3312127581.000000000C2E9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.nsold-cars-tribe.today/hm26/www.gmstudio.net
Source: explorer.exe, 00000003.00000003.2624553514.000000000C251000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2627735739.000000000C2E6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3312127581.000000000C2E9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.nsold-cars-tribe.todayReferer:
Source: explorer.exe, 00000003.00000003.2624553514.000000000C251000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2627735739.000000000C2E6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3312127581.000000000C2E9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.oberwayenergy.net
Source: explorer.exe, 00000003.00000003.2624553514.000000000C251000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2627735739.000000000C2E6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3312127581.000000000C2E9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.oberwayenergy.net/hm26/
Source: explorer.exe, 00000003.00000003.2624553514.000000000C251000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2627735739.000000000C2E6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3312127581.000000000C2E9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.oberwayenergy.net/hm26/www.mnbeauty.net
Source: explorer.exe, 00000003.00000003.2624553514.000000000C251000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2627735739.000000000C2E6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3312127581.000000000C2E9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.oberwayenergy.netReferer:
Source: explorer.exe, 00000003.00000003.2624553514.000000000C251000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2627735739.000000000C2E6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3312127581.000000000C2E9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ouse136.click
Source: explorer.exe, 00000003.00000002.3312127581.000000000C2E9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ouse136.click/hm26/
Source: explorer.exe, 00000003.00000003.2624553514.000000000C251000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2627735739.000000000C2E6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3312127581.000000000C2E9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ouse136.clickReferer:
Source: explorer.exe, 00000003.00000003.2624553514.000000000C251000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2627735739.000000000C2E6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3312127581.000000000C2E9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.pioxc.xyz
Source: explorer.exe, 00000003.00000003.2624553514.000000000C251000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2627735739.000000000C2E6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3312127581.000000000C2E9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.pioxc.xyz/hm26/
Source: explorer.exe, 00000003.00000003.2624553514.000000000C251000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2627735739.000000000C2E6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3312127581.000000000C2E9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.pioxc.xyz/hm26/www.erratech.tech
Source: explorer.exe, 00000003.00000003.2624553514.000000000C251000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2627735739.000000000C2E6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3312127581.000000000C2E9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.pioxc.xyzReferer:
Source: explorer.exe, 00000003.00000003.2624553514.000000000C251000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2627735739.000000000C2E6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3312127581.000000000C2E9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.rops-newser456.sbs
Source: explorer.exe, 00000003.00000003.2624553514.000000000C251000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2627735739.000000000C2E6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3312127581.000000000C2E9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.rops-newser456.sbs/hm26/
Source: explorer.exe, 00000003.00000003.2624553514.000000000C251000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2627735739.000000000C2E6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3312127581.000000000C2E9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.rops-newser456.sbs/hm26/www.ebbidy.app
Source: explorer.exe, 00000003.00000003.2624553514.000000000C251000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2627735739.000000000C2E6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3312127581.000000000C2E9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.rops-newser456.sbsReferer:
Source: explorer.exe, 00000003.00000003.2624553514.000000000C251000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2627735739.000000000C2E6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3312127581.000000000C2E9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.xvideos.red
Source: explorer.exe, 00000003.00000003.2624553514.000000000C251000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2627735739.000000000C2E6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3312127581.000000000C2E9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.xvideos.red/hm26/
Source: explorer.exe, 00000003.00000003.2624553514.000000000C251000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2627735739.000000000C2E6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3312127581.000000000C2E9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.xvideos.red/hm26/www.nsold-cars-tribe.today
Source: explorer.exe, 00000003.00000003.2624553514.000000000C251000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2627735739.000000000C2E6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3312127581.000000000C2E9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.xvideos.redReferer:
Source: explorer.exe, 00000003.00000003.2624553514.000000000C251000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.857915276.000000000C20B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3311940501.000000000C258000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075520055.000000000C251000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppON
Source: explorer.exe, 00000003.00000000.857915276.000000000C20B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000003.00000000.857915276.000000000C20B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOSS
Source: explorer.exe, 00000003.00000000.857915276.000000000C20B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOSS64
Source: explorer.exe, 00000003.00000000.857915276.000000000C20B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS~g
Source: explorer.exe, 00000003.00000000.855397204.00000000095B2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000003.00000002.3307140059.00000000096DF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.855397204.00000000096DF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000003.00000000.853473247.0000000007386000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3302776679.0000000007386000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=0E948A694F8C48079B908C8EA9DDF9EA&timeOut=5000&oc
Source: explorer.exe, 00000003.00000000.853473247.0000000007386000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3302776679.0000000007386000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 00000003.00000002.3307140059.00000000096C4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.855397204.00000000096C4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.com
Source: explorer.exe, 00000003.00000002.3302776679.0000000007386000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
Source: explorer.exe, 00000003.00000002.3302776679.0000000007386000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/MostlyClearNight.svg
Source: explorer.exe, 00000003.00000000.853473247.0000000007386000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3302776679.0000000007386000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/recordhigh.svg
Source: explorer.exe, 00000003.00000000.853473247.0000000007386000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3302776679.0000000007386000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/taskbar/animation/WeatherInsights/WeatherInsi
Source: explorer.exe, 00000003.00000000.853473247.0000000007386000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3302776679.0000000007386000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
Source: explorer.exe, 00000003.00000000.853473247.0000000007386000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3302776679.0000000007386000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
Source: explorer.exe, 00000003.00000000.853473247.0000000007386000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3302776679.0000000007386000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT
Source: explorer.exe, 00000003.00000000.853473247.0000000007386000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3302776679.0000000007386000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT-dark
Source: explorer.exe, 00000003.00000000.853473247.0000000007386000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3302776679.0000000007386000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gF9k
Source: explorer.exe, 00000003.00000000.853473247.0000000007386000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3302776679.0000000007386000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gF9k-dark
Source: explorer.exe, 00000003.00000000.853473247.0000000007386000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3302776679.0000000007386000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKBA
Source: explorer.exe, 00000003.00000000.853473247.0000000007386000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3302776679.0000000007386000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKBA-dark
Source: explorer.exe, 00000003.00000002.3307140059.0000000009741000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: explorer.exe, 00000003.00000000.857915276.000000000C20B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3311940501.000000000C20B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2627553686.000000000C20B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com
Source: explorer.exe, 00000003.00000000.853473247.0000000007386000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3302776679.0000000007386000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA11f7Wa.img
Source: explorer.exe, 00000003.00000000.853473247.0000000007386000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3302776679.0000000007386000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
Source: explorer.exe, 00000003.00000000.853473247.0000000007386000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3302776679.0000000007386000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1b2aMG.img
Source: explorer.exe, 00000003.00000000.853473247.0000000007386000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3302776679.0000000007386000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1bjET8.img
Source: explorer.exe, 00000003.00000000.853473247.0000000007386000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3302776679.0000000007386000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hGNsX.img
Source: explorer.exe, 00000003.00000000.853473247.0000000007386000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3302776679.0000000007386000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAT0qC2.img
Source: explorer.exe, 00000003.00000000.853473247.0000000007386000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3302776679.0000000007386000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBNvr53.img
Source: explorer.exe, 00000003.00000000.853473247.0000000007386000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3302776679.0000000007386000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBYTL1i.img
Source: explorer.exe, 00000003.00000000.857915276.000000000C20B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3311940501.000000000C20B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2627553686.000000000C20B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.coms
Source: explorer.exe, 00000003.00000000.857915276.000000000C1CD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3311301585.000000000C1CD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.comeer6
Source: explorer.exe, 00000003.00000000.853473247.0000000007386000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3302776679.0000000007386000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://upload.wikimedia.org/wikipedia/commons/thumb/8/84/Zealandia-Continent_map_en.svg/1870px-Zeal
Source: explorer.exe, 00000003.00000000.853473247.0000000007386000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3302776679.0000000007386000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000003.00000000.853473247.0000000007386000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3302776679.0000000007386000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000003.00000002.3311301585.000000000C12B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.857915276.000000000C12B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/EM0
Source: explorer.exe, 00000003.00000000.857915276.000000000C20B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3311940501.000000000C20B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2627553686.000000000C20B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.com
Source: explorer.exe, 00000003.00000000.853473247.0000000007386000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3302776679.0000000007386000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/careersandeducation/student-loan-debt-forgiveness-arrives-for-some-b
Source: explorer.exe, 00000003.00000000.853473247.0000000007386000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3302776679.0000000007386000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/markets/costco-is-seeing-a-gold-rush-what-s-behind-the-demand-for-it
Source: explorer.exe, 00000003.00000000.853473247.0000000007386000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3302776679.0000000007386000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/the-big-3-mistakes-financial-advisors-say-that-the-1
Source: explorer.exe, 00000003.00000000.853473247.0000000007386000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3302776679.0000000007386000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/the-no-1-phrase-people-who-are-good-at-small-talk-al
Source: explorer.exe, 00000003.00000000.853473247.0000000007386000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3302776679.0000000007386000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/kinzinger-has-theory-about-who-next-house-speaker-will-be/vi
Source: explorer.exe, 00000003.00000000.853473247.0000000007386000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3302776679.0000000007386000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the
Source: explorer.exe, 00000003.00000000.853473247.0000000007386000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3302776679.0000000007386000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/sports/other/predicting-what-the-pac-12-would-look-like-after-expansion-wi
Source: explorer.exe, 00000003.00000000.853473247.0000000007386000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3302776679.0000000007386000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/sports/other/simone-biles-leads-u-s-women-s-team-to-seventh-straight-world
Source: explorer.exe, 00000003.00000000.853473247.0000000007386000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3302776679.0000000007386000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/sports/other/washington-state-ad-asks-ncaa-for-compassion-and-understandin
Source: explorer.exe, 00000003.00000000.853473247.0000000007386000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3302776679.0000000007386000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/accuweather-el-ni
Source: explorer.exe, 00000003.00000000.853473247.0000000007386000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3302776679.0000000007386000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/first-map-of-earth-s-lost-continent-has-been-published/
Source: explorer.exe, 00000003.00000000.853473247.0000000007386000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3302776679.0000000007386000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/stop-planting-new-forests-scientists-say/ar-AA1hFI09
Source: explorer.exe, 00000003.00000000.853473247.0000000007386000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3302776679.0000000007386000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-winter-forecast-for-the-2023-2024-season/ar-AA1hGINt
Source: explorer.exe, 00000003.00000000.853473247.0000000007386000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3302776679.0000000007386000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com:443/en-us/feed

Source: unknown

Network traffic detected: HTTP traffic on port 49671 -> 443

Source: C:\Users\user\Desktop\PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe

Code function: 0_2_004C407C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_004C407C

Source: C:\Users\user\Desktop\PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe

Code function: 0_2_004C427A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_004C427A

Source: C:\Users\user\Desktop\PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe

0_2_004C407C

Source: C:\Users\user\Desktop\PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe

Code function: 0_2_004B003A GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_004B003A

Source: C:\Users\user\Desktop\PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe

Code function: 0_2_004DCB26 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_004DCB26

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 0.2.PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe.17f0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe.17f0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.2710000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.3295469220.00000000005C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3296651683.0000000000BA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.841980287.00000000017F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.894587889.0000000003050000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.894477972.0000000002DD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3296308616.0000000000B60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.894090641.0000000002711000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe.17f0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0.2.PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe.17f0000.1.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe.17f0000.1.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe.17f0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0.2.PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe.17f0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe.17f0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.svchost.exe.2710000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 2.2.svchost.exe.2710000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.svchost.exe.2710000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.3295469220.00000000005C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.3295469220.00000000005C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.3295469220.00000000005C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.3296651683.0000000000BA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.3296651683.0000000000BA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.3296651683.0000000000BA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.841980287.00000000017F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.841980287.00000000017F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.841980287.00000000017F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.894587889.0000000003050000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.894587889.0000000003050000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.894587889.0000000003050000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.894477972.0000000002DD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.894477972.0000000002DD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.894477972.0000000002DD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.3313873944.0000000010CBA000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_772cc62d Author: unknown
Source: 00000005.00000002.3296308616.0000000000B60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.3296308616.0000000000B60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.3296308616.0000000000B60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.894090641.0000000002711000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.894090641.0000000002711000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.894090641.0000000002711000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe PID: 6968, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: svchost.exe PID: 2184, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: NETSTAT.EXE PID: 3888, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00453B4C
Source: PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe, 00000000.00000000.829314429.0000000000504000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_e3966a21-b
Source: PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe, 00000000.00000000.829314429.0000000000504000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer"	memstr_da703dac-d
Source: PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_34d68325-c
Source: PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer"	memstr_f5fdc89a-5

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03172B60 NtClose,LdrInitializeThunk,	2_2_03172B60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03172BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	2_2_03172BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03172AD0 NtReadFile,LdrInitializeThunk,	2_2_03172AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03172F30 NtCreateSection,LdrInitializeThunk,	2_2_03172F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03172F90 NtProtectVirtualMemory,LdrInitializeThunk,	2_2_03172F90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03172FB0 NtResumeThread,LdrInitializeThunk,	2_2_03172FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03172FE0 NtCreateFile,LdrInitializeThunk,	2_2_03172FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03172E80 NtReadVirtualMemory,LdrInitializeThunk,	2_2_03172E80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03172EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,	2_2_03172EA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03172D10 NtMapViewOfSection,LdrInitializeThunk,	2_2_03172D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03172D30 NtUnmapViewOfSection,LdrInitializeThunk,	2_2_03172D30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03172DD0 NtDelayExecution,LdrInitializeThunk,	2_2_03172DD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03172DF0 NtQuerySystemInformation,LdrInitializeThunk,	2_2_03172DF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03172C70 NtFreeVirtualMemory,LdrInitializeThunk,	2_2_03172C70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03172CA0 NtQueryInformationToken,LdrInitializeThunk,	2_2_03172CA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03174340 NtSetContextThread,	2_2_03174340
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03174650 NtSuspendThread,	2_2_03174650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03172B80 NtQueryInformationFile,	2_2_03172B80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03172BA0 NtEnumerateValueKey,	2_2_03172BA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03172BE0 NtQueryValueKey,	2_2_03172BE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03172AB0 NtWaitForSingleObject,	2_2_03172AB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03172AF0 NtWriteFile,	2_2_03172AF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03172F60 NtCreateProcessEx,	2_2_03172F60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03172FA0 NtQuerySection,	2_2_03172FA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03172E30 NtWriteVirtualMemory,	2_2_03172E30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03172EE0 NtQueueApcThread,	2_2_03172EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03172D00 NtSetInformationFile,	2_2_03172D00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03172DB0 NtEnumerateKey,	2_2_03172DB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03172C00 NtQueryInformationProcess,	2_2_03172C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03172C60 NtCreateKey,	2_2_03172C60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03172CC0 NtQueryVirtualMemory,	2_2_03172CC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03172CF0 NtOpenProcess,	2_2_03172CF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03173010 NtOpenDirectoryObject,	2_2_03173010
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03173090 NtSetValueKey,	2_2_03173090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031735C0 NtCreateMutant,	2_2_031735C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031739B0 NtGetContextThread,	2_2_031739B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03173D10 NtOpenProcessToken,	2_2_03173D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03173D70 NtOpenThread,	2_2_03173D70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0272A320 NtCreateFile,	2_2_0272A320
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0272A3D0 NtReadFile,	2_2_0272A3D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0272A450 NtClose,	2_2_0272A450
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0272A500 NtAllocateVirtualMemory,	2_2_0272A500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030BA036 NtQueryInformationProcess,NtSuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread,NtClose,	2_2_030BA036
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030BA042 NtQueryInformationProcess,	2_2_030BA042
Source: C:\Windows\explorer.exe	Code function: 3_2_10CA3E12 NtProtectVirtualMemory,	3_2_10CA3E12
Source: C:\Windows\explorer.exe	Code function: 3_2_10CA2232 NtCreateFile,	3_2_10CA2232
Source: C:\Windows\explorer.exe	Code function: 3_2_10CA3E0A NtProtectVirtualMemory,	3_2_10CA3E0A
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_03052B60 NtClose,LdrInitializeThunk,	5_2_03052B60
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_03052BE0 NtQueryValueKey,LdrInitializeThunk,	5_2_03052BE0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_03052BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	5_2_03052BF0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_03052AD0 NtReadFile,LdrInitializeThunk,	5_2_03052AD0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_03052F30 NtCreateSection,LdrInitializeThunk,	5_2_03052F30
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_03052FE0 NtCreateFile,LdrInitializeThunk,	5_2_03052FE0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_03052EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,	5_2_03052EA0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_03052D10 NtMapViewOfSection,LdrInitializeThunk,	5_2_03052D10
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_03052DD0 NtDelayExecution,LdrInitializeThunk,	5_2_03052DD0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_03052DF0 NtQuerySystemInformation,LdrInitializeThunk,	5_2_03052DF0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_03052C60 NtCreateKey,LdrInitializeThunk,	5_2_03052C60
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_03052C70 NtFreeVirtualMemory,LdrInitializeThunk,	5_2_03052C70
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_03052CA0 NtQueryInformationToken,LdrInitializeThunk,	5_2_03052CA0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_030535C0 NtCreateMutant,LdrInitializeThunk,	5_2_030535C0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_03054340 NtSetContextThread,	5_2_03054340
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_03054650 NtSuspendThread,	5_2_03054650
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_03052B80 NtQueryInformationFile,	5_2_03052B80
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_03052BA0 NtEnumerateValueKey,	5_2_03052BA0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_03052AB0 NtWaitForSingleObject,	5_2_03052AB0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_03052AF0 NtWriteFile,	5_2_03052AF0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_03052F60 NtCreateProcessEx,	5_2_03052F60
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_03052F90 NtProtectVirtualMemory,	5_2_03052F90
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_03052FA0 NtQuerySection,	5_2_03052FA0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_03052FB0 NtResumeThread,	5_2_03052FB0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_03052E30 NtWriteVirtualMemory,	5_2_03052E30
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_03052E80 NtReadVirtualMemory,	5_2_03052E80
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_03052EE0 NtQueueApcThread,	5_2_03052EE0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_03052D00 NtSetInformationFile,	5_2_03052D00
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_03052D30 NtUnmapViewOfSection,	5_2_03052D30
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_03052DB0 NtEnumerateKey,	5_2_03052DB0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_03052C00 NtQueryInformationProcess,	5_2_03052C00
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_03052CC0 NtQueryVirtualMemory,	5_2_03052CC0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_03052CF0 NtOpenProcess,	5_2_03052CF0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_03053010 NtOpenDirectoryObject,	5_2_03053010
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_03053090 NtSetValueKey,	5_2_03053090
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_030539B0 NtGetContextThread,	5_2_030539B0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_03053D10 NtOpenProcessToken,	5_2_03053D10
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_03053D70 NtOpenThread,	5_2_03053D70
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_005DA320 NtCreateFile,	5_2_005DA320
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_005DA3D0 NtReadFile,	5_2_005DA3D0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_005DA450 NtClose,	5_2_005DA450
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_005DA500 NtAllocateVirtualMemory,	5_2_005DA500
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_02D89BAF NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtUnmapViewOfSection,NtClose,	5_2_02D89BAF
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_02D8A036 NtQueryInformationProcess,NtSuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread,	5_2_02D8A036
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_02D89BB2 NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	5_2_02D89BB2
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_02D8A042 NtQueryInformationProcess,	5_2_02D8A042

Source: C:\Users\user\Desktop\PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe

Code function: 0_2_004BA279: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,

0_2_004BA279

Source: C:\Users\user\Desktop\PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe

Code function: 0_2_004A8638 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_004A8638

Source: C:\Users\user\Desktop\PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe

Code function: 0_2_004B5264 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_004B5264

Source: C:\Users\user\Desktop\PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe	Code function: 0_2_0045E800	0_2_0045E800
Source: C:\Users\user\Desktop\PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe	Code function: 0_2_0047DAF5	0_2_0047DAF5
Source: C:\Users\user\Desktop\PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe	Code function: 0_2_0045E060	0_2_0045E060
Source: C:\Users\user\Desktop\PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe	Code function: 0_2_00464140	0_2_00464140
Source: C:\Users\user\Desktop\PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe	Code function: 0_2_00472345	0_2_00472345
Source: C:\Users\user\Desktop\PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe	Code function: 0_2_00486452	0_2_00486452
Source: C:\Users\user\Desktop\PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe	Code function: 0_2_004D0465	0_2_004D0465
Source: C:\Users\user\Desktop\PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe	Code function: 0_2_004825AE	0_2_004825AE
Source: C:\Users\user\Desktop\PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe	Code function: 0_2_0047277A	0_2_0047277A
Source: C:\Users\user\Desktop\PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe	Code function: 0_2_00466841	0_2_00466841
Source: C:\Users\user\Desktop\PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe	Code function: 0_2_004D08E2	0_2_004D08E2
Source: C:\Users\user\Desktop\PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe	Code function: 0_2_00468968	0_2_00468968
Source: C:\Users\user\Desktop\PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe	Code function: 0_2_0048890F	0_2_0048890F
Source: C:\Users\user\Desktop\PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe	Code function: 0_2_004AE928	0_2_004AE928
Source: C:\Users\user\Desktop\PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe	Code function: 0_2_004B8932	0_2_004B8932
Source: C:\Users\user\Desktop\PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe	Code function: 0_2_004869C4	0_2_004869C4
Source: C:\Users\user\Desktop\PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe	Code function: 0_2_0047CCA1	0_2_0047CCA1
Source: C:\Users\user\Desktop\PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe	Code function: 0_2_00486F36	0_2_00486F36
Source: C:\Users\user\Desktop\PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe	Code function: 0_2_004670FE	0_2_004670FE
Source: C:\Users\user\Desktop\PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe	Code function: 0_2_00463190	0_2_00463190
Source: C:\Users\user\Desktop\PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe	Code function: 0_2_00451287	0_2_00451287
Source: C:\Users\user\Desktop\PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe	Code function: 0_2_0047F359	0_2_0047F359
Source: C:\Users\user\Desktop\PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe	Code function: 0_2_00473307	0_2_00473307
Source: C:\Users\user\Desktop\PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe	Code function: 0_2_00471604	0_2_00471604
Source: C:\Users\user\Desktop\PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe	Code function: 0_2_00465680	0_2_00465680
Source: C:\Users\user\Desktop\PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe	Code function: 0_2_00477813	0_2_00477813
Source: C:\Users\user\Desktop\PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe	Code function: 0_2_004658C0	0_2_004658C0
Source: C:\Users\user\Desktop\PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe	Code function: 0_2_00471AF8	0_2_00471AF8
Source: C:\Users\user\Desktop\PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe	Code function: 0_2_00489C35	0_2_00489C35
Source: C:\Users\user\Desktop\PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe	Code function: 0_2_0045FE40	0_2_0045FE40
Source: C:\Users\user\Desktop\PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe	Code function: 0_2_004D7E0D	0_2_004D7E0D
Source: C:\Users\user\Desktop\PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe	Code function: 0_2_00471F10	0_2_00471F10
Source: C:\Users\user\Desktop\PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe	Code function: 0_2_0047BF26	0_2_0047BF26
Source: C:\Users\user\Desktop\PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe	Code function: 0_2_00E43620	0_2_00E43620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031FA352	2_2_031FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032003E6	2_2_032003E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0314E3F0	2_2_0314E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031E0274	2_2_031E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031C02C0	2_2_031C02C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031DA118	2_2_031DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03130100	2_2_03130100
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031C8158	2_2_031C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032001AA	2_2_032001AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031F81CC	2_2_031F81CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031D2000	2_2_031D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03164750	2_2_03164750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03140770	2_2_03140770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0313C7C0	2_2_0313C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0315C6E0	2_2_0315C6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03140535	2_2_03140535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03200591	2_2_03200591
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031E4420	2_2_031E4420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031F2446	2_2_031F2446
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031EE4F6	2_2_031EE4F6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031FAB40	2_2_031FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031F6BD7	2_2_031F6BD7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0313EA80	2_2_0313EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03156962	2_2_03156962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0320A9A6	2_2_0320A9A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031429A0	2_2_031429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0314A840	2_2_0314A840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03142840	2_2_03142840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031268B8	2_2_031268B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0316E8F0	2_2_0316E8F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03160F30	2_2_03160F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031E2F30	2_2_031E2F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03182F28	2_2_03182F28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B4F40	2_2_031B4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031BEFA0	2_2_031BEFA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03132FC8	2_2_03132FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0314CFE0	2_2_0314CFE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031FEE26	2_2_031FEE26
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03140E59	2_2_03140E59
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03152E90	2_2_03152E90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031FCE93	2_2_031FCE93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031FEEDB	2_2_031FEEDB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031DCD1F	2_2_031DCD1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0314AD00	2_2_0314AD00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03158DBF	2_2_03158DBF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0313ADE0	2_2_0313ADE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03140C00	2_2_03140C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031E0CB5	2_2_031E0CB5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03130CF2	2_2_03130CF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031F132D	2_2_031F132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0312D34C	2_2_0312D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0318739A	2_2_0318739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031452A0	2_2_031452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0315B2C0	2_2_0315B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031E12ED	2_2_031E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0320B16B	2_2_0320B16B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0312F172	2_2_0312F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0317516C	2_2_0317516C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0314B1B0	2_2_0314B1B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031EF0CC	2_2_031EF0CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031470C0	2_2_031470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031F70E9	2_2_031F70E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031FF0E0	2_2_031FF0E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031FF7B0	2_2_031FF7B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031F16CC	2_2_031F16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031F7571	2_2_031F7571
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031DD5B0	2_2_031DD5B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031FF43F	2_2_031FF43F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03131460	2_2_03131460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031FFB76	2_2_031FFB76
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0315FB80	2_2_0315FB80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B5BF0	2_2_031B5BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0317DBF9	2_2_0317DBF9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031FFA49	2_2_031FFA49
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031F7A46	2_2_031F7A46
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B3A6C	2_2_031B3A6C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031DDAAC	2_2_031DDAAC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03185AA0	2_2_03185AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031E1AA3	2_2_031E1AA3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031EDAC6	2_2_031EDAC6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031D5910	2_2_031D5910
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03149950	2_2_03149950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0315B950	2_2_0315B950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031AD800	2_2_031AD800
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031438E0	2_2_031438E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031FFF09	2_2_031FFF09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03141F92	2_2_03141F92
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031FFFB1	2_2_031FFFB1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03149EB0	2_2_03149EB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031F1D5A	2_2_031F1D5A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03143D40	2_2_03143D40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031F7D73	2_2_031F7D73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0315FDC0	2_2_0315FDC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B9C32	2_2_031B9C32
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031FFCF2	2_2_031FFCF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0272C3A6	2_2_0272C3A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0272E190	2_2_0272E190
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0272EB51	2_2_0272EB51
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0272E819	2_2_0272E819
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02712FB0	2_2_02712FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02712D90	2_2_02712D90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02712D87	2_2_02712D87
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02711030	2_2_02711030
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0272D563	2_2_0272D563
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0272D873	2_2_0272D873
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02719E50	2_2_02719E50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02719E4C	2_2_02719E4C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0272DC42	2_2_0272DC42
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0272DD5A	2_2_0272DD5A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030BA036	2_2_030BA036
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030BB232	2_2_030BB232
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B1082	2_2_030B1082
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030BE5CD	2_2_030BE5CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B5B32	2_2_030B5B32
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B5B30	2_2_030B5B30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B8912	2_2_030B8912
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B2D02	2_2_030B2D02
Source: C:\Windows\explorer.exe	Code function: 3_2_0E921232	3_2_0E921232
Source: C:\Windows\explorer.exe	Code function: 3_2_0E91BB30	3_2_0E91BB30
Source: C:\Windows\explorer.exe	Code function: 3_2_0E91BB32	3_2_0E91BB32
Source: C:\Windows\explorer.exe	Code function: 3_2_0E917082	3_2_0E917082
Source: C:\Windows\explorer.exe	Code function: 3_2_0E920036	3_2_0E920036
Source: C:\Windows\explorer.exe	Code function: 3_2_0E9245CD	3_2_0E9245CD
Source: C:\Windows\explorer.exe	Code function: 3_2_0E91E912	3_2_0E91E912
Source: C:\Windows\explorer.exe	Code function: 3_2_0E918D02	3_2_0E918D02
Source: C:\Windows\explorer.exe	Code function: 3_2_10CA2232	3_2_10CA2232
Source: C:\Windows\explorer.exe	Code function: 3_2_10C98082	3_2_10C98082
Source: C:\Windows\explorer.exe	Code function: 3_2_10CA1036	3_2_10CA1036
Source: C:\Windows\explorer.exe	Code function: 3_2_10CA55CD	3_2_10CA55CD
Source: C:\Windows\explorer.exe	Code function: 3_2_10C99D02	3_2_10C99D02
Source: C:\Windows\explorer.exe	Code function: 3_2_10C9F912	3_2_10C9F912
Source: C:\Windows\explorer.exe	Code function: 3_2_10C9CB30	3_2_10C9CB30
Source: C:\Windows\explorer.exe	Code function: 3_2_10C9CB32	3_2_10C9CB32
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_00C72167	5_2_00C72167
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_00C71715	5_2_00C71715
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_030DA352	5_2_030DA352
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_030E03E6	5_2_030E03E6
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_0302E3F0	5_2_0302E3F0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_030C0274	5_2_030C0274
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_030A02C0	5_2_030A02C0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_03010100	5_2_03010100
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_030BA118	5_2_030BA118
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_030A8158	5_2_030A8158
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_030E01AA	5_2_030E01AA
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_030D41A2	5_2_030D41A2
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_030D81CC	5_2_030D81CC
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_030B2000	5_2_030B2000
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_03044750	5_2_03044750
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_03020770	5_2_03020770
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_0301C7C0	5_2_0301C7C0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_0303C6E0	5_2_0303C6E0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_03020535	5_2_03020535
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_030E0591	5_2_030E0591
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_030C4420	5_2_030C4420
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_030D2446	5_2_030D2446
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_030CE4F6	5_2_030CE4F6
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_030DAB40	5_2_030DAB40
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_030D6BD7	5_2_030D6BD7
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_0301EA80	5_2_0301EA80
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_03036962	5_2_03036962
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_030229A0	5_2_030229A0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_030EA9A6	5_2_030EA9A6
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_03022840	5_2_03022840
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_0302A840	5_2_0302A840
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_030068B8	5_2_030068B8
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_0304E8F0	5_2_0304E8F0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_03062F28	5_2_03062F28
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_03040F30	5_2_03040F30
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_030C2F30	5_2_030C2F30
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_03094F40	5_2_03094F40
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_0309EFA0	5_2_0309EFA0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_03012FC8	5_2_03012FC8
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_0302CFE0	5_2_0302CFE0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_030DEE26	5_2_030DEE26
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_03020E59	5_2_03020E59
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_03032E90	5_2_03032E90
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_030DCE93	5_2_030DCE93
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_030DEEDB	5_2_030DEEDB
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_0302AD00	5_2_0302AD00
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_030BCD1F	5_2_030BCD1F
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_03038DBF	5_2_03038DBF
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_0301ADE0	5_2_0301ADE0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_03020C00	5_2_03020C00
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_030C0CB5	5_2_030C0CB5
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_03010CF2	5_2_03010CF2
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_030D132D	5_2_030D132D
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_0300D34C	5_2_0300D34C
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_0306739A	5_2_0306739A
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_030252A0	5_2_030252A0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_0303B2C0	5_2_0303B2C0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_030C12ED	5_2_030C12ED
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_030EB16B	5_2_030EB16B
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_0305516C	5_2_0305516C
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_0300F172	5_2_0300F172
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_0302B1B0	5_2_0302B1B0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_030CF0CC	5_2_030CF0CC
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_030270C0	5_2_030270C0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_030D70E9	5_2_030D70E9
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_030DF0E0	5_2_030DF0E0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_030DF7B0	5_2_030DF7B0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_03065630	5_2_03065630
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_030D16CC	5_2_030D16CC
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_030D7571	5_2_030D7571
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_030BD5B0	5_2_030BD5B0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_030E95C3	5_2_030E95C3
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_030DF43F	5_2_030DF43F
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_03011460	5_2_03011460
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_030DFB76	5_2_030DFB76
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_0303FB80	5_2_0303FB80
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_03095BF0	5_2_03095BF0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_0305DBF9	5_2_0305DBF9
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_030DFA49	5_2_030DFA49
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_030D7A46	5_2_030D7A46
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_03093A6C	5_2_03093A6C
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_03065AA0	5_2_03065AA0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_030BDAAC	5_2_030BDAAC
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_030C1AA3	5_2_030C1AA3
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_030CDAC6	5_2_030CDAC6
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_030B5910	5_2_030B5910
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_03029950	5_2_03029950
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_0303B950	5_2_0303B950
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_0308D800	5_2_0308D800
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_030238E0	5_2_030238E0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_030DFF09	5_2_030DFF09
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_03021F92	5_2_03021F92
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_030DFFB1	5_2_030DFFB1
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_02FE3FD5	5_2_02FE3FD5
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_02FE3FD2	5_2_02FE3FD2
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_03029EB0	5_2_03029EB0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_03023D40	5_2_03023D40
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_030D1D5A	5_2_030D1D5A
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_030D7D73	5_2_030D7D73
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_0303FDC0	5_2_0303FDC0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_03099C32	5_2_03099C32
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_030DFCF2	5_2_030DFCF2
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_005DC3A6	5_2_005DC3A6
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_005DE819	5_2_005DE819
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_005DEB51	5_2_005DEB51
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_005C2D90	5_2_005C2D90
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_005C2D87	5_2_005C2D87
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_005C9E50	5_2_005C9E50
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_005C9E4C	5_2_005C9E4C
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_005C2FB0	5_2_005C2FB0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_02D8A036	5_2_02D8A036
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_02D8B232	5_2_02D8B232
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_02D85B30	5_2_02D85B30
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_02D85B32	5_2_02D85B32
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_02D81082	5_2_02D81082
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_02D88912	5_2_02D88912
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_02D8E5CD	5_2_02D8E5CD
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_02D82D02	5_2_02D82D02

Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: String function: 03055130 appears 58 times
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: String function: 0309F290 appears 105 times
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: String function: 0308EA12 appears 86 times
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: String function: 03067E54 appears 111 times
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: String function: 0300B970 appears 280 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 0312B970 appears 280 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03175130 appears 58 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 031BF290 appears 105 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03187E54 appears 102 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 031AEA12 appears 86 times
Source: C:\Users\user\Desktop\PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe	Code function: String function: 00470C63 appears 70 times
Source: C:\Users\user\Desktop\PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe	Code function: String function: 00478A80 appears 42 times
Source: C:\Users\user\Desktop\PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe	Code function: String function: 00457F41 appears 35 times

Source: PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe, 00000000.00000003.840361357.0000000003A4D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe
Source: PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe, 00000000.00000003.838842030.00000000038A3000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe

Source: PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 0.2.PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe.17f0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0.2.PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe.17f0000.1.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe.17f0000.1.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe.17f0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0.2.PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe.17f0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe.17f0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.svchost.exe.2710000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.2.svchost.exe.2710000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.svchost.exe.2710000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.3295469220.00000000005C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.3295469220.00000000005C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.3295469220.00000000005C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.3296651683.0000000000BA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.3296651683.0000000000BA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.3296651683.0000000000BA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.841980287.00000000017F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.841980287.00000000017F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.841980287.00000000017F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.894587889.0000000003050000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.894587889.0000000003050000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.894587889.0000000003050000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.894477972.0000000002DD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.894477972.0000000002DD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.894477972.0000000002DD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.3313873944.0000000010CBA000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_772cc62d os = windows, severity = x86, creation_date = 2022-05-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8343b5d02d74791ba2d5d52d19a759f761de2b5470d935000bc27ea6c0633f5, id = 772cc62d-345c-42d8-97ab-f67e447ddca4, last_modified = 2022-07-18
Source: 00000005.00000002.3296308616.0000000000B60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.3296308616.0000000000B60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.3296308616.0000000000B60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.894090641.0000000002711000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.894090641.0000000002711000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.894090641.0000000002711000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe PID: 6968, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: svchost.exe PID: 2184, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: NETSTAT.EXE PID: 3888, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.evad.winEXE@118/2@11/3

Source: C:\Users\user\Desktop\PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe

Code function: 0_2_004BA0F4 GetLastError,FormatMessageW,

0_2_004BA0F4

Source: C:\Users\user\Desktop\PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe	Code function: 0_2_004A84F3 AdjustTokenPrivileges,CloseHandle,	0_2_004A84F3
Source: C:\Users\user\Desktop\PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe	Code function: 0_2_004A8AA3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	0_2_004A8AA3
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_00C71CFC GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,CloseHandle,	5_2_00C71CFC
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_00C71C89 GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,CloseHandle,	5_2_00C71C89

Source: C:\Users\user\Desktop\PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe

Code function: 0_2_004BB3BF SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_004BB3BF

Source: C:\Users\user\Desktop\PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe

Code function: 0_2_004CEF21 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_004CEF21

Source: C:\Users\user\Desktop\PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe

Code function: 0_2_004BC423 CoInitialize,CoCreateInstance,CoUninitialize,

0_2_004BC423

Source: C:\Users\user\Desktop\PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe

Code function: 0_2_00454FE9 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00454FE9

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5248:120:WilError_03

Source: C:\Users\user\Desktop\PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe

File created: C:\Users\user\AppData\Local\Temp\aut603E.tmp

Jump to behavior

Source: PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe	Virustotal: Detection: 49%
Source: PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe	ReversingLabs: Detection: 52%

Source: unknown	Process created: C:\Users\user\Desktop\PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe "C:\Users\user\Desktop\PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe"
Source: C:\Users\user\Desktop\PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\autofmt.exe "C:\Windows\SysWOW64\autofmt.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\NETSTAT.EXE "C:\Windows\SysWOW64\NETSTAT.EXE"
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\svchost.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\autofmt.exe "C:\Windows\SysWOW64\autofmt.exe"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\NETSTAT.EXE "C:\Windows\SysWOW64\NETSTAT.EXE"	Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\svchost.exe"	Jump to behavior

Source: C:\Users\user\Desktop\PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wscinterop.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wscapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: werconcpl.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wer.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: hcproviders.dll	Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Section loaded: snmpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Section loaded: wininet.dll	Jump to behavior

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{50CE75BC-766C-4136-BF5E-9197AA23569E}\InProcServer32

Jump to behavior

Source: PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe

Static file information: File size 1078784 > 1048576

Source: PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: netstat.pdbGCTL source: svchost.exe, 00000002.00000002.894632128.0000000003080000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000002.00000003.893846981.0000000002A1B000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 00000005.00000002.3296971298.0000000000C70000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: netstat.pdb source: svchost.exe, 00000002.00000002.894632128.0000000003080000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000002.00000003.893846981.0000000002A1B000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, NETSTAT.EXE, 00000005.00000002.3296971298.0000000000C70000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe, 00000000.00000003.839198954.0000000003780000.00000004.00001000.00020000.00000000.sdmp, PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe, 00000000.00000003.841143297.0000000003920000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.841239989.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.842908930.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.894723174.000000000329E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.894723174.0000000003100000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 00000005.00000003.894304896.0000000002C85000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 00000005.00000002.3297780201.000000000317E000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 00000005.00000002.3297780201.0000000002FE0000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 00000005.00000003.896029471.0000000002E3A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe, 00000000.00000003.839198954.0000000003780000.00000004.00001000.00020000.00000000.sdmp, PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe, 00000000.00000003.841143297.0000000003920000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.841239989.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.842908930.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.894723174.000000000329E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.894723174.0000000003100000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, NETSTAT.EXE, 00000005.00000003.894304896.0000000002C85000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 00000005.00000002.3297780201.000000000317E000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 00000005.00000002.3297780201.0000000002FE0000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 00000005.00000003.896029471.0000000002E3A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: explorer.exe, 00000003.00000002.3313518455.000000001041F000.00000004.80000000.00040000.00000000.sdmp, NETSTAT.EXE, 00000005.00000002.3299270717.000000000352F000.00000004.10000000.00040000.00000000.sdmp, NETSTAT.EXE, 00000005.00000002.3295932656.0000000000922000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: explorer.exe, 00000003.00000002.3313518455.000000001041F000.00000004.80000000.00040000.00000000.sdmp, NETSTAT.EXE, 00000005.00000002.3299270717.000000000352F000.00000004.10000000.00040000.00000000.sdmp, NETSTAT.EXE, 00000005.00000002.3295932656.0000000000922000.00000004.00000020.00020000.00000000.sdmp

Source: PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe

Code function: 0_2_004CC104 LoadLibraryA,GetProcAddress,

0_2_004CC104

Source: C:\Users\user\Desktop\PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe	Code function: 0_2_00478AC5 push ecx; ret	0_2_00478AD8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031309AD push ecx; mov dword ptr [esp], ecx	2_2_031309B6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0272662E push 80DBA100h; retf	2_2_02726634
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02716E68 pushad ; iretd	2_2_02716E69
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02727154 push ebx; iretd	2_2_02727156
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0272D475 push eax; ret	2_2_0272D4C8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0272D4C2 push eax; ret	2_2_0272D4C8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0272D4CB push eax; ret	2_2_0272D532
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0272D52C push eax; ret	2_2_0272D532
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02717935 push ebp; iretd	2_2_02717936
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030BEB02 push esp; retn 0000h	2_2_030BEB03
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030BEB1E push esp; retn 0000h	2_2_030BEB1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030BE9B5 push esp; retn 0000h	2_2_030BEAE7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C0FB6 push eax; ret	2_2_030C0FB8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C0FEF push ss; ret	2_2_030C0FF0
Source: C:\Windows\explorer.exe	Code function: 3_2_0E926FB6 push eax; ret	3_2_0E926FB8
Source: C:\Windows\explorer.exe	Code function: 3_2_0E926FEF push ss; ret	3_2_0E926FF0
Source: C:\Windows\explorer.exe	Code function: 3_2_0E924B1E push esp; retn 0000h	3_2_0E924B1F
Source: C:\Windows\explorer.exe	Code function: 3_2_0E924B02 push esp; retn 0000h	3_2_0E924B03
Source: C:\Windows\explorer.exe	Code function: 3_2_0E9249B5 push esp; retn 0000h	3_2_0E924AE7
Source: C:\Windows\explorer.exe	Code function: 3_2_10CA7FEF push ss; ret	3_2_10CA7FF0
Source: C:\Windows\explorer.exe	Code function: 3_2_10CA7FB6 push eax; ret	3_2_10CA7FB8
Source: C:\Windows\explorer.exe	Code function: 3_2_10CA59B5 push esp; retn 0000h	3_2_10CA5AE7
Source: C:\Windows\explorer.exe	Code function: 3_2_10CA5B02 push esp; retn 0000h	3_2_10CA5B03
Source: C:\Windows\explorer.exe	Code function: 3_2_10CA5B1E push esp; retn 0000h	3_2_10CA5B1F
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_00C760DD push ecx; ret	5_2_00C760F0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_02FE225F pushad ; ret	5_2_02FE27F9
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_02FE27FA pushad ; ret	5_2_02FE27F9
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_030109AD push ecx; mov dword ptr [esp], ecx	5_2_030109B6
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_02FE283D push eax; iretd	5_2_02FE2858
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_02FE1368 push eax; iretd	5_2_02FE1369

Source: C:\Users\user\Desktop\PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe	Code function: 0_2_00454A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00454A35
Source: C:\Users\user\Desktop\PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe	Code function: 0_2_004D53DF IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_004D53DF

Source: C:\Users\user\Desktop\PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe

Code function: 0_2_00473307 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00473307

Source: C:\Users\user\Desktop\PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe	API/Special instruction interceptor: Address: E43244
Source: C:\Windows\SysWOW64\svchost.exe	API/Special instruction interceptor: Address: 7FF9B762D324
Source: C:\Windows\SysWOW64\svchost.exe	API/Special instruction interceptor: Address: 7FF9B7630774
Source: C:\Windows\SysWOW64\svchost.exe	API/Special instruction interceptor: Address: 7FF9B7630154
Source: C:\Windows\SysWOW64\svchost.exe	API/Special instruction interceptor: Address: 7FF9B762D8A4
Source: C:\Windows\SysWOW64\svchost.exe	API/Special instruction interceptor: Address: 7FF9B762DA44
Source: C:\Windows\SysWOW64\svchost.exe	API/Special instruction interceptor: Address: 7FF9B762D1E4
Source: C:\Windows\SysWOW64\NETSTAT.EXE	API/Special instruction interceptor: Address: 7FF9B762D324
Source: C:\Windows\SysWOW64\NETSTAT.EXE	API/Special instruction interceptor: Address: 7FF9B7630774
Source: C:\Windows\SysWOW64\NETSTAT.EXE	API/Special instruction interceptor: Address: 7FF9B762D944
Source: C:\Windows\SysWOW64\NETSTAT.EXE	API/Special instruction interceptor: Address: 7FF9B762D504
Source: C:\Windows\SysWOW64\NETSTAT.EXE	API/Special instruction interceptor: Address: 7FF9B762D544
Source: C:\Windows\SysWOW64\NETSTAT.EXE	API/Special instruction interceptor: Address: 7FF9B762D1E4
Source: C:\Windows\SysWOW64\NETSTAT.EXE	API/Special instruction interceptor: Address: 7FF9B7630154
Source: C:\Windows\SysWOW64\NETSTAT.EXE	API/Special instruction interceptor: Address: 7FF9B762D8A4
Source: C:\Windows\SysWOW64\NETSTAT.EXE	API/Special instruction interceptor: Address: 7FF9B762DA44

Tries to detect virtualization through RDTSC time measurements

Source: C:\Windows\SysWOW64\svchost.exe	RDTSC instruction interceptor: First address: 2719904 second address: 271990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\svchost.exe	RDTSC instruction interceptor: First address: 2719B6E second address: 2719B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\NETSTAT.EXE	RDTSC instruction interceptor: First address: 5C9904 second address: 5C990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\NETSTAT.EXE	RDTSC instruction interceptor: First address: 5C9B6E second address: 5C9B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_0317096E rdtsc

2_2_0317096E

Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 8781	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 1170	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 877	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 875	Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Window / User API: threadDelayed 9834	Jump to behavior

Source: C:\Windows\explorer.exe

Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

Source: C:\Users\user\Desktop\PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-98663

Source: C:\Users\user\Desktop\PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe	API coverage: 5.6 %
Source: C:\Windows\SysWOW64\svchost.exe	API coverage: 2.1 %
Source: C:\Windows\SysWOW64\NETSTAT.EXE	API coverage: 2.0 %

Source: C:\Windows\explorer.exe TID: 6896	Thread sleep count: 8781 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 6896	Thread sleep time: -17562000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 6896	Thread sleep count: 1170 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 6896	Thread sleep time: -2340000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE TID: 5608	Thread sleep count: 137 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE TID: 5608	Thread sleep time: -274000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE TID: 5608	Thread sleep count: 9834 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE TID: 5608	Thread sleep time: -19668000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\NETSTAT.EXE	Last function: Thread delayed
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Last function: Thread delayed

Source: C:\Users\user\Desktop\PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe	Code function: 0_2_004B449B GetFileAttributesW,FindFirstFileW,FindClose,	0_2_004B449B
Source: C:\Users\user\Desktop\PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe	Code function: 0_2_004BC75D FindFirstFileW,FindClose,	0_2_004BC75D
Source: C:\Users\user\Desktop\PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe	Code function: 0_2_004BC7E8 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_004BC7E8
Source: C:\Users\user\Desktop\PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe	Code function: 0_2_004BF021 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_004BF021
Source: C:\Users\user\Desktop\PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe	Code function: 0_2_004BF17E SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_004BF17E
Source: C:\Users\user\Desktop\PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe	Code function: 0_2_004BF47F FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_004BF47F
Source: C:\Users\user\Desktop\PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe	Code function: 0_2_004B3833 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_004B3833
Source: C:\Users\user\Desktop\PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe	Code function: 0_2_004B3B56 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_004B3B56
Source: C:\Users\user\Desktop\PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe	Code function: 0_2_004BBD48 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_004BBD48

Source: C:\Users\user\Desktop\PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe

Code function: 0_2_00454AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00454AFE

Source: explorer.exe, 00000003.00000000.851459888.0000000000BA0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Prod_VMware_SATA
Source: explorer.exe, 00000003.00000000.852563514.00000000031ED000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000bb'
Source: explorer.exe, 00000003.00000000.856097071.00000000097CB000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}$
Source: explorer.exe, 00000003.00000003.2625911286.00000000098F3000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: 11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}CA
Source: explorer.exe, 00000003.00000000.856097071.0000000009840000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000003.00000003.2622496794.000000000974B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00_
Source: explorer.exe, 00000003.00000000.851459888.0000000000BD9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000_
Source: explorer.exe, 00000003.00000000.856097071.00000000097CB000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NXTVMWare
Source: explorer.exe, 00000003.00000000.855397204.00000000095B2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3307140059.00000000095B2000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWt mouse
Source: explorer.exe, 00000003.00000000.852563514.00000000031A0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware Virtual RAM00000001
Source: explorer.exe, 00000003.00000002.3307140059.00000000096DF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.855397204.0000000009741000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3307140059.0000000009741000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.855397204.00000000096DF000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000003.00000003.3075936356.000000000986D000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: explorer.exe, 00000003.00000000.852563514.00000000031A0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware Virtual RAM
Source: explorer.exe, 00000003.00000000.851459888.0000000000BD9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: #CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Ji
Source: explorer.exe, 00000003.00000000.851459888.0000000000BD9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000o
Source: explorer.exe, 00000003.00000002.3311301585.000000000C1CD000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: War&Prod_VMware_SATA`m
Source: explorer.exe, 00000003.00000000.856097071.00000000097CB000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000003.00000002.3302776679.0000000007386000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Windows\SysWOW64\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_0317096E rdtsc

2_2_0317096E

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_03172B60 NtClose,LdrInitializeThunk,

2_2_03172B60

Source: C:\Users\user\Desktop\PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe

Code function: 0_2_004C401F BlockInput,

0_2_004C401F

Source: C:\Users\user\Desktop\PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe

Code function: 0_2_00453B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00453B4C

Source: C:\Users\user\Desktop\PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe

Code function: 0_2_00485BFC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_00485BFC

Source: C:\Users\user\Desktop\PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe

Code function: 0_2_004CC104 LoadLibraryA,GetProcAddress,

0_2_004CC104

Source: C:\Users\user\Desktop\PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe	Code function: 0_2_00E434B0 mov eax, dword ptr fs:[00000030h]	0_2_00E434B0
Source: C:\Users\user\Desktop\PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe	Code function: 0_2_00E43510 mov eax, dword ptr fs:[00000030h]	0_2_00E43510
Source: C:\Users\user\Desktop\PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe	Code function: 0_2_00E41E70 mov eax, dword ptr fs:[00000030h]	0_2_00E41E70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0312C310 mov ecx, dword ptr fs:[00000030h]	2_2_0312C310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03150310 mov ecx, dword ptr fs:[00000030h]	2_2_03150310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0316A30B mov eax, dword ptr fs:[00000030h]	2_2_0316A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0316A30B mov eax, dword ptr fs:[00000030h]	2_2_0316A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0316A30B mov eax, dword ptr fs:[00000030h]	2_2_0316A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B035C mov eax, dword ptr fs:[00000030h]	2_2_031B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B035C mov eax, dword ptr fs:[00000030h]	2_2_031B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B035C mov eax, dword ptr fs:[00000030h]	2_2_031B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B035C mov ecx, dword ptr fs:[00000030h]	2_2_031B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B035C mov eax, dword ptr fs:[00000030h]	2_2_031B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B035C mov eax, dword ptr fs:[00000030h]	2_2_031B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031FA352 mov eax, dword ptr fs:[00000030h]	2_2_031FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031D8350 mov ecx, dword ptr fs:[00000030h]	2_2_031D8350
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B2349 mov eax, dword ptr fs:[00000030h]	2_2_031B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B2349 mov eax, dword ptr fs:[00000030h]	2_2_031B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B2349 mov eax, dword ptr fs:[00000030h]	2_2_031B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B2349 mov eax, dword ptr fs:[00000030h]	2_2_031B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B2349 mov eax, dword ptr fs:[00000030h]	2_2_031B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B2349 mov eax, dword ptr fs:[00000030h]	2_2_031B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B2349 mov eax, dword ptr fs:[00000030h]	2_2_031B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B2349 mov eax, dword ptr fs:[00000030h]	2_2_031B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B2349 mov eax, dword ptr fs:[00000030h]	2_2_031B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B2349 mov eax, dword ptr fs:[00000030h]	2_2_031B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B2349 mov eax, dword ptr fs:[00000030h]	2_2_031B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B2349 mov eax, dword ptr fs:[00000030h]	2_2_031B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B2349 mov eax, dword ptr fs:[00000030h]	2_2_031B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B2349 mov eax, dword ptr fs:[00000030h]	2_2_031B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B2349 mov eax, dword ptr fs:[00000030h]	2_2_031B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031D437C mov eax, dword ptr fs:[00000030h]	2_2_031D437C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03128397 mov eax, dword ptr fs:[00000030h]	2_2_03128397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03128397 mov eax, dword ptr fs:[00000030h]	2_2_03128397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03128397 mov eax, dword ptr fs:[00000030h]	2_2_03128397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0312E388 mov eax, dword ptr fs:[00000030h]	2_2_0312E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0312E388 mov eax, dword ptr fs:[00000030h]	2_2_0312E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0312E388 mov eax, dword ptr fs:[00000030h]	2_2_0312E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0315438F mov eax, dword ptr fs:[00000030h]	2_2_0315438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0315438F mov eax, dword ptr fs:[00000030h]	2_2_0315438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031DE3DB mov eax, dword ptr fs:[00000030h]	2_2_031DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031DE3DB mov eax, dword ptr fs:[00000030h]	2_2_031DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031DE3DB mov ecx, dword ptr fs:[00000030h]	2_2_031DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031DE3DB mov eax, dword ptr fs:[00000030h]	2_2_031DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031D43D4 mov eax, dword ptr fs:[00000030h]	2_2_031D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031D43D4 mov eax, dword ptr fs:[00000030h]	2_2_031D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031EC3CD mov eax, dword ptr fs:[00000030h]	2_2_031EC3CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0313A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0313A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0313A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0313A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0313A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0313A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0313A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0313A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0313A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0313A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0313A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0313A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031383C0 mov eax, dword ptr fs:[00000030h]	2_2_031383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031383C0 mov eax, dword ptr fs:[00000030h]	2_2_031383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031383C0 mov eax, dword ptr fs:[00000030h]	2_2_031383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031383C0 mov eax, dword ptr fs:[00000030h]	2_2_031383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B63C0 mov eax, dword ptr fs:[00000030h]	2_2_031B63C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0314E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0314E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0314E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0314E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0314E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0314E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031663FF mov eax, dword ptr fs:[00000030h]	2_2_031663FF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031403E9 mov eax, dword ptr fs:[00000030h]	2_2_031403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031403E9 mov eax, dword ptr fs:[00000030h]	2_2_031403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031403E9 mov eax, dword ptr fs:[00000030h]	2_2_031403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031403E9 mov eax, dword ptr fs:[00000030h]	2_2_031403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031403E9 mov eax, dword ptr fs:[00000030h]	2_2_031403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031403E9 mov eax, dword ptr fs:[00000030h]	2_2_031403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031403E9 mov eax, dword ptr fs:[00000030h]	2_2_031403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031403E9 mov eax, dword ptr fs:[00000030h]	2_2_031403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0312823B mov eax, dword ptr fs:[00000030h]	2_2_0312823B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0312A250 mov eax, dword ptr fs:[00000030h]	2_2_0312A250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03136259 mov eax, dword ptr fs:[00000030h]	2_2_03136259
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031EA250 mov eax, dword ptr fs:[00000030h]	2_2_031EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031EA250 mov eax, dword ptr fs:[00000030h]	2_2_031EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B8243 mov eax, dword ptr fs:[00000030h]	2_2_031B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B8243 mov ecx, dword ptr fs:[00000030h]	2_2_031B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031E0274 mov eax, dword ptr fs:[00000030h]	2_2_031E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031E0274 mov eax, dword ptr fs:[00000030h]	2_2_031E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031E0274 mov eax, dword ptr fs:[00000030h]	2_2_031E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031E0274 mov eax, dword ptr fs:[00000030h]	2_2_031E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031E0274 mov eax, dword ptr fs:[00000030h]	2_2_031E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031E0274 mov eax, dword ptr fs:[00000030h]	2_2_031E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031E0274 mov eax, dword ptr fs:[00000030h]	2_2_031E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031E0274 mov eax, dword ptr fs:[00000030h]	2_2_031E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031E0274 mov eax, dword ptr fs:[00000030h]	2_2_031E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031E0274 mov eax, dword ptr fs:[00000030h]	2_2_031E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031E0274 mov eax, dword ptr fs:[00000030h]	2_2_031E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031E0274 mov eax, dword ptr fs:[00000030h]	2_2_031E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03134260 mov eax, dword ptr fs:[00000030h]	2_2_03134260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03134260 mov eax, dword ptr fs:[00000030h]	2_2_03134260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03134260 mov eax, dword ptr fs:[00000030h]	2_2_03134260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0312826B mov eax, dword ptr fs:[00000030h]	2_2_0312826B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0316E284 mov eax, dword ptr fs:[00000030h]	2_2_0316E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0316E284 mov eax, dword ptr fs:[00000030h]	2_2_0316E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B0283 mov eax, dword ptr fs:[00000030h]	2_2_031B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B0283 mov eax, dword ptr fs:[00000030h]	2_2_031B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B0283 mov eax, dword ptr fs:[00000030h]	2_2_031B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031402A0 mov eax, dword ptr fs:[00000030h]	2_2_031402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031402A0 mov eax, dword ptr fs:[00000030h]	2_2_031402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031C62A0 mov eax, dword ptr fs:[00000030h]	2_2_031C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031C62A0 mov ecx, dword ptr fs:[00000030h]	2_2_031C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031C62A0 mov eax, dword ptr fs:[00000030h]	2_2_031C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031C62A0 mov eax, dword ptr fs:[00000030h]	2_2_031C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031C62A0 mov eax, dword ptr fs:[00000030h]	2_2_031C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031C62A0 mov eax, dword ptr fs:[00000030h]	2_2_031C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0313A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0313A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0313A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0313A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0313A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0313A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0313A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0313A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0313A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0313A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031402E1 mov eax, dword ptr fs:[00000030h]	2_2_031402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031402E1 mov eax, dword ptr fs:[00000030h]	2_2_031402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031402E1 mov eax, dword ptr fs:[00000030h]	2_2_031402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031DA118 mov ecx, dword ptr fs:[00000030h]	2_2_031DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031DA118 mov eax, dword ptr fs:[00000030h]	2_2_031DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031DA118 mov eax, dword ptr fs:[00000030h]	2_2_031DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031DA118 mov eax, dword ptr fs:[00000030h]	2_2_031DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031F0115 mov eax, dword ptr fs:[00000030h]	2_2_031F0115
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031DE10E mov eax, dword ptr fs:[00000030h]	2_2_031DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031DE10E mov ecx, dword ptr fs:[00000030h]	2_2_031DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031DE10E mov eax, dword ptr fs:[00000030h]	2_2_031DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031DE10E mov eax, dword ptr fs:[00000030h]	2_2_031DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031DE10E mov ecx, dword ptr fs:[00000030h]	2_2_031DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031DE10E mov eax, dword ptr fs:[00000030h]	2_2_031DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031DE10E mov eax, dword ptr fs:[00000030h]	2_2_031DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031DE10E mov ecx, dword ptr fs:[00000030h]	2_2_031DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031DE10E mov eax, dword ptr fs:[00000030h]	2_2_031DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031DE10E mov ecx, dword ptr fs:[00000030h]	2_2_031DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03160124 mov eax, dword ptr fs:[00000030h]	2_2_03160124
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0312C156 mov eax, dword ptr fs:[00000030h]	2_2_0312C156
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031C8158 mov eax, dword ptr fs:[00000030h]	2_2_031C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03136154 mov eax, dword ptr fs:[00000030h]	2_2_03136154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03136154 mov eax, dword ptr fs:[00000030h]	2_2_03136154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031C4144 mov eax, dword ptr fs:[00000030h]	2_2_031C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031C4144 mov eax, dword ptr fs:[00000030h]	2_2_031C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031C4144 mov ecx, dword ptr fs:[00000030h]	2_2_031C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031C4144 mov eax, dword ptr fs:[00000030h]	2_2_031C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031C4144 mov eax, dword ptr fs:[00000030h]	2_2_031C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B019F mov eax, dword ptr fs:[00000030h]	2_2_031B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B019F mov eax, dword ptr fs:[00000030h]	2_2_031B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B019F mov eax, dword ptr fs:[00000030h]	2_2_031B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B019F mov eax, dword ptr fs:[00000030h]	2_2_031B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0312A197 mov eax, dword ptr fs:[00000030h]	2_2_0312A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0312A197 mov eax, dword ptr fs:[00000030h]	2_2_0312A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0312A197 mov eax, dword ptr fs:[00000030h]	2_2_0312A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03170185 mov eax, dword ptr fs:[00000030h]	2_2_03170185
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031EC188 mov eax, dword ptr fs:[00000030h]	2_2_031EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031EC188 mov eax, dword ptr fs:[00000030h]	2_2_031EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031D4180 mov eax, dword ptr fs:[00000030h]	2_2_031D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031D4180 mov eax, dword ptr fs:[00000030h]	2_2_031D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032061E5 mov eax, dword ptr fs:[00000030h]	2_2_032061E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_031AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_031AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031AE1D0 mov ecx, dword ptr fs:[00000030h]	2_2_031AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_031AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_031AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031F61C3 mov eax, dword ptr fs:[00000030h]	2_2_031F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031F61C3 mov eax, dword ptr fs:[00000030h]	2_2_031F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031601F8 mov eax, dword ptr fs:[00000030h]	2_2_031601F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0314E016 mov eax, dword ptr fs:[00000030h]	2_2_0314E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0314E016 mov eax, dword ptr fs:[00000030h]	2_2_0314E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0314E016 mov eax, dword ptr fs:[00000030h]	2_2_0314E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0314E016 mov eax, dword ptr fs:[00000030h]	2_2_0314E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B4000 mov ecx, dword ptr fs:[00000030h]	2_2_031B4000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031D2000 mov eax, dword ptr fs:[00000030h]	2_2_031D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031D2000 mov eax, dword ptr fs:[00000030h]	2_2_031D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031D2000 mov eax, dword ptr fs:[00000030h]	2_2_031D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031D2000 mov eax, dword ptr fs:[00000030h]	2_2_031D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031D2000 mov eax, dword ptr fs:[00000030h]	2_2_031D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031D2000 mov eax, dword ptr fs:[00000030h]	2_2_031D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031D2000 mov eax, dword ptr fs:[00000030h]	2_2_031D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031D2000 mov eax, dword ptr fs:[00000030h]	2_2_031D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031C6030 mov eax, dword ptr fs:[00000030h]	2_2_031C6030
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0312A020 mov eax, dword ptr fs:[00000030h]	2_2_0312A020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0312C020 mov eax, dword ptr fs:[00000030h]	2_2_0312C020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03132050 mov eax, dword ptr fs:[00000030h]	2_2_03132050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B6050 mov eax, dword ptr fs:[00000030h]	2_2_031B6050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0315C073 mov eax, dword ptr fs:[00000030h]	2_2_0315C073
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0313208A mov eax, dword ptr fs:[00000030h]	2_2_0313208A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031F60B8 mov eax, dword ptr fs:[00000030h]	2_2_031F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031F60B8 mov ecx, dword ptr fs:[00000030h]	2_2_031F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031C80A8 mov eax, dword ptr fs:[00000030h]	2_2_031C80A8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B20DE mov eax, dword ptr fs:[00000030h]	2_2_031B20DE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0312C0F0 mov eax, dword ptr fs:[00000030h]	2_2_0312C0F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031720F0 mov ecx, dword ptr fs:[00000030h]	2_2_031720F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0312A0E3 mov ecx, dword ptr fs:[00000030h]	2_2_0312A0E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031380E9 mov eax, dword ptr fs:[00000030h]	2_2_031380E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B60E0 mov eax, dword ptr fs:[00000030h]	2_2_031B60E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03130710 mov eax, dword ptr fs:[00000030h]	2_2_03130710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03160710 mov eax, dword ptr fs:[00000030h]	2_2_03160710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0316C700 mov eax, dword ptr fs:[00000030h]	2_2_0316C700
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0316273C mov eax, dword ptr fs:[00000030h]	2_2_0316273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0316273C mov ecx, dword ptr fs:[00000030h]	2_2_0316273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0316273C mov eax, dword ptr fs:[00000030h]	2_2_0316273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031AC730 mov eax, dword ptr fs:[00000030h]	2_2_031AC730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0316C720 mov eax, dword ptr fs:[00000030h]	2_2_0316C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0316C720 mov eax, dword ptr fs:[00000030h]	2_2_0316C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03130750 mov eax, dword ptr fs:[00000030h]	2_2_03130750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031BE75D mov eax, dword ptr fs:[00000030h]	2_2_031BE75D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03172750 mov eax, dword ptr fs:[00000030h]	2_2_03172750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03172750 mov eax, dword ptr fs:[00000030h]	2_2_03172750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B4755 mov eax, dword ptr fs:[00000030h]	2_2_031B4755
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0316674D mov esi, dword ptr fs:[00000030h]	2_2_0316674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0316674D mov eax, dword ptr fs:[00000030h]	2_2_0316674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0316674D mov eax, dword ptr fs:[00000030h]	2_2_0316674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03138770 mov eax, dword ptr fs:[00000030h]	2_2_03138770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03140770 mov eax, dword ptr fs:[00000030h]	2_2_03140770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03140770 mov eax, dword ptr fs:[00000030h]	2_2_03140770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03140770 mov eax, dword ptr fs:[00000030h]	2_2_03140770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03140770 mov eax, dword ptr fs:[00000030h]	2_2_03140770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03140770 mov eax, dword ptr fs:[00000030h]	2_2_03140770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03140770 mov eax, dword ptr fs:[00000030h]	2_2_03140770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03140770 mov eax, dword ptr fs:[00000030h]	2_2_03140770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03140770 mov eax, dword ptr fs:[00000030h]	2_2_03140770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03140770 mov eax, dword ptr fs:[00000030h]	2_2_03140770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03140770 mov eax, dword ptr fs:[00000030h]	2_2_03140770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03140770 mov eax, dword ptr fs:[00000030h]	2_2_03140770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03140770 mov eax, dword ptr fs:[00000030h]	2_2_03140770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031D678E mov eax, dword ptr fs:[00000030h]	2_2_031D678E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031307AF mov eax, dword ptr fs:[00000030h]	2_2_031307AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031E47A0 mov eax, dword ptr fs:[00000030h]	2_2_031E47A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0313C7C0 mov eax, dword ptr fs:[00000030h]	2_2_0313C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B07C3 mov eax, dword ptr fs:[00000030h]	2_2_031B07C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031347FB mov eax, dword ptr fs:[00000030h]	2_2_031347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031347FB mov eax, dword ptr fs:[00000030h]	2_2_031347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031527ED mov eax, dword ptr fs:[00000030h]	2_2_031527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031527ED mov eax, dword ptr fs:[00000030h]	2_2_031527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031527ED mov eax, dword ptr fs:[00000030h]	2_2_031527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031BE7E1 mov eax, dword ptr fs:[00000030h]	2_2_031BE7E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03172619 mov eax, dword ptr fs:[00000030h]	2_2_03172619
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031AE609 mov eax, dword ptr fs:[00000030h]	2_2_031AE609
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0314260B mov eax, dword ptr fs:[00000030h]	2_2_0314260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0314260B mov eax, dword ptr fs:[00000030h]	2_2_0314260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0314260B mov eax, dword ptr fs:[00000030h]	2_2_0314260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0314260B mov eax, dword ptr fs:[00000030h]	2_2_0314260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0314260B mov eax, dword ptr fs:[00000030h]	2_2_0314260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0314260B mov eax, dword ptr fs:[00000030h]	2_2_0314260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0314260B mov eax, dword ptr fs:[00000030h]	2_2_0314260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0314E627 mov eax, dword ptr fs:[00000030h]	2_2_0314E627
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03166620 mov eax, dword ptr fs:[00000030h]	2_2_03166620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03168620 mov eax, dword ptr fs:[00000030h]	2_2_03168620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0313262C mov eax, dword ptr fs:[00000030h]	2_2_0313262C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0314C640 mov eax, dword ptr fs:[00000030h]	2_2_0314C640
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03162674 mov eax, dword ptr fs:[00000030h]	2_2_03162674
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031F866E mov eax, dword ptr fs:[00000030h]	2_2_031F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031F866E mov eax, dword ptr fs:[00000030h]	2_2_031F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0316A660 mov eax, dword ptr fs:[00000030h]	2_2_0316A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0316A660 mov eax, dword ptr fs:[00000030h]	2_2_0316A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03134690 mov eax, dword ptr fs:[00000030h]	2_2_03134690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03134690 mov eax, dword ptr fs:[00000030h]	2_2_03134690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031666B0 mov eax, dword ptr fs:[00000030h]	2_2_031666B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0316C6A6 mov eax, dword ptr fs:[00000030h]	2_2_0316C6A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0316A6C7 mov ebx, dword ptr fs:[00000030h]	2_2_0316A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0316A6C7 mov eax, dword ptr fs:[00000030h]	2_2_0316A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_031AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_031AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_031AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_031AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B06F1 mov eax, dword ptr fs:[00000030h]	2_2_031B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B06F1 mov eax, dword ptr fs:[00000030h]	2_2_031B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031C6500 mov eax, dword ptr fs:[00000030h]	2_2_031C6500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03204500 mov eax, dword ptr fs:[00000030h]	2_2_03204500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03204500 mov eax, dword ptr fs:[00000030h]	2_2_03204500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03204500 mov eax, dword ptr fs:[00000030h]	2_2_03204500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03204500 mov eax, dword ptr fs:[00000030h]	2_2_03204500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03204500 mov eax, dword ptr fs:[00000030h]	2_2_03204500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03204500 mov eax, dword ptr fs:[00000030h]	2_2_03204500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03204500 mov eax, dword ptr fs:[00000030h]	2_2_03204500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03140535 mov eax, dword ptr fs:[00000030h]	2_2_03140535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03140535 mov eax, dword ptr fs:[00000030h]	2_2_03140535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03140535 mov eax, dword ptr fs:[00000030h]	2_2_03140535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03140535 mov eax, dword ptr fs:[00000030h]	2_2_03140535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03140535 mov eax, dword ptr fs:[00000030h]	2_2_03140535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03140535 mov eax, dword ptr fs:[00000030h]	2_2_03140535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0315E53E mov eax, dword ptr fs:[00000030h]	2_2_0315E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0315E53E mov eax, dword ptr fs:[00000030h]	2_2_0315E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0315E53E mov eax, dword ptr fs:[00000030h]	2_2_0315E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0315E53E mov eax, dword ptr fs:[00000030h]	2_2_0315E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0315E53E mov eax, dword ptr fs:[00000030h]	2_2_0315E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03138550 mov eax, dword ptr fs:[00000030h]	2_2_03138550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03138550 mov eax, dword ptr fs:[00000030h]	2_2_03138550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0316656A mov eax, dword ptr fs:[00000030h]	2_2_0316656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0316656A mov eax, dword ptr fs:[00000030h]	2_2_0316656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0316656A mov eax, dword ptr fs:[00000030h]	2_2_0316656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0316E59C mov eax, dword ptr fs:[00000030h]	2_2_0316E59C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03132582 mov eax, dword ptr fs:[00000030h]	2_2_03132582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03132582 mov ecx, dword ptr fs:[00000030h]	2_2_03132582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03164588 mov eax, dword ptr fs:[00000030h]	2_2_03164588
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031545B1 mov eax, dword ptr fs:[00000030h]	2_2_031545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031545B1 mov eax, dword ptr fs:[00000030h]	2_2_031545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B05A7 mov eax, dword ptr fs:[00000030h]	2_2_031B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B05A7 mov eax, dword ptr fs:[00000030h]	2_2_031B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B05A7 mov eax, dword ptr fs:[00000030h]	2_2_031B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031365D0 mov eax, dword ptr fs:[00000030h]	2_2_031365D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0316A5D0 mov eax, dword ptr fs:[00000030h]	2_2_0316A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0316A5D0 mov eax, dword ptr fs:[00000030h]	2_2_0316A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0316E5CF mov eax, dword ptr fs:[00000030h]	2_2_0316E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0316E5CF mov eax, dword ptr fs:[00000030h]	2_2_0316E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0315E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0315E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0315E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0315E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0315E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0315E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0315E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0315E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0315E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0315E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0315E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0315E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0315E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0315E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0315E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0315E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031325E0 mov eax, dword ptr fs:[00000030h]	2_2_031325E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0316C5ED mov eax, dword ptr fs:[00000030h]	2_2_0316C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0316C5ED mov eax, dword ptr fs:[00000030h]	2_2_0316C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03168402 mov eax, dword ptr fs:[00000030h]	2_2_03168402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03168402 mov eax, dword ptr fs:[00000030h]	2_2_03168402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03168402 mov eax, dword ptr fs:[00000030h]	2_2_03168402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0316A430 mov eax, dword ptr fs:[00000030h]	2_2_0316A430
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0312E420 mov eax, dword ptr fs:[00000030h]	2_2_0312E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0312E420 mov eax, dword ptr fs:[00000030h]	2_2_0312E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0312E420 mov eax, dword ptr fs:[00000030h]	2_2_0312E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0312C427 mov eax, dword ptr fs:[00000030h]	2_2_0312C427
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B6420 mov eax, dword ptr fs:[00000030h]	2_2_031B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B6420 mov eax, dword ptr fs:[00000030h]	2_2_031B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B6420 mov eax, dword ptr fs:[00000030h]	2_2_031B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B6420 mov eax, dword ptr fs:[00000030h]	2_2_031B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B6420 mov eax, dword ptr fs:[00000030h]	2_2_031B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B6420 mov eax, dword ptr fs:[00000030h]	2_2_031B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B6420 mov eax, dword ptr fs:[00000030h]	2_2_031B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031EA456 mov eax, dword ptr fs:[00000030h]	2_2_031EA456
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0312645D mov eax, dword ptr fs:[00000030h]	2_2_0312645D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0315245A mov eax, dword ptr fs:[00000030h]	2_2_0315245A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0316E443 mov eax, dword ptr fs:[00000030h]	2_2_0316E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0316E443 mov eax, dword ptr fs:[00000030h]	2_2_0316E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0316E443 mov eax, dword ptr fs:[00000030h]	2_2_0316E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0316E443 mov eax, dword ptr fs:[00000030h]	2_2_0316E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0316E443 mov eax, dword ptr fs:[00000030h]	2_2_0316E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0316E443 mov eax, dword ptr fs:[00000030h]	2_2_0316E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0316E443 mov eax, dword ptr fs:[00000030h]	2_2_0316E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0316E443 mov eax, dword ptr fs:[00000030h]	2_2_0316E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0315A470 mov eax, dword ptr fs:[00000030h]	2_2_0315A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0315A470 mov eax, dword ptr fs:[00000030h]	2_2_0315A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0315A470 mov eax, dword ptr fs:[00000030h]	2_2_0315A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031BC460 mov ecx, dword ptr fs:[00000030h]	2_2_031BC460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031EA49A mov eax, dword ptr fs:[00000030h]	2_2_031EA49A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031644B0 mov ecx, dword ptr fs:[00000030h]	2_2_031644B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031BA4B0 mov eax, dword ptr fs:[00000030h]	2_2_031BA4B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031364AB mov eax, dword ptr fs:[00000030h]	2_2_031364AB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031304E5 mov ecx, dword ptr fs:[00000030h]	2_2_031304E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031AEB1D mov eax, dword ptr fs:[00000030h]	2_2_031AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031AEB1D mov eax, dword ptr fs:[00000030h]	2_2_031AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031AEB1D mov eax, dword ptr fs:[00000030h]	2_2_031AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031AEB1D mov eax, dword ptr fs:[00000030h]	2_2_031AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031AEB1D mov eax, dword ptr fs:[00000030h]	2_2_031AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031AEB1D mov eax, dword ptr fs:[00000030h]	2_2_031AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031AEB1D mov eax, dword ptr fs:[00000030h]	2_2_031AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031AEB1D mov eax, dword ptr fs:[00000030h]	2_2_031AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031AEB1D mov eax, dword ptr fs:[00000030h]	2_2_031AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0315EB20 mov eax, dword ptr fs:[00000030h]	2_2_0315EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0315EB20 mov eax, dword ptr fs:[00000030h]	2_2_0315EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031F8B28 mov eax, dword ptr fs:[00000030h]	2_2_031F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031F8B28 mov eax, dword ptr fs:[00000030h]	2_2_031F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031DEB50 mov eax, dword ptr fs:[00000030h]	2_2_031DEB50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031E4B4B mov eax, dword ptr fs:[00000030h]	2_2_031E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031E4B4B mov eax, dword ptr fs:[00000030h]	2_2_031E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031C6B40 mov eax, dword ptr fs:[00000030h]	2_2_031C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031C6B40 mov eax, dword ptr fs:[00000030h]	2_2_031C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031FAB40 mov eax, dword ptr fs:[00000030h]	2_2_031FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031D8B42 mov eax, dword ptr fs:[00000030h]	2_2_031D8B42
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0312CB7E mov eax, dword ptr fs:[00000030h]	2_2_0312CB7E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03140BBE mov eax, dword ptr fs:[00000030h]	2_2_03140BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03140BBE mov eax, dword ptr fs:[00000030h]	2_2_03140BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031E4BB0 mov eax, dword ptr fs:[00000030h]	2_2_031E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031E4BB0 mov eax, dword ptr fs:[00000030h]	2_2_031E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031DEBD0 mov eax, dword ptr fs:[00000030h]	2_2_031DEBD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03150BCB mov eax, dword ptr fs:[00000030h]	2_2_03150BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03150BCB mov eax, dword ptr fs:[00000030h]	2_2_03150BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03150BCB mov eax, dword ptr fs:[00000030h]	2_2_03150BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03130BCD mov eax, dword ptr fs:[00000030h]	2_2_03130BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03130BCD mov eax, dword ptr fs:[00000030h]	2_2_03130BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03130BCD mov eax, dword ptr fs:[00000030h]	2_2_03130BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03138BF0 mov eax, dword ptr fs:[00000030h]	2_2_03138BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03138BF0 mov eax, dword ptr fs:[00000030h]	2_2_03138BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03138BF0 mov eax, dword ptr fs:[00000030h]	2_2_03138BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0315EBFC mov eax, dword ptr fs:[00000030h]	2_2_0315EBFC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031BCBF0 mov eax, dword ptr fs:[00000030h]	2_2_031BCBF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031BCA11 mov eax, dword ptr fs:[00000030h]	2_2_031BCA11
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03154A35 mov eax, dword ptr fs:[00000030h]	2_2_03154A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03154A35 mov eax, dword ptr fs:[00000030h]	2_2_03154A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0316CA38 mov eax, dword ptr fs:[00000030h]	2_2_0316CA38
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0316CA24 mov eax, dword ptr fs:[00000030h]	2_2_0316CA24
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0315EA2E mov eax, dword ptr fs:[00000030h]	2_2_0315EA2E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03136A50 mov eax, dword ptr fs:[00000030h]	2_2_03136A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03136A50 mov eax, dword ptr fs:[00000030h]	2_2_03136A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03136A50 mov eax, dword ptr fs:[00000030h]	2_2_03136A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03136A50 mov eax, dword ptr fs:[00000030h]	2_2_03136A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03136A50 mov eax, dword ptr fs:[00000030h]	2_2_03136A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03136A50 mov eax, dword ptr fs:[00000030h]	2_2_03136A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03136A50 mov eax, dword ptr fs:[00000030h]	2_2_03136A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03140A5B mov eax, dword ptr fs:[00000030h]	2_2_03140A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03140A5B mov eax, dword ptr fs:[00000030h]	2_2_03140A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031ACA72 mov eax, dword ptr fs:[00000030h]	2_2_031ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031ACA72 mov eax, dword ptr fs:[00000030h]	2_2_031ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0316CA6F mov eax, dword ptr fs:[00000030h]	2_2_0316CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0316CA6F mov eax, dword ptr fs:[00000030h]	2_2_0316CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0316CA6F mov eax, dword ptr fs:[00000030h]	2_2_0316CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031DEA60 mov eax, dword ptr fs:[00000030h]	2_2_031DEA60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03168A90 mov edx, dword ptr fs:[00000030h]	2_2_03168A90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0313EA80 mov eax, dword ptr fs:[00000030h]	2_2_0313EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0313EA80 mov eax, dword ptr fs:[00000030h]	2_2_0313EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0313EA80 mov eax, dword ptr fs:[00000030h]	2_2_0313EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0313EA80 mov eax, dword ptr fs:[00000030h]	2_2_0313EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0313EA80 mov eax, dword ptr fs:[00000030h]	2_2_0313EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0313EA80 mov eax, dword ptr fs:[00000030h]	2_2_0313EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0313EA80 mov eax, dword ptr fs:[00000030h]	2_2_0313EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0313EA80 mov eax, dword ptr fs:[00000030h]	2_2_0313EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0313EA80 mov eax, dword ptr fs:[00000030h]	2_2_0313EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03204A80 mov eax, dword ptr fs:[00000030h]	2_2_03204A80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03138AA0 mov eax, dword ptr fs:[00000030h]	2_2_03138AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03138AA0 mov eax, dword ptr fs:[00000030h]	2_2_03138AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03186AA4 mov eax, dword ptr fs:[00000030h]	2_2_03186AA4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03130AD0 mov eax, dword ptr fs:[00000030h]	2_2_03130AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03164AD0 mov eax, dword ptr fs:[00000030h]	2_2_03164AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03164AD0 mov eax, dword ptr fs:[00000030h]	2_2_03164AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03186ACC mov eax, dword ptr fs:[00000030h]	2_2_03186ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03186ACC mov eax, dword ptr fs:[00000030h]	2_2_03186ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03186ACC mov eax, dword ptr fs:[00000030h]	2_2_03186ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0316AAEE mov eax, dword ptr fs:[00000030h]	2_2_0316AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0316AAEE mov eax, dword ptr fs:[00000030h]	2_2_0316AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031BC912 mov eax, dword ptr fs:[00000030h]	2_2_031BC912
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03128918 mov eax, dword ptr fs:[00000030h]	2_2_03128918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03128918 mov eax, dword ptr fs:[00000030h]	2_2_03128918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031AE908 mov eax, dword ptr fs:[00000030h]	2_2_031AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031AE908 mov eax, dword ptr fs:[00000030h]	2_2_031AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B892A mov eax, dword ptr fs:[00000030h]	2_2_031B892A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031C892B mov eax, dword ptr fs:[00000030h]	2_2_031C892B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B0946 mov eax, dword ptr fs:[00000030h]	2_2_031B0946
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031D4978 mov eax, dword ptr fs:[00000030h]	2_2_031D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031D4978 mov eax, dword ptr fs:[00000030h]	2_2_031D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031BC97C mov eax, dword ptr fs:[00000030h]	2_2_031BC97C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03156962 mov eax, dword ptr fs:[00000030h]	2_2_03156962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03156962 mov eax, dword ptr fs:[00000030h]	2_2_03156962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03156962 mov eax, dword ptr fs:[00000030h]	2_2_03156962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0317096E mov eax, dword ptr fs:[00000030h]	2_2_0317096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0317096E mov edx, dword ptr fs:[00000030h]	2_2_0317096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0317096E mov eax, dword ptr fs:[00000030h]	2_2_0317096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B89B3 mov esi, dword ptr fs:[00000030h]	2_2_031B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B89B3 mov eax, dword ptr fs:[00000030h]	2_2_031B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B89B3 mov eax, dword ptr fs:[00000030h]	2_2_031B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031429A0 mov eax, dword ptr fs:[00000030h]	2_2_031429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031429A0 mov eax, dword ptr fs:[00000030h]	2_2_031429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031429A0 mov eax, dword ptr fs:[00000030h]	2_2_031429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031429A0 mov eax, dword ptr fs:[00000030h]	2_2_031429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031429A0 mov eax, dword ptr fs:[00000030h]	2_2_031429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031429A0 mov eax, dword ptr fs:[00000030h]	2_2_031429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031429A0 mov eax, dword ptr fs:[00000030h]	2_2_031429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031429A0 mov eax, dword ptr fs:[00000030h]	2_2_031429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031429A0 mov eax, dword ptr fs:[00000030h]	2_2_031429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031429A0 mov eax, dword ptr fs:[00000030h]	2_2_031429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031429A0 mov eax, dword ptr fs:[00000030h]	2_2_031429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031429A0 mov eax, dword ptr fs:[00000030h]	2_2_031429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031429A0 mov eax, dword ptr fs:[00000030h]	2_2_031429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031309AD mov eax, dword ptr fs:[00000030h]	2_2_031309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031309AD mov eax, dword ptr fs:[00000030h]	2_2_031309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0313A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0313A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0313A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0313A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0313A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0313A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0313A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0313A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0313A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0313A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0313A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0313A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031649D0 mov eax, dword ptr fs:[00000030h]	2_2_031649D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031FA9D3 mov eax, dword ptr fs:[00000030h]	2_2_031FA9D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031C69C0 mov eax, dword ptr fs:[00000030h]	2_2_031C69C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031629F9 mov eax, dword ptr fs:[00000030h]	2_2_031629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031629F9 mov eax, dword ptr fs:[00000030h]	2_2_031629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031BE9E0 mov eax, dword ptr fs:[00000030h]	2_2_031BE9E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031BC810 mov eax, dword ptr fs:[00000030h]	2_2_031BC810
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03152835 mov eax, dword ptr fs:[00000030h]	2_2_03152835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03152835 mov eax, dword ptr fs:[00000030h]	2_2_03152835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03152835 mov eax, dword ptr fs:[00000030h]	2_2_03152835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03152835 mov ecx, dword ptr fs:[00000030h]	2_2_03152835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03152835 mov eax, dword ptr fs:[00000030h]	2_2_03152835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03152835 mov eax, dword ptr fs:[00000030h]	2_2_03152835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0316A830 mov eax, dword ptr fs:[00000030h]	2_2_0316A830
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031D483A mov eax, dword ptr fs:[00000030h]	2_2_031D483A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031D483A mov eax, dword ptr fs:[00000030h]	2_2_031D483A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03160854 mov eax, dword ptr fs:[00000030h]	2_2_03160854
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03134859 mov eax, dword ptr fs:[00000030h]	2_2_03134859
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03134859 mov eax, dword ptr fs:[00000030h]	2_2_03134859
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03142840 mov ecx, dword ptr fs:[00000030h]	2_2_03142840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031BE872 mov eax, dword ptr fs:[00000030h]	2_2_031BE872
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031BE872 mov eax, dword ptr fs:[00000030h]	2_2_031BE872
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031C6870 mov eax, dword ptr fs:[00000030h]	2_2_031C6870
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031C6870 mov eax, dword ptr fs:[00000030h]	2_2_031C6870
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031BC89D mov eax, dword ptr fs:[00000030h]	2_2_031BC89D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03130887 mov eax, dword ptr fs:[00000030h]	2_2_03130887
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0315E8C0 mov eax, dword ptr fs:[00000030h]	2_2_0315E8C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0316C8F9 mov eax, dword ptr fs:[00000030h]	2_2_0316C8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0316C8F9 mov eax, dword ptr fs:[00000030h]	2_2_0316C8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031FA8E4 mov eax, dword ptr fs:[00000030h]	2_2_031FA8E4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03132F12 mov eax, dword ptr fs:[00000030h]	2_2_03132F12
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0316CF1F mov eax, dword ptr fs:[00000030h]	2_2_0316CF1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031E6F00 mov eax, dword ptr fs:[00000030h]	2_2_031E6F00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0315EF28 mov eax, dword ptr fs:[00000030h]	2_2_0315EF28

Source: C:\Users\user\Desktop\PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe

Code function: 0_2_004A81D4 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_004A81D4

Source: C:\Windows\SysWOW64\svchost.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe	Code function: 0_2_0047A2D5 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0047A2D5
Source: C:\Users\user\Desktop\PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe	Code function: 0_2_0047A2A4 SetUnhandledExceptionFilter,	0_2_0047A2A4
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_00C75DC0 SetUnhandledExceptionFilter,	5_2_00C75DC0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_00C75C30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	5_2_00C75C30

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\SysWOW64\NETSTAT.EXE protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\SysWOW64\NETSTAT.EXE protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\svchost.exe	Thread register set: target process: 4056			Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Thread register set: target process: 4056			Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\svchost.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Sample uses process hollowing technique

Source: C:\Windows\SysWOW64\svchost.exe

Section unmapped: C:\Windows\SysWOW64\NETSTAT.EXE base address: C70000

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: 41A008

Jump to behavior

Source: C:\Windows\SysWOW64\NETSTAT.EXE

Code function: memset,OpenProcess,K32GetModuleBaseNameW,CompareStringW,CompareStringW,GetSystemDirectoryW,LoadLibraryExW,GetProcAddress,K32GetModuleBaseNameW,CloseHandle,LocalFree,FreeLibrary, svchost.exe

5_2_00C738D2

Source: C:\Users\user\Desktop\PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe

Code function: 0_2_004A8A73 LogonUserW,

0_2_004A8A73

Source: C:\Users\user\Desktop\PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe

Code function: 0_2_00453B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00453B4C

Source: C:\Users\user\Desktop\PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe

Code function: 0_2_00454A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_00454A35

Source: C:\Users\user\Desktop\PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe

Code function: 0_2_004B4CCE mouse_event,

0_2_004B4CCE

Source: C:\Users\user\Desktop\PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe"			Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\svchost.exe"			Jump to behavior

Source: C:\Users\user\Desktop\PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe

0_2_004A81D4

Source: C:\Users\user\Desktop\PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe

Code function: 0_2_004B4A08 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_004B4A08

Source: PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: explorer.exe, 00000003.00000000.851790615.0000000001230000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000002.3297220506.0000000001231000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program Manager
Source: PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe, explorer.exe, 00000003.00000000.851790615.0000000001230000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000003.2625911286.000000000988B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000003.00000000.851790615.0000000001230000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000002.3295843768.0000000000BA0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3297220506.0000000001231000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000003.00000000.851790615.0000000001230000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000002.3297220506.0000000001231000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe

Code function: 0_2_004787AB cpuid

0_2_004787AB

Source: C:\Users\user\Desktop\PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe

Code function: 0_2_00485007 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00485007

Source: C:\Users\user\Desktop\PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe

Code function: 0_2_0049215F GetUserNameW,

0_2_0049215F

Source: C:\Users\user\Desktop\PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe

Code function: 0_2_004840BA __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_004840BA

Source: C:\Users\user\Desktop\PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe

Code function: 0_2_00454AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00454AFE

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 0.2.PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe.17f0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe.17f0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.2710000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.3295469220.00000000005C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3296651683.0000000000BA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.841980287.00000000017F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.894587889.0000000003050000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.894477972.0000000002DD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3296308616.0000000000B60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.894090641.0000000002711000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY

Source: PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe	Binary or memory string: WIN_81
Source: PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe	Binary or memory string: WIN_XP
Source: PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe	Binary or memory string: WIN_XPe
Source: PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe	Binary or memory string: WIN_VISTA
Source: PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe	Binary or memory string: WIN_7
Source: PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe	Binary or memory string: WIN_8
Source: PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 2USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 0.2.PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe.17f0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe.17f0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.2710000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.3295469220.00000000005C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3296651683.0000000000BA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.841980287.00000000017F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.894587889.0000000003050000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.894477972.0000000002DD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3296308616.0000000000B60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.894090641.0000000002711000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe	Code function: 0_2_004C6399 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,	0_2_004C6399
Source: C:\Users\user\Desktop\PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe	Code function: 0_2_004C685D socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	0_2_004C685D
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 5_2_00C74B96 fprintf,GetUdpStatisticsEx,GetIpStatisticsEx,SnmpUtilMemAlloc,fprintf,fprintf,SnmpUtilMemFree,fprintf,fprintf,SnmpUtilMemAlloc,SnmpUtilOidCpy,SnmpUtilVarBindFree,SnmpUtilVarBindFree,SnmpUtilVarBindFree,SnmpUtilVarBindFree,GetIcmpStatisticsEx,GetTcpStatisticsEx,	5_2_00C74B96

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	2 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Shared Modules	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	12 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	2 Valid Accounts	2 Obfuscated Files or Information	Security Account Manager	1 System Network Connections Discovery	SMB/Windows Admin Shares	3 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	522 Process Injection	2 Valid Accounts	LSA Secrets	215 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Virtualization/Sandbox Evasion	Cached Domain Credentials	251 Security Software Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	21 Access Token Manipulation	DCSync	2 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	522 Process Injection	Proc Filesystem	3 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	11 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 System Owner/User Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	Stripped Payloads	Input Capture	1 System Network Configuration Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: FormBook

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe