Windows Analysis Report
DHL SHIPMENT NOTIFICATION 1146789443.exe

Overview

General Information

Sample Name: DHL SHIPMENT NOTIFICATION 1146789443.exe
Analysis ID: 626119
MD5: 8fbdf9f70b21179d87b83fe47b2137dd
SHA1: 146eebe16adad9486cac66f4574810cec1f56cbb
SHA256: 972bc525f6be5f7281a72ec4887cc5b85f4b064463bba234f1258c967b164026
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Machine Learning detection for sample
Performs DNS queries to domains with low reputation
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Extensive use of GetProcAddress (often used to hide API calls)
Drops PE files
Contains functionality to read the PEB
Checks if the current process is being debugged
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Classification

AV Detection

Source: 00000002.00000002.322163759.0000000000DD0000.00000040.10000000.00040000.00000000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.lgf7.com/amdf/"], "decoy": ["xadazheng.com", "bremorgan.com", "keilaniclothing.com", "du9a20ofolvhfr.xyz", "santamariacourt.com", "wcagls.com", "visionuptechnology.com", "sddysrq.com", "pencetslot.site", "wpcoisas.com", "caomei08.xyz", "infinitepotential.xyz", "anotherchanceranch.net", "ymterp.com", "zhuyunming.com", "elementarymodel.com", "edmondsonfinancial.com", "adsnethosting.com", "obohsan-souzokusindan.tech", "helicopterart.com", "shangnuanjia.com", "89660.world", "zkzxconsulting.com", "temp-bait.com", "8562.pet", "taojinwa.net", "chatterboxtwo.com", "pejoki.com", "effectual-science.com", "ma3721.com", "b498gszj.com", "sicuumon.com", "northwtb.com", "reconbattery.xyz", "sibirerzucht.com", "fusionpsychiatry.net", "biblicalguidance.net", "liquated99tic.com", "ruvinslimshop.com", "attjeans.com", "reservedadseyelevel.com", "theselungs.com", "safe-edd-centerhelp92.com", "provercoop.com", "216498.com", "bbqautopilot.com", "nurhurdacilik.com", "zo177.wales", "doublemsporthorses.com", "hl308.com", "movewhenyouwant.com", "smartinvestorsguide.com", "joga-wroclaw.com", "potionsparchment.com", "rtpholywin99.com", "sosocean.com", "vliralip.com", "alphaomegamerch.net", "pallettruckload.com", "spritzdao.xyz", "unbound-soul.com", "enssale.xyz", "capitalisllc.com", "ultrakill.xyz"]}
Source: DHL SHIPMENT NOTIFICATION 1146789443.exe Virustotal: Detection: 42%
Source: DHL SHIPMENT NOTIFICATION 1146789443.exe ReversingLabs: Detection: 48%
Source: Yara match File source: 2.0.aeokw.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.aeokw.exe.12a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.aeokw.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.aeokw.exe.12a0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.aeokw.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.aeokw.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.aeokw.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.aeokw.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.aeokw.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000000.294568326.000000000E814000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.322163759.0000000000DD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.322197992.0000000001100000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.256268925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.321951084.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.310303298.000000000E814000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.513829968.0000000002E30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.512812495.0000000002380000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.513722693.0000000002E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.258171974.00000000012A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.254937698.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: http://www.rtpholywin99.com/amdf/?oTsXW=bHtTbh8HU&9rF=Trmpqgljk9XuX6wxdqqXIm/y+wmhK8tfRywx+ln+mTz4pafXVdYl+/2RwiFK/8XcMfBx Avira URL Cloud: Label: malware
Source: www.lgf7.com/amdf/ Avira URL Cloud: Label: malware
Source: DHL SHIPMENT NOTIFICATION 1146789443.exe Joe Sandbox ML: detected
Source: 2.0.aeokw.exe.400000.8.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.2.aeokw.exe.12a0000.1.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 2.0.aeokw.exe.400000.6.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 2.0.aeokw.exe.400000.4.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 2.2.aeokw.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: DHL SHIPMENT NOTIFICATION 1146789443.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: DHL SHIPMENT NOTIFICATION 1146789443.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\mvbaz\xgpqcu\xwqn\f27888ddf02c4c6aa9eb1b8f5b3a0302\rlifld\nwoxnqyr\Release\nwoxnqyr.pdb source: DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000002.271439175.0000000000789000.00000004.00000001.01000000.00000003.sdmp, aeokw.exe, 00000001.00000002.258082115.0000000000D7E000.00000002.00000001.01000000.00000004.sdmp, aeokw.exe, 00000001.00000000.249383523.0000000000D7E000.00000002.00000001.01000000.00000004.sdmp, aeokw.exe, 00000002.00000002.322132231.0000000000D7E000.00000002.00000001.01000000.00000004.sdmp, svchost.exe, 00000011.00000002.515611102.000000000352F000.00000004.10000000.00040000.00000000.sdmp, nsk2671.tmp.0.dr, aeokw.exe.0.dr
Source: Binary string: wntdll.pdbUGP source: aeokw.exe, 00000001.00000003.255155254.0000000002E70000.00000004.00001000.00020000.00000000.sdmp, aeokw.exe, 00000001.00000003.254132987.000000001ADE0000.00000004.00001000.00020000.00000000.sdmp, aeokw.exe, 00000002.00000003.260122291.00000000012DE000.00000004.00000800.00020000.00000000.sdmp, aeokw.exe, 00000002.00000002.322328355.0000000001470000.00000040.00000800.00020000.00000000.sdmp, aeokw.exe, 00000002.00000002.322514089.000000000158F000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.322000917.0000000002C00000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.323291458.0000000002E00000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: aeokw.exe, 00000001.00000003.255155254.0000000002E70000.00000004.00001000.00020000.00000000.sdmp, aeokw.exe, 00000001.00000003.254132987.000000001ADE0000.00000004.00001000.00020000.00000000.sdmp, aeokw.exe, 00000002.00000003.260122291.00000000012DE000.00000004.00000800.00020000.00000000.sdmp, aeokw.exe, 00000002.00000002.322328355.0000000001470000.00000040.00000800.00020000.00000000.sdmp, aeokw.exe, 00000002.00000002.322514089.000000000158F000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.322000917.0000000002C00000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.323291458.0000000002E00000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: svchost.pdb source: aeokw.exe, 00000002.00000002.322286626.00000000011DA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: svchost.pdbUGP source: aeokw.exe, 00000002.00000002.322286626.00000000011DA000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Code function: 0_2_00405D7A CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405D7A
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Code function: 0_2_004069A4 FindFirstFileW,FindClose, 0_2_004069A4
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Code function: 0_2_0040290B FindFirstFileW, 0_2_0040290B
Source: C:\Users\user\AppData\Local\Temp\aeokw.exe Code function: 4x nop then pop ebx 2_2_00407B1B
Source: C:\Users\user\AppData\Local\Temp\aeokw.exe Code function: 4x nop then pop edi 2_2_0040E472
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4x nop then pop ebx 17_2_02387B1B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4x nop then pop edi 17_2_0238E472

Networking

Source: C:\Windows\explorer.exe Network Connect: 23.227.38.74 80
Source: C:\Windows\explorer.exe Domain query: www.ultrakill.xyz
Source: C:\Windows\explorer.exe Network Connect: 3.64.163.50 80
Source: C:\Windows\explorer.exe Network Connect: 142.250.185.115 80
Source: C:\Windows\explorer.exe Domain query: www.rtpholywin99.com
Source: C:\Windows\explorer.exe Domain query: www.keilaniclothing.com
Source: C:\Windows\explorer.exe DNS query: www.ultrakill.xyz
Source: Malware configuration extractor URLs: www.lgf7.com/amdf/
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View ASN Name: AMAZON-02US
Source: global traffic HTTP traffic detected: GET /amdf/?oTsXW=bHtTbh8HU&9rF=Trmpqgljk9XuX6wxdqqXIm/y+wmhK8tfRywx+ln+mTz4pafXVdYl+/2RwiFK/8XcMfBx HTTP/1.1Host: www.rtpholywin99.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /amdf/?9rF=/oFEaKse3b+9bUwDmBZBOOdpMJRIltPBO/GIVMmFEKpLcaQ5ll8yuFZgv1Udvzfmdn1m&oTsXW=bHtTbh8HU HTTP/1.1Host: www.keilaniclothing.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /amdf/?oTsXW=bHtTbh8HU&9rF=2pnwrPnaayjLTa+dMDr3ioSS0RS/WyH1Gjote8OZi1oxTz0HZpyyfRSy0TFJ31yfLnqh HTTP/1.1Host: www.ultrakill.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: Joe Sandbox View IP Address: 23.227.38.74
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Fri, 13 May 2022 14:10:37 GMTX-Content-Type-Options: nosniffX-XSS-Protection: 1; mode=blockServer: GSEAccept-Ranges: noneVary: Accept-EncodingTransfer-Encoding: chunkedConnection: closeData Raw: 62 31 32 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 3c 68 74 6d 6c 20 64 69 72 3d 22 6c 74 72 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 42 6c 6f 67 67 65 72 20 69 73 20 61 20 62 6c 6f 67 20 70 75 62 6c 69 73 68 69 6e 67 20 74 6f 6f 6c 20 66 72 6f 6d 20 47 6f 6f 67 6c 65 20 66 6f 72 20 65 61 73 69 6c 79 20 73 68 61 72 69 6e 67 20 79 6f 75 72 20 74 68 6f 75 67 68 74 73 20 77 69 74 68 20 74 68 65 20 77 6f 72 6c 64 2e 20 42 6c 6f 67 67 65 72 20 6d 61 6b 65 73 20 69 74 20 73 69 6d 70 6c 65 20 74 6f 20 70 6f 73 74 20 74 65 78 74 2c 20 70 68 6f 74 6f 73 20 61 6e 64 20 76 69 64 65 6f 20 6f 6e 74 6f 20 79 6f 75 72 20 70 65 72 73 6f 6e 61 6c 20 6f 72 20 74 65 61 6d 20 62 6c 6f 67 2e 22 3e 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 20 63 6f 6e 74 65 6e 74 3d 22 62 6c 6f 67 67 65 72 2c 20 62 6c 6f 67 73 70 6f 74 2c 20 62 6c 6f 67 2c 20 62 6c 6f 67 67 65 72 2e 63 6f 6d 2c 20 62 6c 6f 67 73 70 6f 74 2e 63 6f 6d 2c 20 70 65 72 73 6f 6e 61 6c 20 62 6c 6f 67 2c 20 77 65 62 6c 6f 67 2c 20 63 72 65 61 74 65 20 62 6c 6f 67 2c 20 6e 65 77 20 62 6c 6f 67 22 3e 0a 3c 62 61 73 65 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 62 6c 6f 67 67 65 72 2e 63 6f 6d 22 3e 0a 3c 74 69 74 6c 65 3e 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 23 68 6f 6d 65 42 75 74 74 6f 6e 20 7b 0a 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3a 20 32 37 30 70 78 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 3c 2f 73 74 79 6c 65 3e 0a 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 62 6c 6f 67 67 65 72 2e 63 6f 6d 2f 73 74 61 74 69 63 2f 76 31 2f 76 2d 63 73 73 2f 33 38 39 36 35 35 38 36 37 33 2d 6e 65 77 5f 75 69 5f 73 74 61 74 69 63 5f 70 61 67 65 73 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 63 6c 61 73 73 3d 22 6c 61 6e 67 5f 65 6e 20 72 62 22 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Fri, 13 May 2022 14:10:57 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingX-Sorting-Hat-PodId: 250X-Sorting-Hat-ShopId: 64045383931X-Dc: gcp-europe-west1X-Request-ID: c795f513-2a89-4e29-a885-b65e0c1175bdX-XSS-Protection: 1; mode=blockX-Download-Options: noopenX-Content-Type-Options: nosniffX-Permitted-Cross-Domain-Policies: noneCF-Cache-Status: DYNAMICServer: cloudflareCF-RAY: 70abfb06ecb2917d-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 31 34 31 64 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 65 66 65 72 72 65 72 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 65 76 65 72 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 41 63 63 65 73 73 20 64 65 6e 69 65 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 2a 7b 62 6f 78 2d 73 69 7a 69 6e 67 3a 62 6f 72 64 65 72 2d 62 6f 78 3b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 48 65 6c 76 65 74 69 63 61 20 4e 65 75 65 22 2c 48 65 6c 76 65 74 69 63 61 2c 41 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 46 31 46 31 46 31 3b 66 6f 6e 74 2d 73 69 7a 65 3a 36 32 2e 35 25 3b 63 6f 6c 6f 72 3a 23 33 30 33 30 33 30 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 7d 62 6f 64 79 7b 70 61 64 64 69 6e 67 3a 30 3b 6d 61 72 67 69 6e 3a 30 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 32 2e 37 72 65 6d 7d 61 7b 63 6f 6c 6f 72 3a 23 33 30 33 30 33 30 3b 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 31 70 78 20 73 6f 6c 69 64 20 23 33 30 33 30 33 30 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 62 6f 74 74 6f 6d 3a 31 72 65 6d 3b 74 72 61 6e 73 69 74 69 6f 6e 3a 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 20 30 2e 32 73 20 65 61 73 65 2d 69 6e 7d 61 3a 68 6f 76 65 72 7b 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 2d 63 6f 6c 6f 72 3a 23 41 39 41 39 41 39 7d 68 31 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 38 72 65 6d 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 34 30 30 3b 6d 61 72 67 69 6e 3a 30 20 30 20 31 2e 34 72 65 6d 20 30 7d 70 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 35 72 65 6d 3b 6d 61 72 67 69 6e 3a 30 7d 2e 70 61 67 65 7b 70 61 64 64 69 6e 67 3a 34 72 65 6d 20 33 2e 35 72 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 64 69 73 70 6c 61 79 3a 66 6c 65 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 76 68 3b 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 63 6f 6c 75 6d 6e 7d 2e 74 65 78 74 2d 63 6f 6e 74 61 69 6e 65 72 2d 2d 6d 61 69 6e 7b 66 6c 65 78 3a 31 3b 64 69 73 70 6c 61 79 3a 66 6c 65 78 3b 61 6c Data Ascii: 141d<!DOCTYPE html><html lang="en"><head> <meta charset="utf-8" /> <meta
Source: DHL SHIPMENT NOTIFICATION 1146789443.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: svchost.exe, 00000011.00000002.515898561.0000000003A1F000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: http://www.ultrakill.xyz/
Source: unknown DNS traffic detected: queries for: www.rtpholywin99.com
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Code function: 0_2_0040580F GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_0040580F

E-Banking Fraud

Source: Yara match File source: 2.0.aeokw.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.aeokw.exe.12a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.aeokw.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.aeokw.exe.12a0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.aeokw.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.aeokw.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.aeokw.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.aeokw.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.aeokw.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000000.294568326.000000000E814000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.322163759.0000000000DD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.322197992.0000000001100000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.256268925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.321951084.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.310303298.000000000E814000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.513829968.0000000002E30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.512812495.0000000002380000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.513722693.0000000002E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.258171974.00000000012A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.254937698.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

System Summary

Source: 2.0.aeokw.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.0.aeokw.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.aeokw.exe.12a0000.1.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.aeokw.exe.12a0000.1.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.aeokw.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.0.aeokw.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.aeokw.exe.12a0000.1.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.aeokw.exe.12a0000.1.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.aeokw.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.aeokw.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.aeokw.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.0.aeokw.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.aeokw.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.0.aeokw.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.aeokw.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.aeokw.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.aeokw.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.0.aeokw.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.294568326.000000000E814000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.294568326.000000000E814000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.322163759.0000000000DD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.322163759.0000000000DD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.322197992.0000000001100000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.322197992.0000000001100000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000000.256268925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000000.256268925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.321951084.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.321951084.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.310303298.000000000E814000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.310303298.000000000E814000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.513829968.0000000002E30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000002.513829968.0000000002E30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.512812495.0000000002380000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000002.512812495.0000000002380000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.513722693.0000000002E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000002.513722693.0000000002E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.258171974.00000000012A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.258171974.00000000012A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000000.254937698.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000000.254937698.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: DHL SHIPMENT NOTIFICATION 1146789443.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: 2.0.aeokw.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.0.aeokw.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.aeokw.exe.12a0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.aeokw.exe.12a0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.0.aeokw.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.0.aeokw.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.aeokw.exe.12a0000.1.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.aeokw.exe.12a0000.1.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.aeokw.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.aeokw.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.0.aeokw.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.0.aeokw.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.0.aeokw.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.0.aeokw.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.aeokw.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.aeokw.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.0.aeokw.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.0.aeokw.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000000.294568326.000000000E814000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000000.294568326.000000000E814000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.322163759.0000000000DD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.322163759.0000000000DD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.322197992.0000000001100000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.322197992.0000000001100000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000000.256268925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000000.256268925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.321951084.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.321951084.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000000.310303298.000000000E814000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000000.310303298.000000000E814000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000002.513829968.0000000002E30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000002.513829968.0000000002E30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000002.512812495.0000000002380000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000002.512812495.0000000002380000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000002.513722693.0000000002E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000002.513722693.0000000002E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.258171974.00000000012A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.258171974.00000000012A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000000.254937698.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000000.254937698.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Code function: 0_2_00403646 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_00403646
Source: C:\Users\user\AppData\Local\Temp\aeokw.exe Code function: 1_2_00D71890 1_2_00D71890
Source: C:\Users\user\AppData\Local\Temp\aeokw.exe Code function: 1_2_00D77E88 1_2_00D77E88
Source: C:\Users\user\AppData\Local\Temp\aeokw.exe Code function: 1_2_00D796A0 1_2_00D796A0
Source: C:\Users\user\AppData\Local\Temp\aeokw.exe Code function: 1_2_00D79C12 1_2_00D79C12
Source: C:\Users\user\AppData\Local\Temp\aeokw.exe Code function: 1_2_00D7B3F1 1_2_00D7B3F1
Source: C:\Users\user\AppData\Local\Temp\aeokw.exe Code function: 1_2_00D7A184 1_2_00D7A184
Source: C:\Users\user\AppData\Local\Temp\aeokw.exe Code function: 1_2_00D7C3BD 1_2_00D7C3BD
Source: C:\Users\user\AppData\Local\Temp\aeokw.exe Code function: 2_2_00401030 2_2_00401030
Source: C:\Users\user\AppData\Local\Temp\aeokw.exe Code function: 2_2_0041E28A 2_2_0041E28A
Source: C:\Users\user\AppData\Local\Temp\aeokw.exe Code function: 2_2_0041EBD9 2_2_0041EBD9
Source: C:\Users\user\AppData\Local\Temp\aeokw.exe Code function: 2_2_0041E3E9 2_2_0041E3E9
Source: C:\Users\user\AppData\Local\Temp\aeokw.exe Code function: 2_2_0041D563 2_2_0041D563
Source: C:\Users\user\AppData\Local\Temp\aeokw.exe Code function: 2_2_00402D87 2_2_00402D87
Source: C:\Users\user\AppData\Local\Temp\aeokw.exe Code function: 2_2_00402D90 2_2_00402D90
Source: C:\Users\user\AppData\Local\Temp\aeokw.exe Code function: 2_2_00409E4B 2_2_00409E4B
Source: C:\Users\user\AppData\Local\Temp\aeokw.exe Code function: 2_2_00409E50 2_2_00409E50
Source: C:\Users\user\AppData\Local\Temp\aeokw.exe Code function: 2_2_0041DE6E 2_2_0041DE6E
Source: C:\Users\user\AppData\Local\Temp\aeokw.exe Code function: 2_2_0041DFE4 2_2_0041DFE4
Source: C:\Users\user\AppData\Local\Temp\aeokw.exe Code function: 2_2_00402FB0 2_2_00402FB0
Source: C:\Users\user\AppData\Local\Temp\aeokw.exe Code function: 2_2_00D71890 2_2_00D71890
Source: C:\Users\user\AppData\Local\Temp\aeokw.exe Code function: 2_2_00D7A184 2_2_00D7A184
Source: C:\Users\user\AppData\Local\Temp\aeokw.exe Code function: 2_2_00D7B3F1 2_2_00D7B3F1
Source: C:\Users\user\AppData\Local\Temp\aeokw.exe Code function: 2_2_00D79C12 2_2_00D79C12
Source: C:\Users\user\AppData\Local\Temp\aeokw.exe Code function: 2_2_00D77E88 2_2_00D77E88
Source: C:\Users\user\AppData\Local\Temp\aeokw.exe Code function: 2_2_00D796A0 2_2_00D796A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0304A309 17_2_0304A309
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_030F2B28 17_2_030F2B28
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0304AB40 17_2_0304AB40
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0305EBB0 17_2_0305EBB0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_030E03DA 17_2_030E03DA
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_030EDBD2 17_2_030EDBD2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0305ABD8 17_2_0305ABD8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_030DFA2B 17_2_030DFA2B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_030F22AE 17_2_030F22AE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0302F900 17_2_0302F900
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03044120 17_2_03044120
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_030499BF 17_2_030499BF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_030E1002 17_2_030E1002
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_030FE824 17_2_030FE824
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0304A830 17_2_0304A830
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0303B090 17_2_0303B090
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_030520A0 17_2_030520A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_030F20A8 17_2_030F20A8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_030F28EC 17_2_030F28EC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_030FDFCE 17_2_030FDFCE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_030F1FF1 17_2_030F1FF1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_030ED616 17_2_030ED616
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03046E30 17_2_03046E30
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_030F2EF7 17_2_030F2EF7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_030F2D07 17_2_030F2D07
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03020D20 17_2_03020D20
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_030F1D55 17_2_030F1D55
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03052581 17_2_03052581
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_030F25DD 17_2_030F25DD
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0303D5E0 17_2_0303D5E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0303841F 17_2_0303841F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_030ED466 17_2_030ED466
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0239EBD9 17_2_0239EBD9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_02389E50 17_2_02389E50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_02389E4B 17_2_02389E4B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_02382FB0 17_2_02382FB0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_02382D90 17_2_02382D90
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_02382D87 17_2_02382D87
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 0302B150 appears 87 times
Source: C:\Users\user\AppData\Local\Temp\aeokw.exe Code function: String function: 00D72400 appears 54 times
Source: C:\Users\user\AppData\Local\Temp\aeokw.exe Code function: String function: 00D74599 appears 38 times
Source: C:\Users\user\AppData\Local\Temp\aeokw.exe Code function: 2_2_0041A320 NtCreateFile, 2_2_0041A320
Source: C:\Users\user\AppData\Local\Temp\aeokw.exe Code function: 2_2_0041A3D0 NtReadFile, 2_2_0041A3D0
Source: C:\Users\user\AppData\Local\Temp\aeokw.exe Code function: 2_2_0041A450 NtClose, 2_2_0041A450
Source: C:\Users\user\AppData\Local\Temp\aeokw.exe Code function: 2_2_0041A500 NtAllocateVirtualMemory, 2_2_0041A500
Source: C:\Users\user\AppData\Local\Temp\aeokw.exe Code function: 2_2_0041A31F NtCreateFile, 2_2_0041A31F
Source: C:\Users\user\AppData\Local\Temp\aeokw.exe Code function: 2_2_0041A3CE NtReadFile, 2_2_0041A3CE
Source: C:\Users\user\AppData\Local\Temp\aeokw.exe Code function: 2_2_0041A4FB NtAllocateVirtualMemory, 2_2_0041A4FB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03069A50 NtCreateFile,LdrInitializeThunk, 17_2_03069A50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03069910 NtAdjustPrivilegesToken,LdrInitializeThunk, 17_2_03069910
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_030699A0 NtCreateSection,LdrInitializeThunk, 17_2_030699A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03069840 NtDelayExecution,LdrInitializeThunk, 17_2_03069840
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03069860 NtQuerySystemInformation,LdrInitializeThunk, 17_2_03069860
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03069710 NtQueryInformationToken,LdrInitializeThunk, 17_2_03069710
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03069780 NtMapViewOfSection,LdrInitializeThunk, 17_2_03069780
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03069FE0 NtCreateMutant,LdrInitializeThunk, 17_2_03069FE0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03069650 NtQueryValueKey,LdrInitializeThunk, 17_2_03069650
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03069660 NtAllocateVirtualMemory,LdrInitializeThunk, 17_2_03069660
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_030696D0 NtCreateKey,LdrInitializeThunk, 17_2_030696D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_030696E0 NtFreeVirtualMemory,LdrInitializeThunk, 17_2_030696E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03069540 NtReadFile,LdrInitializeThunk, 17_2_03069540
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_030695D0 NtClose,LdrInitializeThunk, 17_2_030695D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03069B00 NtSetValueKey, 17_2_03069B00
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0306A3B0 NtGetContextThread, 17_2_0306A3B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03069A00 NtProtectVirtualMemory, 17_2_03069A00
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03069A10 NtQuerySection, 17_2_03069A10
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03069A20 NtResumeThread, 17_2_03069A20
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03069A80 NtOpenDirectoryObject, 17_2_03069A80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03069950 NtQueueApcThread, 17_2_03069950
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_030699D0 NtCreateProcessEx, 17_2_030699D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03069820 NtEnumerateKey, 17_2_03069820
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0306B040 NtSuspendThread, 17_2_0306B040
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_030698A0 NtWriteVirtualMemory, 17_2_030698A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_030698F0 NtReadVirtualMemory, 17_2_030698F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0306A710 NtOpenProcessToken, 17_2_0306A710
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03069730 NtQueryVirtualMemory, 17_2_03069730
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03069760 NtOpenProcess, 17_2_03069760
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0306A770 NtOpenThread, 17_2_0306A770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03069770 NtSetInformationFile, 17_2_03069770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_030697A0 NtUnmapViewOfSection, 17_2_030697A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03069610 NtEnumerateValueKey, 17_2_03069610
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03069670 NtQueryInformationProcess, 17_2_03069670
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03069520 NtWaitForSingleObject, 17_2_03069520
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0306AD30 NtSetContextThread, 17_2_0306AD30
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03069560 NtWriteFile, 17_2_03069560
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_030695F0 NtQueryInformationFile, 17_2_030695F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0239A320 NtCreateFile, 17_2_0239A320
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0239A3D0 NtReadFile, 17_2_0239A3D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0239A450 NtClose, 17_2_0239A450
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0239A500 NtAllocateVirtualMemory, 17_2_0239A500
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0239A31F NtCreateFile, 17_2_0239A31F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0239A3CE NtReadFile, 17_2_0239A3CE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0239A4FB NtAllocateVirtualMemory, 17_2_0239A4FB
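The Nt* list above for svchost.exe (process 17) holds every primitive the report's injection signatures name: NtCreateSection/NtMapViewOfSection/NtUnmapViewOfSection for mapping and hollowing, NtWriteVirtualMemory, NtGetContextThread/NtSetContextThread with NtSuspendThread/NtResumeThread, and NtQueueApcThread for the APC variant. The dropped aeokw.exe (process 2) only shows file and memory-allocation calls. As an added example, not part of the Joe Sandbox report, here is a Python classifier that parses these "Code function" lines, collects the Nt* names per process and checks them against the minimum API set each injection style needs. The technique-to-API mapping is this example's own assumption about how the primitives are usually chained; a list of resolved stubs proves capability, not call order, so a complete set is a lead to confirm against the dynamic signatures (queued APC, modified thread context, process hollowing), not a verdict on its own. The input lines are copied from this report.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, Set

# Report line shape:
# "Source: <process> Code function: <pid>_<round>_<addr> Api1,Api2, <pid>_<round>_<addr>"
LINE_RE = re.compile(
    r"^Source:\s+(?P<proc>.+?)\s+Code function:\s+\d+_\d+_[0-9A-Fa-f]+\s+(?P<apis>(?:\w+,)+)"
)

# Minimum API set per injection style. This mapping is the example's own
# assumption (common chaining of the primitives), not something the report states.
TECHNIQUES = {
    "process_hollowing (T1055.012)": {
        "NtUnmapViewOfSection", "NtWriteVirtualMemory", "NtSetContextThread", "NtResumeThread"},
    "apc_injection (T1055.004)": {"NtOpenThread", "NtQueueApcThread"},
    "thread_hijacking (T1055.003)": {
        "NtSuspendThread", "NtGetContextThread", "NtSetContextThread", "NtResumeThread"},
    "section_mapping (T1055)": {"NtCreateSection", "NtMapViewOfSection"},
}


def extract_nt_apis(lines: Iterable[str]) -> Dict[str, Set[str]]:
    """Collect the Nt* names referenced per process from 'Code function' report lines."""
    per_proc: Dict[str, Set[str]] = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        for api in m.group("apis").rstrip(",").split(","):
            if api.startswith("Nt"):
                per_proc[m.group("proc")].add(api)
    return dict(per_proc)


def match_techniques(apis: Set[str]) -> Dict[str, dict]:
    """For each technique, say whether all required calls are present and which are missing."""
    result = {}
    for name, needed in TECHNIQUES.items():
        missing = sorted(needed - apis)
        result[name] = {"complete": not missing, "missing": missing}
    return result


def summarize(lines: Iterable[str]) -> Dict[str, Dict[str, bool]]:
    """process -> {technique: complete?}"""
    return {proc: {t: r["complete"] for t, r in match_techniques(apis).items()}
            for proc, apis in extract_nt_apis(lines).items()}


# Constructed input: a subset of this report's own lines
REPORT_LINES = [
    r"Source: C:\Users\user\AppData\Local\Temp\aeokw.exe Code function: 2_2_0041A320 NtCreateFile, 2_2_0041A320",
    r"Source: C:\Users\user\AppData\Local\Temp\aeokw.exe Code function: 2_2_0041A3D0 NtReadFile, 2_2_0041A3D0",
    r"Source: C:\Users\user\AppData\Local\Temp\aeokw.exe Code function: 2_2_0041A500 NtAllocateVirtualMemory, 2_2_0041A500",
    r"Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_030699A0 NtCreateSection,LdrInitializeThunk, 17_2_030699A0",
    r"Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03069780 NtMapViewOfSection,LdrInitializeThunk, 17_2_03069780",
    r"Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0306A3B0 NtGetContextThread, 17_2_0306A3B0",
    r"Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03069A20 NtResumeThread, 17_2_03069A20",
    r"Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03069950 NtQueueApcThread, 17_2_03069950",
    r"Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0306B040 NtSuspendThread, 17_2_0306B040",
    r"Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_030698A0 NtWriteVirtualMemory, 17_2_030698A0",
    r"Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0306A770 NtOpenThread, 17_2_0306A770",
    r"Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_030697A0 NtUnmapViewOfSection, 17_2_030697A0",
    r"Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0306AD30 NtSetContextThread, 17_2_0306AD30",
]

if __name__ == "__main__":
    for proc, verdicts in summarize(REPORT_LINES).items():
        print(proc)
        for technique, complete in verdicts.items():
            print(f"  {technique}: {'complete' if complete else 'incomplete'}")
```

Run against a full report export the same way; processes that only read files and allocate memory (like aeokw.exe here) fall out with every set incomplete, which is the right answer for a stage that merely loads the next one.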
Source: DHL SHIPMENT NOTIFICATION 1146789443.exe Virustotal: Detection: 42%
Source: DHL SHIPMENT NOTIFICATION 1146789443.exe ReversingLabs: Detection: 48%
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe File read: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe
Source: DHL SHIPMENT NOTIFICATION 1146789443.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe "C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe"
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Process created: C:\Users\user\AppData\Local\Temp\aeokw.exe C:\Users\user\AppData\Local\Temp\aeokw.exe C:\Users\user\AppData\Local\Temp\fnnok
Source: C:\Users\user\AppData\Local\Temp\aeokw.exe Process created: C:\Users\user\AppData\Local\Temp\aeokw.exe C:\Users\user\AppData\Local\Temp\aeokw.exe C:\Users\user\AppData\Local\Temp\fnnok
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe
Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Local\Temp\aeokw.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
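The process tree above is the whole infection chain in a handful of lines: the dropper on the Desktop writes aeokw.exe to the user's Temp directory, aeokw.exe re-launches itself with a second Temp file (fnnok) on the command line, explorer.exe then starts a SysWOW64 svchost.exe with no arguments (svchost.exe is normally a child of services.exe started with a -k service group; the report's injection signatures account for the odd parent), and that svchost.exe uses cmd.exe to delete the dropper. As an added example, not part of the Joe Sandbox report, here is a Python classifier that encodes those three parent/child anomalies as rules over process-creation records of the kind Sysmon event 1 or an EDR produces. The records are constructed from this report's lines, plus one benign svchost.exe launch as a control; the rule names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (Sysmon event 1 / EDR equivalent), constructed here."""
    parent_image: str
    image: str
    command_line: str


SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
TEMP_RE = re.compile(r"\\appdata\\local\\temp\\", re.I)
DEL_RE = re.compile(r'/c\s+del\s+"?([^"]+?\.exe)"?', re.I)


def _base(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _in_system_dir(path: str) -> bool:
    return path.lower().startswith(SYSTEM_DIRS)


def classify(ev: ProcEvent) -> List[str]:
    hits = []
    # 1. An executable in the user's Temp directory re-launching itself and
    #    handing a second Temp file to the child on the command line.
    if TEMP_RE.search(ev.image) and ev.parent_image.lower() == ev.image.lower():
        args = ev.command_line.split()[1:]        # paths carry no spaces in this sample
        if any(TEMP_RE.search(a) for a in args):
            hits.append("temp_self_relaunch")
    # 2. explorer.exe starting a System32/SysWOW64 binary with no arguments.
    #    A legitimate svchost.exe is a child of services.exe and carries a -k group.
    if _base(ev.parent_image) == "explorer.exe" and _in_system_dir(ev.image):
        if ev.command_line.strip().lower() == ev.image.lower():
            hits.append("explorer_spawns_bare_system_binary")
    # 3. cmd.exe deleting an executable out of the user's Temp directory; with a
    #    system binary as parent it is the injected host cleaning up the dropper.
    if _base(ev.image) == "cmd.exe":
        m = DEL_RE.search(ev.command_line)
        if m and TEMP_RE.search(m.group(1)):
            hits.append("cmd_deletes_temp_exe")
            if _in_system_dir(ev.parent_image):
                hits.append("deletion_issued_by_system_binary")
    return hits


def scan(events: List[ProcEvent]) -> List[List[str]]:
    return [classify(ev) for ev in events]


# Constructed from this report's "Process created" lines
REPORT_EVENTS = [
    ProcEvent(r"C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe",
              r"C:\Users\user\AppData\Local\Temp\aeokw.exe",
              r"C:\Users\user\AppData\Local\Temp\aeokw.exe C:\Users\user\AppData\Local\Temp\fnnok"),
    ProcEvent(r"C:\Users\user\AppData\Local\Temp\aeokw.exe",
              r"C:\Users\user\AppData\Local\Temp\aeokw.exe",
              r"C:\Users\user\AppData\Local\Temp\aeokw.exe C:\Users\user\AppData\Local\Temp\fnnok"),
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\SysWOW64\svchost.exe",
              r"C:\Windows\SysWOW64\svchost.exe"),
    ProcEvent(r"C:\Windows\SysWOW64\svchost.exe",
              r"C:\Windows\SysWOW64\cmd.exe",
              r'/c del "C:\Users\user\AppData\Local\Temp\aeokw.exe"'),
    ProcEvent(r"C:\Windows\SysWOW64\cmd.exe",
              r"C:\Windows\System32\conhost.exe",
              r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
]

# Constructed control: how svchost.exe is normally started
BENIGN_SVCHOST = ProcEvent(r"C:\Windows\System32\services.exe",
                           r"C:\Windows\System32\svchost.exe",
                           r"C:\Windows\System32\svchost.exe -k netsvcs -p")

if __name__ == "__main__":
    for ev, hits in zip(REPORT_EVENTS + [BENIGN_SVCHOST], scan(REPORT_EVENTS + [BENIGN_SVCHOST])):
        print(f"{_base(ev.parent_image)} -> {_base(ev.image)}: {hits or 'clean'}")
```

Rule 2 is the one worth alerting on by itself; rules 1 and 3 are common to plenty of installers and self-updaters and are better used to raise the score of a chain that already tripped rule 2.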
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe File created: C:\Users\user\AppData\Local\Temp\nsk2670.tmp
Source: classification engine Classification label: mal100.troj.evad.winEXE@9/4@3/3
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Code function: 0_2_004021AA CoCreateInstance, 0_2_004021AA
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Code function: 0_2_00404ABB GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 0_2_00404ABB
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1524:120:WilError_01
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: DHL SHIPMENT NOTIFICATION 1146789443.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
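Two lines in this section describe the dropper's PE header: the file characteristics near the top (LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED) and the DLL characteristics just above (NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT). Read together they carry a caveat: DYNAMIC_BASE asks for ASLR, but RELOCS_STRIPPED means the image has no relocation data, so the loader cannot move it and maps it at its preferred base. A flag-by-flag checklist that stops at DYNAMIC_BASE would call this image ASLR-enabled. As an added example, not part of the Joe Sandbox report, here is a Python parser that pulls both flag words straight out of the headers with `struct` (no pefile dependency) and derives the mitigation verdicts, including that interaction. `build_minimal_pe` constructs a header-only image carrying the reported flag values so the parser can be exercised offline; pass a real file path to run it on an actual binary.

```python
import struct
import sys
from typing import Dict, List

# IMAGE_FILE_HEADER.Characteristics bits (winnt.h), subset relevant here
FILE_CHARACTERISTICS = {
    0x0001: "RELOCS_STRIPPED",
    0x0002: "EXECUTABLE_IMAGE",
    0x0004: "LINE_NUMS_STRIPPED",
    0x0008: "LOCAL_SYMS_STRIPPED",
    0x0020: "LARGE_ADDRESS_AWARE",
    0x0100: "32BIT_MACHINE",
    0x2000: "DLL",
}

# IMAGE_OPTIONAL_HEADER.DllCharacteristics bits (winnt.h), subset relevant here
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE",
    0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT",
    0x0400: "NO_SEH",
    0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}


def _names(value: int, table: Dict[int, str]) -> List[str]:
    return sorted(name for bit, name in table.items() if value & bit)


def parse_pe_flags(data: bytes) -> dict:
    """Read the COFF and optional-header flag words of a PE image and derive
    mitigation verdicts from them. Handles PE32 and PE32+."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, _, _, _, _, opt_size, file_chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B) or opt_size < 72:
        raise ValueError("unsupported optional header")
    # DllCharacteristics sits at offset 70 in both the PE32 and the PE32+ optional header
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    relocs_stripped = bool(file_chars & 0x0001)
    dynamic_base = bool(dll_chars & 0x0040)
    return {
        "machine": machine,
        "pe32plus": magic == 0x20B,
        "file_characteristics": _names(file_chars, FILE_CHARACTERISTICS),
        "dll_characteristics": _names(dll_chars, DLL_CHARACTERISTICS),
        "aslr_flag_set": dynamic_base,
        # The loader can only rebase an image that still carries relocation data:
        # DYNAMIC_BASE on a RELOCS_STRIPPED image buys no ASLR.
        "aslr_effective": dynamic_base and not relocs_stripped,
        "nx_compat": bool(dll_chars & 0x0100),
        "no_seh": bool(dll_chars & 0x0400),
    }


def build_minimal_pe(file_chars: int, dll_chars: int, pe32plus: bool = False) -> bytes:
    """Constructed header-only image (no sections) so the parser can run offline."""
    opt_size = 240 if pe32plus else 224
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                                 # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x014C,
                       0, 0, 0, 0, opt_size, file_chars)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)          # Magic
    struct.pack_into("<H", opt, 70, dll_chars)                            # DllCharacteristics
    return bytes(dos) + b"PE\x00\x00" + coff + bytes(opt)


# Flag words reproducing what the report lists for the dropper
REPORTED_FILE_CHARS = 0x0001 | 0x0002 | 0x0004 | 0x0008 | 0x0100   # 0x010F
REPORTED_DLL_CHARS = 0x0040 | 0x0100 | 0x0400 | 0x8000             # 0x8540

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            image = fh.read()
    else:
        image = build_minimal_pe(REPORTED_FILE_CHARS, REPORTED_DLL_CHARS)
    for key, value in parse_pe_flags(image).items():
        print(f"{key}: {value}")
```

For the reported flag values the verdict is `aslr_flag_set: True` with `aslr_effective: False`, which is the combination to look for when triaging installer stubs: the loader will place this image at its preferred base on every run.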
Source: Binary string: C:\mvbaz\xgpqcu\xwqn\f27888ddf02c4c6aa9eb1b8f5b3a0302\rlifld\nwoxnqyr\Release\nwoxnqyr.pdb source: DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000002.271439175.0000000000789000.00000004.00000001.01000000.00000003.sdmp, aeokw.exe, 00000001.00000002.258082115.0000000000D7E000.00000002.00000001.01000000.00000004.sdmp, aeokw.exe, 00000001.00000000.249383523.0000000000D7E000.00000002.00000001.01000000.00000004.sdmp, aeokw.exe, 00000002.00000002.322132231.0000000000D7E000.00000002.00000001.01000000.00000004.sdmp, svchost.exe, 00000011.00000002.515611102.000000000352F000.00000004.10000000.00040000.00000000.sdmp, nsk2671.tmp.0.dr, aeokw.exe.0.dr
Source: Binary string: wntdll.pdbUGP source: aeokw.exe, 00000001.00000003.255155254.0000000002E70000.00000004.00001000.00020000.00000000.sdmp, aeokw.exe, 00000001.00000003.254132987.000000001ADE0000.00000004.00001000.00020000.00000000.sdmp, aeokw.exe, 00000002.00000003.260122291.00000000012DE000.00000004.00000800.00020000.00000000.sdmp, aeokw.exe, 00000002.00000002.322328355.0000000001470000.00000040.00000800.00020000.00000000.sdmp, aeokw.exe, 00000002.00000002.322514089.000000000158F000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.322000917.0000000002C00000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.323291458.0000000002E00000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: aeokw.exe, 00000001.00000003.255155254.0000000002E70000.00000004.00001000.00020000.00000000.sdmp, aeokw.exe, 00000001.00000003.254132987.000000001ADE0000.00000004.00001000.00020000.00000000.sdmp, aeokw.exe, 00000002.00000003.260122291.00000000012DE000.00000004.00000800.00020000.00000000.sdmp, aeokw.exe, 00000002.00000002.322328355.0000000001470000.00000040.00000800.00020000.00000000.sdmp, aeokw.exe, 00000002.00000002.322514089.000000000158F000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.322000917.0000000002C00000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.323291458.0000000002E00000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: svchost.pdb source: aeokw.exe, 00000002.00000002.322286626.00000000011DA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: svchost.pdbUGP source: aeokw.exe, 00000002.00000002.322286626.00000000011DA000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\AppData\Local\Temp\aeokw.exe Code function: 1_2_00D72445 push ecx; ret 1_2_00D72458
Source: C:\Users\user\AppData\Local\Temp\aeokw.exe Code function: 2_2_00401026 push 5DA8CC51h; iretd 2_2_0040102E
Source: C:\Users\user\AppData\Local\Temp\aeokw.exe Code function: 2_2_0041E8F5 pushad ; ret 2_2_0041E8FA
Source: C:\Users\user\AppData\Local\Temp\aeokw.exe Code function: 2_2_0040E32E push ebx; ret 2_2_0040E32F
Source: C:\Users\user\AppData\Local\Temp\aeokw.exe Code function: 2_2_0041D475 push eax; ret 2_2_0041D4C8
Source: C:\Users\user\AppData\Local\Temp\aeokw.exe Code function: 2_2_0041D4C2 push eax; ret 2_2_0041D4C8
Source: C:\Users\user\AppData\Local\Temp\aeokw.exe Code function: 2_2_0041D4CB push eax; ret 2_2_0041D532
Source: C:\Users\user\AppData\Local\Temp\aeokw.exe Code function: 2_2_0041D52C push eax; ret 2_2_0041D532
Source: C:\Users\user\AppData\Local\Temp\aeokw.exe Code function: 2_2_00D72445 push ecx; ret 2_2_00D72458
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0307D0D1 push ecx; ret 17_2_0307D0E4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0238E32E push ebx; ret 17_2_0238E32F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0239E8F5 pushad ; ret 17_2_0239E8FA
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0239D475 push eax; ret 17_2_0239D4C8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0239D4CB push eax; ret 17_2_0239D532
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0239D4C2 push eax; ret 17_2_0239D4C8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0239D52C push eax; ret 17_2_0239D532
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe File created: C:\Users\user\AppData\Local\Temp\aeokw.exe

Hooking and other Techniques for Hiding and Protection

Source: explorer.exe User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8E 0xEE 0xE6
Source: C:\Users\user\AppData\Local\Temp\aeokw.exe Code function: 1_2_00D71890 RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 1_2_00D71890
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\aeokw.exe RDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\aeokw.exe RDTSC instruction interceptor: First address: 0000000000409B6E second address: 0000000000409B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\svchost.exe RDTSC instruction interceptor: First address: 0000000002389904 second address: 000000000238990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\svchost.exe RDTSC instruction interceptor: First address: 0000000002389B6E second address: 0000000002389B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\explorer.exe TID: 6084 Thread sleep time: -50000s >= -30000s
Source: C:\Windows\SysWOW64\svchost.exe TID: 2312 Thread sleep time: -40000s >= -30000s
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\svchost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\svchost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\aeokw.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Users\user\AppData\Local\Temp\aeokw.exe Code function: 2_2_00409AA0 rdtsc 2_2_00409AA0
Source: C:\Users\user\AppData\Local\Temp\aeokw.exe API coverage: 4.5 %
Source: C:\Windows\SysWOW64\svchost.exe API coverage: 7.7 %
Source: C:\Users\user\AppData\Local\Temp\aeokw.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Code function: 0_2_00405D7A CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405D7A
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Code function: 0_2_004069A4 FindFirstFileW,FindClose, 0_2_004069A4
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Code function: 0_2_0040290B FindFirstFileW, 0_2_0040290B
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\aeokw.exe API call chain: ExitProcess graph end node
Source: explorer.exe, 00000005.00000000.346368110.00000000051AC000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000005.00000000.305531432.000000000546A000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: =b\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.303730790.00000000051D2000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: -94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}71USER
Source: explorer.exe, 00000005.00000000.270277759.0000000006005000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000005.00000000.290260130.0000000005EAB000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.270277759.0000000006005000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.303730790.00000000051D2000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000005.00000000.270277759.0000000006005000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}ed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday
Source: explorer.exe, 00000005.00000000.268351234.000000000510C000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 00000005.00000000.270277759.0000000006005000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00dRom0cY
Source: C:\Users\user\AppData\Local\Temp\aeokw.exe Code function: 1_2_00D77A95 IsDebuggerPresent, 1_2_00D77A95
Source: C:\Users\user\AppData\Local\Temp\aeokw.exe Code function: 1_2_00D7558A EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 1_2_00D7558A
Source: C:\Users\user\AppData\Local\Temp\aeokw.exe Code function: 1_2_00D786ED __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock, 1_2_00D786ED
Source: C:\Users\user\AppData\Local\Temp\aeokw.exe Code function: 2_2_00409AA0 rdtsc 2_2_00409AA0
Source: C:\Users\user\AppData\Local\Temp\aeokw.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\svchost.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0304A309 mov eax, dword ptr fs:[00000030h] 17_2_0304A309
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0304A309 mov eax, dword ptr fs:[00000030h] 17_2_0304A309
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0304A309 mov eax, dword ptr fs:[00000030h] 17_2_0304A309
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0304A309 mov eax, dword ptr fs:[00000030h] 17_2_0304A309
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0304A309 mov eax, dword ptr fs:[00000030h] 17_2_0304A309
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0304A309 mov eax, dword ptr fs:[00000030h] 17_2_0304A309
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0304A309 mov eax, dword ptr fs:[00000030h] 17_2_0304A309
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0304A309 mov eax, dword ptr fs:[00000030h] 17_2_0304A309
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0304A309 mov eax, dword ptr fs:[00000030h] 17_2_0304A309
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0304A309 mov eax, dword ptr fs:[00000030h] 17_2_0304A309
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0304A309 mov eax, dword ptr fs:[00000030h] 17_2_0304A309
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0304A309 mov eax, dword ptr fs:[00000030h] 17_2_0304A309
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0304A309 mov eax, dword ptr fs:[00000030h] 17_2_0304A309
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0304A309 mov eax, dword ptr fs:[00000030h] 17_2_0304A309
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0304A309 mov eax, dword ptr fs:[00000030h] 17_2_0304A309
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0304A309 mov eax, dword ptr fs:[00000030h] 17_2_0304A309
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0304A309 mov eax, dword ptr fs:[00000030h] 17_2_0304A309
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0304A309 mov eax, dword ptr fs:[00000030h] 17_2_0304A309
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0304A309 mov eax, dword ptr fs:[00000030h] 17_2_0304A309
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0304A309 mov eax, dword ptr fs:[00000030h] 17_2_0304A309
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0304A309 mov eax, dword ptr fs:[00000030h] 17_2_0304A309
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_030E131B mov eax, dword ptr fs:[00000030h] 17_2_030E131B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0302DB40 mov eax, dword ptr fs:[00000030h] 17_2_0302DB40
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_030F8B58 mov eax, dword ptr fs:[00000030h] 17_2_030F8B58
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0302F358 mov eax, dword ptr fs:[00000030h] 17_2_0302F358
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0302DB60 mov ecx, dword ptr fs:[00000030h] 17_2_0302DB60
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03053B7A mov eax, dword ptr fs:[00000030h] 17_2_03053B7A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03053B7A mov eax, dword ptr fs:[00000030h] 17_2_03053B7A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_030E138A mov eax, dword ptr fs:[00000030h] 17_2_030E138A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03031B8F mov eax, dword ptr fs:[00000030h] 17_2_03031B8F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03031B8F mov eax, dword ptr fs:[00000030h] 17_2_03031B8F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_030DD380 mov ecx, dword ptr fs:[00000030h] 17_2_030DD380
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03052397 mov eax, dword ptr fs:[00000030h] 17_2_03052397
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0305B390 mov eax, dword ptr fs:[00000030h] 17_2_0305B390
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03054BAD mov eax, dword ptr fs:[00000030h] 17_2_03054BAD
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03054BAD mov eax, dword ptr fs:[00000030h] 17_2_03054BAD
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03054BAD mov eax, dword ptr fs:[00000030h] 17_2_03054BAD
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_030F5BA5 mov eax, dword ptr fs:[00000030h] 17_2_030F5BA5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_030A53CA mov eax, dword ptr fs:[00000030h] 17_2_030A53CA
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_030A53CA mov eax, dword ptr fs:[00000030h] 17_2_030A53CA
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_030503E2 mov eax, dword ptr fs:[00000030h] 17_2_030503E2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_030503E2 mov eax, dword ptr fs:[00000030h] 17_2_030503E2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_030503E2 mov eax, dword ptr fs:[00000030h] 17_2_030503E2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_030503E2 mov eax, dword ptr fs:[00000030h] 17_2_030503E2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_030503E2 mov eax, dword ptr fs:[00000030h] 17_2_030503E2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_030503E2 mov eax, dword ptr fs:[00000030h] 17_2_030503E2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0304DBE9 mov eax, dword ptr fs:[00000030h] 17_2_0304DBE9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03038A0A mov eax, dword ptr fs:[00000030h] 17_2_03038A0A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03025210 mov eax, dword ptr fs:[00000030h] 17_2_03025210
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03025210 mov ecx, dword ptr fs:[00000030h] 17_2_03025210
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03025210 mov eax, dword ptr fs:[00000030h] 17_2_03025210
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03025210 mov eax, dword ptr fs:[00000030h] 17_2_03025210
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0302AA16 mov eax, dword ptr fs:[00000030h] 17_2_0302AA16
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0302AA16 mov eax, dword ptr fs:[00000030h] 17_2_0302AA16
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03043A1C mov eax, dword ptr fs:[00000030h] 17_2_03043A1C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_030EAA16 mov eax, dword ptr fs:[00000030h] 17_2_030EAA16
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_030EAA16 mov eax, dword ptr fs:[00000030h] 17_2_030EAA16
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03064A2C mov eax, dword ptr fs:[00000030h] 17_2_03064A2C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03064A2C mov eax, dword ptr fs:[00000030h] 17_2_03064A2C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0304A229 mov eax, dword ptr fs:[00000030h] 17_2_0304A229
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0304A229 mov eax, dword ptr fs:[00000030h] 17_2_0304A229
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0304A229 mov eax, dword ptr fs:[00000030h] 17_2_0304A229
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0304A229 mov eax, dword ptr fs:[00000030h] 17_2_0304A229
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0304A229 mov eax, dword ptr fs:[00000030h] 17_2_0304A229
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0304A229 mov eax, dword ptr fs:[00000030h] 17_2_0304A229
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0304A229 mov eax, dword ptr fs:[00000030h] 17_2_0304A229
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0304A229 mov eax, dword ptr fs:[00000030h] 17_2_0304A229
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0304A229 mov eax, dword ptr fs:[00000030h] 17_2_0304A229
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03029240 mov eax, dword ptr fs:[00000030h] 17_2_03029240
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03029240 mov eax, dword ptr fs:[00000030h] 17_2_03029240
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03029240 mov eax, dword ptr fs:[00000030h] 17_2_03029240
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03029240 mov eax, dword ptr fs:[00000030h] 17_2_03029240
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_030EEA55 mov eax, dword ptr fs:[00000030h] 17_2_030EEA55
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_030B4257 mov eax, dword ptr fs:[00000030h] 17_2_030B4257
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_030DB260 mov eax, dword ptr fs:[00000030h] 17_2_030DB260
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_030DB260 mov eax, dword ptr fs:[00000030h] 17_2_030DB260
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_030F8A62 mov eax, dword ptr fs:[00000030h] 17_2_030F8A62
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0306927A mov eax, dword ptr fs:[00000030h] 17_2_0306927A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0305D294 mov eax, dword ptr fs:[00000030h] 17_2_0305D294
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0305D294 mov eax, dword ptr fs:[00000030h] 17_2_0305D294
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_030252A5 mov eax, dword ptr fs:[00000030h] 17_2_030252A5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_030252A5 mov eax, dword ptr fs:[00000030h] 17_2_030252A5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_030252A5 mov eax, dword ptr fs:[00000030h] 17_2_030252A5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_030252A5 mov eax, dword ptr fs:[00000030h] 17_2_030252A5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_030252A5 mov eax, dword ptr fs:[00000030h] 17_2_030252A5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0303AAB0 mov eax, dword ptr fs:[00000030h] 17_2_0303AAB0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0303AAB0 mov eax, dword ptr fs:[00000030h] 17_2_0303AAB0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0305FAB0 mov eax, dword ptr fs:[00000030h] 17_2_0305FAB0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03052ACB mov eax, dword ptr fs:[00000030h] 17_2_03052ACB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03052AE4 mov eax, dword ptr fs:[00000030h] 17_2_03052AE4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03029100 mov eax, dword ptr fs:[00000030h] 17_2_03029100
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03029100 mov eax, dword ptr fs:[00000030h] 17_2_03029100
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03029100 mov eax, dword ptr fs:[00000030h] 17_2_03029100
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03044120 mov eax, dword ptr fs:[00000030h] 17_2_03044120
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03044120 mov eax, dword ptr fs:[00000030h] 17_2_03044120
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03044120 mov eax, dword ptr fs:[00000030h] 17_2_03044120
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03044120 mov eax, dword ptr fs:[00000030h] 17_2_03044120
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03044120 mov ecx, dword ptr fs:[00000030h] 17_2_03044120
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0305513A mov eax, dword ptr fs:[00000030h] 17_2_0305513A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0305513A mov eax, dword ptr fs:[00000030h] 17_2_0305513A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0304B944 mov eax, dword ptr fs:[00000030h] 17_2_0304B944
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0304B944 mov eax, dword ptr fs:[00000030h] 17_2_0304B944
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0302C962 mov eax, dword ptr fs:[00000030h] 17_2_0302C962
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0302B171 mov eax, dword ptr fs:[00000030h] 17_2_0302B171
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0302B171 mov eax, dword ptr fs:[00000030h] 17_2_0302B171
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0305A185 mov eax, dword ptr fs:[00000030h] 17_2_0305A185
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0304C182 mov eax, dword ptr fs:[00000030h] 17_2_0304C182
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03052990 mov eax, dword ptr fs:[00000030h] 17_2_03052990
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_030561A0 mov eax, dword ptr fs:[00000030h] 17_2_030561A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_030561A0 mov eax, dword ptr fs:[00000030h] 17_2_030561A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_030E49A4 mov eax, dword ptr fs:[00000030h] 17_2_030E49A4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_030E49A4 mov eax, dword ptr fs:[00000030h] 17_2_030E49A4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_030E49A4 mov eax, dword ptr fs:[00000030h] 17_2_030E49A4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_030E49A4 mov eax, dword ptr fs:[00000030h] 17_2_030E49A4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_030A69A6 mov eax, dword ptr fs:[00000030h] 17_2_030A69A6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_030A51BE mov eax, dword ptr fs:[00000030h] 17_2_030A51BE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_030A51BE mov eax, dword ptr fs:[00000030h] 17_2_030A51BE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_030A51BE mov eax, dword ptr fs:[00000030h] 17_2_030A51BE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_030A51BE mov eax, dword ptr fs:[00000030h] 17_2_030A51BE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_030499BF mov ecx, dword ptr fs:[00000030h] 17_2_030499BF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_030499BF mov ecx, dword ptr fs:[00000030h] 17_2_030499BF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_030499BF mov eax, dword ptr fs:[00000030h] 17_2_030499BF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_030499BF mov ecx, dword ptr fs:[00000030h] 17_2_030499BF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_030499BF mov ecx, dword ptr fs:[00000030h] 17_2_030499BF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_030499BF mov eax, dword ptr fs:[00000030h] 17_2_030499BF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_030499BF mov ecx, dword ptr fs:[00000030h] 17_2_030499BF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_030499BF mov ecx, dword ptr fs:[00000030h] 17_2_030499BF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_030499BF mov eax, dword ptr fs:[00000030h] 17_2_030499BF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_030499BF mov ecx, dword ptr fs:[00000030h] 17_2_030499BF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_030499BF mov ecx, dword ptr fs:[00000030h] 17_2_030499BF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_030499BF mov eax, dword ptr fs:[00000030h] 17_2_030499BF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_030B41E8 mov eax, dword ptr fs:[00000030h] 17_2_030B41E8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0302B1E1 mov eax, dword ptr fs:[00000030h] 17_2_0302B1E1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0302B1E1 mov eax, dword ptr fs:[00000030h] 17_2_0302B1E1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0302B1E1 mov eax, dword ptr fs:[00000030h] 17_2_0302B1E1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_030F4015 mov eax, dword ptr fs:[00000030h] 17_2_030F4015
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_030F4015 mov eax, dword ptr fs:[00000030h] 17_2_030F4015
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_030A7016 mov eax, dword ptr fs:[00000030h] 17_2_030A7016
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_030A7016 mov eax, dword ptr fs:[00000030h] 17_2_030A7016
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_030A7016 mov eax, dword ptr fs:[00000030h] 17_2_030A7016
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0305002D mov eax, dword ptr fs:[00000030h] 17_2_0305002D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0305002D mov eax, dword ptr fs:[00000030h] 17_2_0305002D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0305002D mov eax, dword ptr fs:[00000030h] 17_2_0305002D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0305002D mov eax, dword ptr fs:[00000030h] 17_2_0305002D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0305002D mov eax, dword ptr fs:[00000030h] 17_2_0305002D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0303B02A mov eax, dword ptr fs:[00000030h] 17_2_0303B02A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0303B02A mov eax, dword ptr fs:[00000030h] 17_2_0303B02A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0303B02A mov eax, dword ptr fs:[00000030h] 17_2_0303B02A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0303B02A mov eax, dword ptr fs:[00000030h] 17_2_0303B02A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0304A830 mov eax, dword ptr fs:[00000030h] 17_2_0304A830
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0304A830 mov eax, dword ptr fs:[00000030h] 17_2_0304A830
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0304A830 mov eax, dword ptr fs:[00000030h] 17_2_0304A830
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0304A830 mov eax, dword ptr fs:[00000030h] 17_2_0304A830
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03040050 mov eax, dword ptr fs:[00000030h] 17_2_03040050
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03040050 mov eax, dword ptr fs:[00000030h] 17_2_03040050
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_030F1074 mov eax, dword ptr fs:[00000030h] 17_2_030F1074
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_030E2073 mov eax, dword ptr fs:[00000030h] 17_2_030E2073
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03029080 mov eax, dword ptr fs:[00000030h] 17_2_03029080
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_030A3884 mov eax, dword ptr fs:[00000030h] 17_2_030A3884
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_030A3884 mov eax, dword ptr fs:[00000030h] 17_2_030A3884
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_030520A0 mov eax, dword ptr fs:[00000030h] 17_2_030520A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_030520A0 mov eax, dword ptr fs:[00000030h] 17_2_030520A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_030520A0 mov eax, dword ptr fs:[00000030h] 17_2_030520A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_030520A0 mov eax, dword ptr fs:[00000030h] 17_2_030520A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_030520A0 mov eax, dword ptr fs:[00000030h] 17_2_030520A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_030520A0 mov eax, dword ptr fs:[00000030h] 17_2_030520A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_030690AF mov eax, dword ptr fs:[00000030h] 17_2_030690AF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0305F0BF mov ecx, dword ptr fs:[00000030h] 17_2_0305F0BF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0305F0BF mov eax, dword ptr fs:[00000030h] 17_2_0305F0BF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0305F0BF mov eax, dword ptr fs:[00000030h] 17_2_0305F0BF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_030BB8D0 mov eax, dword ptr fs:[00000030h] 17_2_030BB8D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_030BB8D0 mov ecx, dword ptr fs:[00000030h] 17_2_030BB8D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_030BB8D0 mov eax, dword ptr fs:[00000030h] 17_2_030BB8D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_030BB8D0 mov eax, dword ptr fs:[00000030h] 17_2_030BB8D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_030BB8D0 mov eax, dword ptr fs:[00000030h] 17_2_030BB8D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_030BB8D0 mov eax, dword ptr fs:[00000030h] 17_2_030BB8D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0304B8E4 mov eax, dword ptr fs:[00000030h] 17_2_0304B8E4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0304B8E4 mov eax, dword ptr fs:[00000030h] 17_2_0304B8E4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_030240E1 mov eax, dword ptr fs:[00000030h] 17_2_030240E1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_030240E1 mov eax, dword ptr fs:[00000030h] 17_2_030240E1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_030240E1 mov eax, dword ptr fs:[00000030h] 17_2_030240E1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_030258EC mov eax, dword ptr fs:[00000030h] 17_2_030258EC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_030F070D mov eax, dword ptr fs:[00000030h] 17_2_030F070D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_030F070D mov eax, dword ptr fs:[00000030h] 17_2_030F070D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0305A70E mov eax, dword ptr fs:[00000030h] 17_2_0305A70E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0304F716 mov eax, dword ptr fs:[00000030h] 17_2_0304F716
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_030BFF10 mov eax, dword ptr fs:[00000030h] 17_2_030BFF10
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03024F2E mov eax, dword ptr fs:[00000030h] 17_2_03024F2E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0305E730 mov eax, dword ptr fs:[00000030h] 17_2_0305E730
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0304B73D mov eax, dword ptr fs:[00000030h] 17_2_0304B73D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0303EF40 mov eax, dword ptr fs:[00000030h] 17_2_0303EF40
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0303FF60 mov eax, dword ptr fs:[00000030h] 17_2_0303FF60
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_030F8F6A mov eax, dword ptr fs:[00000030h] 17_2_030F8F6A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03038794 mov eax, dword ptr fs:[00000030h] 17_2_03038794
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_030A7794 mov eax, dword ptr fs:[00000030h] 17_2_030A7794
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_030637F5 mov eax, dword ptr fs:[00000030h] 17_2_030637F5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0302C600 mov eax, dword ptr fs:[00000030h] 17_2_0302C600
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03058E00 mov eax, dword ptr fs:[00000030h] 17_2_03058E00
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_030E1608 mov eax, dword ptr fs:[00000030h] 17_2_030E1608
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0305A61C mov eax, dword ptr fs:[00000030h] 17_2_0305A61C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0302E620 mov eax, dword ptr fs:[00000030h] 17_2_0302E620
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_030DFE3F mov eax, dword ptr fs:[00000030h] 17_2_030DFE3F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03037E41 mov eax, dword ptr fs:[00000030h] 17_2_03037E41
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_030EAE44 mov eax, dword ptr fs:[00000030h] 17_2_030EAE44
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0303766D mov eax, dword ptr fs:[00000030h] 17_2_0303766D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0304AE73 mov eax, dword ptr fs:[00000030h] 17_2_0304AE73
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_030BFE87 mov eax, dword ptr fs:[00000030h] 17_2_030BFE87
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_030F0EA5 mov eax, dword ptr fs:[00000030h] 17_2_030F0EA5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_030A46A7 mov eax, dword ptr fs:[00000030h] 17_2_030A46A7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03068EC7 mov eax, dword ptr fs:[00000030h] 17_2_03068EC7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_030536CC mov eax, dword ptr fs:[00000030h] 17_2_030536CC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_030DFEC0 mov eax, dword ptr fs:[00000030h] 17_2_030DFEC0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_030F8ED6 mov eax, dword ptr fs:[00000030h] 17_2_030F8ED6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_030376E2 mov eax, dword ptr fs:[00000030h] 17_2_030376E2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_030516E0 mov ecx, dword ptr fs:[00000030h] 17_2_030516E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0302AD30 mov eax, dword ptr fs:[00000030h] 17_2_0302AD30
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03033D34 mov eax, dword ptr fs:[00000030h] 17_2_03033D34
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_030EE539 mov eax, dword ptr fs:[00000030h] 17_2_030EE539
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_030F8D34 mov eax, dword ptr fs:[00000030h] 17_2_030F8D34
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_030AA537 mov eax, dword ptr fs:[00000030h] 17_2_030AA537
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03054D3B mov eax, dword ptr fs:[00000030h] 17_2_03054D3B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03063D43 mov eax, dword ptr fs:[00000030h] 17_2_03063D43
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_030A3540 mov eax, dword ptr fs:[00000030h] 17_2_030A3540
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_030D3D40 mov eax, dword ptr fs:[00000030h] 17_2_030D3D40
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03047D50 mov eax, dword ptr fs:[00000030h] 17_2_03047D50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0304C577 mov eax, dword ptr fs:[00000030h] 17_2_0304C577
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03052581 mov eax, dword ptr fs:[00000030h] 17_2_03052581
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03022D8A mov eax, dword ptr fs:[00000030h] 17_2_03022D8A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0305FD9B mov eax, dword ptr fs:[00000030h] 17_2_0305FD9B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_030F05AC mov eax, dword ptr fs:[00000030h] 17_2_030F05AC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_030535A1 mov eax, dword ptr fs:[00000030h] 17_2_030535A1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03051DB5 mov eax, dword ptr fs:[00000030h] 17_2_03051DB5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_030A6DC9 mov eax, dword ptr fs:[00000030h] 17_2_030A6DC9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_030A6DC9 mov ecx, dword ptr fs:[00000030h] 17_2_030A6DC9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0303D5E0 mov eax, dword ptr fs:[00000030h] 17_2_0303D5E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_030EFDE2 mov eax, dword ptr fs:[00000030h] 17_2_030EFDE2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_030D8DF1 mov eax, dword ptr fs:[00000030h] 17_2_030D8DF1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_030A6C0A mov eax, dword ptr fs:[00000030h] 17_2_030A6C0A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_030F740D mov eax, dword ptr fs:[00000030h] 17_2_030F740D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_030E1C06 mov eax, dword ptr fs:[00000030h] 17_2_030E1C06
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0305BC2C mov eax, dword ptr fs:[00000030h] 17_2_0305BC2C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0305A44B mov eax, dword ptr fs:[00000030h] 17_2_0305A44B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_030BC450 mov eax, dword ptr fs:[00000030h] 17_2_030BC450
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0304746D mov eax, dword ptr fs:[00000030h] 17_2_0304746D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0305AC7B mov eax, dword ptr fs:[00000030h] 17_2_0305AC7B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0303849B mov eax, dword ptr fs:[00000030h] 17_2_0303849B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_030F8CD6 mov eax, dword ptr fs:[00000030h] 17_2_030F8CD6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_030E14FB mov eax, dword ptr fs:[00000030h] 17_2_030E14FB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_030A6CF0 mov eax, dword ptr fs:[00000030h] 17_2_030A6CF0
Source: C:\Users\user\AppData\Local\Temp\aeokw.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\svchost.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\aeokw.exe Code function: 2_2_0040ACE0 LdrLoadDll, 2_2_0040ACE0
Source: C:\Users\user\AppData\Local\Temp\aeokw.exe Code function: 1_2_00D743CC SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_00D743CC
Source: C:\Users\user\AppData\Local\Temp\aeokw.exe Code function: 1_2_00D7439B SetUnhandledExceptionFilter, 1_2_00D7439B
Source: C:\Users\user\AppData\Local\Temp\aeokw.exe Code function: 2_2_00D743CC SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_00D743CC
Source: C:\Users\user\AppData\Local\Temp\aeokw.exe Code function: 2_2_00D7439B SetUnhandledExceptionFilter, 2_2_00D7439B

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\explorer.exe Network Connect: 23.227.38.74 80
Source: C:\Windows\explorer.exe Domain query: www.ultrakill.xyz
Source: C:\Windows\explorer.exe Network Connect: 3.64.163.50 80
Source: C:\Windows\explorer.exe Network Connect: 142.250.185.115 80
Source: C:\Windows\explorer.exe Domain query: www.rtpholywin99.com
Source: C:\Windows\explorer.exe Domain query: www.keilaniclothing.com
Source: C:\Users\user\AppData\Local\Temp\aeokw.exe Section unmapped: C:\Windows\SysWOW64\svchost.exe base address: 2F0000
Source: C:\Users\user\AppData\Local\Temp\aeokw.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\aeokw.exe Section loaded: unknown target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\aeokw.exe Thread APC queued: target process: C:\Windows\explorer.exe
Source: C:\Users\user\AppData\Local\Temp\aeokw.exe Thread register set: target process: 3616
Source: C:\Windows\SysWOW64\svchost.exe Thread register set: target process: 3616
Source: C:\Users\user\AppData\Local\Temp\aeokw.exe Process created: C:\Users\user\AppData\Local\Temp\aeokw.exe C:\Users\user\AppData\Local\Temp\aeokw.exe C:\Users\user\AppData\Local\Temp\fnnok
Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Local\Temp\aeokw.exe"
Source: explorer.exe, 00000005.00000000.284344816.0000000000B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.290054860.0000000005E60000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.342712114.0000000000B50000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000005.00000000.299103436.00000000005C8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.284344816.0000000000B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.342712114.0000000000B50000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000005.00000000.284344816.0000000000B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.342712114.0000000000B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.263202422.0000000000B50000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Program Manager,
Source: explorer.exe, 00000005.00000000.284344816.0000000000B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.342712114.0000000000B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.263202422.0000000000B50000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: C:\Users\user\AppData\Local\Temp\aeokw.exe Code function: 1_2_00D73283 cpuid 1_2_00D73283
Source: C:\Users\user\AppData\Local\Temp\aeokw.exe Code function: 1_2_00D73EC8 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 1_2_00D73EC8
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Code function: 0_2_00403646 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_00403646

Stealing of Sensitive Information

Source: Yara match File source: 2.0.aeokw.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.aeokw.exe.12a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.aeokw.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.aeokw.exe.12a0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.aeokw.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.aeokw.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.aeokw.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.aeokw.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.aeokw.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000000.294568326.000000000E814000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.322163759.0000000000DD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.322197992.0000000001100000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.256268925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.321951084.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.310303298.000000000E814000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.513829968.0000000002E30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.512812495.0000000002380000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.513722693.0000000002E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.258171974.00000000012A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.254937698.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: 2.0.aeokw.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.aeokw.exe.12a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.aeokw.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.aeokw.exe.12a0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.aeokw.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.aeokw.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.aeokw.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.aeokw.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.aeokw.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000000.294568326.000000000E814000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.322163759.0000000000DD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.322197992.0000000001100000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.256268925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.321951084.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.310303298.000000000E814000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.513829968.0000000002E30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.512812495.0000000002380000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.513722693.0000000002E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.258171974.00000000012A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.254937698.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY