Windows Analysis Report
Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe

Overview

General Information

Sample name:	Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe
Analysis ID:	1435817
MD5:	943efcacb9b6e31fd1fb06603641f259
SHA1:	0556c77bab07dd97230df5ebff60b38298e79f25
SHA256:	99ad43415d3fce1de4b15b26893f60e126645f028602a7a0fff9432b99403433
Tags:	exeFormbook
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

System process connects to network (likely due to code injection or exploit)

Yara detected FormBook

Binary is likely a compiled AutoIt script file

C2 URLs / IPs found in malware configuration

Found API chain indicative of sandbox detection

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Tries to detect virtualization through RDTSC time measurements

Writes to foreign memory regions

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Creates processes with suspicious names

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found decision node followed by non-executed suspicious APIs

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Uncommon Svchost Parent Process

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses the system / local time for branch decision (may execute only at specific dates)

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/ https://asec.ahnlab.com/en/32149/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Signatures

AV Detection

Found malware configuration

Source: 00000002.00000002.2134027710.0000000000400000.00000040.80000000.00040000.00000000.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.cincinnatisoup.com/se63/"], "decoy": ["socratesandhisclouds.com", "versioncolor.com", "ytcp011.com", "908511.vip", "egysrvs.com", "ky5682011.cc", "kkuu14.icu", "wavebsb.com", "klikadelivery.com", "jnbxbpq.com", "5o8oh.us", "hemule.net", "techinf.xyz", "bevage.club", "we37h.com", "tipsde.shop", "48136.vip", "bestcampertrailerbrands.com", "fairmedics.in", "quixonic.tech", "aldcr.in", "drepeacewp.com", "odty914.net", "live2move.us", "galeriaspognardi.com", "danauslot.shop", "usapubpong.com", "jingchen.xyz", "xztyvk.xyz", "butimarproductions.com", "wuhangyjs.com", "baddogdigital.com", "mb28apparel.com", "bnkk9o3zrgsy5.quest", "playsolutionsinc.com", "warriors4earth.com", "gastric-balloon-71533.bond", "adptgn.com", "psicologiaparausted.com", "gothecleaningpros.com", "xnc8ki.vip", "908511.vip", "ozr3np.com", "tradingbase.cloud", "36h9.com", "iaobet.net", "6902470365.com", "qasolvers.in", "00047.vip", "massiverole.shop", "used-cars-66201.bond", "baisexual.com", "shoreswimschool.com", "shrike.foo", "shemosservicesllc.net", "electric-cars-97134.bond", "aicryptochain.com", "wg5688.com", "nomades.digital", "thesiamesebetta.store", "abbymartz.com", "kimsnailsii.top", "producepatch.shop", "ebridgereal.site"]}

Multi AV Scanner detection for submitted file

Source: Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	ReversingLabs: Detection: 39%
Source: Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Virustotal: Detection: 33%			Perma Link

Yara detected FormBook

Source: Yara match	File source: 0.2.Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe.f00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe.f00000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2134027710.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3346411214.0000000002B60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2134242987.00000000033D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3346460276.0000000002B90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2065972721.0000000000F00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3346288616.0000000002A50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2134423414.0000000003940000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Machine Learning detection for sample

Source: Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe

Joe Sandbox ML: detected

Uses 32bit PE files

Source: Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: WWAHost.pdb source: svchost.exe, 00000002.00000003.2132631234.0000000005A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2132489099.0000000003B00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2135117487.0000000005C00000.00000040.10000000.00040000.00000000.sdmp, WWAHost.exe, WWAHost.exe, 00000004.00000002.3345986724.0000000000300000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: WWAHost.pdbUGP source: svchost.exe, 00000002.00000003.2132631234.0000000005A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2132489099.0000000003B00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2135117487.0000000005C00000.00000040.10000000.00040000.00000000.sdmp, WWAHost.exe, 00000004.00000002.3345986724.0000000000300000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe, 00000000.00000003.2062048793.0000000003690000.00000004.00001000.00020000.00000000.sdmp, Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe, 00000000.00000003.2061915416.00000000034F0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2064082070.0000000003800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2134570335.0000000003D9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2134570335.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2081720047.0000000003A00000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 00000004.00000002.3347022446.000000000371E000.00000040.00001000.00020000.00000000.sdmp, WWAHost.exe, 00000004.00000003.2134008026.0000000002FE8000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 00000004.00000002.3347022446.0000000003580000.00000040.00001000.00020000.00000000.sdmp, WWAHost.exe, 00000004.00000003.2138554462.00000000033D7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe, 00000000.00000003.2062048793.0000000003690000.00000004.00001000.00020000.00000000.sdmp, Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe, 00000000.00000003.2061915416.00000000034F0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.2064082070.0000000003800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2134570335.0000000003D9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2134570335.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2081720047.0000000003A00000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, WWAHost.exe, 00000004.00000002.3347022446.000000000371E000.00000040.00001000.00020000.00000000.sdmp, WWAHost.exe, 00000004.00000003.2134008026.0000000002FE8000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 00000004.00000002.3347022446.0000000003580000.00000040.00001000.00020000.00000000.sdmp, WWAHost.exe, 00000004.00000003.2138554462.00000000033D7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: explorer.exe, 00000003.00000002.3361543576.000000001097F000.00000004.80000000.00040000.00000000.sdmp, WWAHost.exe, 00000004.00000002.3347535891.0000000003ACF000.00000004.10000000.00040000.00000000.sdmp, WWAHost.exe, 00000004.00000002.3346535807.0000000002C2C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: explorer.exe, 00000003.00000002.3361543576.000000001097F000.00000004.80000000.00040000.00000000.sdmp, WWAHost.exe, 00000004.00000002.3347535891.0000000003ACF000.00000004.10000000.00040000.00000000.sdmp, WWAHost.exe, 00000004.00000002.3346535807.0000000002C2C000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Code function: 0_2_00FDDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00FDDBBE
Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Code function: 0_2_00FAC2A2 FindFirstFileExW,	0_2_00FAC2A2
Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Code function: 0_2_00FE68EE FindFirstFileW,FindClose,	0_2_00FE68EE
Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Code function: 0_2_00FE698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_00FE698F
Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Code function: 0_2_00FDD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00FDD076
Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Code function: 0_2_00FDD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00FDD3A9
Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Code function: 0_2_00FE9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00FE9642
Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Code function: 0_2_00FE979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00FE979D
Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Code function: 0_2_00FE9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00FE9B2B
Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Code function: 0_2_00FE5C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00FE5C97
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_0035212C memset,FindFirstFileW,FindClose,	4_2_0035212C

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 4x nop then pop ebx

2_2_00407B1A

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49706 -> 3.33.130.190:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49708 -> 104.247.82.92:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49709 -> 103.250.7.87:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49710 -> 91.195.240.19:80

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 91.195.240.19 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 103.250.7.87 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 3.33.130.190 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 104.247.82.92 80	Jump to behavior

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.cincinnatisoup.com/se63/

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /se63/?ehr=rYfWuT468Tc67hNM/0Jf+cRzLkrsF889ztcgHk2AEoSHsKvkCcFa8Ph0/RVXDGgWSBfyKpA9WA==&pRxXAB=mnRtohcx_FWp HTTP/1.1Host: www.00047.vipConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /se63/?ehr=bzypT9aUofEMOiCJ/n1OwN3WvEpSepAHdr17450F/ZpFe3vEZBe16OntfEwHG1oOFvdOJvTtYg==&pRxXAB=mnRtohcx_FWp HTTP/1.1Host: www.used-cars-66201.bondConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /se63/?ehr=1WXnfajc616lU+shA8HjLqX5RVgzjKJupeBRQRNuwFmzNdhzMuHtIrXkSWOpVCKlS9sifk+pBg==&pRxXAB=mnRtohcx_FWp HTTP/1.1Host: www.ozr3np.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /se63/?ehr=B/S030DRfbGC/Zs8m6u79oQd9S8Dl4En3dHvcSRMsHDWRaplPHiZfhINSWyXxORHgZbapwifUw==&pRxXAB=mnRtohcx_FWp HTTP/1.1Host: www.adptgn.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 91.195.240.19 91.195.240.19
Source: Joe Sandbox View	IP Address: 3.33.130.190 3.33.130.190
Source: Joe Sandbox View	IP Address: 104.247.82.92 104.247.82.92

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: AMAZONEXPANSIONGB AMAZONEXPANSIONGB
Source: Joe Sandbox View	ASN Name: TEAMINTERNET-CA-ASCA TEAMINTERNET-CA-ASCA
Source: Joe Sandbox View	ASN Name: MYTEK-AS-APDefenseAustraliaNetworkAU MYTEK-AS-APDefenseAustraliaNetworkAU

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe

Code function: 0_2_00FECE44 InternetReadFile,SetEvent,GetLastError,SetEvent,

0_2_00FECE44

Source: global traffic	HTTP traffic detected: GET /se63/?ehr=rYfWuT468Tc67hNM/0Jf+cRzLkrsF889ztcgHk2AEoSHsKvkCcFa8Ph0/RVXDGgWSBfyKpA9WA==&pRxXAB=mnRtohcx_FWp HTTP/1.1Host: www.00047.vipConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /se63/?ehr=bzypT9aUofEMOiCJ/n1OwN3WvEpSepAHdr17450F/ZpFe3vEZBe16OntfEwHG1oOFvdOJvTtYg==&pRxXAB=mnRtohcx_FWp HTTP/1.1Host: www.used-cars-66201.bondConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /se63/?ehr=1WXnfajc616lU+shA8HjLqX5RVgzjKJupeBRQRNuwFmzNdhzMuHtIrXkSWOpVCKlS9sifk+pBg==&pRxXAB=mnRtohcx_FWp HTTP/1.1Host: www.ozr3np.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /se63/?ehr=B/S030DRfbGC/Zs8m6u79oQd9S8Dl4En3dHvcSRMsHDWRaplPHiZfhINSWyXxORHgZbapwifUw==&pRxXAB=mnRtohcx_FWp HTTP/1.1Host: www.adptgn.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: global traffic	DNS traffic detected: DNS query: www.00047.vip
Source: global traffic	DNS traffic detected: DNS query: www.used-cars-66201.bond
Source: global traffic	DNS traffic detected: DNS query: www.ozr3np.com
Source: global traffic	DNS traffic detected: DNS query: www.adptgn.com

Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginxDate: Fri, 03 May 2024 07:15:12 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 Forbiddencontent-length: 93cache-control: no-cachecontent-type: text/htmlconnection: closeData Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 52 65 71 75 65 73 74 20 66 6f 72 62 69 64 64 65 6e 20 62 79 20 61 64 6d 69 6e 69 73 74 72 61 74 69 76 65 20 72 75 6c 65 73 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><body><h1>403 Forbidden</h1>Request forbidden by administrative rules.</body></html>

Source: explorer.exe, 00000003.00000002.3350454896.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3350454896.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2092355402.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2092355402.000000000973C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 00000003.00000002.3350454896.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3350454896.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2092355402.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2092355402.000000000973C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 00000003.00000002.3350454896.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3350454896.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2092355402.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2092355402.000000000973C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 00000003.00000002.3350454896.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3350454896.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2092355402.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2092355402.000000000973C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000003.00000002.3350454896.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2092355402.000000000962B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 00000003.00000002.3349465033.0000000007B60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.2085995888.00000000028A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000002.3349446303.0000000007B50000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: explorer.exe, 00000003.00000002.3360342523.000000000C4E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2983239925.000000000C4E1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.00047.vip
Source: explorer.exe, 00000003.00000002.3360342523.000000000C4E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2983239925.000000000C4E1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.00047.vip/se63/
Source: explorer.exe, 00000003.00000002.3360342523.000000000C4E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2983239925.000000000C4E1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.00047.vip/se63/www.xztyvk.xyz
Source: explorer.exe, 00000003.00000002.3360342523.000000000C4E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2983239925.000000000C4E1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.00047.vipReferer:
Source: explorer.exe, 00000003.00000002.3360342523.000000000C4E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2983239925.000000000C4E1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.adptgn.com
Source: explorer.exe, 00000003.00000002.3360342523.000000000C4E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2983239925.000000000C4E1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.adptgn.com/se63/
Source: explorer.exe, 00000003.00000002.3360342523.000000000C4E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2983239925.000000000C4E1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.adptgn.com/se63/www.butimarproductions.com
Source: explorer.exe, 00000003.00000002.3360342523.000000000C4E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2983239925.000000000C4E1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.adptgn.comReferer:
Source: explorer.exe, 00000003.00000003.2984032743.000000000C40E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2096130628.000000000C354000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075282396.000000000C40C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2982628164.000000000C354000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2983123156.000000000C405000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2983092250.000000000C3E7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000003.00000002.3360342523.000000000C4E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2983239925.000000000C4E1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.butimarproductions.com
Source: explorer.exe, 00000003.00000002.3360342523.000000000C4E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2983239925.000000000C4E1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.butimarproductions.com/se63/
Source: explorer.exe, 00000003.00000002.3360342523.000000000C4E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2983239925.000000000C4E1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.butimarproductions.com/se63/www.mb28apparel.com
Source: explorer.exe, 00000003.00000002.3360342523.000000000C4E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2983239925.000000000C4E1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.butimarproductions.comReferer:
Source: explorer.exe, 00000003.00000002.3360342523.000000000C4E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2983239925.000000000C4E1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.cincinnatisoup.com
Source: explorer.exe, 00000003.00000002.3360342523.000000000C4E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2983239925.000000000C4E1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.cincinnatisoup.com/se63/
Source: explorer.exe, 00000003.00000002.3360342523.000000000C4E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2983239925.000000000C4E1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.cincinnatisoup.com/se63/www.gothecleaningpros.com
Source: explorer.exe, 00000003.00000002.3360342523.000000000C4E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2983239925.000000000C4E1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.cincinnatisoup.comReferer:
Source: explorer.exe, 00000003.00000002.3360342523.000000000C4E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2983239925.000000000C4E1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ebridgereal.site
Source: explorer.exe, 00000003.00000002.3360342523.000000000C4E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2983239925.000000000C4E1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ebridgereal.site/se63/
Source: explorer.exe, 00000003.00000002.3360342523.000000000C4E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2983239925.000000000C4E1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ebridgereal.site/se63/www.nomades.digital
Source: explorer.exe, 00000003.00000002.3360342523.000000000C4E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2983239925.000000000C4E1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ebridgereal.siteReferer:
Source: explorer.exe, 00000003.00000002.3360342523.000000000C4E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2983239925.000000000C4E1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.egysrvs.com
Source: explorer.exe, 00000003.00000002.3360342523.000000000C4E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2983239925.000000000C4E1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.egysrvs.com/se63/
Source: explorer.exe, 00000003.00000002.3360342523.000000000C4E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2983239925.000000000C4E1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.egysrvs.com/se63/www.ebridgereal.site
Source: explorer.exe, 00000003.00000002.3360342523.000000000C4E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2983239925.000000000C4E1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.egysrvs.comReferer:
Source: explorer.exe, 00000003.00000002.3360342523.000000000C4E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2983239925.000000000C4E1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.galeriaspognardi.com
Source: explorer.exe, 00000003.00000002.3360342523.000000000C4E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2983239925.000000000C4E1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.galeriaspognardi.com/se63/
Source: explorer.exe, 00000003.00000002.3360342523.000000000C4E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2983239925.000000000C4E1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.galeriaspognardi.com/se63/www.hemule.net
Source: explorer.exe, 00000003.00000002.3360342523.000000000C4E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2983239925.000000000C4E1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.galeriaspognardi.comReferer:
Source: explorer.exe, 00000003.00000002.3360342523.000000000C4E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2983239925.000000000C4E1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.gothecleaningpros.com
Source: explorer.exe, 00000003.00000002.3360342523.000000000C4E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2983239925.000000000C4E1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.gothecleaningpros.com/se63/
Source: explorer.exe, 00000003.00000002.3360342523.000000000C4E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2983239925.000000000C4E1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.gothecleaningpros.com/se63/www.ky5682011.cc
Source: explorer.exe, 00000003.00000002.3360342523.000000000C4E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2983239925.000000000C4E1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.gothecleaningpros.comReferer:
Source: explorer.exe, 00000003.00000002.3360342523.000000000C4E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2983239925.000000000C4E1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.hemule.net
Source: explorer.exe, 00000003.00000002.3360342523.000000000C4E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2983239925.000000000C4E1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.hemule.net/se63/
Source: explorer.exe, 00000003.00000002.3360342523.000000000C4E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2983239925.000000000C4E1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.hemule.net/se63/www.wg5688.com
Source: explorer.exe, 00000003.00000002.3360342523.000000000C4E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2983239925.000000000C4E1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.hemule.netReferer:
Source: explorer.exe, 00000003.00000002.3360342523.000000000C4E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2983239925.000000000C4E1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ky5682011.cc
Source: explorer.exe, 00000003.00000002.3360342523.000000000C4E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2983239925.000000000C4E1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ky5682011.cc/se63/
Source: explorer.exe, 00000003.00000002.3360342523.000000000C4E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2983239925.000000000C4E1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ky5682011.cc/se63/www.galeriaspognardi.com
Source: explorer.exe, 00000003.00000002.3360342523.000000000C4E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2983239925.000000000C4E1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ky5682011.ccReferer:
Source: explorer.exe, 00000003.00000002.3360342523.000000000C4E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2983239925.000000000C4E1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.mb28apparel.com
Source: explorer.exe, 00000003.00000002.3360342523.000000000C4E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2983239925.000000000C4E1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.mb28apparel.com/se63/
Source: explorer.exe, 00000003.00000002.3360342523.000000000C4E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2983239925.000000000C4E1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.mb28apparel.com/se63/www.cincinnatisoup.com
Source: explorer.exe, 00000003.00000002.3360342523.000000000C4E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2983239925.000000000C4E1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.mb28apparel.comReferer:
Source: explorer.exe, 00000003.00000002.3360342523.000000000C4E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2983239925.000000000C4E1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.nomades.digital
Source: explorer.exe, 00000003.00000003.2983239925.000000000C4E1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.nomades.digital/se63/
Source: explorer.exe, 00000003.00000002.3360342523.000000000C4E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2983239925.000000000C4E1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.nomades.digitalReferer:
Source: explorer.exe, 00000003.00000002.3360342523.000000000C4E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2983239925.000000000C4E1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ozr3np.com
Source: explorer.exe, 00000003.00000002.3360342523.000000000C4E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2983239925.000000000C4E1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ozr3np.com/se63/
Source: explorer.exe, 00000003.00000002.3360342523.000000000C4E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2983239925.000000000C4E1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ozr3np.com/se63/www.adptgn.com
Source: explorer.exe, 00000003.00000002.3360342523.000000000C4E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2983239925.000000000C4E1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ozr3np.comReferer:
Source: explorer.exe, 00000003.00000002.3360342523.000000000C4E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2983239925.000000000C4E1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.used-cars-66201.bond
Source: explorer.exe, 00000003.00000002.3360342523.000000000C4E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2983239925.000000000C4E1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.used-cars-66201.bond/se63/
Source: explorer.exe, 00000003.00000002.3360342523.000000000C4E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2983239925.000000000C4E1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.used-cars-66201.bond/se63/www.ozr3np.com
Source: explorer.exe, 00000003.00000002.3360342523.000000000C4E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2983239925.000000000C4E1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.used-cars-66201.bondReferer:
Source: explorer.exe, 00000003.00000002.3360342523.000000000C4E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2983239925.000000000C4E1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.wg5688.com
Source: explorer.exe, 00000003.00000002.3360342523.000000000C4E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2983239925.000000000C4E1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.wg5688.com/se63/
Source: explorer.exe, 00000003.00000002.3360342523.000000000C4E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2983239925.000000000C4E1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.wg5688.com/se63/www.egysrvs.com
Source: explorer.exe, 00000003.00000002.3360342523.000000000C4E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2983239925.000000000C4E1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.wg5688.comReferer:
Source: explorer.exe, 00000003.00000002.3360342523.000000000C4E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2983239925.000000000C4E1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.xztyvk.xyz
Source: explorer.exe, 00000003.00000002.3360342523.000000000C4E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2983239925.000000000C4E1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.xztyvk.xyz/se63/
Source: explorer.exe, 00000003.00000002.3360342523.000000000C4E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2983239925.000000000C4E1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.xztyvk.xyz/se63/www.used-cars-66201.bond
Source: explorer.exe, 00000003.00000002.3360342523.000000000C4E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2983239925.000000000C4E1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.xztyvk.xyzReferer:
Source: explorer.exe, 00000003.00000002.3350905176.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2093568862.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2979873676.00000000099AB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp
Source: explorer.exe, 00000003.00000002.3355671940.000000000BFDF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2096130628.000000000BFDF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000003.00000002.3350454896.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2092355402.000000000962B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000003.00000002.3350454896.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2092355402.000000000962B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/I
Source: explorer.exe, 00000003.00000002.3350454896.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2092355402.000000000973C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000003.00000002.3350454896.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2092355402.000000000962B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?
Source: explorer.exe, 00000003.00000000.2087504626.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3348591148.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=435B7A89D7D74BDF801F2DA188906BAF&timeOut=5000&oc
Source: explorer.exe, 00000003.00000000.2087504626.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3350454896.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2092355402.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3348591148.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 00000003.00000002.3350454896.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2092355402.000000000973C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.com
Source: explorer.exe, 00000003.00000002.3348591148.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
Source: explorer.exe, 00000003.00000002.3348591148.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehwh2.svg
Source: explorer.exe, 00000003.00000002.3348591148.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
Source: explorer.exe, 00000003.00000002.3348591148.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
Source: explorer.exe, 00000003.00000000.2087504626.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3348591148.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMhz
Source: explorer.exe, 00000003.00000000.2087504626.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3348591148.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMhz-dark
Source: explorer.exe, 00000003.00000002.3356077246.000000000C086000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2983890388.000000000C086000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2096130628.000000000C048000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com-
Source: explorer.exe, 00000003.00000002.3348591148.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
Source: explorer.exe, 00000003.00000000.2087504626.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3348591148.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAzME7S.img
Source: explorer.exe, 00000003.00000002.3356077246.000000000C086000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2983890388.000000000C086000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2096130628.000000000C048000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.come
Source: explorer.exe, 00000003.00000000.2096130628.000000000BFEF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3355671940.000000000BFEF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.comEMd
Source: explorer.exe, 00000003.00000000.2087504626.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3348591148.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000003.00000000.2087504626.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3348591148.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000003.00000002.3350905176.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2093568862.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2979873676.00000000099AB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/e
Source: explorer.exe, 00000003.00000002.3356077246.000000000C086000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2983890388.000000000C086000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2096130628.000000000C048000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.comM
Source: explorer.exe, 00000003.00000000.2087504626.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3348591148.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/10-things-rich-people-never-buy-and-you-shouldn-t-ei
Source: explorer.exe, 00000003.00000000.2087504626.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3348591148.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/money-matters-changing-institution-of-marriage/ar-AA
Source: explorer.exe, 00000003.00000000.2087504626.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3348591148.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/realestate/why-this-florida-city-is-a-safe-haven-from-hurricanes/ar-
Source: explorer.exe, 00000003.00000000.2087504626.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3348591148.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/savingandinvesting/americans-average-net-worth-by-age/ar-AA1h4ngF
Source: explorer.exe, 00000003.00000000.2087504626.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3348591148.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/how-donald-trump-helped-kari-lake-become-arizona-s-and-ameri
Source: explorer.exe, 00000003.00000000.2087504626.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3348591148.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/kevin-mccarthy-s-ouster-as-house-speaker-could-cost-gop-its-
Source: explorer.exe, 00000003.00000000.2087504626.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3348591148.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/republicans-already-barred-trump-from-being-speaker-of-the-h
Source: explorer.exe, 00000003.00000000.2087504626.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3348591148.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/trump-campaign-says-he-raised-more-than-45-million-in-3rd-qu
Source: explorer.exe, 00000003.00000000.2087504626.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3348591148.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/technology/a-federal-emergency-alert-will-be-sent-to-us-phones-nation
Source: explorer.exe, 00000003.00000000.2087504626.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3348591148.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/biden-administration-waives-26-federal-laws-to-allow-border-wall-c
Source: explorer.exe, 00000003.00000000.2087504626.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3348591148.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the
Source: explorer.exe, 00000003.00000000.2087504626.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3348591148.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/world/us-supplies-ukraine-with-a-million-rounds-of-ammunition-seized-
Source: explorer.exe, 00000003.00000000.2087504626.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3348591148.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/travel/news/you-can-t-beat-bobby-flay-s-phoenix-airport-restaurant-one-of-
Source: explorer.exe, 00000003.00000000.2087504626.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3348591148.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/california-s-reservoirs-runneth-over-in-astounding-reve
Source: explorer.exe, 00000003.00000000.2087504626.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3348591148.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com:443/en-us/feed

Contains functionality for read data from the clipboard

Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe

Code function: 0_2_00FEEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00FEEAFF

Contains functionality to modify clipboard data

Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe

Code function: 0_2_00FEED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00FEED6A

Contains functionality to read the clipboard data

Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe

0_2_00FEEAFF

Contains functionality to retrieve information about pressed keystrokes

Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe

Code function: 0_2_00FDAA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_00FDAA57

Potential key logger detected (key state polling based)

Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe

Code function: 0_2_01009576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_01009576

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 0.2.Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe.f00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe.f00000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2134027710.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3346411214.0000000002B60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2134242987.00000000033D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3346460276.0000000002B90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2065972721.0000000000F00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3346288616.0000000002A50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2134423414.0000000003940000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe.f00000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0.2.Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe.f00000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe.f00000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe.f00000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0.2.Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe.f00000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe.f00000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.2134027710.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.2134027710.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.2134027710.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.3346411214.0000000002B60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.3346411214.0000000002B60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.3346411214.0000000002B60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.2134242987.00000000033D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.2134242987.00000000033D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.2134242987.00000000033D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.3346460276.0000000002B90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.3346460276.0000000002B90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.3346460276.0000000002B90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.2065972721.0000000000F00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.2065972721.0000000000F00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.2065972721.0000000000F00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.3346288616.0000000002A50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.3346288616.0000000002A50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.3346288616.0000000002A50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.2134423414.0000000003940000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.2134423414.0000000003940000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.2134423414.0000000003940000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe PID: 6504, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: svchost.exe PID: 5068, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: explorer.exe PID: 4004, type: MEMORYSTR	Matched rule: Semi-Auto-generated - file ironshell.php.txt Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Source: Process Memory Space: WWAHost.exe PID: 1352, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Binary is likely a compiled AutoIt script file

Source: Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe, 00000000.00000002.2066146159.0000000001032000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_79c27d72-9
Source: Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe, 00000000.00000002.2066146159.0000000001032000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_9c22f602-3
Source: Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_ab8b9b71-1
Source: Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_826b8453-2

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe

Contains functionality to call native functions

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041A360 NtCreateFile,	2_2_0041A360
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041A410 NtReadFile,	2_2_0041A410
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041A490 NtClose,	2_2_0041A490
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041A540 NtAllocateVirtualMemory,	2_2_0041A540
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041A35C NtCreateFile,	2_2_0041A35C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041A40A NtReadFile,	2_2_0041A40A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041A48A NtClose,	2_2_0041A48A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	2_2_03C72BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72B60 NtClose,LdrInitializeThunk,	2_2_03C72B60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72AD0 NtReadFile,LdrInitializeThunk,	2_2_03C72AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72FE0 NtCreateFile,LdrInitializeThunk,	2_2_03C72FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72F90 NtProtectVirtualMemory,LdrInitializeThunk,	2_2_03C72F90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72FB0 NtResumeThread,LdrInitializeThunk,	2_2_03C72FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72F30 NtCreateSection,LdrInitializeThunk,	2_2_03C72F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72E80 NtReadVirtualMemory,LdrInitializeThunk,	2_2_03C72E80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,	2_2_03C72EA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72DD0 NtDelayExecution,LdrInitializeThunk,	2_2_03C72DD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72DF0 NtQuerySystemInformation,LdrInitializeThunk,	2_2_03C72DF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72D10 NtMapViewOfSection,LdrInitializeThunk,	2_2_03C72D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72D30 NtUnmapViewOfSection,LdrInitializeThunk,	2_2_03C72D30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72CA0 NtQueryInformationToken,LdrInitializeThunk,	2_2_03C72CA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C74340 NtSetContextThread,	2_2_03C74340
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C74650 NtSuspendThread,	2_2_03C74650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72BE0 NtQueryValueKey,	2_2_03C72BE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72B80 NtQueryInformationFile,	2_2_03C72B80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72BA0 NtEnumerateValueKey,	2_2_03C72BA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72AF0 NtWriteFile,	2_2_03C72AF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72AB0 NtWaitForSingleObject,	2_2_03C72AB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72FA0 NtQuerySection,	2_2_03C72FA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72F60 NtCreateProcessEx,	2_2_03C72F60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72EE0 NtQueueApcThread,	2_2_03C72EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72E30 NtWriteVirtualMemory,	2_2_03C72E30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72DB0 NtEnumerateKey,	2_2_03C72DB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72D00 NtSetInformationFile,	2_2_03C72D00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72CC0 NtQueryVirtualMemory,	2_2_03C72CC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72CF0 NtOpenProcess,	2_2_03C72CF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72C60 NtCreateKey,	2_2_03C72C60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72C70 NtFreeVirtualMemory,	2_2_03C72C70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72C00 NtQueryInformationProcess,	2_2_03C72C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C73090 NtSetValueKey,	2_2_03C73090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C73010 NtOpenDirectoryObject,	2_2_03C73010
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C735C0 NtCreateMutant,	2_2_03C735C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C739B0 NtGetContextThread,	2_2_03C739B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C73D70 NtOpenThread,	2_2_03C73D70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C73D10 NtOpenProcessToken,	2_2_03C73D10
Source: C:\Windows\explorer.exe	Code function: 3_2_1019CE12 NtProtectVirtualMemory,	3_2_1019CE12
Source: C:\Windows\explorer.exe	Code function: 3_2_1019B232 NtCreateFile,	3_2_1019B232
Source: C:\Windows\explorer.exe	Code function: 3_2_1019CE0A NtProtectVirtualMemory,	3_2_1019CE0A
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_0032E0F0 GetCurrentProcess,NtQueryInformationProcess,QuirkIsEnabled,#90,InitOnceExecuteOnce,#157,	4_2_0032E0F0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_00383774 GetCurrentProcess,NtSetInformationProcess,	4_2_00383774
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_003837AC NtQuerySystemInformation,	4_2_003837AC
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_00327E90 NtQueryInformationToken,HeapAlloc,memset,NtQueryInformationToken,RtlInitUnicodeString,RtlCompareUnicodeString,RtlNtStatusToDosErrorNoTeb,RtlNtStatusToDosErrorNoTeb,HeapFree,	4_2_00327E90
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035F2B60 NtClose,LdrInitializeThunk,	4_2_035F2B60
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035F2BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	4_2_035F2BF0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035F2BE0 NtQueryValueKey,LdrInitializeThunk,	4_2_035F2BE0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035F2AD0 NtReadFile,LdrInitializeThunk,	4_2_035F2AD0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035F2F30 NtCreateSection,LdrInitializeThunk,	4_2_035F2F30
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035F2FE0 NtCreateFile,LdrInitializeThunk,	4_2_035F2FE0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035F2EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,	4_2_035F2EA0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035F2D10 NtMapViewOfSection,LdrInitializeThunk,	4_2_035F2D10
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035F2DD0 NtDelayExecution,LdrInitializeThunk,	4_2_035F2DD0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035F2DF0 NtQuerySystemInformation,LdrInitializeThunk,	4_2_035F2DF0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035F2C70 NtFreeVirtualMemory,LdrInitializeThunk,	4_2_035F2C70
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035F2C60 NtCreateKey,LdrInitializeThunk,	4_2_035F2C60
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035F2CA0 NtQueryInformationToken,LdrInitializeThunk,	4_2_035F2CA0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035F35C0 NtCreateMutant,LdrInitializeThunk,	4_2_035F35C0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035F4340 NtSetContextThread,	4_2_035F4340
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035F4650 NtSuspendThread,	4_2_035F4650
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035F2B80 NtQueryInformationFile,	4_2_035F2B80
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035F2BA0 NtEnumerateValueKey,	4_2_035F2BA0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035F2AF0 NtWriteFile,	4_2_035F2AF0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035F2AB0 NtWaitForSingleObject,	4_2_035F2AB0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035F2F60 NtCreateProcessEx,	4_2_035F2F60
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035F2F90 NtProtectVirtualMemory,	4_2_035F2F90
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035F2FB0 NtResumeThread,	4_2_035F2FB0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035F2FA0 NtQuerySection,	4_2_035F2FA0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035F2E30 NtWriteVirtualMemory,	4_2_035F2E30
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035F2EE0 NtQueueApcThread,	4_2_035F2EE0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035F2E80 NtReadVirtualMemory,	4_2_035F2E80
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035F2D00 NtSetInformationFile,	4_2_035F2D00
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035F2D30 NtUnmapViewOfSection,	4_2_035F2D30
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035F2DB0 NtEnumerateKey,	4_2_035F2DB0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035F2C00 NtQueryInformationProcess,	4_2_035F2C00
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035F2CC0 NtQueryVirtualMemory,	4_2_035F2CC0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035F2CF0 NtOpenProcess,	4_2_035F2CF0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035F3010 NtOpenDirectoryObject,	4_2_035F3010
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035F3090 NtSetValueKey,	4_2_035F3090
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035F39B0 NtGetContextThread,	4_2_035F39B0

Contains functionality to communicate with device drivers

Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe

Code function: 0_2_00FDD5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_00FDD5EB

Contains functionality to launch a process as a different user

Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe

Code function: 0_2_00FD1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00FD1201

Contains functionality to shutdown / reboot the system

Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe

Code function: 0_2_00FDE8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_00FDE8F6

Detected potential crypto function

Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Code function: 0_2_00F78060	0_2_00F78060
Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Code function: 0_2_00FE2046	0_2_00FE2046
Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Code function: 0_2_00FD8298	0_2_00FD8298
Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Code function: 0_2_00FAE4FF	0_2_00FAE4FF
Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Code function: 0_2_00FA676B	0_2_00FA676B
Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Code function: 0_2_01004873	0_2_01004873
Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Code function: 0_2_00F7CAF0	0_2_00F7CAF0
Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Code function: 0_2_00F9CAA0	0_2_00F9CAA0
Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Code function: 0_2_00F8CC39	0_2_00F8CC39
Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Code function: 0_2_00FA6DD9	0_2_00FA6DD9
Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Code function: 0_2_00F791C0	0_2_00F791C0
Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Code function: 0_2_00F8B119	0_2_00F8B119
Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Code function: 0_2_00F91394	0_2_00F91394
Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Code function: 0_2_00F9781B	0_2_00F9781B
Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Code function: 0_2_00F8997D	0_2_00F8997D
Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Code function: 0_2_00F77920	0_2_00F77920
Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Code function: 0_2_00F97A4A	0_2_00F97A4A
Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Code function: 0_2_00F97CA7	0_2_00F97CA7
Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Code function: 0_2_00FA9EEE	0_2_00FA9EEE
Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Code function: 0_2_00FFBE44	0_2_00FFBE44
Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Code function: 0_2_00EF3690	0_2_00EF3690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00401030	2_2_00401030
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041EB9F	2_2_0041EB9F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041E511	2_2_0041E511
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402D90	2_2_00402D90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00409E60	2_2_00409E60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041DFC1	2_2_0041DFC1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402FB0	2_2_00402FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C4E3F0	2_2_03C4E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03D003E6	2_2_03D003E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CFA352	2_2_03CFA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CC02C0	2_2_03CC02C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE0274	2_2_03CE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CF81CC	2_2_03CF81CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CF41A2	2_2_03CF41A2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03D001AA	2_2_03D001AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CC8158	2_2_03CC8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C30100	2_2_03C30100
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CDA118	2_2_03CDA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CD2000	2_2_03CD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3C7C0	2_2_03C3C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C64750	2_2_03C64750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40770	2_2_03C40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5C6E0	2_2_03C5C6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03D00591	2_2_03D00591
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40535	2_2_03C40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CEE4F6	2_2_03CEE4F6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CF2446	2_2_03CF2446
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE4420	2_2_03CE4420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CF6BD7	2_2_03CF6BD7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CFAB40	2_2_03CFAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3EA80	2_2_03C3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C429A0	2_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03D0A9A6	2_2_03D0A9A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C56962	2_2_03C56962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6E8F0	2_2_03C6E8F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C268B8	2_2_03C268B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C4A840	2_2_03C4A840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C42840	2_2_03C42840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C32FC8	2_2_03C32FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C4CFE0	2_2_03C4CFE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CBEFA0	2_2_03CBEFA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB4F40	2_2_03CB4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C82F28	2_2_03C82F28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C60F30	2_2_03C60F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE2F30	2_2_03CE2F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CFEEDB	2_2_03CFEEDB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C52E90	2_2_03C52E90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CFCE93	2_2_03CFCE93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40E59	2_2_03C40E59
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CFEE26	2_2_03CFEE26
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3ADE0	2_2_03C3ADE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C58DBF	2_2_03C58DBF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C4AD00	2_2_03C4AD00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CDCD1F	2_2_03CDCD1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C30CF2	2_2_03C30CF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE0CB5	2_2_03CE0CB5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40C00	2_2_03C40C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C8739A	2_2_03C8739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2D34C	2_2_03C2D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CF132D	2_2_03CF132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5B2C0	2_2_03C5B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE12ED	2_2_03CE12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C452A0	2_2_03C452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C4B1B0	2_2_03C4B1B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C7516C	2_2_03C7516C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2F172	2_2_03C2F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03D0B16B	2_2_03D0B16B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CEF0CC	2_2_03CEF0CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C470C0	2_2_03C470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CF70E9	2_2_03CF70E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CFF0E0	2_2_03CFF0E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CFF7B0	2_2_03CFF7B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CF16CC	2_2_03CF16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CDD5B0	2_2_03CDD5B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CF7571	2_2_03CF7571
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C31460	2_2_03C31460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CFF43F	2_2_03CFF43F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB5BF0	2_2_03CB5BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C7DBF9	2_2_03C7DBF9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5FB80	2_2_03C5FB80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CFFB76	2_2_03CFFB76
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CEDAC6	2_2_03CEDAC6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CDDAAC	2_2_03CDDAAC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C85AA0	2_2_03C85AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE1AA3	2_2_03CE1AA3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CFFA49	2_2_03CFFA49
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CF7A46	2_2_03CF7A46
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB3A6C	2_2_03CB3A6C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C49950	2_2_03C49950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5B950	2_2_03C5B950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CD5910	2_2_03CD5910
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C438E0	2_2_03C438E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CAD800	2_2_03CAD800
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C41F92	2_2_03C41F92
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CFFFB1	2_2_03CFFFB1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CFFF09	2_2_03CFFF09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C49EB0	2_2_03C49EB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5FDC0	2_2_03C5FDC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C43D40	2_2_03C43D40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CF1D5A	2_2_03CF1D5A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CF7D73	2_2_03CF7D73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CFFCF2	2_2_03CFFCF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB9C32	2_2_03CB9C32
Source: C:\Windows\explorer.exe	Code function: 3_2_1019B232	3_2_1019B232
Source: C:\Windows\explorer.exe	Code function: 3_2_1019A036	3_2_1019A036
Source: C:\Windows\explorer.exe	Code function: 3_2_10191082	3_2_10191082
Source: C:\Windows\explorer.exe	Code function: 3_2_10198912	3_2_10198912
Source: C:\Windows\explorer.exe	Code function: 3_2_10192D02	3_2_10192D02
Source: C:\Windows\explorer.exe	Code function: 3_2_10195B30	3_2_10195B30
Source: C:\Windows\explorer.exe	Code function: 3_2_10195B32	3_2_10195B32
Source: C:\Windows\explorer.exe	Code function: 3_2_1019E5CD	3_2_1019E5CD
Source: C:\Windows\explorer.exe	Code function: 3_2_106D1036	3_2_106D1036
Source: C:\Windows\explorer.exe	Code function: 3_2_106C8082	3_2_106C8082
Source: C:\Windows\explorer.exe	Code function: 3_2_106C9D02	3_2_106C9D02
Source: C:\Windows\explorer.exe	Code function: 3_2_106CF912	3_2_106CF912
Source: C:\Windows\explorer.exe	Code function: 3_2_106D55CD	3_2_106D55CD
Source: C:\Windows\explorer.exe	Code function: 3_2_106D2232	3_2_106D2232
Source: C:\Windows\explorer.exe	Code function: 3_2_106CCB30	3_2_106CCB30
Source: C:\Windows\explorer.exe	Code function: 3_2_106CCB32	3_2_106CCB32
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_00340090	4_2_00340090
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_00306BA3	4_2_00306BA3
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_00306BA8	4_2_00306BA8
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_00344CE0	4_2_00344CE0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_00350EF0	4_2_00350EF0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_00307036	4_2_00307036
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_00351337	4_2_00351337
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_0367A352	4_2_0367A352
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_036803E6	4_2_036803E6
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035CE3F0	4_2_035CE3F0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_03660274	4_2_03660274
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_036402C0	4_2_036402C0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_03648158	4_2_03648158
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035B0100	4_2_035B0100
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_0365A118	4_2_0365A118
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_036781CC	4_2_036781CC
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_036801AA	4_2_036801AA
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_036741A2	4_2_036741A2
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_03652000	4_2_03652000
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035E4750	4_2_035E4750
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035C0770	4_2_035C0770
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035BC7C0	4_2_035BC7C0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035DC6E0	4_2_035DC6E0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035C0535	4_2_035C0535
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_03680591	4_2_03680591
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_03672446	4_2_03672446
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_03664420	4_2_03664420
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_0366E4F6	4_2_0366E4F6
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_0367AB40	4_2_0367AB40
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_03676BD7	4_2_03676BD7
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035BEA80	4_2_035BEA80
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035D6962	4_2_035D6962
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_0368A9A6	4_2_0368A9A6
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035C29A0	4_2_035C29A0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035CA840	4_2_035CA840
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035C2840	4_2_035C2840
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035EE8F0	4_2_035EE8F0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035A68B8	4_2_035A68B8
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_03634F40	4_2_03634F40
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_03602F28	4_2_03602F28
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_03662F30	4_2_03662F30
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035E0F30	4_2_035E0F30
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035B2FC8	4_2_035B2FC8
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035CCFE0	4_2_035CCFE0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_0363EFA0	4_2_0363EFA0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035C0E59	4_2_035C0E59
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_0367EE26	4_2_0367EE26
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_0367EEDB	4_2_0367EEDB
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035D2E90	4_2_035D2E90
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_0367CE93	4_2_0367CE93
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035CAD00	4_2_035CAD00
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_0365CD1F	4_2_0365CD1F
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035BADE0	4_2_035BADE0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035D8DBF	4_2_035D8DBF
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035C0C00	4_2_035C0C00
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035B0CF2	4_2_035B0CF2
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_03660CB5	4_2_03660CB5
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035AD34C	4_2_035AD34C
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_0367132D	4_2_0367132D
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_0360739A	4_2_0360739A
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_036612ED	4_2_036612ED
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035DB2C0	4_2_035DB2C0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035C52A0	4_2_035C52A0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_0368B16B	4_2_0368B16B
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035AF172	4_2_035AF172
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035F516C	4_2_035F516C
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035CB1B0	4_2_035CB1B0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_0367F0E0	4_2_0367F0E0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_036770E9	4_2_036770E9
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035C70C0	4_2_035C70C0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_0366F0CC	4_2_0366F0CC
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_0367F7B0	4_2_0367F7B0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_03605630	4_2_03605630
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_036716CC	4_2_036716CC
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_03677571	4_2_03677571
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_036895C3	4_2_036895C3
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_0365D5B0	4_2_0365D5B0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035B1460	4_2_035B1460
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_0367F43F	4_2_0367F43F
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_0367FB76	4_2_0367FB76
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_03635BF0	4_2_03635BF0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035FDBF9	4_2_035FDBF9
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035DFB80	4_2_035DFB80
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_03633A6C	4_2_03633A6C
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_03677A46	4_2_03677A46
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_0367FA49	4_2_0367FA49
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_0366DAC6	4_2_0366DAC6
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_03605AA0	4_2_03605AA0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_03661AA3	4_2_03661AA3
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_0365DAAC	4_2_0365DAAC
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035C9950	4_2_035C9950
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035DB950	4_2_035DB950
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_03655910	4_2_03655910

Found potential string decryption / allocating functions

Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03C87E54 appears 102 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03CBF290 appears 105 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03C75130 appears 58 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03C2B970 appears 280 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03CAEA12 appears 86 times
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: String function: 0362EA12 appears 73 times
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: String function: 0035318B appears 128 times
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: String function: 00372F80 appears 923 times
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: String function: 03607E54 appears 94 times
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: String function: 0034E951 appears 387 times
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: String function: 035AB970 appears 229 times
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: String function: 035F5130 appears 54 times
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: String function: 00374C81 appears 35 times
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: String function: 00374FF1 appears 138 times
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: String function: 0363F290 appears 97 times
Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Code function: String function: 00F8F9F2 appears 40 times
Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Code function: String function: 00F79CB3 appears 31 times
Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Code function: String function: 00F90A30 appears 46 times

Sample file is different than original file name gathered from version info

Source: Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe, 00000000.00000003.2062355239.0000000003613000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe
Source: Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe, 00000000.00000003.2063229444.00000000037BD000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe

Uses 32bit PE files

Source: Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Yara signature match

Source: 0.2.Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe.f00000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0.2.Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe.f00000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe.f00000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe.f00000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0.2.Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe.f00000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe.f00000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.2134027710.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.2134027710.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.2134027710.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.3346411214.0000000002B60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.3346411214.0000000002B60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.3346411214.0000000002B60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.2134242987.00000000033D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.2134242987.00000000033D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.2134242987.00000000033D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.3346460276.0000000002B90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.3346460276.0000000002B90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.3346460276.0000000002B90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.2065972721.0000000000F00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.2065972721.0000000000F00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.2065972721.0000000000F00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.3346288616.0000000002A50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.3346288616.0000000002A50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.3346288616.0000000002A50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.2134423414.0000000003940000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.2134423414.0000000003940000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.2134423414.0000000003940000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe PID: 6504, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: svchost.exe PID: 5068, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: explorer.exe PID: 4004, type: MEMORYSTR	Matched rule: ironshell_php author = Neo23x0 Yara BRG + customization by Stefan -dfate- Molls, description = Semi-Auto-generated - file ironshell.php.txt, hash = 8bfa2eeb8a3ff6afc619258e39fded56
Source: Process Memory Space: WWAHost.exe PID: 1352, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.evad.winEXE@8/4@4/4

Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe

Code function: 0_2_00FE37B5 GetLastError,FormatMessageW,

0_2_00FE37B5

Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Code function: 0_2_00FD10BF AdjustTokenPrivileges,CloseHandle,		0_2_00FD10BF
Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Code function: 0_2_00FD16C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_00FD16C3

Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe

Code function: 0_2_00FE51CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_00FE51CD

Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe

Code function: 0_2_00FFA67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_00FFA67C

Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe

Code function: 0_2_00FE648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_00FE648E

Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe

Code function: 0_2_00F742A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00F742A2

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5072:120:WilError_03

Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe

File created: C:\Users\user\AppData\Local\Temp\aut4EA4.tmp

Jump to behavior

Source: Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	ReversingLabs: Detection: 39%
Source: Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Virustotal: Detection: 33%

Source: unknown	Process created: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe "C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe"
Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\WWAHost.exe "C:\Windows\SysWOW64\WWAHost.exe"
Source: C:\Windows\SysWOW64\WWAHost.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\svchost.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\WWAHost.exe "C:\Windows\SysWOW64\WWAHost.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WWAHost.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\svchost.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.cloudstore.schema.shell.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WWAHost.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WWAHost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WWAHost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WWAHost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WWAHost.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WWAHost.exe	Section loaded: wininet.dll	Jump to behavior

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{50CE75BC-766C-4136-BF5E-9197AA23569E}\InProcServer32

Jump to behavior

Source: Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe

Static file information: File size 1190912 > 1048576

Source: Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: WWAHost.pdb source: svchost.exe, 00000002.00000003.2132631234.0000000005A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2132489099.0000000003B00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2135117487.0000000005C00000.00000040.10000000.00040000.00000000.sdmp, WWAHost.exe, WWAHost.exe, 00000004.00000002.3345986724.0000000000300000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: WWAHost.pdbUGP source: svchost.exe, 00000002.00000003.2132631234.0000000005A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2132489099.0000000003B00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2135117487.0000000005C00000.00000040.10000000.00040000.00000000.sdmp, WWAHost.exe, 00000004.00000002.3345986724.0000000000300000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe, 00000000.00000003.2062048793.0000000003690000.00000004.00001000.00020000.00000000.sdmp, Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe, 00000000.00000003.2061915416.00000000034F0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2064082070.0000000003800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2134570335.0000000003D9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2134570335.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2081720047.0000000003A00000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 00000004.00000002.3347022446.000000000371E000.00000040.00001000.00020000.00000000.sdmp, WWAHost.exe, 00000004.00000003.2134008026.0000000002FE8000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 00000004.00000002.3347022446.0000000003580000.00000040.00001000.00020000.00000000.sdmp, WWAHost.exe, 00000004.00000003.2138554462.00000000033D7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe, 00000000.00000003.2062048793.0000000003690000.00000004.00001000.00020000.00000000.sdmp, Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe, 00000000.00000003.2061915416.00000000034F0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.2064082070.0000000003800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2134570335.0000000003D9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2134570335.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2081720047.0000000003A00000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, WWAHost.exe, 00000004.00000002.3347022446.000000000371E000.00000040.00001000.00020000.00000000.sdmp, WWAHost.exe, 00000004.00000003.2134008026.0000000002FE8000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 00000004.00000002.3347022446.0000000003580000.00000040.00001000.00020000.00000000.sdmp, WWAHost.exe, 00000004.00000003.2138554462.00000000033D7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: explorer.exe, 00000003.00000002.3361543576.000000001097F000.00000004.80000000.00040000.00000000.sdmp, WWAHost.exe, 00000004.00000002.3347535891.0000000003ACF000.00000004.10000000.00040000.00000000.sdmp, WWAHost.exe, 00000004.00000002.3346535807.0000000002C2C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: explorer.exe, 00000003.00000002.3361543576.000000001097F000.00000004.80000000.00040000.00000000.sdmp, WWAHost.exe, 00000004.00000002.3347535891.0000000003ACF000.00000004.10000000.00040000.00000000.sdmp, WWAHost.exe, 00000004.00000002.3346535807.0000000002C2C000.00000004.00000020.00020000.00000000.sdmp

Source: Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe

Code function: 0_2_00F742DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00F742DE

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Code function: 0_2_00F90A76 push ecx; ret	0_2_00F90A89
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00416820 pushfd ; iretd	2_2_00416821
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00417BBB pushad ; retf	2_2_00417BBC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041D4B5 push eax; ret	2_2_0041D508
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041D56C push eax; ret	2_2_0041D572
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041D502 push eax; ret	2_2_0041D508
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041D50B push eax; ret	2_2_0041D572
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040AFA3 push 0000001Dh; retf	2_2_0040AFA6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C309AD push ecx; mov dword ptr [esp], ecx	2_2_03C309B6
Source: C:\Windows\explorer.exe	Code function: 3_2_1019EB1E push esp; retn 0000h	3_2_1019EB1F
Source: C:\Windows\explorer.exe	Code function: 3_2_1019EB02 push esp; retn 0000h	3_2_1019EB03
Source: C:\Windows\explorer.exe	Code function: 3_2_1019E9B5 push esp; retn 0000h	3_2_1019EAE7
Source: C:\Windows\explorer.exe	Code function: 3_2_106D59B5 push esp; retn 0000h	3_2_106D5AE7
Source: C:\Windows\explorer.exe	Code function: 3_2_106D5B02 push esp; retn 0000h	3_2_106D5B03
Source: C:\Windows\explorer.exe	Code function: 3_2_106D5B1E push esp; retn 0000h	3_2_106D5B1F
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_00306F7C push eax; retf	4_2_00306F85
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_00307036 push eax; retf	4_2_00307EF1
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_00307026 pushad ; iretd	4_2_00307029
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_00353168 push ecx; ret	4_2_0035317B
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_00309431 push ds; iretd	4_2_00309432
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_00309537 push esi; retf	4_2_0030954C
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_0030959A push CFE2086Ah; ret	4_2_003095AB
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_003096FD push ds; iretd	4_2_003096FE
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_00307CEA push eax; retf	4_2_00307EF1
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_0358225F pushad ; ret	4_2_035827F9
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035827FA pushad ; ret	4_2_035827F9
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035B09AD push ecx; mov dword ptr [esp], ecx	4_2_035B09B6
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_0358283D push eax; iretd	4_2_03582858
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_0358135E push eax; iretd	4_2_03581369

Creates processes with suspicious names

Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	File created: \purchase order for consumables eltra 008363725_9645364782_1197653623_836652746_22994644.exe
Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	File created: \purchase order for consumables eltra 008363725_9645364782_1197653623_836652746_22994644.exe			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Modifies the prolog of user mode functions (user mode inline hooks)

Source: explorer.exe

User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8B 0xBE 0xE4

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Code function: 0_2_00F8F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00F8F98E
Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Code function: 0_2_01001C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_01001C41

Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WWAHost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

Tries to detect virtualization through RDTSC time measurements

Source: C:\Windows\SysWOW64\svchost.exe	RDTSC instruction interceptor: First address: 409904 second address: 40990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\svchost.exe	RDTSC instruction interceptor: First address: 409B7E second address: 409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\WWAHost.exe	RDTSC instruction interceptor: First address: 2A59904 second address: 2A5990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\WWAHost.exe	RDTSC instruction interceptor: First address: 2A59B7E second address: 2A59B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_00409AB0 rdtsc

2_2_00409AB0

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 2998	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 6950	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 882	Jump to behavior
Source: C:\Windows\SysWOW64\WWAHost.exe	Window / User API: threadDelayed 6539	Jump to behavior
Source: C:\Windows\SysWOW64\WWAHost.exe	Window / User API: threadDelayed 3428	Jump to behavior

Found decision node followed by non-executed suspicious APIs

Source: C:\Windows\explorer.exe

Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

Found large amount of non-executed APIs

Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	API coverage: 3.8 %
Source: C:\Windows\SysWOW64\svchost.exe	API coverage: 1.7 %
Source: C:\Windows\SysWOW64\WWAHost.exe	API coverage: 0.5 %

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\explorer.exe TID: 5788	Thread sleep count: 2998 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 5788	Thread sleep time: -5996000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 5788	Thread sleep count: 6950 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 5788	Thread sleep time: -13900000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WWAHost.exe TID: 7112	Thread sleep count: 6539 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WWAHost.exe TID: 7112	Thread sleep time: -13078000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WWAHost.exe TID: 7112	Thread sleep count: 3428 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WWAHost.exe TID: 7112	Thread sleep time: -6856000s >= -30000s	Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\SysWOW64\WWAHost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\WWAHost.exe	Last function: Thread delayed

Uses the system / local time for branch decision (may execute only at specific dates)

Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_0034B120 GetSystemTimeAsFileTime followed by cmp: cmp dword ptr [esi+000000a4h], 03h and CTI: je 00371D18h		4_2_0034B120
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_00329760 GetSystemTimeAsFileTime followed by cmp: cmp al, 01h and CTI: jne 00329886h		4_2_00329760

Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Code function: 0_2_00FDDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00FDDBBE
Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Code function: 0_2_00FAC2A2 FindFirstFileExW,	0_2_00FAC2A2
Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Code function: 0_2_00FE68EE FindFirstFileW,FindClose,	0_2_00FE68EE
Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Code function: 0_2_00FE698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_00FE698F
Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Code function: 0_2_00FDD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00FDD076
Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Code function: 0_2_00FDD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00FDD3A9
Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Code function: 0_2_00FE9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00FE9642
Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Code function: 0_2_00FE979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00FE979D
Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Code function: 0_2_00FE9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00FE9B2B
Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Code function: 0_2_00FE5C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00FE5C97
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_0035212C memset,FindFirstFileW,FindClose,	4_2_0035212C

Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe

Code function: 0_2_00F742DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00F742DE

Source: explorer.exe, 00000003.00000003.2983092250.000000000C3E7000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&00000
Source: explorer.exe, 00000003.00000002.3350454896.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2092355402.000000000962B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWystem32\DriverStore\en-US\msmouse.inf_locv
Source: explorer.exe, 00000003.00000003.2979873676.00000000097F3000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000003.00000002.3350454896.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2092355402.000000000973C000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWws
Source: explorer.exe, 00000003.00000002.3359920361.000000000C420000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: 806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}0J
Source: explorer.exe, 00000003.00000003.2979873676.00000000098AD000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}RoamingCom
Source: explorer.exe, 00000003.00000002.3350454896.0000000009605000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NXTVMWare
Source: explorer.exe, 00000003.00000003.2983092250.000000000C3E7000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: 6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef
Source: explorer.exe, 00000003.00000002.3346181735.0000000000D99000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: #CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000003.00000002.3350454896.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2092355402.000000000978C000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000003.00000002.3346181735.0000000000D99000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000W
Source: explorer.exe, 00000003.00000003.2983092250.000000000C3E7000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000003.00000002.3348591148.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: explorer.exe, 00000003.00000003.2979873676.00000000098AD000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}lnkramW6
Source: explorer.exe, 00000003.00000002.3346181735.0000000000D99000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 00000003.00000003.2979873676.00000000098AD000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
Source: explorer.exe, 00000003.00000002.3346181735.0000000000D99000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Windows\SysWOW64\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Checks if the current process is being debugged

Source: C:\Windows\SysWOW64\svchost.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\WWAHost.exe	Process queried: DebugPort			Jump to behavior

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_00409AB0 rdtsc

2_2_00409AB0

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_0040ACF0 LdrLoadDll,

2_2_0040ACF0

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe

Code function: 0_2_00FEEAA2 BlockInput,

0_2_00FEEAA2

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe

Code function: 0_2_00FA2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00FA2622

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe

Code function: 0_2_00F742DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00F742DE

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Code function: 0_2_00F94CE8 mov eax, dword ptr fs:[00000030h]	0_2_00F94CE8
Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Code function: 0_2_00EF3580 mov eax, dword ptr fs:[00000030h]	0_2_00EF3580
Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Code function: 0_2_00EF3520 mov eax, dword ptr fs:[00000030h]	0_2_00EF3520
Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Code function: 0_2_00EF1ED0 mov eax, dword ptr fs:[00000030h]	0_2_00EF1ED0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CEC3CD mov eax, dword ptr fs:[00000030h]	2_2_03CEC3CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3A3C0 mov eax, dword ptr fs:[00000030h]	2_2_03C3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3A3C0 mov eax, dword ptr fs:[00000030h]	2_2_03C3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3A3C0 mov eax, dword ptr fs:[00000030h]	2_2_03C3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3A3C0 mov eax, dword ptr fs:[00000030h]	2_2_03C3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3A3C0 mov eax, dword ptr fs:[00000030h]	2_2_03C3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3A3C0 mov eax, dword ptr fs:[00000030h]	2_2_03C3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C383C0 mov eax, dword ptr fs:[00000030h]	2_2_03C383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C383C0 mov eax, dword ptr fs:[00000030h]	2_2_03C383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C383C0 mov eax, dword ptr fs:[00000030h]	2_2_03C383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C383C0 mov eax, dword ptr fs:[00000030h]	2_2_03C383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB63C0 mov eax, dword ptr fs:[00000030h]	2_2_03CB63C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CDE3DB mov eax, dword ptr fs:[00000030h]	2_2_03CDE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CDE3DB mov eax, dword ptr fs:[00000030h]	2_2_03CDE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CDE3DB mov ecx, dword ptr fs:[00000030h]	2_2_03CDE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CDE3DB mov eax, dword ptr fs:[00000030h]	2_2_03CDE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CD43D4 mov eax, dword ptr fs:[00000030h]	2_2_03CD43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CD43D4 mov eax, dword ptr fs:[00000030h]	2_2_03CD43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C403E9 mov eax, dword ptr fs:[00000030h]	2_2_03C403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C403E9 mov eax, dword ptr fs:[00000030h]	2_2_03C403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C403E9 mov eax, dword ptr fs:[00000030h]	2_2_03C403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C403E9 mov eax, dword ptr fs:[00000030h]	2_2_03C403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C403E9 mov eax, dword ptr fs:[00000030h]	2_2_03C403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C403E9 mov eax, dword ptr fs:[00000030h]	2_2_03C403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C403E9 mov eax, dword ptr fs:[00000030h]	2_2_03C403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C403E9 mov eax, dword ptr fs:[00000030h]	2_2_03C403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C4E3F0 mov eax, dword ptr fs:[00000030h]	2_2_03C4E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C4E3F0 mov eax, dword ptr fs:[00000030h]	2_2_03C4E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C4E3F0 mov eax, dword ptr fs:[00000030h]	2_2_03C4E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C663FF mov eax, dword ptr fs:[00000030h]	2_2_03C663FF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2E388 mov eax, dword ptr fs:[00000030h]	2_2_03C2E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2E388 mov eax, dword ptr fs:[00000030h]	2_2_03C2E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2E388 mov eax, dword ptr fs:[00000030h]	2_2_03C2E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5438F mov eax, dword ptr fs:[00000030h]	2_2_03C5438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5438F mov eax, dword ptr fs:[00000030h]	2_2_03C5438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C28397 mov eax, dword ptr fs:[00000030h]	2_2_03C28397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C28397 mov eax, dword ptr fs:[00000030h]	2_2_03C28397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C28397 mov eax, dword ptr fs:[00000030h]	2_2_03C28397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h]	2_2_03CB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h]	2_2_03CB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h]	2_2_03CB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h]	2_2_03CB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h]	2_2_03CB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h]	2_2_03CB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h]	2_2_03CB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h]	2_2_03CB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h]	2_2_03CB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h]	2_2_03CB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h]	2_2_03CB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h]	2_2_03CB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h]	2_2_03CB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h]	2_2_03CB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h]	2_2_03CB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB035C mov eax, dword ptr fs:[00000030h]	2_2_03CB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB035C mov eax, dword ptr fs:[00000030h]	2_2_03CB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB035C mov eax, dword ptr fs:[00000030h]	2_2_03CB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB035C mov ecx, dword ptr fs:[00000030h]	2_2_03CB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB035C mov eax, dword ptr fs:[00000030h]	2_2_03CB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB035C mov eax, dword ptr fs:[00000030h]	2_2_03CB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CFA352 mov eax, dword ptr fs:[00000030h]	2_2_03CFA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CD8350 mov ecx, dword ptr fs:[00000030h]	2_2_03CD8350
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CD437C mov eax, dword ptr fs:[00000030h]	2_2_03CD437C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6A30B mov eax, dword ptr fs:[00000030h]	2_2_03C6A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6A30B mov eax, dword ptr fs:[00000030h]	2_2_03C6A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6A30B mov eax, dword ptr fs:[00000030h]	2_2_03C6A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2C310 mov ecx, dword ptr fs:[00000030h]	2_2_03C2C310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C50310 mov ecx, dword ptr fs:[00000030h]	2_2_03C50310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3A2C3 mov eax, dword ptr fs:[00000030h]	2_2_03C3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3A2C3 mov eax, dword ptr fs:[00000030h]	2_2_03C3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3A2C3 mov eax, dword ptr fs:[00000030h]	2_2_03C3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3A2C3 mov eax, dword ptr fs:[00000030h]	2_2_03C3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3A2C3 mov eax, dword ptr fs:[00000030h]	2_2_03C3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C402E1 mov eax, dword ptr fs:[00000030h]	2_2_03C402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C402E1 mov eax, dword ptr fs:[00000030h]	2_2_03C402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C402E1 mov eax, dword ptr fs:[00000030h]	2_2_03C402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6E284 mov eax, dword ptr fs:[00000030h]	2_2_03C6E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6E284 mov eax, dword ptr fs:[00000030h]	2_2_03C6E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB0283 mov eax, dword ptr fs:[00000030h]	2_2_03CB0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB0283 mov eax, dword ptr fs:[00000030h]	2_2_03CB0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB0283 mov eax, dword ptr fs:[00000030h]	2_2_03CB0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CC62A0 mov eax, dword ptr fs:[00000030h]	2_2_03CC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CC62A0 mov ecx, dword ptr fs:[00000030h]	2_2_03CC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CC62A0 mov eax, dword ptr fs:[00000030h]	2_2_03CC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CC62A0 mov eax, dword ptr fs:[00000030h]	2_2_03CC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CC62A0 mov eax, dword ptr fs:[00000030h]	2_2_03CC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CC62A0 mov eax, dword ptr fs:[00000030h]	2_2_03CC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB8243 mov eax, dword ptr fs:[00000030h]	2_2_03CB8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB8243 mov ecx, dword ptr fs:[00000030h]	2_2_03CB8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2A250 mov eax, dword ptr fs:[00000030h]	2_2_03C2A250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C36259 mov eax, dword ptr fs:[00000030h]	2_2_03C36259
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CEA250 mov eax, dword ptr fs:[00000030h]	2_2_03CEA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CEA250 mov eax, dword ptr fs:[00000030h]	2_2_03CEA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C34260 mov eax, dword ptr fs:[00000030h]	2_2_03C34260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C34260 mov eax, dword ptr fs:[00000030h]	2_2_03C34260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C34260 mov eax, dword ptr fs:[00000030h]	2_2_03C34260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2826B mov eax, dword ptr fs:[00000030h]	2_2_03C2826B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE0274 mov eax, dword ptr fs:[00000030h]	2_2_03CE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE0274 mov eax, dword ptr fs:[00000030h]	2_2_03CE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE0274 mov eax, dword ptr fs:[00000030h]	2_2_03CE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE0274 mov eax, dword ptr fs:[00000030h]	2_2_03CE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE0274 mov eax, dword ptr fs:[00000030h]	2_2_03CE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE0274 mov eax, dword ptr fs:[00000030h]	2_2_03CE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE0274 mov eax, dword ptr fs:[00000030h]	2_2_03CE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE0274 mov eax, dword ptr fs:[00000030h]	2_2_03CE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE0274 mov eax, dword ptr fs:[00000030h]	2_2_03CE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE0274 mov eax, dword ptr fs:[00000030h]	2_2_03CE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE0274 mov eax, dword ptr fs:[00000030h]	2_2_03CE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE0274 mov eax, dword ptr fs:[00000030h]	2_2_03CE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2823B mov eax, dword ptr fs:[00000030h]	2_2_03C2823B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CF61C3 mov eax, dword ptr fs:[00000030h]	2_2_03CF61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CF61C3 mov eax, dword ptr fs:[00000030h]	2_2_03CF61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CAE1D0 mov eax, dword ptr fs:[00000030h]	2_2_03CAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CAE1D0 mov eax, dword ptr fs:[00000030h]	2_2_03CAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CAE1D0 mov ecx, dword ptr fs:[00000030h]	2_2_03CAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CAE1D0 mov eax, dword ptr fs:[00000030h]	2_2_03CAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CAE1D0 mov eax, dword ptr fs:[00000030h]	2_2_03CAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03D061E5 mov eax, dword ptr fs:[00000030h]	2_2_03D061E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C601F8 mov eax, dword ptr fs:[00000030h]	2_2_03C601F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C70185 mov eax, dword ptr fs:[00000030h]	2_2_03C70185
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CEC188 mov eax, dword ptr fs:[00000030h]	2_2_03CEC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CEC188 mov eax, dword ptr fs:[00000030h]	2_2_03CEC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CD4180 mov eax, dword ptr fs:[00000030h]	2_2_03CD4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CD4180 mov eax, dword ptr fs:[00000030h]	2_2_03CD4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB019F mov eax, dword ptr fs:[00000030h]	2_2_03CB019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB019F mov eax, dword ptr fs:[00000030h]	2_2_03CB019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB019F mov eax, dword ptr fs:[00000030h]	2_2_03CB019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB019F mov eax, dword ptr fs:[00000030h]	2_2_03CB019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2A197 mov eax, dword ptr fs:[00000030h]	2_2_03C2A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2A197 mov eax, dword ptr fs:[00000030h]	2_2_03C2A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2A197 mov eax, dword ptr fs:[00000030h]	2_2_03C2A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CC4144 mov eax, dword ptr fs:[00000030h]	2_2_03CC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CC4144 mov eax, dword ptr fs:[00000030h]	2_2_03CC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CC4144 mov ecx, dword ptr fs:[00000030h]	2_2_03CC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CC4144 mov eax, dword ptr fs:[00000030h]	2_2_03CC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CC4144 mov eax, dword ptr fs:[00000030h]	2_2_03CC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2C156 mov eax, dword ptr fs:[00000030h]	2_2_03C2C156
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CC8158 mov eax, dword ptr fs:[00000030h]	2_2_03CC8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C36154 mov eax, dword ptr fs:[00000030h]	2_2_03C36154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C36154 mov eax, dword ptr fs:[00000030h]	2_2_03C36154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CDE10E mov eax, dword ptr fs:[00000030h]	2_2_03CDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CDE10E mov ecx, dword ptr fs:[00000030h]	2_2_03CDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CDE10E mov eax, dword ptr fs:[00000030h]	2_2_03CDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CDE10E mov eax, dword ptr fs:[00000030h]	2_2_03CDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CDE10E mov ecx, dword ptr fs:[00000030h]	2_2_03CDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CDE10E mov eax, dword ptr fs:[00000030h]	2_2_03CDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CDE10E mov eax, dword ptr fs:[00000030h]	2_2_03CDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CDE10E mov ecx, dword ptr fs:[00000030h]	2_2_03CDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CDE10E mov eax, dword ptr fs:[00000030h]	2_2_03CDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CDE10E mov ecx, dword ptr fs:[00000030h]	2_2_03CDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CDA118 mov ecx, dword ptr fs:[00000030h]	2_2_03CDA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CDA118 mov eax, dword ptr fs:[00000030h]	2_2_03CDA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CDA118 mov eax, dword ptr fs:[00000030h]	2_2_03CDA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CDA118 mov eax, dword ptr fs:[00000030h]	2_2_03CDA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CF0115 mov eax, dword ptr fs:[00000030h]	2_2_03CF0115
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C60124 mov eax, dword ptr fs:[00000030h]	2_2_03C60124
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB20DE mov eax, dword ptr fs:[00000030h]	2_2_03CB20DE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2A0E3 mov ecx, dword ptr fs:[00000030h]	2_2_03C2A0E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C380E9 mov eax, dword ptr fs:[00000030h]	2_2_03C380E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB60E0 mov eax, dword ptr fs:[00000030h]	2_2_03CB60E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2C0F0 mov eax, dword ptr fs:[00000030h]	2_2_03C2C0F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C720F0 mov ecx, dword ptr fs:[00000030h]	2_2_03C720F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3208A mov eax, dword ptr fs:[00000030h]	2_2_03C3208A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CC80A8 mov eax, dword ptr fs:[00000030h]	2_2_03CC80A8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CF60B8 mov eax, dword ptr fs:[00000030h]	2_2_03CF60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CF60B8 mov ecx, dword ptr fs:[00000030h]	2_2_03CF60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C32050 mov eax, dword ptr fs:[00000030h]	2_2_03C32050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB6050 mov eax, dword ptr fs:[00000030h]	2_2_03CB6050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5C073 mov eax, dword ptr fs:[00000030h]	2_2_03C5C073
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB4000 mov ecx, dword ptr fs:[00000030h]	2_2_03CB4000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CD2000 mov eax, dword ptr fs:[00000030h]	2_2_03CD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CD2000 mov eax, dword ptr fs:[00000030h]	2_2_03CD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CD2000 mov eax, dword ptr fs:[00000030h]	2_2_03CD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CD2000 mov eax, dword ptr fs:[00000030h]	2_2_03CD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CD2000 mov eax, dword ptr fs:[00000030h]	2_2_03CD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CD2000 mov eax, dword ptr fs:[00000030h]	2_2_03CD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CD2000 mov eax, dword ptr fs:[00000030h]	2_2_03CD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CD2000 mov eax, dword ptr fs:[00000030h]	2_2_03CD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C4E016 mov eax, dword ptr fs:[00000030h]	2_2_03C4E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C4E016 mov eax, dword ptr fs:[00000030h]	2_2_03C4E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C4E016 mov eax, dword ptr fs:[00000030h]	2_2_03C4E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C4E016 mov eax, dword ptr fs:[00000030h]	2_2_03C4E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2A020 mov eax, dword ptr fs:[00000030h]	2_2_03C2A020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2C020 mov eax, dword ptr fs:[00000030h]	2_2_03C2C020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CC6030 mov eax, dword ptr fs:[00000030h]	2_2_03CC6030
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3C7C0 mov eax, dword ptr fs:[00000030h]	2_2_03C3C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB07C3 mov eax, dword ptr fs:[00000030h]	2_2_03CB07C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C527ED mov eax, dword ptr fs:[00000030h]	2_2_03C527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C527ED mov eax, dword ptr fs:[00000030h]	2_2_03C527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C527ED mov eax, dword ptr fs:[00000030h]	2_2_03C527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CBE7E1 mov eax, dword ptr fs:[00000030h]	2_2_03CBE7E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C347FB mov eax, dword ptr fs:[00000030h]	2_2_03C347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C347FB mov eax, dword ptr fs:[00000030h]	2_2_03C347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CD678E mov eax, dword ptr fs:[00000030h]	2_2_03CD678E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C307AF mov eax, dword ptr fs:[00000030h]	2_2_03C307AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE47A0 mov eax, dword ptr fs:[00000030h]	2_2_03CE47A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6674D mov esi, dword ptr fs:[00000030h]	2_2_03C6674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6674D mov eax, dword ptr fs:[00000030h]	2_2_03C6674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6674D mov eax, dword ptr fs:[00000030h]	2_2_03C6674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C30750 mov eax, dword ptr fs:[00000030h]	2_2_03C30750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CBE75D mov eax, dword ptr fs:[00000030h]	2_2_03CBE75D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72750 mov eax, dword ptr fs:[00000030h]	2_2_03C72750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72750 mov eax, dword ptr fs:[00000030h]	2_2_03C72750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB4755 mov eax, dword ptr fs:[00000030h]	2_2_03CB4755
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C38770 mov eax, dword ptr fs:[00000030h]	2_2_03C38770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40770 mov eax, dword ptr fs:[00000030h]	2_2_03C40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40770 mov eax, dword ptr fs:[00000030h]	2_2_03C40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40770 mov eax, dword ptr fs:[00000030h]	2_2_03C40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40770 mov eax, dword ptr fs:[00000030h]	2_2_03C40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40770 mov eax, dword ptr fs:[00000030h]	2_2_03C40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40770 mov eax, dword ptr fs:[00000030h]	2_2_03C40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40770 mov eax, dword ptr fs:[00000030h]	2_2_03C40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40770 mov eax, dword ptr fs:[00000030h]	2_2_03C40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40770 mov eax, dword ptr fs:[00000030h]	2_2_03C40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40770 mov eax, dword ptr fs:[00000030h]	2_2_03C40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40770 mov eax, dword ptr fs:[00000030h]	2_2_03C40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40770 mov eax, dword ptr fs:[00000030h]	2_2_03C40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6C700 mov eax, dword ptr fs:[00000030h]	2_2_03C6C700
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C30710 mov eax, dword ptr fs:[00000030h]	2_2_03C30710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C60710 mov eax, dword ptr fs:[00000030h]	2_2_03C60710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6C720 mov eax, dword ptr fs:[00000030h]	2_2_03C6C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6C720 mov eax, dword ptr fs:[00000030h]	2_2_03C6C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6273C mov eax, dword ptr fs:[00000030h]	2_2_03C6273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6273C mov ecx, dword ptr fs:[00000030h]	2_2_03C6273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6273C mov eax, dword ptr fs:[00000030h]	2_2_03C6273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CAC730 mov eax, dword ptr fs:[00000030h]	2_2_03CAC730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6A6C7 mov ebx, dword ptr fs:[00000030h]	2_2_03C6A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6A6C7 mov eax, dword ptr fs:[00000030h]	2_2_03C6A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CAE6F2 mov eax, dword ptr fs:[00000030h]	2_2_03CAE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CAE6F2 mov eax, dword ptr fs:[00000030h]	2_2_03CAE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CAE6F2 mov eax, dword ptr fs:[00000030h]	2_2_03CAE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CAE6F2 mov eax, dword ptr fs:[00000030h]	2_2_03CAE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB06F1 mov eax, dword ptr fs:[00000030h]	2_2_03CB06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB06F1 mov eax, dword ptr fs:[00000030h]	2_2_03CB06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C34690 mov eax, dword ptr fs:[00000030h]	2_2_03C34690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C34690 mov eax, dword ptr fs:[00000030h]	2_2_03C34690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6C6A6 mov eax, dword ptr fs:[00000030h]	2_2_03C6C6A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C666B0 mov eax, dword ptr fs:[00000030h]	2_2_03C666B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C4C640 mov eax, dword ptr fs:[00000030h]	2_2_03C4C640
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CF866E mov eax, dword ptr fs:[00000030h]	2_2_03CF866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CF866E mov eax, dword ptr fs:[00000030h]	2_2_03CF866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6A660 mov eax, dword ptr fs:[00000030h]	2_2_03C6A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6A660 mov eax, dword ptr fs:[00000030h]	2_2_03C6A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C62674 mov eax, dword ptr fs:[00000030h]	2_2_03C62674
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CAE609 mov eax, dword ptr fs:[00000030h]	2_2_03CAE609
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C4260B mov eax, dword ptr fs:[00000030h]	2_2_03C4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C4260B mov eax, dword ptr fs:[00000030h]	2_2_03C4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C4260B mov eax, dword ptr fs:[00000030h]	2_2_03C4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C4260B mov eax, dword ptr fs:[00000030h]	2_2_03C4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C4260B mov eax, dword ptr fs:[00000030h]	2_2_03C4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C4260B mov eax, dword ptr fs:[00000030h]	2_2_03C4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C4260B mov eax, dword ptr fs:[00000030h]	2_2_03C4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72619 mov eax, dword ptr fs:[00000030h]	2_2_03C72619
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C4E627 mov eax, dword ptr fs:[00000030h]	2_2_03C4E627
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C66620 mov eax, dword ptr fs:[00000030h]	2_2_03C66620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C68620 mov eax, dword ptr fs:[00000030h]	2_2_03C68620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3262C mov eax, dword ptr fs:[00000030h]	2_2_03C3262C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6E5CF mov eax, dword ptr fs:[00000030h]	2_2_03C6E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6E5CF mov eax, dword ptr fs:[00000030h]	2_2_03C6E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C365D0 mov eax, dword ptr fs:[00000030h]	2_2_03C365D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6A5D0 mov eax, dword ptr fs:[00000030h]	2_2_03C6A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6A5D0 mov eax, dword ptr fs:[00000030h]	2_2_03C6A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5E5E7 mov eax, dword ptr fs:[00000030h]	2_2_03C5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5E5E7 mov eax, dword ptr fs:[00000030h]	2_2_03C5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5E5E7 mov eax, dword ptr fs:[00000030h]	2_2_03C5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5E5E7 mov eax, dword ptr fs:[00000030h]	2_2_03C5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5E5E7 mov eax, dword ptr fs:[00000030h]	2_2_03C5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5E5E7 mov eax, dword ptr fs:[00000030h]	2_2_03C5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5E5E7 mov eax, dword ptr fs:[00000030h]	2_2_03C5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5E5E7 mov eax, dword ptr fs:[00000030h]	2_2_03C5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C325E0 mov eax, dword ptr fs:[00000030h]	2_2_03C325E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6C5ED mov eax, dword ptr fs:[00000030h]	2_2_03C6C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6C5ED mov eax, dword ptr fs:[00000030h]	2_2_03C6C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C32582 mov eax, dword ptr fs:[00000030h]	2_2_03C32582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C32582 mov ecx, dword ptr fs:[00000030h]	2_2_03C32582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C64588 mov eax, dword ptr fs:[00000030h]	2_2_03C64588
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6E59C mov eax, dword ptr fs:[00000030h]	2_2_03C6E59C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB05A7 mov eax, dword ptr fs:[00000030h]	2_2_03CB05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB05A7 mov eax, dword ptr fs:[00000030h]	2_2_03CB05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB05A7 mov eax, dword ptr fs:[00000030h]	2_2_03CB05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C545B1 mov eax, dword ptr fs:[00000030h]	2_2_03C545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C545B1 mov eax, dword ptr fs:[00000030h]	2_2_03C545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C38550 mov eax, dword ptr fs:[00000030h]	2_2_03C38550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C38550 mov eax, dword ptr fs:[00000030h]	2_2_03C38550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6656A mov eax, dword ptr fs:[00000030h]	2_2_03C6656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6656A mov eax, dword ptr fs:[00000030h]	2_2_03C6656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6656A mov eax, dword ptr fs:[00000030h]	2_2_03C6656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CC6500 mov eax, dword ptr fs:[00000030h]	2_2_03CC6500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03D04500 mov eax, dword ptr fs:[00000030h]	2_2_03D04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03D04500 mov eax, dword ptr fs:[00000030h]	2_2_03D04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03D04500 mov eax, dword ptr fs:[00000030h]	2_2_03D04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03D04500 mov eax, dword ptr fs:[00000030h]	2_2_03D04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03D04500 mov eax, dword ptr fs:[00000030h]	2_2_03D04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03D04500 mov eax, dword ptr fs:[00000030h]	2_2_03D04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03D04500 mov eax, dword ptr fs:[00000030h]	2_2_03D04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40535 mov eax, dword ptr fs:[00000030h]	2_2_03C40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40535 mov eax, dword ptr fs:[00000030h]	2_2_03C40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40535 mov eax, dword ptr fs:[00000030h]	2_2_03C40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40535 mov eax, dword ptr fs:[00000030h]	2_2_03C40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40535 mov eax, dword ptr fs:[00000030h]	2_2_03C40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40535 mov eax, dword ptr fs:[00000030h]	2_2_03C40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5E53E mov eax, dword ptr fs:[00000030h]	2_2_03C5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5E53E mov eax, dword ptr fs:[00000030h]	2_2_03C5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5E53E mov eax, dword ptr fs:[00000030h]	2_2_03C5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5E53E mov eax, dword ptr fs:[00000030h]	2_2_03C5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5E53E mov eax, dword ptr fs:[00000030h]	2_2_03C5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C304E5 mov ecx, dword ptr fs:[00000030h]	2_2_03C304E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CEA49A mov eax, dword ptr fs:[00000030h]	2_2_03CEA49A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C364AB mov eax, dword ptr fs:[00000030h]	2_2_03C364AB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C644B0 mov ecx, dword ptr fs:[00000030h]	2_2_03C644B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CBA4B0 mov eax, dword ptr fs:[00000030h]	2_2_03CBA4B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6E443 mov eax, dword ptr fs:[00000030h]	2_2_03C6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6E443 mov eax, dword ptr fs:[00000030h]	2_2_03C6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6E443 mov eax, dword ptr fs:[00000030h]	2_2_03C6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6E443 mov eax, dword ptr fs:[00000030h]	2_2_03C6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6E443 mov eax, dword ptr fs:[00000030h]	2_2_03C6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6E443 mov eax, dword ptr fs:[00000030h]	2_2_03C6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6E443 mov eax, dword ptr fs:[00000030h]	2_2_03C6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6E443 mov eax, dword ptr fs:[00000030h]	2_2_03C6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CEA456 mov eax, dword ptr fs:[00000030h]	2_2_03CEA456
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2645D mov eax, dword ptr fs:[00000030h]	2_2_03C2645D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5245A mov eax, dword ptr fs:[00000030h]	2_2_03C5245A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CBC460 mov ecx, dword ptr fs:[00000030h]	2_2_03CBC460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5A470 mov eax, dword ptr fs:[00000030h]	2_2_03C5A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5A470 mov eax, dword ptr fs:[00000030h]	2_2_03C5A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5A470 mov eax, dword ptr fs:[00000030h]	2_2_03C5A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C68402 mov eax, dword ptr fs:[00000030h]	2_2_03C68402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C68402 mov eax, dword ptr fs:[00000030h]	2_2_03C68402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C68402 mov eax, dword ptr fs:[00000030h]	2_2_03C68402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2E420 mov eax, dword ptr fs:[00000030h]	2_2_03C2E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2E420 mov eax, dword ptr fs:[00000030h]	2_2_03C2E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2E420 mov eax, dword ptr fs:[00000030h]	2_2_03C2E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2C427 mov eax, dword ptr fs:[00000030h]	2_2_03C2C427
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB6420 mov eax, dword ptr fs:[00000030h]	2_2_03CB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB6420 mov eax, dword ptr fs:[00000030h]	2_2_03CB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB6420 mov eax, dword ptr fs:[00000030h]	2_2_03CB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB6420 mov eax, dword ptr fs:[00000030h]	2_2_03CB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB6420 mov eax, dword ptr fs:[00000030h]	2_2_03CB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB6420 mov eax, dword ptr fs:[00000030h]	2_2_03CB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB6420 mov eax, dword ptr fs:[00000030h]	2_2_03CB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6A430 mov eax, dword ptr fs:[00000030h]	2_2_03C6A430
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C50BCB mov eax, dword ptr fs:[00000030h]	2_2_03C50BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C50BCB mov eax, dword ptr fs:[00000030h]	2_2_03C50BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C50BCB mov eax, dword ptr fs:[00000030h]	2_2_03C50BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C30BCD mov eax, dword ptr fs:[00000030h]	2_2_03C30BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C30BCD mov eax, dword ptr fs:[00000030h]	2_2_03C30BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C30BCD mov eax, dword ptr fs:[00000030h]	2_2_03C30BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CDEBD0 mov eax, dword ptr fs:[00000030h]	2_2_03CDEBD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C38BF0 mov eax, dword ptr fs:[00000030h]	2_2_03C38BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C38BF0 mov eax, dword ptr fs:[00000030h]	2_2_03C38BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C38BF0 mov eax, dword ptr fs:[00000030h]	2_2_03C38BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5EBFC mov eax, dword ptr fs:[00000030h]	2_2_03C5EBFC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CBCBF0 mov eax, dword ptr fs:[00000030h]	2_2_03CBCBF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40BBE mov eax, dword ptr fs:[00000030h]	2_2_03C40BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40BBE mov eax, dword ptr fs:[00000030h]	2_2_03C40BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE4BB0 mov eax, dword ptr fs:[00000030h]	2_2_03CE4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE4BB0 mov eax, dword ptr fs:[00000030h]	2_2_03CE4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE4B4B mov eax, dword ptr fs:[00000030h]	2_2_03CE4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE4B4B mov eax, dword ptr fs:[00000030h]	2_2_03CE4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CC6B40 mov eax, dword ptr fs:[00000030h]	2_2_03CC6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CC6B40 mov eax, dword ptr fs:[00000030h]	2_2_03CC6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CFAB40 mov eax, dword ptr fs:[00000030h]	2_2_03CFAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CD8B42 mov eax, dword ptr fs:[00000030h]	2_2_03CD8B42
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CDEB50 mov eax, dword ptr fs:[00000030h]	2_2_03CDEB50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2CB7E mov eax, dword ptr fs:[00000030h]	2_2_03C2CB7E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CAEB1D mov eax, dword ptr fs:[00000030h]	2_2_03CAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CAEB1D mov eax, dword ptr fs:[00000030h]	2_2_03CAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CAEB1D mov eax, dword ptr fs:[00000030h]	2_2_03CAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CAEB1D mov eax, dword ptr fs:[00000030h]	2_2_03CAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CAEB1D mov eax, dword ptr fs:[00000030h]	2_2_03CAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CAEB1D mov eax, dword ptr fs:[00000030h]	2_2_03CAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CAEB1D mov eax, dword ptr fs:[00000030h]	2_2_03CAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CAEB1D mov eax, dword ptr fs:[00000030h]	2_2_03CAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CAEB1D mov eax, dword ptr fs:[00000030h]	2_2_03CAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5EB20 mov eax, dword ptr fs:[00000030h]	2_2_03C5EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5EB20 mov eax, dword ptr fs:[00000030h]	2_2_03C5EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CF8B28 mov eax, dword ptr fs:[00000030h]	2_2_03CF8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CF8B28 mov eax, dword ptr fs:[00000030h]	2_2_03CF8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C86ACC mov eax, dword ptr fs:[00000030h]	2_2_03C86ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C86ACC mov eax, dword ptr fs:[00000030h]	2_2_03C86ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C86ACC mov eax, dword ptr fs:[00000030h]	2_2_03C86ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C30AD0 mov eax, dword ptr fs:[00000030h]	2_2_03C30AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C64AD0 mov eax, dword ptr fs:[00000030h]	2_2_03C64AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C64AD0 mov eax, dword ptr fs:[00000030h]	2_2_03C64AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6AAEE mov eax, dword ptr fs:[00000030h]	2_2_03C6AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6AAEE mov eax, dword ptr fs:[00000030h]	2_2_03C6AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3EA80 mov eax, dword ptr fs:[00000030h]	2_2_03C3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3EA80 mov eax, dword ptr fs:[00000030h]	2_2_03C3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3EA80 mov eax, dword ptr fs:[00000030h]	2_2_03C3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3EA80 mov eax, dword ptr fs:[00000030h]	2_2_03C3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3EA80 mov eax, dword ptr fs:[00000030h]	2_2_03C3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3EA80 mov eax, dword ptr fs:[00000030h]	2_2_03C3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3EA80 mov eax, dword ptr fs:[00000030h]	2_2_03C3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3EA80 mov eax, dword ptr fs:[00000030h]	2_2_03C3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3EA80 mov eax, dword ptr fs:[00000030h]	2_2_03C3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03D04A80 mov eax, dword ptr fs:[00000030h]	2_2_03D04A80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C68A90 mov edx, dword ptr fs:[00000030h]	2_2_03C68A90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C38AA0 mov eax, dword ptr fs:[00000030h]	2_2_03C38AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C38AA0 mov eax, dword ptr fs:[00000030h]	2_2_03C38AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C86AA4 mov eax, dword ptr fs:[00000030h]	2_2_03C86AA4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C36A50 mov eax, dword ptr fs:[00000030h]	2_2_03C36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C36A50 mov eax, dword ptr fs:[00000030h]	2_2_03C36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C36A50 mov eax, dword ptr fs:[00000030h]	2_2_03C36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C36A50 mov eax, dword ptr fs:[00000030h]	2_2_03C36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C36A50 mov eax, dword ptr fs:[00000030h]	2_2_03C36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C36A50 mov eax, dword ptr fs:[00000030h]	2_2_03C36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C36A50 mov eax, dword ptr fs:[00000030h]	2_2_03C36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40A5B mov eax, dword ptr fs:[00000030h]	2_2_03C40A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40A5B mov eax, dword ptr fs:[00000030h]	2_2_03C40A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6CA6F mov eax, dword ptr fs:[00000030h]	2_2_03C6CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6CA6F mov eax, dword ptr fs:[00000030h]	2_2_03C6CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6CA6F mov eax, dword ptr fs:[00000030h]	2_2_03C6CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CDEA60 mov eax, dword ptr fs:[00000030h]	2_2_03CDEA60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CACA72 mov eax, dword ptr fs:[00000030h]	2_2_03CACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CACA72 mov eax, dword ptr fs:[00000030h]	2_2_03CACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CBCA11 mov eax, dword ptr fs:[00000030h]	2_2_03CBCA11
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6CA24 mov eax, dword ptr fs:[00000030h]	2_2_03C6CA24
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5EA2E mov eax, dword ptr fs:[00000030h]	2_2_03C5EA2E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C54A35 mov eax, dword ptr fs:[00000030h]	2_2_03C54A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C54A35 mov eax, dword ptr fs:[00000030h]	2_2_03C54A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6CA38 mov eax, dword ptr fs:[00000030h]	2_2_03C6CA38
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CC69C0 mov eax, dword ptr fs:[00000030h]	2_2_03CC69C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3A9D0 mov eax, dword ptr fs:[00000030h]	2_2_03C3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3A9D0 mov eax, dword ptr fs:[00000030h]	2_2_03C3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3A9D0 mov eax, dword ptr fs:[00000030h]	2_2_03C3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3A9D0 mov eax, dword ptr fs:[00000030h]	2_2_03C3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3A9D0 mov eax, dword ptr fs:[00000030h]	2_2_03C3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3A9D0 mov eax, dword ptr fs:[00000030h]	2_2_03C3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C649D0 mov eax, dword ptr fs:[00000030h]	2_2_03C649D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CFA9D3 mov eax, dword ptr fs:[00000030h]	2_2_03CFA9D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CBE9E0 mov eax, dword ptr fs:[00000030h]	2_2_03CBE9E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C629F9 mov eax, dword ptr fs:[00000030h]	2_2_03C629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C629F9 mov eax, dword ptr fs:[00000030h]	2_2_03C629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C429A0 mov eax, dword ptr fs:[00000030h]	2_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C429A0 mov eax, dword ptr fs:[00000030h]	2_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C429A0 mov eax, dword ptr fs:[00000030h]	2_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C429A0 mov eax, dword ptr fs:[00000030h]	2_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C429A0 mov eax, dword ptr fs:[00000030h]	2_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C429A0 mov eax, dword ptr fs:[00000030h]	2_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C429A0 mov eax, dword ptr fs:[00000030h]	2_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C429A0 mov eax, dword ptr fs:[00000030h]	2_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C429A0 mov eax, dword ptr fs:[00000030h]	2_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C429A0 mov eax, dword ptr fs:[00000030h]	2_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C429A0 mov eax, dword ptr fs:[00000030h]	2_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C429A0 mov eax, dword ptr fs:[00000030h]	2_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C429A0 mov eax, dword ptr fs:[00000030h]	2_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C309AD mov eax, dword ptr fs:[00000030h]	2_2_03C309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C309AD mov eax, dword ptr fs:[00000030h]	2_2_03C309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB89B3 mov esi, dword ptr fs:[00000030h]	2_2_03CB89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB89B3 mov eax, dword ptr fs:[00000030h]	2_2_03CB89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB89B3 mov eax, dword ptr fs:[00000030h]	2_2_03CB89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB0946 mov eax, dword ptr fs:[00000030h]	2_2_03CB0946
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C56962 mov eax, dword ptr fs:[00000030h]	2_2_03C56962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C56962 mov eax, dword ptr fs:[00000030h]	2_2_03C56962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C56962 mov eax, dword ptr fs:[00000030h]	2_2_03C56962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C7096E mov eax, dword ptr fs:[00000030h]	2_2_03C7096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C7096E mov edx, dword ptr fs:[00000030h]	2_2_03C7096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C7096E mov eax, dword ptr fs:[00000030h]	2_2_03C7096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CD4978 mov eax, dword ptr fs:[00000030h]	2_2_03CD4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CD4978 mov eax, dword ptr fs:[00000030h]	2_2_03CD4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CBC97C mov eax, dword ptr fs:[00000030h]	2_2_03CBC97C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CAE908 mov eax, dword ptr fs:[00000030h]	2_2_03CAE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CAE908 mov eax, dword ptr fs:[00000030h]	2_2_03CAE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CBC912 mov eax, dword ptr fs:[00000030h]	2_2_03CBC912
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C28918 mov eax, dword ptr fs:[00000030h]	2_2_03C28918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C28918 mov eax, dword ptr fs:[00000030h]	2_2_03C28918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB892A mov eax, dword ptr fs:[00000030h]	2_2_03CB892A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CC892B mov eax, dword ptr fs:[00000030h]	2_2_03CC892B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5E8C0 mov eax, dword ptr fs:[00000030h]	2_2_03C5E8C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CFA8E4 mov eax, dword ptr fs:[00000030h]	2_2_03CFA8E4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6C8F9 mov eax, dword ptr fs:[00000030h]	2_2_03C6C8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6C8F9 mov eax, dword ptr fs:[00000030h]	2_2_03C6C8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C30887 mov eax, dword ptr fs:[00000030h]	2_2_03C30887
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CBC89D mov eax, dword ptr fs:[00000030h]	2_2_03CBC89D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C42840 mov ecx, dword ptr fs:[00000030h]	2_2_03C42840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C60854 mov eax, dword ptr fs:[00000030h]	2_2_03C60854
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C34859 mov eax, dword ptr fs:[00000030h]	2_2_03C34859
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C34859 mov eax, dword ptr fs:[00000030h]	2_2_03C34859
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CBE872 mov eax, dword ptr fs:[00000030h]	2_2_03CBE872
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CBE872 mov eax, dword ptr fs:[00000030h]	2_2_03CBE872
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CC6870 mov eax, dword ptr fs:[00000030h]	2_2_03CC6870
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CC6870 mov eax, dword ptr fs:[00000030h]	2_2_03CC6870
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CBC810 mov eax, dword ptr fs:[00000030h]	2_2_03CBC810
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C52835 mov eax, dword ptr fs:[00000030h]	2_2_03C52835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C52835 mov eax, dword ptr fs:[00000030h]	2_2_03C52835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C52835 mov eax, dword ptr fs:[00000030h]	2_2_03C52835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C52835 mov ecx, dword ptr fs:[00000030h]	2_2_03C52835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C52835 mov eax, dword ptr fs:[00000030h]	2_2_03C52835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C52835 mov eax, dword ptr fs:[00000030h]	2_2_03C52835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6A830 mov eax, dword ptr fs:[00000030h]	2_2_03C6A830
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CD483A mov eax, dword ptr fs:[00000030h]	2_2_03CD483A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CD483A mov eax, dword ptr fs:[00000030h]	2_2_03CD483A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C32FC8 mov eax, dword ptr fs:[00000030h]	2_2_03C32FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C32FC8 mov eax, dword ptr fs:[00000030h]	2_2_03C32FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C32FC8 mov eax, dword ptr fs:[00000030h]	2_2_03C32FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C32FC8 mov eax, dword ptr fs:[00000030h]	2_2_03C32FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2EFD8 mov eax, dword ptr fs:[00000030h]	2_2_03C2EFD8

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe

Code function: 0_2_00FD0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00FD0B62

Enables debug privileges

Source: C:\Windows\SysWOW64\svchost.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Code function: 0_2_00FA2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00FA2622
Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Code function: 0_2_00F9083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00F9083F
Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Code function: 0_2_00F909D5 SetUnhandledExceptionFilter,	0_2_00F909D5
Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Code function: 0_2_00F90C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00F90C21
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_0034D470 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_0034D470

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 91.195.240.19 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 103.250.7.87 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 3.33.130.190 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 104.247.82.92 80	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\SysWOW64\WWAHost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\SysWOW64\WWAHost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\WWAHost.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\WWAHost.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\svchost.exe	Thread register set: target process: 4004			Jump to behavior
Source: C:\Windows\SysWOW64\WWAHost.exe	Thread register set: target process: 4004			Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\svchost.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Sample uses process hollowing technique

Source: C:\Windows\SysWOW64\svchost.exe

Section unmapped: C:\Windows\SysWOW64\WWAHost.exe base address: 300000

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: 30FA008

Jump to behavior

Contains functionality to execute programs as a different user

Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe

0_2_00FD1201

Contains functionality to launch a program with higher privileges

Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe

Code function: 0_2_00FB2BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00FB2BA5

Contains functionality to simulate keystroke presses

Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe

Code function: 0_2_00FDB226 SendInput,keybd_event,

0_2_00FDB226

Contains functionality to simulate mouse events

Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe

Code function: 0_2_00FF22DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_00FF22DA

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe"			Jump to behavior
Source: C:\Windows\SysWOW64\WWAHost.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\svchost.exe"			Jump to behavior

Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe

0_2_00FD0B62

Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe

Code function: 0_2_00FD1663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00FD1663

Source: Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: explorer.exe, 00000003.00000002.3346658743.00000000013A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.2085922571.00000000013A1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: IProgram Manager
Source: Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe, explorer.exe, 00000003.00000000.2087273308.00000000048E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3346658743.00000000013A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000003.00000002.3346658743.00000000013A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.2085922571.00000000013A1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000003.00000000.2085668915.0000000000D69000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3346181735.0000000000D69000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: +Progman
Source: explorer.exe, 00000003.00000002.3346658743.00000000013A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.2085922571.00000000013A1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000003.00000000.2093568862.00000000098AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3350905176.00000000098AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2979873676.00000000098AD000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd31A

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe

Code function: 0_2_00F90698 cpuid

0_2_00F90698

Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe

Code function: 0_2_00FE8195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00FE8195

Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe

Code function: 0_2_00FCD27A GetUserNameW,

0_2_00FCD27A

Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe

Code function: 0_2_00FAB952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_00FAB952

Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe

Code function: 0_2_00F742DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00F742DE

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 0.2.Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe.f00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe.f00000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2134027710.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3346411214.0000000002B60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2134242987.00000000033D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3346460276.0000000002B90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2065972721.0000000000F00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3346288616.0000000002A50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2134423414.0000000003940000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

OS version to string mapping found (often used in BOTs)

Source: Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Binary or memory string: WIN_81
Source: Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Binary or memory string: WIN_XP
Source: Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Binary or memory string: WIN_XPe
Source: Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Binary or memory string: WIN_VISTA
Source: Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Binary or memory string: WIN_7
Source: Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 0.2.Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe.f00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe.f00000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2134027710.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3346411214.0000000002B60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2134242987.00000000033D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3346460276.0000000002B90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2065972721.0000000000F00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3346288616.0000000002A50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2134423414.0000000003940000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Code function: 0_2_00FF1204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_00FF1204
Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Code function: 0_2_00FF1806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00FF1806

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
91.195.240.19	parkingpage.namecheap.com	Germany	47846	SEDO-ASDE	false
3.33.130.190	00047.vip	United States	8987	AMAZONEXPANSIONGB	true
104.247.82.92	www.used-cars-66201.bond	Canada	206834	TEAMINTERNET-CA-ASCA	true
103.250.7.87	nufyo4ac.cdnaaa.net	Hong Kong	132825	MYTEK-AS-APDefenseAustraliaNetworkAU	true

Contacted Domains

Name	IP	Active
00047.vip	3.33.130.190	true
nufyo4ac.cdnaaa.net	103.250.7.87	true
parkingpage.namecheap.com	91.195.240.19	true
www.used-cars-66201.bond	104.247.82.92	true
www.adptgn.com	unknown	unknown
www.ozr3np.com	unknown	unknown
www.00047.vip	unknown	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.00047.vip/se63/?ehr=rYfWuT468Tc67hNM/0Jf+cRzLkrsF889ztcgHk2AEoSHsKvkCcFa8Ph0/RVXDGgWSBfyKpA9WA==&pRxXAB=mnRtohcx_FWp	true	Avira URL Cloud: safe	unknown
www.cincinnatisoup.com/se63/	true	Avira URL Cloud: safe	low
http://www.ozr3np.com/se63/?ehr=1WXnfajc616lU+shA8HjLqX5RVgzjKJupeBRQRNuwFmzNdhzMuHtIrXkSWOpVCKlS9sifk+pBg==&pRxXAB=mnRtohcx_FWp	true	Avira URL Cloud: safe	unknown
http://www.used-cars-66201.bond/se63/?ehr=bzypT9aUofEMOiCJ/n1OwN3WvEpSepAHdr17450F/ZpFe3vEZBe16OntfEwHG1oOFvdOJvTtYg==&pRxXAB=mnRtohcx_FWp	true	Avira URL Cloud: safe	unknown
http://www.adptgn.com/se63/?ehr=B/S030DRfbGC/Zs8m6u79oQd9S8Dl4En3dHvcSRMsHDWRaplPHiZfhINSWyXxORHgZbapwifUw==&pRxXAB=mnRtohcx_FWp	true	Avira URL Cloud: safe	unknown

AV Detection

Found malware configuration

Source: 00000002.00000002.2134027710.0000000000400000.00000040.80000000.00040000.00000000.sdmp

Multi AV Scanner detection for submitted file

Source: Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	ReversingLabs: Detection: 39%
Source: Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Virustotal: Detection: 33%			Perma Link

Yara detected FormBook

Source: Yara match	File source: 0.2.Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe.f00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe.f00000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2134027710.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3346411214.0000000002B60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2134242987.00000000033D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3346460276.0000000002B90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2065972721.0000000000F00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3346288616.0000000002A50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2134423414.0000000003940000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Machine Learning detection for sample

Source: Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe

Joe Sandbox ML: detected

Uses 32bit PE files

Source: Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: WWAHost.pdb source: svchost.exe, 00000002.00000003.2132631234.0000000005A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2132489099.0000000003B00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2135117487.0000000005C00000.00000040.10000000.00040000.00000000.sdmp, WWAHost.exe, WWAHost.exe, 00000004.00000002.3345986724.0000000000300000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: WWAHost.pdbUGP source: svchost.exe, 00000002.00000003.2132631234.0000000005A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2132489099.0000000003B00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2135117487.0000000005C00000.00000040.10000000.00040000.00000000.sdmp, WWAHost.exe, 00000004.00000002.3345986724.0000000000300000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe, 00000000.00000003.2062048793.0000000003690000.00000004.00001000.00020000.00000000.sdmp, Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe, 00000000.00000003.2061915416.00000000034F0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2064082070.0000000003800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2134570335.0000000003D9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2134570335.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2081720047.0000000003A00000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 00000004.00000002.3347022446.000000000371E000.00000040.00001000.00020000.00000000.sdmp, WWAHost.exe, 00000004.00000003.2134008026.0000000002FE8000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 00000004.00000002.3347022446.0000000003580000.00000040.00001000.00020000.00000000.sdmp, WWAHost.exe, 00000004.00000003.2138554462.00000000033D7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe, 00000000.00000003.2062048793.0000000003690000.00000004.00001000.00020000.00000000.sdmp, Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe, 00000000.00000003.2061915416.00000000034F0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.2064082070.0000000003800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2134570335.0000000003D9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2134570335.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2081720047.0000000003A00000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, WWAHost.exe, 00000004.00000002.3347022446.000000000371E000.00000040.00001000.00020000.00000000.sdmp, WWAHost.exe, 00000004.00000003.2134008026.0000000002FE8000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 00000004.00000002.3347022446.0000000003580000.00000040.00001000.00020000.00000000.sdmp, WWAHost.exe, 00000004.00000003.2138554462.00000000033D7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: explorer.exe, 00000003.00000002.3361543576.000000001097F000.00000004.80000000.00040000.00000000.sdmp, WWAHost.exe, 00000004.00000002.3347535891.0000000003ACF000.00000004.10000000.00040000.00000000.sdmp, WWAHost.exe, 00000004.00000002.3346535807.0000000002C2C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: explorer.exe, 00000003.00000002.3361543576.000000001097F000.00000004.80000000.00040000.00000000.sdmp, WWAHost.exe, 00000004.00000002.3347535891.0000000003ACF000.00000004.10000000.00040000.00000000.sdmp, WWAHost.exe, 00000004.00000002.3346535807.0000000002C2C000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Code function: 0_2_00FDDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00FDDBBE
Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Code function: 0_2_00FAC2A2 FindFirstFileExW,	0_2_00FAC2A2
Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Code function: 0_2_00FE68EE FindFirstFileW,FindClose,	0_2_00FE68EE
Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Code function: 0_2_00FE698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_00FE698F
Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Code function: 0_2_00FDD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00FDD076
Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Code function: 0_2_00FDD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00FDD3A9
Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Code function: 0_2_00FE9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00FE9642
Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Code function: 0_2_00FE979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00FE979D
Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Code function: 0_2_00FE9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00FE9B2B
Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Code function: 0_2_00FE5C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00FE5C97
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_0035212C memset,FindFirstFileW,FindClose,	4_2_0035212C

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 4x nop then pop ebx

2_2_00407B1A

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49706 -> 3.33.130.190:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49708 -> 104.247.82.92:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49709 -> 103.250.7.87:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49710 -> 91.195.240.19:80

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 91.195.240.19 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 103.250.7.87 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 3.33.130.190 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 104.247.82.92 80	Jump to behavior

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.cincinnatisoup.com/se63/

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /se63/?ehr=rYfWuT468Tc67hNM/0Jf+cRzLkrsF889ztcgHk2AEoSHsKvkCcFa8Ph0/RVXDGgWSBfyKpA9WA==&pRxXAB=mnRtohcx_FWp HTTP/1.1Host: www.00047.vipConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /se63/?ehr=bzypT9aUofEMOiCJ/n1OwN3WvEpSepAHdr17450F/ZpFe3vEZBe16OntfEwHG1oOFvdOJvTtYg==&pRxXAB=mnRtohcx_FWp HTTP/1.1Host: www.used-cars-66201.bondConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /se63/?ehr=1WXnfajc616lU+shA8HjLqX5RVgzjKJupeBRQRNuwFmzNdhzMuHtIrXkSWOpVCKlS9sifk+pBg==&pRxXAB=mnRtohcx_FWp HTTP/1.1Host: www.ozr3np.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /se63/?ehr=B/S030DRfbGC/Zs8m6u79oQd9S8Dl4En3dHvcSRMsHDWRaplPHiZfhINSWyXxORHgZbapwifUw==&pRxXAB=mnRtohcx_FWp HTTP/1.1Host: www.adptgn.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 91.195.240.19 91.195.240.19
Source: Joe Sandbox View	IP Address: 3.33.130.190 3.33.130.190
Source: Joe Sandbox View	IP Address: 104.247.82.92 104.247.82.92

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: AMAZONEXPANSIONGB AMAZONEXPANSIONGB
Source: Joe Sandbox View	ASN Name: TEAMINTERNET-CA-ASCA TEAMINTERNET-CA-ASCA
Source: Joe Sandbox View	ASN Name: MYTEK-AS-APDefenseAustraliaNetworkAU MYTEK-AS-APDefenseAustraliaNetworkAU

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe

Code function: 0_2_00FECE44 InternetReadFile,SetEvent,GetLastError,SetEvent,

0_2_00FECE44

Source: global traffic	HTTP traffic detected: GET /se63/?ehr=rYfWuT468Tc67hNM/0Jf+cRzLkrsF889ztcgHk2AEoSHsKvkCcFa8Ph0/RVXDGgWSBfyKpA9WA==&pRxXAB=mnRtohcx_FWp HTTP/1.1Host: www.00047.vipConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /se63/?ehr=bzypT9aUofEMOiCJ/n1OwN3WvEpSepAHdr17450F/ZpFe3vEZBe16OntfEwHG1oOFvdOJvTtYg==&pRxXAB=mnRtohcx_FWp HTTP/1.1Host: www.used-cars-66201.bondConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /se63/?ehr=1WXnfajc616lU+shA8HjLqX5RVgzjKJupeBRQRNuwFmzNdhzMuHtIrXkSWOpVCKlS9sifk+pBg==&pRxXAB=mnRtohcx_FWp HTTP/1.1Host: www.ozr3np.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /se63/?ehr=B/S030DRfbGC/Zs8m6u79oQd9S8Dl4En3dHvcSRMsHDWRaplPHiZfhINSWyXxORHgZbapwifUw==&pRxXAB=mnRtohcx_FWp HTTP/1.1Host: www.adptgn.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: global traffic	DNS traffic detected: DNS query: www.00047.vip
Source: global traffic	DNS traffic detected: DNS query: www.used-cars-66201.bond
Source: global traffic	DNS traffic detected: DNS query: www.ozr3np.com
Source: global traffic	DNS traffic detected: DNS query: www.adptgn.com

Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginxDate: Fri, 03 May 2024 07:15:12 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 Forbiddencontent-length: 93cache-control: no-cachecontent-type: text/htmlconnection: closeData Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 52 65 71 75 65 73 74 20 66 6f 72 62 69 64 64 65 6e 20 62 79 20 61 64 6d 69 6e 69 73 74 72 61 74 69 76 65 20 72 75 6c 65 73 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><body><h1>403 Forbidden</h1>Request forbidden by administrative rules.</body></html>

Source: explorer.exe, 00000003.00000002.3350454896.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3350454896.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2092355402.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2092355402.000000000973C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 00000003.00000002.3350454896.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3350454896.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2092355402.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2092355402.000000000973C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 00000003.00000002.3350454896.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3350454896.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2092355402.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2092355402.000000000973C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 00000003.00000002.3350454896.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3350454896.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2092355402.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2092355402.000000000973C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000003.00000002.3350454896.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2092355402.000000000962B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 00000003.00000002.3349465033.0000000007B60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.2085995888.00000000028A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000002.3349446303.0000000007B50000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: explorer.exe, 00000003.00000002.3360342523.000000000C4E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2983239925.000000000C4E1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.00047.vip
Source: explorer.exe, 00000003.00000002.3360342523.000000000C4E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2983239925.000000000C4E1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.00047.vip/se63/
Source: explorer.exe, 00000003.00000002.3360342523.000000000C4E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2983239925.000000000C4E1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.00047.vip/se63/www.xztyvk.xyz
Source: explorer.exe, 00000003.00000002.3360342523.000000000C4E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2983239925.000000000C4E1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.00047.vipReferer:
Source: explorer.exe, 00000003.00000002.3360342523.000000000C4E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2983239925.000000000C4E1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.adptgn.com
Source: explorer.exe, 00000003.00000002.3360342523.000000000C4E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2983239925.000000000C4E1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.adptgn.com/se63/
Source: explorer.exe, 00000003.00000002.3360342523.000000000C4E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2983239925.000000000C4E1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.adptgn.com/se63/www.butimarproductions.com
Source: explorer.exe, 00000003.00000002.3360342523.000000000C4E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2983239925.000000000C4E1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.adptgn.comReferer:
Source: explorer.exe, 00000003.00000003.2984032743.000000000C40E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2096130628.000000000C354000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075282396.000000000C40C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2982628164.000000000C354000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2983123156.000000000C405000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2983092250.000000000C3E7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000003.00000002.3360342523.000000000C4E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2983239925.000000000C4E1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.butimarproductions.com
Source: explorer.exe, 00000003.00000002.3360342523.000000000C4E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2983239925.000000000C4E1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.butimarproductions.com/se63/
Source: explorer.exe, 00000003.00000002.3360342523.000000000C4E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2983239925.000000000C4E1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.butimarproductions.com/se63/www.mb28apparel.com
Source: explorer.exe, 00000003.00000002.3360342523.000000000C4E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2983239925.000000000C4E1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.butimarproductions.comReferer:
Source: explorer.exe, 00000003.00000002.3360342523.000000000C4E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2983239925.000000000C4E1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.cincinnatisoup.com
Source: explorer.exe, 00000003.00000002.3360342523.000000000C4E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2983239925.000000000C4E1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.cincinnatisoup.com/se63/
Source: explorer.exe, 00000003.00000002.3360342523.000000000C4E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2983239925.000000000C4E1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.cincinnatisoup.com/se63/www.gothecleaningpros.com
Source: explorer.exe, 00000003.00000002.3360342523.000000000C4E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2983239925.000000000C4E1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.cincinnatisoup.comReferer:
Source: explorer.exe, 00000003.00000002.3360342523.000000000C4E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2983239925.000000000C4E1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ebridgereal.site
Source: explorer.exe, 00000003.00000002.3360342523.000000000C4E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2983239925.000000000C4E1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ebridgereal.site/se63/
Source: explorer.exe, 00000003.00000002.3360342523.000000000C4E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2983239925.000000000C4E1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ebridgereal.site/se63/www.nomades.digital
Source: explorer.exe, 00000003.00000002.3360342523.000000000C4E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2983239925.000000000C4E1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ebridgereal.siteReferer:
Source: explorer.exe, 00000003.00000002.3360342523.000000000C4E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2983239925.000000000C4E1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.egysrvs.com
Source: explorer.exe, 00000003.00000002.3360342523.000000000C4E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2983239925.000000000C4E1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.egysrvs.com/se63/
Source: explorer.exe, 00000003.00000002.3360342523.000000000C4E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2983239925.000000000C4E1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.egysrvs.com/se63/www.ebridgereal.site
Source: explorer.exe, 00000003.00000002.3360342523.000000000C4E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2983239925.000000000C4E1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.egysrvs.comReferer:
Source: explorer.exe, 00000003.00000002.3360342523.000000000C4E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2983239925.000000000C4E1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.galeriaspognardi.com
Source: explorer.exe, 00000003.00000002.3360342523.000000000C4E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2983239925.000000000C4E1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.galeriaspognardi.com/se63/
Source: explorer.exe, 00000003.00000002.3360342523.000000000C4E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2983239925.000000000C4E1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.galeriaspognardi.com/se63/www.hemule.net
Source: explorer.exe, 00000003.00000002.3360342523.000000000C4E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2983239925.000000000C4E1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.galeriaspognardi.comReferer:
Source: explorer.exe, 00000003.00000002.3360342523.000000000C4E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2983239925.000000000C4E1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.gothecleaningpros.com
Source: explorer.exe, 00000003.00000002.3360342523.000000000C4E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2983239925.000000000C4E1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.gothecleaningpros.com/se63/
Source: explorer.exe, 00000003.00000002.3360342523.000000000C4E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2983239925.000000000C4E1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.gothecleaningpros.com/se63/www.ky5682011.cc
Source: explorer.exe, 00000003.00000002.3360342523.000000000C4E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2983239925.000000000C4E1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.gothecleaningpros.comReferer:
Source: explorer.exe, 00000003.00000002.3360342523.000000000C4E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2983239925.000000000C4E1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.hemule.net
Source: explorer.exe, 00000003.00000002.3360342523.000000000C4E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2983239925.000000000C4E1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.hemule.net/se63/
Source: explorer.exe, 00000003.00000002.3360342523.000000000C4E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2983239925.000000000C4E1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.hemule.net/se63/www.wg5688.com
Source: explorer.exe, 00000003.00000002.3360342523.000000000C4E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2983239925.000000000C4E1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.hemule.netReferer:
Source: explorer.exe, 00000003.00000002.3360342523.000000000C4E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2983239925.000000000C4E1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ky5682011.cc
Source: explorer.exe, 00000003.00000002.3360342523.000000000C4E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2983239925.000000000C4E1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ky5682011.cc/se63/
Source: explorer.exe, 00000003.00000002.3360342523.000000000C4E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2983239925.000000000C4E1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ky5682011.cc/se63/www.galeriaspognardi.com
Source: explorer.exe, 00000003.00000002.3360342523.000000000C4E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2983239925.000000000C4E1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ky5682011.ccReferer:
Source: explorer.exe, 00000003.00000002.3360342523.000000000C4E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2983239925.000000000C4E1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.mb28apparel.com
Source: explorer.exe, 00000003.00000002.3360342523.000000000C4E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2983239925.000000000C4E1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.mb28apparel.com/se63/
Source: explorer.exe, 00000003.00000002.3360342523.000000000C4E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2983239925.000000000C4E1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.mb28apparel.com/se63/www.cincinnatisoup.com
Source: explorer.exe, 00000003.00000002.3360342523.000000000C4E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2983239925.000000000C4E1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.mb28apparel.comReferer:
Source: explorer.exe, 00000003.00000002.3360342523.000000000C4E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2983239925.000000000C4E1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.nomades.digital
Source: explorer.exe, 00000003.00000003.2983239925.000000000C4E1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.nomades.digital/se63/
Source: explorer.exe, 00000003.00000002.3360342523.000000000C4E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2983239925.000000000C4E1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.nomades.digitalReferer:
Source: explorer.exe, 00000003.00000002.3360342523.000000000C4E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2983239925.000000000C4E1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ozr3np.com
Source: explorer.exe, 00000003.00000002.3360342523.000000000C4E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2983239925.000000000C4E1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ozr3np.com/se63/
Source: explorer.exe, 00000003.00000002.3360342523.000000000C4E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2983239925.000000000C4E1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ozr3np.com/se63/www.adptgn.com
Source: explorer.exe, 00000003.00000002.3360342523.000000000C4E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2983239925.000000000C4E1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ozr3np.comReferer:
Source: explorer.exe, 00000003.00000002.3360342523.000000000C4E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2983239925.000000000C4E1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.used-cars-66201.bond
Source: explorer.exe, 00000003.00000002.3360342523.000000000C4E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2983239925.000000000C4E1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.used-cars-66201.bond/se63/
Source: explorer.exe, 00000003.00000002.3360342523.000000000C4E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2983239925.000000000C4E1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.used-cars-66201.bond/se63/www.ozr3np.com
Source: explorer.exe, 00000003.00000002.3360342523.000000000C4E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2983239925.000000000C4E1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.used-cars-66201.bondReferer:
Source: explorer.exe, 00000003.00000002.3360342523.000000000C4E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2983239925.000000000C4E1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.wg5688.com
Source: explorer.exe, 00000003.00000002.3360342523.000000000C4E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2983239925.000000000C4E1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.wg5688.com/se63/
Source: explorer.exe, 00000003.00000002.3360342523.000000000C4E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2983239925.000000000C4E1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.wg5688.com/se63/www.egysrvs.com
Source: explorer.exe, 00000003.00000002.3360342523.000000000C4E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2983239925.000000000C4E1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.wg5688.comReferer:
Source: explorer.exe, 00000003.00000002.3360342523.000000000C4E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2983239925.000000000C4E1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.xztyvk.xyz
Source: explorer.exe, 00000003.00000002.3360342523.000000000C4E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2983239925.000000000C4E1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.xztyvk.xyz/se63/
Source: explorer.exe, 00000003.00000002.3360342523.000000000C4E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2983239925.000000000C4E1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.xztyvk.xyz/se63/www.used-cars-66201.bond
Source: explorer.exe, 00000003.00000002.3360342523.000000000C4E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2983239925.000000000C4E1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.xztyvk.xyzReferer:
Source: explorer.exe, 00000003.00000002.3350905176.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2093568862.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2979873676.00000000099AB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp
Source: explorer.exe, 00000003.00000002.3355671940.000000000BFDF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2096130628.000000000BFDF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000003.00000002.3350454896.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2092355402.000000000962B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000003.00000002.3350454896.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2092355402.000000000962B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/I
Source: explorer.exe, 00000003.00000002.3350454896.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2092355402.000000000973C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000003.00000002.3350454896.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2092355402.000000000962B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?
Source: explorer.exe, 00000003.00000000.2087504626.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3348591148.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=435B7A89D7D74BDF801F2DA188906BAF&timeOut=5000&oc
Source: explorer.exe, 00000003.00000000.2087504626.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3350454896.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2092355402.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3348591148.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 00000003.00000002.3350454896.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2092355402.000000000973C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.com
Source: explorer.exe, 00000003.00000002.3348591148.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
Source: explorer.exe, 00000003.00000002.3348591148.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehwh2.svg
Source: explorer.exe, 00000003.00000002.3348591148.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
Source: explorer.exe, 00000003.00000002.3348591148.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
Source: explorer.exe, 00000003.00000000.2087504626.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3348591148.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMhz
Source: explorer.exe, 00000003.00000000.2087504626.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3348591148.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMhz-dark
Source: explorer.exe, 00000003.00000002.3356077246.000000000C086000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2983890388.000000000C086000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2096130628.000000000C048000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com-
Source: explorer.exe, 00000003.00000002.3348591148.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
Source: explorer.exe, 00000003.00000000.2087504626.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3348591148.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAzME7S.img
Source: explorer.exe, 00000003.00000002.3356077246.000000000C086000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2983890388.000000000C086000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2096130628.000000000C048000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.come
Source: explorer.exe, 00000003.00000000.2096130628.000000000BFEF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3355671940.000000000BFEF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.comEMd
Source: explorer.exe, 00000003.00000000.2087504626.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3348591148.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000003.00000000.2087504626.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3348591148.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000003.00000002.3350905176.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2093568862.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2979873676.00000000099AB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/e
Source: explorer.exe, 00000003.00000002.3356077246.000000000C086000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2983890388.000000000C086000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2096130628.000000000C048000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.comM
Source: explorer.exe, 00000003.00000000.2087504626.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3348591148.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/10-things-rich-people-never-buy-and-you-shouldn-t-ei
Source: explorer.exe, 00000003.00000000.2087504626.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3348591148.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/money-matters-changing-institution-of-marriage/ar-AA
Source: explorer.exe, 00000003.00000000.2087504626.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3348591148.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/realestate/why-this-florida-city-is-a-safe-haven-from-hurricanes/ar-
Source: explorer.exe, 00000003.00000000.2087504626.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3348591148.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/savingandinvesting/americans-average-net-worth-by-age/ar-AA1h4ngF
Source: explorer.exe, 00000003.00000000.2087504626.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3348591148.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/how-donald-trump-helped-kari-lake-become-arizona-s-and-ameri
Source: explorer.exe, 00000003.00000000.2087504626.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3348591148.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/kevin-mccarthy-s-ouster-as-house-speaker-could-cost-gop-its-
Source: explorer.exe, 00000003.00000000.2087504626.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3348591148.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/republicans-already-barred-trump-from-being-speaker-of-the-h
Source: explorer.exe, 00000003.00000000.2087504626.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3348591148.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/trump-campaign-says-he-raised-more-than-45-million-in-3rd-qu
Source: explorer.exe, 00000003.00000000.2087504626.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3348591148.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/technology/a-federal-emergency-alert-will-be-sent-to-us-phones-nation
Source: explorer.exe, 00000003.00000000.2087504626.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3348591148.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/biden-administration-waives-26-federal-laws-to-allow-border-wall-c
Source: explorer.exe, 00000003.00000000.2087504626.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3348591148.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the
Source: explorer.exe, 00000003.00000000.2087504626.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3348591148.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/world/us-supplies-ukraine-with-a-million-rounds-of-ammunition-seized-
Source: explorer.exe, 00000003.00000000.2087504626.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3348591148.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/travel/news/you-can-t-beat-bobby-flay-s-phoenix-airport-restaurant-one-of-
Source: explorer.exe, 00000003.00000000.2087504626.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3348591148.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/california-s-reservoirs-runneth-over-in-astounding-reve
Source: explorer.exe, 00000003.00000000.2087504626.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3348591148.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com:443/en-us/feed

Contains functionality for read data from the clipboard

Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe

0_2_00FEEAFF

Contains functionality to modify clipboard data

Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe

Code function: 0_2_00FEED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00FEED6A

Contains functionality to read the clipboard data

Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe

0_2_00FEEAFF

Contains functionality to retrieve information about pressed keystrokes

Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe

Code function: 0_2_00FDAA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_00FDAA57

Potential key logger detected (key state polling based)

Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe

0_2_01009576

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 0.2.Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe.f00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe.f00000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2134027710.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3346411214.0000000002B60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2134242987.00000000033D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3346460276.0000000002B90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2065972721.0000000000F00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3346288616.0000000002A50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2134423414.0000000003940000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe.f00000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0.2.Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe.f00000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe.f00000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe.f00000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0.2.Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe.f00000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe.f00000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.2134027710.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.2134027710.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.2134027710.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.3346411214.0000000002B60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.3346411214.0000000002B60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.3346411214.0000000002B60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.2134242987.00000000033D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.2134242987.00000000033D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.2134242987.00000000033D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.3346460276.0000000002B90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.3346460276.0000000002B90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.3346460276.0000000002B90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.2065972721.0000000000F00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.2065972721.0000000000F00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.2065972721.0000000000F00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.3346288616.0000000002A50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.3346288616.0000000002A50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.3346288616.0000000002A50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.2134423414.0000000003940000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.2134423414.0000000003940000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.2134423414.0000000003940000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe PID: 6504, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: svchost.exe PID: 5068, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: explorer.exe PID: 4004, type: MEMORYSTR	Matched rule: Semi-Auto-generated - file ironshell.php.txt Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Source: Process Memory Space: WWAHost.exe PID: 1352, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Binary is likely a compiled AutoIt script file

Source: Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe, 00000000.00000002.2066146159.0000000001032000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_79c27d72-9
Source: Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe, 00000000.00000002.2066146159.0000000001032000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_9c22f602-3
Source: Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_ab8b9b71-1
Source: Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_826b8453-2

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe

Contains functionality to call native functions

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041A360 NtCreateFile,	2_2_0041A360
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041A410 NtReadFile,	2_2_0041A410
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041A490 NtClose,	2_2_0041A490
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041A540 NtAllocateVirtualMemory,	2_2_0041A540
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041A35C NtCreateFile,	2_2_0041A35C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041A40A NtReadFile,	2_2_0041A40A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041A48A NtClose,	2_2_0041A48A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	2_2_03C72BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72B60 NtClose,LdrInitializeThunk,	2_2_03C72B60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72AD0 NtReadFile,LdrInitializeThunk,	2_2_03C72AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72FE0 NtCreateFile,LdrInitializeThunk,	2_2_03C72FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72F90 NtProtectVirtualMemory,LdrInitializeThunk,	2_2_03C72F90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72FB0 NtResumeThread,LdrInitializeThunk,	2_2_03C72FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72F30 NtCreateSection,LdrInitializeThunk,	2_2_03C72F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72E80 NtReadVirtualMemory,LdrInitializeThunk,	2_2_03C72E80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,	2_2_03C72EA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72DD0 NtDelayExecution,LdrInitializeThunk,	2_2_03C72DD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72DF0 NtQuerySystemInformation,LdrInitializeThunk,	2_2_03C72DF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72D10 NtMapViewOfSection,LdrInitializeThunk,	2_2_03C72D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72D30 NtUnmapViewOfSection,LdrInitializeThunk,	2_2_03C72D30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72CA0 NtQueryInformationToken,LdrInitializeThunk,	2_2_03C72CA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C74340 NtSetContextThread,	2_2_03C74340
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C74650 NtSuspendThread,	2_2_03C74650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72BE0 NtQueryValueKey,	2_2_03C72BE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72B80 NtQueryInformationFile,	2_2_03C72B80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72BA0 NtEnumerateValueKey,	2_2_03C72BA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72AF0 NtWriteFile,	2_2_03C72AF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72AB0 NtWaitForSingleObject,	2_2_03C72AB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72FA0 NtQuerySection,	2_2_03C72FA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72F60 NtCreateProcessEx,	2_2_03C72F60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72EE0 NtQueueApcThread,	2_2_03C72EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72E30 NtWriteVirtualMemory,	2_2_03C72E30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72DB0 NtEnumerateKey,	2_2_03C72DB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72D00 NtSetInformationFile,	2_2_03C72D00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72CC0 NtQueryVirtualMemory,	2_2_03C72CC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72CF0 NtOpenProcess,	2_2_03C72CF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72C60 NtCreateKey,	2_2_03C72C60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72C70 NtFreeVirtualMemory,	2_2_03C72C70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72C00 NtQueryInformationProcess,	2_2_03C72C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C73090 NtSetValueKey,	2_2_03C73090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C73010 NtOpenDirectoryObject,	2_2_03C73010
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C735C0 NtCreateMutant,	2_2_03C735C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C739B0 NtGetContextThread,	2_2_03C739B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C73D70 NtOpenThread,	2_2_03C73D70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C73D10 NtOpenProcessToken,	2_2_03C73D10
Source: C:\Windows\explorer.exe	Code function: 3_2_1019CE12 NtProtectVirtualMemory,	3_2_1019CE12
Source: C:\Windows\explorer.exe	Code function: 3_2_1019B232 NtCreateFile,	3_2_1019B232
Source: C:\Windows\explorer.exe	Code function: 3_2_1019CE0A NtProtectVirtualMemory,	3_2_1019CE0A
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_0032E0F0 GetCurrentProcess,NtQueryInformationProcess,QuirkIsEnabled,#90,InitOnceExecuteOnce,#157,	4_2_0032E0F0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_00383774 GetCurrentProcess,NtSetInformationProcess,	4_2_00383774
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_003837AC NtQuerySystemInformation,	4_2_003837AC
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_00327E90 NtQueryInformationToken,HeapAlloc,memset,NtQueryInformationToken,RtlInitUnicodeString,RtlCompareUnicodeString,RtlNtStatusToDosErrorNoTeb,RtlNtStatusToDosErrorNoTeb,HeapFree,	4_2_00327E90
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035F2B60 NtClose,LdrInitializeThunk,	4_2_035F2B60
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035F2BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	4_2_035F2BF0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035F2BE0 NtQueryValueKey,LdrInitializeThunk,	4_2_035F2BE0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035F2AD0 NtReadFile,LdrInitializeThunk,	4_2_035F2AD0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035F2F30 NtCreateSection,LdrInitializeThunk,	4_2_035F2F30
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035F2FE0 NtCreateFile,LdrInitializeThunk,	4_2_035F2FE0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035F2EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,	4_2_035F2EA0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035F2D10 NtMapViewOfSection,LdrInitializeThunk,	4_2_035F2D10
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035F2DD0 NtDelayExecution,LdrInitializeThunk,	4_2_035F2DD0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035F2DF0 NtQuerySystemInformation,LdrInitializeThunk,	4_2_035F2DF0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035F2C70 NtFreeVirtualMemory,LdrInitializeThunk,	4_2_035F2C70
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035F2C60 NtCreateKey,LdrInitializeThunk,	4_2_035F2C60
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035F2CA0 NtQueryInformationToken,LdrInitializeThunk,	4_2_035F2CA0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035F35C0 NtCreateMutant,LdrInitializeThunk,	4_2_035F35C0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035F4340 NtSetContextThread,	4_2_035F4340
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035F4650 NtSuspendThread,	4_2_035F4650
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035F2B80 NtQueryInformationFile,	4_2_035F2B80
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035F2BA0 NtEnumerateValueKey,	4_2_035F2BA0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035F2AF0 NtWriteFile,	4_2_035F2AF0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035F2AB0 NtWaitForSingleObject,	4_2_035F2AB0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035F2F60 NtCreateProcessEx,	4_2_035F2F60
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035F2F90 NtProtectVirtualMemory,	4_2_035F2F90
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035F2FB0 NtResumeThread,	4_2_035F2FB0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035F2FA0 NtQuerySection,	4_2_035F2FA0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035F2E30 NtWriteVirtualMemory,	4_2_035F2E30
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035F2EE0 NtQueueApcThread,	4_2_035F2EE0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035F2E80 NtReadVirtualMemory,	4_2_035F2E80
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035F2D00 NtSetInformationFile,	4_2_035F2D00
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035F2D30 NtUnmapViewOfSection,	4_2_035F2D30
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035F2DB0 NtEnumerateKey,	4_2_035F2DB0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035F2C00 NtQueryInformationProcess,	4_2_035F2C00
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035F2CC0 NtQueryVirtualMemory,	4_2_035F2CC0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035F2CF0 NtOpenProcess,	4_2_035F2CF0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035F3010 NtOpenDirectoryObject,	4_2_035F3010
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035F3090 NtSetValueKey,	4_2_035F3090
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035F39B0 NtGetContextThread,	4_2_035F39B0

Contains functionality to communicate with device drivers

Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe

Code function: 0_2_00FDD5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_00FDD5EB

Contains functionality to launch a process as a different user

Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe

0_2_00FD1201

Contains functionality to shutdown / reboot the system

Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe

Code function: 0_2_00FDE8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_00FDE8F6

Detected potential crypto function

Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Code function: 0_2_00F78060	0_2_00F78060
Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Code function: 0_2_00FE2046	0_2_00FE2046
Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Code function: 0_2_00FD8298	0_2_00FD8298
Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Code function: 0_2_00FAE4FF	0_2_00FAE4FF
Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Code function: 0_2_00FA676B	0_2_00FA676B
Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Code function: 0_2_01004873	0_2_01004873
Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Code function: 0_2_00F7CAF0	0_2_00F7CAF0
Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Code function: 0_2_00F9CAA0	0_2_00F9CAA0
Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Code function: 0_2_00F8CC39	0_2_00F8CC39
Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Code function: 0_2_00FA6DD9	0_2_00FA6DD9
Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Code function: 0_2_00F791C0	0_2_00F791C0
Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Code function: 0_2_00F8B119	0_2_00F8B119
Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Code function: 0_2_00F91394	0_2_00F91394
Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Code function: 0_2_00F9781B	0_2_00F9781B
Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Code function: 0_2_00F8997D	0_2_00F8997D
Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Code function: 0_2_00F77920	0_2_00F77920
Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Code function: 0_2_00F97A4A	0_2_00F97A4A
Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Code function: 0_2_00F97CA7	0_2_00F97CA7
Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Code function: 0_2_00FA9EEE	0_2_00FA9EEE
Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Code function: 0_2_00FFBE44	0_2_00FFBE44
Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Code function: 0_2_00EF3690	0_2_00EF3690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00401030	2_2_00401030
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041EB9F	2_2_0041EB9F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041E511	2_2_0041E511
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402D90	2_2_00402D90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00409E60	2_2_00409E60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041DFC1	2_2_0041DFC1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402FB0	2_2_00402FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C4E3F0	2_2_03C4E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03D003E6	2_2_03D003E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CFA352	2_2_03CFA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CC02C0	2_2_03CC02C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE0274	2_2_03CE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CF81CC	2_2_03CF81CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CF41A2	2_2_03CF41A2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03D001AA	2_2_03D001AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CC8158	2_2_03CC8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C30100	2_2_03C30100
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CDA118	2_2_03CDA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CD2000	2_2_03CD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3C7C0	2_2_03C3C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C64750	2_2_03C64750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40770	2_2_03C40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5C6E0	2_2_03C5C6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03D00591	2_2_03D00591
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40535	2_2_03C40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CEE4F6	2_2_03CEE4F6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CF2446	2_2_03CF2446
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE4420	2_2_03CE4420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CF6BD7	2_2_03CF6BD7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CFAB40	2_2_03CFAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3EA80	2_2_03C3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C429A0	2_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03D0A9A6	2_2_03D0A9A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C56962	2_2_03C56962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6E8F0	2_2_03C6E8F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C268B8	2_2_03C268B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C4A840	2_2_03C4A840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C42840	2_2_03C42840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C32FC8	2_2_03C32FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C4CFE0	2_2_03C4CFE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CBEFA0	2_2_03CBEFA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB4F40	2_2_03CB4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C82F28	2_2_03C82F28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C60F30	2_2_03C60F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE2F30	2_2_03CE2F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CFEEDB	2_2_03CFEEDB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C52E90	2_2_03C52E90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CFCE93	2_2_03CFCE93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40E59	2_2_03C40E59
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CFEE26	2_2_03CFEE26
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3ADE0	2_2_03C3ADE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C58DBF	2_2_03C58DBF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C4AD00	2_2_03C4AD00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CDCD1F	2_2_03CDCD1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C30CF2	2_2_03C30CF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE0CB5	2_2_03CE0CB5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40C00	2_2_03C40C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C8739A	2_2_03C8739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2D34C	2_2_03C2D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CF132D	2_2_03CF132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5B2C0	2_2_03C5B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE12ED	2_2_03CE12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C452A0	2_2_03C452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C4B1B0	2_2_03C4B1B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C7516C	2_2_03C7516C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2F172	2_2_03C2F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03D0B16B	2_2_03D0B16B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CEF0CC	2_2_03CEF0CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C470C0	2_2_03C470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CF70E9	2_2_03CF70E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CFF0E0	2_2_03CFF0E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CFF7B0	2_2_03CFF7B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CF16CC	2_2_03CF16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CDD5B0	2_2_03CDD5B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CF7571	2_2_03CF7571
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C31460	2_2_03C31460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CFF43F	2_2_03CFF43F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB5BF0	2_2_03CB5BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C7DBF9	2_2_03C7DBF9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5FB80	2_2_03C5FB80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CFFB76	2_2_03CFFB76
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CEDAC6	2_2_03CEDAC6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CDDAAC	2_2_03CDDAAC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C85AA0	2_2_03C85AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE1AA3	2_2_03CE1AA3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CFFA49	2_2_03CFFA49
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CF7A46	2_2_03CF7A46
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB3A6C	2_2_03CB3A6C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C49950	2_2_03C49950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5B950	2_2_03C5B950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CD5910	2_2_03CD5910
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C438E0	2_2_03C438E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CAD800	2_2_03CAD800
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C41F92	2_2_03C41F92
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CFFFB1	2_2_03CFFFB1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CFFF09	2_2_03CFFF09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C49EB0	2_2_03C49EB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5FDC0	2_2_03C5FDC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C43D40	2_2_03C43D40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CF1D5A	2_2_03CF1D5A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CF7D73	2_2_03CF7D73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CFFCF2	2_2_03CFFCF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB9C32	2_2_03CB9C32
Source: C:\Windows\explorer.exe	Code function: 3_2_1019B232	3_2_1019B232
Source: C:\Windows\explorer.exe	Code function: 3_2_1019A036	3_2_1019A036
Source: C:\Windows\explorer.exe	Code function: 3_2_10191082	3_2_10191082
Source: C:\Windows\explorer.exe	Code function: 3_2_10198912	3_2_10198912
Source: C:\Windows\explorer.exe	Code function: 3_2_10192D02	3_2_10192D02
Source: C:\Windows\explorer.exe	Code function: 3_2_10195B30	3_2_10195B30
Source: C:\Windows\explorer.exe	Code function: 3_2_10195B32	3_2_10195B32
Source: C:\Windows\explorer.exe	Code function: 3_2_1019E5CD	3_2_1019E5CD
Source: C:\Windows\explorer.exe	Code function: 3_2_106D1036	3_2_106D1036
Source: C:\Windows\explorer.exe	Code function: 3_2_106C8082	3_2_106C8082
Source: C:\Windows\explorer.exe	Code function: 3_2_106C9D02	3_2_106C9D02
Source: C:\Windows\explorer.exe	Code function: 3_2_106CF912	3_2_106CF912
Source: C:\Windows\explorer.exe	Code function: 3_2_106D55CD	3_2_106D55CD
Source: C:\Windows\explorer.exe	Code function: 3_2_106D2232	3_2_106D2232
Source: C:\Windows\explorer.exe	Code function: 3_2_106CCB30	3_2_106CCB30
Source: C:\Windows\explorer.exe	Code function: 3_2_106CCB32	3_2_106CCB32
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_00340090	4_2_00340090
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_00306BA3	4_2_00306BA3
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_00306BA8	4_2_00306BA8
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_00344CE0	4_2_00344CE0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_00350EF0	4_2_00350EF0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_00307036	4_2_00307036
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_00351337	4_2_00351337
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_0367A352	4_2_0367A352
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_036803E6	4_2_036803E6
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035CE3F0	4_2_035CE3F0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_03660274	4_2_03660274
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_036402C0	4_2_036402C0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_03648158	4_2_03648158
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035B0100	4_2_035B0100
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_0365A118	4_2_0365A118
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_036781CC	4_2_036781CC
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_036801AA	4_2_036801AA
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_036741A2	4_2_036741A2
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_03652000	4_2_03652000
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035E4750	4_2_035E4750
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035C0770	4_2_035C0770
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035BC7C0	4_2_035BC7C0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035DC6E0	4_2_035DC6E0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035C0535	4_2_035C0535
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_03680591	4_2_03680591
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_03672446	4_2_03672446
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_03664420	4_2_03664420
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_0366E4F6	4_2_0366E4F6
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_0367AB40	4_2_0367AB40
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_03676BD7	4_2_03676BD7
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035BEA80	4_2_035BEA80
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035D6962	4_2_035D6962
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_0368A9A6	4_2_0368A9A6
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035C29A0	4_2_035C29A0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035CA840	4_2_035CA840
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035C2840	4_2_035C2840
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035EE8F0	4_2_035EE8F0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035A68B8	4_2_035A68B8
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_03634F40	4_2_03634F40
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_03602F28	4_2_03602F28
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_03662F30	4_2_03662F30
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035E0F30	4_2_035E0F30
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035B2FC8	4_2_035B2FC8
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035CCFE0	4_2_035CCFE0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_0363EFA0	4_2_0363EFA0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035C0E59	4_2_035C0E59
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_0367EE26	4_2_0367EE26
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_0367EEDB	4_2_0367EEDB
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035D2E90	4_2_035D2E90
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_0367CE93	4_2_0367CE93
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035CAD00	4_2_035CAD00
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_0365CD1F	4_2_0365CD1F
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035BADE0	4_2_035BADE0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035D8DBF	4_2_035D8DBF
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035C0C00	4_2_035C0C00
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035B0CF2	4_2_035B0CF2
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_03660CB5	4_2_03660CB5
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035AD34C	4_2_035AD34C
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_0367132D	4_2_0367132D
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_0360739A	4_2_0360739A
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_036612ED	4_2_036612ED
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035DB2C0	4_2_035DB2C0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035C52A0	4_2_035C52A0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_0368B16B	4_2_0368B16B
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035AF172	4_2_035AF172
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035F516C	4_2_035F516C
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035CB1B0	4_2_035CB1B0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_0367F0E0	4_2_0367F0E0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_036770E9	4_2_036770E9
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035C70C0	4_2_035C70C0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_0366F0CC	4_2_0366F0CC
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_0367F7B0	4_2_0367F7B0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_03605630	4_2_03605630
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_036716CC	4_2_036716CC
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_03677571	4_2_03677571
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_036895C3	4_2_036895C3
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_0365D5B0	4_2_0365D5B0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035B1460	4_2_035B1460
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_0367F43F	4_2_0367F43F
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_0367FB76	4_2_0367FB76
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_03635BF0	4_2_03635BF0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035FDBF9	4_2_035FDBF9
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035DFB80	4_2_035DFB80
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_03633A6C	4_2_03633A6C
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_03677A46	4_2_03677A46
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_0367FA49	4_2_0367FA49
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_0366DAC6	4_2_0366DAC6
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_03605AA0	4_2_03605AA0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_03661AA3	4_2_03661AA3
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_0365DAAC	4_2_0365DAAC
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035C9950	4_2_035C9950
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035DB950	4_2_035DB950
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_03655910	4_2_03655910

Found potential string decryption / allocating functions

Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03C87E54 appears 102 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03CBF290 appears 105 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03C75130 appears 58 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03C2B970 appears 280 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03CAEA12 appears 86 times
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: String function: 0362EA12 appears 73 times
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: String function: 0035318B appears 128 times
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: String function: 00372F80 appears 923 times
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: String function: 03607E54 appears 94 times
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: String function: 0034E951 appears 387 times
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: String function: 035AB970 appears 229 times
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: String function: 035F5130 appears 54 times
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: String function: 00374C81 appears 35 times
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: String function: 00374FF1 appears 138 times
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: String function: 0363F290 appears 97 times
Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Code function: String function: 00F8F9F2 appears 40 times
Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Code function: String function: 00F79CB3 appears 31 times
Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Code function: String function: 00F90A30 appears 46 times

Sample file is different than original file name gathered from version info

Source: Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe, 00000000.00000003.2062355239.0000000003613000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe
Source: Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe, 00000000.00000003.2063229444.00000000037BD000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe

Uses 32bit PE files

Source: Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Yara signature match

Source: 0.2.Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe.f00000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0.2.Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe.f00000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe.f00000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe.f00000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0.2.Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe.f00000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe.f00000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.2134027710.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.2134027710.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.2134027710.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.3346411214.0000000002B60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.3346411214.0000000002B60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.3346411214.0000000002B60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.2134242987.00000000033D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.2134242987.00000000033D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.2134242987.00000000033D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.3346460276.0000000002B90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.3346460276.0000000002B90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.3346460276.0000000002B90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.2065972721.0000000000F00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.2065972721.0000000000F00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.2065972721.0000000000F00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.3346288616.0000000002A50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.3346288616.0000000002A50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.3346288616.0000000002A50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.2134423414.0000000003940000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.2134423414.0000000003940000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.2134423414.0000000003940000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe PID: 6504, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: svchost.exe PID: 5068, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: explorer.exe PID: 4004, type: MEMORYSTR	Matched rule: ironshell_php author = Neo23x0 Yara BRG + customization by Stefan -dfate- Molls, description = Semi-Auto-generated - file ironshell.php.txt, hash = 8bfa2eeb8a3ff6afc619258e39fded56
Source: Process Memory Space: WWAHost.exe PID: 1352, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.evad.winEXE@8/4@4/4

Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe

Code function: 0_2_00FE37B5 GetLastError,FormatMessageW,

0_2_00FE37B5

Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Code function: 0_2_00FD10BF AdjustTokenPrivileges,CloseHandle,		0_2_00FD10BF
Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Code function: 0_2_00FD16C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_00FD16C3

Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe

Code function: 0_2_00FE51CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_00FE51CD

Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe

Code function: 0_2_00FFA67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_00FFA67C

Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe

Code function: 0_2_00FE648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_00FE648E

Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe

Code function: 0_2_00F742A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00F742A2

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5072:120:WilError_03

Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe

File created: C:\Users\user\AppData\Local\Temp\aut4EA4.tmp

Jump to behavior

Source: Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	ReversingLabs: Detection: 39%
Source: Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Virustotal: Detection: 33%

Source: unknown	Process created: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe "C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe"
Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\WWAHost.exe "C:\Windows\SysWOW64\WWAHost.exe"
Source: C:\Windows\SysWOW64\WWAHost.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\svchost.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\WWAHost.exe "C:\Windows\SysWOW64\WWAHost.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WWAHost.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\svchost.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.cloudstore.schema.shell.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WWAHost.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WWAHost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WWAHost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WWAHost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WWAHost.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WWAHost.exe	Section loaded: wininet.dll	Jump to behavior

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{50CE75BC-766C-4136-BF5E-9197AA23569E}\InProcServer32

Jump to behavior

Source: Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe

Static file information: File size 1190912 > 1048576

Source: Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: WWAHost.pdb source: svchost.exe, 00000002.00000003.2132631234.0000000005A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2132489099.0000000003B00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2135117487.0000000005C00000.00000040.10000000.00040000.00000000.sdmp, WWAHost.exe, WWAHost.exe, 00000004.00000002.3345986724.0000000000300000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: WWAHost.pdbUGP source: svchost.exe, 00000002.00000003.2132631234.0000000005A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2132489099.0000000003B00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2135117487.0000000005C00000.00000040.10000000.00040000.00000000.sdmp, WWAHost.exe, 00000004.00000002.3345986724.0000000000300000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe, 00000000.00000003.2062048793.0000000003690000.00000004.00001000.00020000.00000000.sdmp, Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe, 00000000.00000003.2061915416.00000000034F0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2064082070.0000000003800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2134570335.0000000003D9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2134570335.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2081720047.0000000003A00000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 00000004.00000002.3347022446.000000000371E000.00000040.00001000.00020000.00000000.sdmp, WWAHost.exe, 00000004.00000003.2134008026.0000000002FE8000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 00000004.00000002.3347022446.0000000003580000.00000040.00001000.00020000.00000000.sdmp, WWAHost.exe, 00000004.00000003.2138554462.00000000033D7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe, 00000000.00000003.2062048793.0000000003690000.00000004.00001000.00020000.00000000.sdmp, Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe, 00000000.00000003.2061915416.00000000034F0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.2064082070.0000000003800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2134570335.0000000003D9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2134570335.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2081720047.0000000003A00000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, WWAHost.exe, 00000004.00000002.3347022446.000000000371E000.00000040.00001000.00020000.00000000.sdmp, WWAHost.exe, 00000004.00000003.2134008026.0000000002FE8000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 00000004.00000002.3347022446.0000000003580000.00000040.00001000.00020000.00000000.sdmp, WWAHost.exe, 00000004.00000003.2138554462.00000000033D7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: explorer.exe, 00000003.00000002.3361543576.000000001097F000.00000004.80000000.00040000.00000000.sdmp, WWAHost.exe, 00000004.00000002.3347535891.0000000003ACF000.00000004.10000000.00040000.00000000.sdmp, WWAHost.exe, 00000004.00000002.3346535807.0000000002C2C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: explorer.exe, 00000003.00000002.3361543576.000000001097F000.00000004.80000000.00040000.00000000.sdmp, WWAHost.exe, 00000004.00000002.3347535891.0000000003ACF000.00000004.10000000.00040000.00000000.sdmp, WWAHost.exe, 00000004.00000002.3346535807.0000000002C2C000.00000004.00000020.00020000.00000000.sdmp

Source: Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe

Code function: 0_2_00F742DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00F742DE

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Code function: 0_2_00F90A76 push ecx; ret	0_2_00F90A89
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00416820 pushfd ; iretd	2_2_00416821
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00417BBB pushad ; retf	2_2_00417BBC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041D4B5 push eax; ret	2_2_0041D508
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041D56C push eax; ret	2_2_0041D572
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041D502 push eax; ret	2_2_0041D508
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041D50B push eax; ret	2_2_0041D572
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040AFA3 push 0000001Dh; retf	2_2_0040AFA6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C309AD push ecx; mov dword ptr [esp], ecx	2_2_03C309B6
Source: C:\Windows\explorer.exe	Code function: 3_2_1019EB1E push esp; retn 0000h	3_2_1019EB1F
Source: C:\Windows\explorer.exe	Code function: 3_2_1019EB02 push esp; retn 0000h	3_2_1019EB03
Source: C:\Windows\explorer.exe	Code function: 3_2_1019E9B5 push esp; retn 0000h	3_2_1019EAE7
Source: C:\Windows\explorer.exe	Code function: 3_2_106D59B5 push esp; retn 0000h	3_2_106D5AE7
Source: C:\Windows\explorer.exe	Code function: 3_2_106D5B02 push esp; retn 0000h	3_2_106D5B03
Source: C:\Windows\explorer.exe	Code function: 3_2_106D5B1E push esp; retn 0000h	3_2_106D5B1F
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_00306F7C push eax; retf	4_2_00306F85
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_00307036 push eax; retf	4_2_00307EF1
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_00307026 pushad ; iretd	4_2_00307029
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_00353168 push ecx; ret	4_2_0035317B
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_00309431 push ds; iretd	4_2_00309432
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_00309537 push esi; retf	4_2_0030954C
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_0030959A push CFE2086Ah; ret	4_2_003095AB
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_003096FD push ds; iretd	4_2_003096FE
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_00307CEA push eax; retf	4_2_00307EF1
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_0358225F pushad ; ret	4_2_035827F9
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035827FA pushad ; ret	4_2_035827F9
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_035B09AD push ecx; mov dword ptr [esp], ecx	4_2_035B09B6
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_0358283D push eax; iretd	4_2_03582858
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_0358135E push eax; iretd	4_2_03581369

Creates processes with suspicious names

Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	File created: \purchase order for consumables eltra 008363725_9645364782_1197653623_836652746_22994644.exe
Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	File created: \purchase order for consumables eltra 008363725_9645364782_1197653623_836652746_22994644.exe			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Modifies the prolog of user mode functions (user mode inline hooks)

Source: explorer.exe

User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8B 0xBE 0xE4

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Code function: 0_2_00F8F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00F8F98E
Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Code function: 0_2_01001C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_01001C41

Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WWAHost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

Tries to detect virtualization through RDTSC time measurements

Source: C:\Windows\SysWOW64\svchost.exe	RDTSC instruction interceptor: First address: 409904 second address: 40990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\svchost.exe	RDTSC instruction interceptor: First address: 409B7E second address: 409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\WWAHost.exe	RDTSC instruction interceptor: First address: 2A59904 second address: 2A5990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\WWAHost.exe	RDTSC instruction interceptor: First address: 2A59B7E second address: 2A59B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_00409AB0 rdtsc

2_2_00409AB0

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 2998	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 6950	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 882	Jump to behavior
Source: C:\Windows\SysWOW64\WWAHost.exe	Window / User API: threadDelayed 6539	Jump to behavior
Source: C:\Windows\SysWOW64\WWAHost.exe	Window / User API: threadDelayed 3428	Jump to behavior

Found decision node followed by non-executed suspicious APIs

Source: C:\Windows\explorer.exe

Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

Found large amount of non-executed APIs

Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	API coverage: 3.8 %
Source: C:\Windows\SysWOW64\svchost.exe	API coverage: 1.7 %
Source: C:\Windows\SysWOW64\WWAHost.exe	API coverage: 0.5 %

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\explorer.exe TID: 5788	Thread sleep count: 2998 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 5788	Thread sleep time: -5996000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 5788	Thread sleep count: 6950 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 5788	Thread sleep time: -13900000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WWAHost.exe TID: 7112	Thread sleep count: 6539 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WWAHost.exe TID: 7112	Thread sleep time: -13078000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WWAHost.exe TID: 7112	Thread sleep count: 3428 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WWAHost.exe TID: 7112	Thread sleep time: -6856000s >= -30000s	Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\SysWOW64\WWAHost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\WWAHost.exe	Last function: Thread delayed

Uses the system / local time for branch decision (may execute only at specific dates)

Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_0034B120 GetSystemTimeAsFileTime followed by cmp: cmp dword ptr [esi+000000a4h], 03h and CTI: je 00371D18h		4_2_0034B120
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_00329760 GetSystemTimeAsFileTime followed by cmp: cmp al, 01h and CTI: jne 00329886h		4_2_00329760

Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Code function: 0_2_00FDDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00FDDBBE
Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Code function: 0_2_00FAC2A2 FindFirstFileExW,	0_2_00FAC2A2
Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Code function: 0_2_00FE68EE FindFirstFileW,FindClose,	0_2_00FE68EE
Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Code function: 0_2_00FE698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_00FE698F
Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Code function: 0_2_00FDD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00FDD076
Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Code function: 0_2_00FDD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00FDD3A9
Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Code function: 0_2_00FE9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00FE9642
Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Code function: 0_2_00FE979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00FE979D
Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Code function: 0_2_00FE9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00FE9B2B
Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Code function: 0_2_00FE5C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00FE5C97
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_0035212C memset,FindFirstFileW,FindClose,	4_2_0035212C

Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe

Code function: 0_2_00F742DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00F742DE

Source: explorer.exe, 00000003.00000003.2983092250.000000000C3E7000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&00000
Source: explorer.exe, 00000003.00000002.3350454896.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2092355402.000000000962B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWystem32\DriverStore\en-US\msmouse.inf_locv
Source: explorer.exe, 00000003.00000003.2979873676.00000000097F3000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000003.00000002.3350454896.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2092355402.000000000973C000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWws
Source: explorer.exe, 00000003.00000002.3359920361.000000000C420000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: 806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}0J
Source: explorer.exe, 00000003.00000003.2979873676.00000000098AD000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}RoamingCom
Source: explorer.exe, 00000003.00000002.3350454896.0000000009605000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NXTVMWare
Source: explorer.exe, 00000003.00000003.2983092250.000000000C3E7000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: 6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef
Source: explorer.exe, 00000003.00000002.3346181735.0000000000D99000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: #CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000003.00000002.3350454896.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2092355402.000000000978C000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000003.00000002.3346181735.0000000000D99000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000W
Source: explorer.exe, 00000003.00000003.2983092250.000000000C3E7000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000003.00000002.3348591148.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: explorer.exe, 00000003.00000003.2979873676.00000000098AD000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}lnkramW6
Source: explorer.exe, 00000003.00000002.3346181735.0000000000D99000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 00000003.00000003.2979873676.00000000098AD000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
Source: explorer.exe, 00000003.00000002.3346181735.0000000000D99000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Windows\SysWOW64\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Checks if the current process is being debugged

Source: C:\Windows\SysWOW64\svchost.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\WWAHost.exe	Process queried: DebugPort			Jump to behavior

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_00409AB0 rdtsc

2_2_00409AB0

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_0040ACF0 LdrLoadDll,

2_2_0040ACF0

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe

Code function: 0_2_00FEEAA2 BlockInput,

0_2_00FEEAA2

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe

Code function: 0_2_00FA2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00FA2622

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe

Code function: 0_2_00F742DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00F742DE

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Code function: 0_2_00F94CE8 mov eax, dword ptr fs:[00000030h]	0_2_00F94CE8
Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Code function: 0_2_00EF3580 mov eax, dword ptr fs:[00000030h]	0_2_00EF3580
Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Code function: 0_2_00EF3520 mov eax, dword ptr fs:[00000030h]	0_2_00EF3520
Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Code function: 0_2_00EF1ED0 mov eax, dword ptr fs:[00000030h]	0_2_00EF1ED0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CEC3CD mov eax, dword ptr fs:[00000030h]	2_2_03CEC3CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3A3C0 mov eax, dword ptr fs:[00000030h]	2_2_03C3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3A3C0 mov eax, dword ptr fs:[00000030h]	2_2_03C3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3A3C0 mov eax, dword ptr fs:[00000030h]	2_2_03C3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3A3C0 mov eax, dword ptr fs:[00000030h]	2_2_03C3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3A3C0 mov eax, dword ptr fs:[00000030h]	2_2_03C3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3A3C0 mov eax, dword ptr fs:[00000030h]	2_2_03C3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C383C0 mov eax, dword ptr fs:[00000030h]	2_2_03C383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C383C0 mov eax, dword ptr fs:[00000030h]	2_2_03C383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C383C0 mov eax, dword ptr fs:[00000030h]	2_2_03C383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C383C0 mov eax, dword ptr fs:[00000030h]	2_2_03C383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB63C0 mov eax, dword ptr fs:[00000030h]	2_2_03CB63C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CDE3DB mov eax, dword ptr fs:[00000030h]	2_2_03CDE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CDE3DB mov eax, dword ptr fs:[00000030h]	2_2_03CDE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CDE3DB mov ecx, dword ptr fs:[00000030h]	2_2_03CDE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CDE3DB mov eax, dword ptr fs:[00000030h]	2_2_03CDE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CD43D4 mov eax, dword ptr fs:[00000030h]	2_2_03CD43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CD43D4 mov eax, dword ptr fs:[00000030h]	2_2_03CD43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C403E9 mov eax, dword ptr fs:[00000030h]	2_2_03C403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C403E9 mov eax, dword ptr fs:[00000030h]	2_2_03C403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C403E9 mov eax, dword ptr fs:[00000030h]	2_2_03C403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C403E9 mov eax, dword ptr fs:[00000030h]	2_2_03C403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C403E9 mov eax, dword ptr fs:[00000030h]	2_2_03C403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C403E9 mov eax, dword ptr fs:[00000030h]	2_2_03C403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C403E9 mov eax, dword ptr fs:[00000030h]	2_2_03C403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C403E9 mov eax, dword ptr fs:[00000030h]	2_2_03C403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C4E3F0 mov eax, dword ptr fs:[00000030h]	2_2_03C4E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C4E3F0 mov eax, dword ptr fs:[00000030h]	2_2_03C4E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C4E3F0 mov eax, dword ptr fs:[00000030h]	2_2_03C4E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C663FF mov eax, dword ptr fs:[00000030h]	2_2_03C663FF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2E388 mov eax, dword ptr fs:[00000030h]	2_2_03C2E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2E388 mov eax, dword ptr fs:[00000030h]	2_2_03C2E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2E388 mov eax, dword ptr fs:[00000030h]	2_2_03C2E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5438F mov eax, dword ptr fs:[00000030h]	2_2_03C5438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5438F mov eax, dword ptr fs:[00000030h]	2_2_03C5438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C28397 mov eax, dword ptr fs:[00000030h]	2_2_03C28397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C28397 mov eax, dword ptr fs:[00000030h]	2_2_03C28397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C28397 mov eax, dword ptr fs:[00000030h]	2_2_03C28397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h]	2_2_03CB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h]	2_2_03CB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h]	2_2_03CB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h]	2_2_03CB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h]	2_2_03CB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h]	2_2_03CB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h]	2_2_03CB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h]	2_2_03CB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h]	2_2_03CB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h]	2_2_03CB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h]	2_2_03CB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h]	2_2_03CB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h]	2_2_03CB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h]	2_2_03CB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h]	2_2_03CB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB035C mov eax, dword ptr fs:[00000030h]	2_2_03CB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB035C mov eax, dword ptr fs:[00000030h]	2_2_03CB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB035C mov eax, dword ptr fs:[00000030h]	2_2_03CB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB035C mov ecx, dword ptr fs:[00000030h]	2_2_03CB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB035C mov eax, dword ptr fs:[00000030h]	2_2_03CB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB035C mov eax, dword ptr fs:[00000030h]	2_2_03CB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CFA352 mov eax, dword ptr fs:[00000030h]	2_2_03CFA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CD8350 mov ecx, dword ptr fs:[00000030h]	2_2_03CD8350
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CD437C mov eax, dword ptr fs:[00000030h]	2_2_03CD437C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6A30B mov eax, dword ptr fs:[00000030h]	2_2_03C6A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6A30B mov eax, dword ptr fs:[00000030h]	2_2_03C6A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6A30B mov eax, dword ptr fs:[00000030h]	2_2_03C6A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2C310 mov ecx, dword ptr fs:[00000030h]	2_2_03C2C310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C50310 mov ecx, dword ptr fs:[00000030h]	2_2_03C50310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3A2C3 mov eax, dword ptr fs:[00000030h]	2_2_03C3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3A2C3 mov eax, dword ptr fs:[00000030h]	2_2_03C3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3A2C3 mov eax, dword ptr fs:[00000030h]	2_2_03C3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3A2C3 mov eax, dword ptr fs:[00000030h]	2_2_03C3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3A2C3 mov eax, dword ptr fs:[00000030h]	2_2_03C3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C402E1 mov eax, dword ptr fs:[00000030h]	2_2_03C402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C402E1 mov eax, dword ptr fs:[00000030h]	2_2_03C402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C402E1 mov eax, dword ptr fs:[00000030h]	2_2_03C402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6E284 mov eax, dword ptr fs:[00000030h]	2_2_03C6E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6E284 mov eax, dword ptr fs:[00000030h]	2_2_03C6E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB0283 mov eax, dword ptr fs:[00000030h]	2_2_03CB0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB0283 mov eax, dword ptr fs:[00000030h]	2_2_03CB0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB0283 mov eax, dword ptr fs:[00000030h]	2_2_03CB0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CC62A0 mov eax, dword ptr fs:[00000030h]	2_2_03CC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CC62A0 mov ecx, dword ptr fs:[00000030h]	2_2_03CC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CC62A0 mov eax, dword ptr fs:[00000030h]	2_2_03CC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CC62A0 mov eax, dword ptr fs:[00000030h]	2_2_03CC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CC62A0 mov eax, dword ptr fs:[00000030h]	2_2_03CC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CC62A0 mov eax, dword ptr fs:[00000030h]	2_2_03CC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB8243 mov eax, dword ptr fs:[00000030h]	2_2_03CB8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB8243 mov ecx, dword ptr fs:[00000030h]	2_2_03CB8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2A250 mov eax, dword ptr fs:[00000030h]	2_2_03C2A250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C36259 mov eax, dword ptr fs:[00000030h]	2_2_03C36259
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CEA250 mov eax, dword ptr fs:[00000030h]	2_2_03CEA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CEA250 mov eax, dword ptr fs:[00000030h]	2_2_03CEA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C34260 mov eax, dword ptr fs:[00000030h]	2_2_03C34260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C34260 mov eax, dword ptr fs:[00000030h]	2_2_03C34260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C34260 mov eax, dword ptr fs:[00000030h]	2_2_03C34260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2826B mov eax, dword ptr fs:[00000030h]	2_2_03C2826B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE0274 mov eax, dword ptr fs:[00000030h]	2_2_03CE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE0274 mov eax, dword ptr fs:[00000030h]	2_2_03CE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE0274 mov eax, dword ptr fs:[00000030h]	2_2_03CE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE0274 mov eax, dword ptr fs:[00000030h]	2_2_03CE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE0274 mov eax, dword ptr fs:[00000030h]	2_2_03CE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE0274 mov eax, dword ptr fs:[00000030h]	2_2_03CE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE0274 mov eax, dword ptr fs:[00000030h]	2_2_03CE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE0274 mov eax, dword ptr fs:[00000030h]	2_2_03CE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE0274 mov eax, dword ptr fs:[00000030h]	2_2_03CE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE0274 mov eax, dword ptr fs:[00000030h]	2_2_03CE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE0274 mov eax, dword ptr fs:[00000030h]	2_2_03CE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE0274 mov eax, dword ptr fs:[00000030h]	2_2_03CE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2823B mov eax, dword ptr fs:[00000030h]	2_2_03C2823B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CF61C3 mov eax, dword ptr fs:[00000030h]	2_2_03CF61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CF61C3 mov eax, dword ptr fs:[00000030h]	2_2_03CF61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CAE1D0 mov eax, dword ptr fs:[00000030h]	2_2_03CAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CAE1D0 mov eax, dword ptr fs:[00000030h]	2_2_03CAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CAE1D0 mov ecx, dword ptr fs:[00000030h]	2_2_03CAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CAE1D0 mov eax, dword ptr fs:[00000030h]	2_2_03CAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CAE1D0 mov eax, dword ptr fs:[00000030h]	2_2_03CAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03D061E5 mov eax, dword ptr fs:[00000030h]	2_2_03D061E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C601F8 mov eax, dword ptr fs:[00000030h]	2_2_03C601F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C70185 mov eax, dword ptr fs:[00000030h]	2_2_03C70185
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CEC188 mov eax, dword ptr fs:[00000030h]	2_2_03CEC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CEC188 mov eax, dword ptr fs:[00000030h]	2_2_03CEC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CD4180 mov eax, dword ptr fs:[00000030h]	2_2_03CD4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CD4180 mov eax, dword ptr fs:[00000030h]	2_2_03CD4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB019F mov eax, dword ptr fs:[00000030h]	2_2_03CB019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB019F mov eax, dword ptr fs:[00000030h]	2_2_03CB019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB019F mov eax, dword ptr fs:[00000030h]	2_2_03CB019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB019F mov eax, dword ptr fs:[00000030h]	2_2_03CB019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2A197 mov eax, dword ptr fs:[00000030h]	2_2_03C2A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2A197 mov eax, dword ptr fs:[00000030h]	2_2_03C2A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2A197 mov eax, dword ptr fs:[00000030h]	2_2_03C2A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CC4144 mov eax, dword ptr fs:[00000030h]	2_2_03CC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CC4144 mov eax, dword ptr fs:[00000030h]	2_2_03CC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CC4144 mov ecx, dword ptr fs:[00000030h]	2_2_03CC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CC4144 mov eax, dword ptr fs:[00000030h]	2_2_03CC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CC4144 mov eax, dword ptr fs:[00000030h]	2_2_03CC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2C156 mov eax, dword ptr fs:[00000030h]	2_2_03C2C156
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CC8158 mov eax, dword ptr fs:[00000030h]	2_2_03CC8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C36154 mov eax, dword ptr fs:[00000030h]	2_2_03C36154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C36154 mov eax, dword ptr fs:[00000030h]	2_2_03C36154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CDE10E mov eax, dword ptr fs:[00000030h]	2_2_03CDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CDE10E mov ecx, dword ptr fs:[00000030h]	2_2_03CDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CDE10E mov eax, dword ptr fs:[00000030h]	2_2_03CDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CDE10E mov eax, dword ptr fs:[00000030h]	2_2_03CDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CDE10E mov ecx, dword ptr fs:[00000030h]	2_2_03CDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CDE10E mov eax, dword ptr fs:[00000030h]	2_2_03CDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CDE10E mov eax, dword ptr fs:[00000030h]	2_2_03CDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CDE10E mov ecx, dword ptr fs:[00000030h]	2_2_03CDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CDE10E mov eax, dword ptr fs:[00000030h]	2_2_03CDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CDE10E mov ecx, dword ptr fs:[00000030h]	2_2_03CDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CDA118 mov ecx, dword ptr fs:[00000030h]	2_2_03CDA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CDA118 mov eax, dword ptr fs:[00000030h]	2_2_03CDA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CDA118 mov eax, dword ptr fs:[00000030h]	2_2_03CDA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CDA118 mov eax, dword ptr fs:[00000030h]	2_2_03CDA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CF0115 mov eax, dword ptr fs:[00000030h]	2_2_03CF0115
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C60124 mov eax, dword ptr fs:[00000030h]	2_2_03C60124
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB20DE mov eax, dword ptr fs:[00000030h]	2_2_03CB20DE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2A0E3 mov ecx, dword ptr fs:[00000030h]	2_2_03C2A0E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C380E9 mov eax, dword ptr fs:[00000030h]	2_2_03C380E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB60E0 mov eax, dword ptr fs:[00000030h]	2_2_03CB60E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2C0F0 mov eax, dword ptr fs:[00000030h]	2_2_03C2C0F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C720F0 mov ecx, dword ptr fs:[00000030h]	2_2_03C720F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3208A mov eax, dword ptr fs:[00000030h]	2_2_03C3208A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CC80A8 mov eax, dword ptr fs:[00000030h]	2_2_03CC80A8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CF60B8 mov eax, dword ptr fs:[00000030h]	2_2_03CF60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CF60B8 mov ecx, dword ptr fs:[00000030h]	2_2_03CF60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C32050 mov eax, dword ptr fs:[00000030h]	2_2_03C32050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB6050 mov eax, dword ptr fs:[00000030h]	2_2_03CB6050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5C073 mov eax, dword ptr fs:[00000030h]	2_2_03C5C073
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB4000 mov ecx, dword ptr fs:[00000030h]	2_2_03CB4000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CD2000 mov eax, dword ptr fs:[00000030h]	2_2_03CD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CD2000 mov eax, dword ptr fs:[00000030h]	2_2_03CD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CD2000 mov eax, dword ptr fs:[00000030h]	2_2_03CD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CD2000 mov eax, dword ptr fs:[00000030h]	2_2_03CD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CD2000 mov eax, dword ptr fs:[00000030h]	2_2_03CD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CD2000 mov eax, dword ptr fs:[00000030h]	2_2_03CD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CD2000 mov eax, dword ptr fs:[00000030h]	2_2_03CD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CD2000 mov eax, dword ptr fs:[00000030h]	2_2_03CD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C4E016 mov eax, dword ptr fs:[00000030h]	2_2_03C4E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C4E016 mov eax, dword ptr fs:[00000030h]	2_2_03C4E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C4E016 mov eax, dword ptr fs:[00000030h]	2_2_03C4E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C4E016 mov eax, dword ptr fs:[00000030h]	2_2_03C4E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2A020 mov eax, dword ptr fs:[00000030h]	2_2_03C2A020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2C020 mov eax, dword ptr fs:[00000030h]	2_2_03C2C020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CC6030 mov eax, dword ptr fs:[00000030h]	2_2_03CC6030
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3C7C0 mov eax, dword ptr fs:[00000030h]	2_2_03C3C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB07C3 mov eax, dword ptr fs:[00000030h]	2_2_03CB07C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C527ED mov eax, dword ptr fs:[00000030h]	2_2_03C527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C527ED mov eax, dword ptr fs:[00000030h]	2_2_03C527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C527ED mov eax, dword ptr fs:[00000030h]	2_2_03C527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CBE7E1 mov eax, dword ptr fs:[00000030h]	2_2_03CBE7E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C347FB mov eax, dword ptr fs:[00000030h]	2_2_03C347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C347FB mov eax, dword ptr fs:[00000030h]	2_2_03C347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CD678E mov eax, dword ptr fs:[00000030h]	2_2_03CD678E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C307AF mov eax, dword ptr fs:[00000030h]	2_2_03C307AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE47A0 mov eax, dword ptr fs:[00000030h]	2_2_03CE47A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6674D mov esi, dword ptr fs:[00000030h]	2_2_03C6674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6674D mov eax, dword ptr fs:[00000030h]	2_2_03C6674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6674D mov eax, dword ptr fs:[00000030h]	2_2_03C6674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C30750 mov eax, dword ptr fs:[00000030h]	2_2_03C30750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CBE75D mov eax, dword ptr fs:[00000030h]	2_2_03CBE75D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72750 mov eax, dword ptr fs:[00000030h]	2_2_03C72750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72750 mov eax, dword ptr fs:[00000030h]	2_2_03C72750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB4755 mov eax, dword ptr fs:[00000030h]	2_2_03CB4755
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C38770 mov eax, dword ptr fs:[00000030h]	2_2_03C38770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40770 mov eax, dword ptr fs:[00000030h]	2_2_03C40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40770 mov eax, dword ptr fs:[00000030h]	2_2_03C40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40770 mov eax, dword ptr fs:[00000030h]	2_2_03C40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40770 mov eax, dword ptr fs:[00000030h]	2_2_03C40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40770 mov eax, dword ptr fs:[00000030h]	2_2_03C40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40770 mov eax, dword ptr fs:[00000030h]	2_2_03C40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40770 mov eax, dword ptr fs:[00000030h]	2_2_03C40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40770 mov eax, dword ptr fs:[00000030h]	2_2_03C40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40770 mov eax, dword ptr fs:[00000030h]	2_2_03C40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40770 mov eax, dword ptr fs:[00000030h]	2_2_03C40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40770 mov eax, dword ptr fs:[00000030h]	2_2_03C40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40770 mov eax, dword ptr fs:[00000030h]	2_2_03C40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6C700 mov eax, dword ptr fs:[00000030h]	2_2_03C6C700
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C30710 mov eax, dword ptr fs:[00000030h]	2_2_03C30710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C60710 mov eax, dword ptr fs:[00000030h]	2_2_03C60710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6C720 mov eax, dword ptr fs:[00000030h]	2_2_03C6C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6C720 mov eax, dword ptr fs:[00000030h]	2_2_03C6C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6273C mov eax, dword ptr fs:[00000030h]	2_2_03C6273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6273C mov ecx, dword ptr fs:[00000030h]	2_2_03C6273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6273C mov eax, dword ptr fs:[00000030h]	2_2_03C6273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CAC730 mov eax, dword ptr fs:[00000030h]	2_2_03CAC730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6A6C7 mov ebx, dword ptr fs:[00000030h]	2_2_03C6A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6A6C7 mov eax, dword ptr fs:[00000030h]	2_2_03C6A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CAE6F2 mov eax, dword ptr fs:[00000030h]	2_2_03CAE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CAE6F2 mov eax, dword ptr fs:[00000030h]	2_2_03CAE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CAE6F2 mov eax, dword ptr fs:[00000030h]	2_2_03CAE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CAE6F2 mov eax, dword ptr fs:[00000030h]	2_2_03CAE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB06F1 mov eax, dword ptr fs:[00000030h]	2_2_03CB06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB06F1 mov eax, dword ptr fs:[00000030h]	2_2_03CB06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C34690 mov eax, dword ptr fs:[00000030h]	2_2_03C34690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C34690 mov eax, dword ptr fs:[00000030h]	2_2_03C34690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6C6A6 mov eax, dword ptr fs:[00000030h]	2_2_03C6C6A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C666B0 mov eax, dword ptr fs:[00000030h]	2_2_03C666B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C4C640 mov eax, dword ptr fs:[00000030h]	2_2_03C4C640
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CF866E mov eax, dword ptr fs:[00000030h]	2_2_03CF866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CF866E mov eax, dword ptr fs:[00000030h]	2_2_03CF866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6A660 mov eax, dword ptr fs:[00000030h]	2_2_03C6A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6A660 mov eax, dword ptr fs:[00000030h]	2_2_03C6A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C62674 mov eax, dword ptr fs:[00000030h]	2_2_03C62674
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CAE609 mov eax, dword ptr fs:[00000030h]	2_2_03CAE609
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C4260B mov eax, dword ptr fs:[00000030h]	2_2_03C4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C4260B mov eax, dword ptr fs:[00000030h]	2_2_03C4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C4260B mov eax, dword ptr fs:[00000030h]	2_2_03C4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C4260B mov eax, dword ptr fs:[00000030h]	2_2_03C4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C4260B mov eax, dword ptr fs:[00000030h]	2_2_03C4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C4260B mov eax, dword ptr fs:[00000030h]	2_2_03C4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C4260B mov eax, dword ptr fs:[00000030h]	2_2_03C4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72619 mov eax, dword ptr fs:[00000030h]	2_2_03C72619
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C4E627 mov eax, dword ptr fs:[00000030h]	2_2_03C4E627
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C66620 mov eax, dword ptr fs:[00000030h]	2_2_03C66620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C68620 mov eax, dword ptr fs:[00000030h]	2_2_03C68620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3262C mov eax, dword ptr fs:[00000030h]	2_2_03C3262C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6E5CF mov eax, dword ptr fs:[00000030h]	2_2_03C6E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6E5CF mov eax, dword ptr fs:[00000030h]	2_2_03C6E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C365D0 mov eax, dword ptr fs:[00000030h]	2_2_03C365D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6A5D0 mov eax, dword ptr fs:[00000030h]	2_2_03C6A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6A5D0 mov eax, dword ptr fs:[00000030h]	2_2_03C6A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5E5E7 mov eax, dword ptr fs:[00000030h]	2_2_03C5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5E5E7 mov eax, dword ptr fs:[00000030h]	2_2_03C5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5E5E7 mov eax, dword ptr fs:[00000030h]	2_2_03C5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5E5E7 mov eax, dword ptr fs:[00000030h]	2_2_03C5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5E5E7 mov eax, dword ptr fs:[00000030h]	2_2_03C5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5E5E7 mov eax, dword ptr fs:[00000030h]	2_2_03C5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5E5E7 mov eax, dword ptr fs:[00000030h]	2_2_03C5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5E5E7 mov eax, dword ptr fs:[00000030h]	2_2_03C5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C325E0 mov eax, dword ptr fs:[00000030h]	2_2_03C325E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6C5ED mov eax, dword ptr fs:[00000030h]	2_2_03C6C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6C5ED mov eax, dword ptr fs:[00000030h]	2_2_03C6C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C32582 mov eax, dword ptr fs:[00000030h]	2_2_03C32582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C32582 mov ecx, dword ptr fs:[00000030h]	2_2_03C32582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C64588 mov eax, dword ptr fs:[00000030h]	2_2_03C64588
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6E59C mov eax, dword ptr fs:[00000030h]	2_2_03C6E59C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB05A7 mov eax, dword ptr fs:[00000030h]	2_2_03CB05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB05A7 mov eax, dword ptr fs:[00000030h]	2_2_03CB05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB05A7 mov eax, dword ptr fs:[00000030h]	2_2_03CB05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C545B1 mov eax, dword ptr fs:[00000030h]	2_2_03C545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C545B1 mov eax, dword ptr fs:[00000030h]	2_2_03C545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C38550 mov eax, dword ptr fs:[00000030h]	2_2_03C38550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C38550 mov eax, dword ptr fs:[00000030h]	2_2_03C38550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6656A mov eax, dword ptr fs:[00000030h]	2_2_03C6656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6656A mov eax, dword ptr fs:[00000030h]	2_2_03C6656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6656A mov eax, dword ptr fs:[00000030h]	2_2_03C6656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CC6500 mov eax, dword ptr fs:[00000030h]	2_2_03CC6500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03D04500 mov eax, dword ptr fs:[00000030h]	2_2_03D04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03D04500 mov eax, dword ptr fs:[00000030h]	2_2_03D04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03D04500 mov eax, dword ptr fs:[00000030h]	2_2_03D04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03D04500 mov eax, dword ptr fs:[00000030h]	2_2_03D04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03D04500 mov eax, dword ptr fs:[00000030h]	2_2_03D04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03D04500 mov eax, dword ptr fs:[00000030h]	2_2_03D04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03D04500 mov eax, dword ptr fs:[00000030h]	2_2_03D04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40535 mov eax, dword ptr fs:[00000030h]	2_2_03C40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40535 mov eax, dword ptr fs:[00000030h]	2_2_03C40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40535 mov eax, dword ptr fs:[00000030h]	2_2_03C40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40535 mov eax, dword ptr fs:[00000030h]	2_2_03C40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40535 mov eax, dword ptr fs:[00000030h]	2_2_03C40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40535 mov eax, dword ptr fs:[00000030h]	2_2_03C40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5E53E mov eax, dword ptr fs:[00000030h]	2_2_03C5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5E53E mov eax, dword ptr fs:[00000030h]	2_2_03C5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5E53E mov eax, dword ptr fs:[00000030h]	2_2_03C5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5E53E mov eax, dword ptr fs:[00000030h]	2_2_03C5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5E53E mov eax, dword ptr fs:[00000030h]	2_2_03C5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C304E5 mov ecx, dword ptr fs:[00000030h]	2_2_03C304E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CEA49A mov eax, dword ptr fs:[00000030h]	2_2_03CEA49A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C364AB mov eax, dword ptr fs:[00000030h]	2_2_03C364AB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C644B0 mov ecx, dword ptr fs:[00000030h]	2_2_03C644B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CBA4B0 mov eax, dword ptr fs:[00000030h]	2_2_03CBA4B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6E443 mov eax, dword ptr fs:[00000030h]	2_2_03C6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6E443 mov eax, dword ptr fs:[00000030h]	2_2_03C6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6E443 mov eax, dword ptr fs:[00000030h]	2_2_03C6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6E443 mov eax, dword ptr fs:[00000030h]	2_2_03C6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6E443 mov eax, dword ptr fs:[00000030h]	2_2_03C6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6E443 mov eax, dword ptr fs:[00000030h]	2_2_03C6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6E443 mov eax, dword ptr fs:[00000030h]	2_2_03C6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6E443 mov eax, dword ptr fs:[00000030h]	2_2_03C6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CEA456 mov eax, dword ptr fs:[00000030h]	2_2_03CEA456
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2645D mov eax, dword ptr fs:[00000030h]	2_2_03C2645D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5245A mov eax, dword ptr fs:[00000030h]	2_2_03C5245A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CBC460 mov ecx, dword ptr fs:[00000030h]	2_2_03CBC460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5A470 mov eax, dword ptr fs:[00000030h]	2_2_03C5A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5A470 mov eax, dword ptr fs:[00000030h]	2_2_03C5A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5A470 mov eax, dword ptr fs:[00000030h]	2_2_03C5A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C68402 mov eax, dword ptr fs:[00000030h]	2_2_03C68402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C68402 mov eax, dword ptr fs:[00000030h]	2_2_03C68402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C68402 mov eax, dword ptr fs:[00000030h]	2_2_03C68402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2E420 mov eax, dword ptr fs:[00000030h]	2_2_03C2E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2E420 mov eax, dword ptr fs:[00000030h]	2_2_03C2E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2E420 mov eax, dword ptr fs:[00000030h]	2_2_03C2E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2C427 mov eax, dword ptr fs:[00000030h]	2_2_03C2C427
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB6420 mov eax, dword ptr fs:[00000030h]	2_2_03CB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB6420 mov eax, dword ptr fs:[00000030h]	2_2_03CB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB6420 mov eax, dword ptr fs:[00000030h]	2_2_03CB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB6420 mov eax, dword ptr fs:[00000030h]	2_2_03CB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB6420 mov eax, dword ptr fs:[00000030h]	2_2_03CB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB6420 mov eax, dword ptr fs:[00000030h]	2_2_03CB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB6420 mov eax, dword ptr fs:[00000030h]	2_2_03CB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6A430 mov eax, dword ptr fs:[00000030h]	2_2_03C6A430
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C50BCB mov eax, dword ptr fs:[00000030h]	2_2_03C50BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C50BCB mov eax, dword ptr fs:[00000030h]	2_2_03C50BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C50BCB mov eax, dword ptr fs:[00000030h]	2_2_03C50BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C30BCD mov eax, dword ptr fs:[00000030h]	2_2_03C30BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C30BCD mov eax, dword ptr fs:[00000030h]	2_2_03C30BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C30BCD mov eax, dword ptr fs:[00000030h]	2_2_03C30BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CDEBD0 mov eax, dword ptr fs:[00000030h]	2_2_03CDEBD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C38BF0 mov eax, dword ptr fs:[00000030h]	2_2_03C38BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C38BF0 mov eax, dword ptr fs:[00000030h]	2_2_03C38BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C38BF0 mov eax, dword ptr fs:[00000030h]	2_2_03C38BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5EBFC mov eax, dword ptr fs:[00000030h]	2_2_03C5EBFC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CBCBF0 mov eax, dword ptr fs:[00000030h]	2_2_03CBCBF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40BBE mov eax, dword ptr fs:[00000030h]	2_2_03C40BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40BBE mov eax, dword ptr fs:[00000030h]	2_2_03C40BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE4BB0 mov eax, dword ptr fs:[00000030h]	2_2_03CE4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE4BB0 mov eax, dword ptr fs:[00000030h]	2_2_03CE4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE4B4B mov eax, dword ptr fs:[00000030h]	2_2_03CE4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE4B4B mov eax, dword ptr fs:[00000030h]	2_2_03CE4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CC6B40 mov eax, dword ptr fs:[00000030h]	2_2_03CC6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CC6B40 mov eax, dword ptr fs:[00000030h]	2_2_03CC6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CFAB40 mov eax, dword ptr fs:[00000030h]	2_2_03CFAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CD8B42 mov eax, dword ptr fs:[00000030h]	2_2_03CD8B42
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CDEB50 mov eax, dword ptr fs:[00000030h]	2_2_03CDEB50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2CB7E mov eax, dword ptr fs:[00000030h]	2_2_03C2CB7E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CAEB1D mov eax, dword ptr fs:[00000030h]	2_2_03CAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CAEB1D mov eax, dword ptr fs:[00000030h]	2_2_03CAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CAEB1D mov eax, dword ptr fs:[00000030h]	2_2_03CAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CAEB1D mov eax, dword ptr fs:[00000030h]	2_2_03CAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CAEB1D mov eax, dword ptr fs:[00000030h]	2_2_03CAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CAEB1D mov eax, dword ptr fs:[00000030h]	2_2_03CAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CAEB1D mov eax, dword ptr fs:[00000030h]	2_2_03CAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CAEB1D mov eax, dword ptr fs:[00000030h]	2_2_03CAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CAEB1D mov eax, dword ptr fs:[00000030h]	2_2_03CAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5EB20 mov eax, dword ptr fs:[00000030h]	2_2_03C5EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5EB20 mov eax, dword ptr fs:[00000030h]	2_2_03C5EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CF8B28 mov eax, dword ptr fs:[00000030h]	2_2_03CF8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CF8B28 mov eax, dword ptr fs:[00000030h]	2_2_03CF8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C86ACC mov eax, dword ptr fs:[00000030h]	2_2_03C86ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C86ACC mov eax, dword ptr fs:[00000030h]	2_2_03C86ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C86ACC mov eax, dword ptr fs:[00000030h]	2_2_03C86ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C30AD0 mov eax, dword ptr fs:[00000030h]	2_2_03C30AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C64AD0 mov eax, dword ptr fs:[00000030h]	2_2_03C64AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C64AD0 mov eax, dword ptr fs:[00000030h]	2_2_03C64AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6AAEE mov eax, dword ptr fs:[00000030h]	2_2_03C6AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6AAEE mov eax, dword ptr fs:[00000030h]	2_2_03C6AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3EA80 mov eax, dword ptr fs:[00000030h]	2_2_03C3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3EA80 mov eax, dword ptr fs:[00000030h]	2_2_03C3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3EA80 mov eax, dword ptr fs:[00000030h]	2_2_03C3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3EA80 mov eax, dword ptr fs:[00000030h]	2_2_03C3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3EA80 mov eax, dword ptr fs:[00000030h]	2_2_03C3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3EA80 mov eax, dword ptr fs:[00000030h]	2_2_03C3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3EA80 mov eax, dword ptr fs:[00000030h]	2_2_03C3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3EA80 mov eax, dword ptr fs:[00000030h]	2_2_03C3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3EA80 mov eax, dword ptr fs:[00000030h]	2_2_03C3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03D04A80 mov eax, dword ptr fs:[00000030h]	2_2_03D04A80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C68A90 mov edx, dword ptr fs:[00000030h]	2_2_03C68A90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C38AA0 mov eax, dword ptr fs:[00000030h]	2_2_03C38AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C38AA0 mov eax, dword ptr fs:[00000030h]	2_2_03C38AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C86AA4 mov eax, dword ptr fs:[00000030h]	2_2_03C86AA4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C36A50 mov eax, dword ptr fs:[00000030h]	2_2_03C36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C36A50 mov eax, dword ptr fs:[00000030h]	2_2_03C36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C36A50 mov eax, dword ptr fs:[00000030h]	2_2_03C36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C36A50 mov eax, dword ptr fs:[00000030h]	2_2_03C36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C36A50 mov eax, dword ptr fs:[00000030h]	2_2_03C36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C36A50 mov eax, dword ptr fs:[00000030h]	2_2_03C36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C36A50 mov eax, dword ptr fs:[00000030h]	2_2_03C36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40A5B mov eax, dword ptr fs:[00000030h]	2_2_03C40A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40A5B mov eax, dword ptr fs:[00000030h]	2_2_03C40A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6CA6F mov eax, dword ptr fs:[00000030h]	2_2_03C6CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6CA6F mov eax, dword ptr fs:[00000030h]	2_2_03C6CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6CA6F mov eax, dword ptr fs:[00000030h]	2_2_03C6CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CDEA60 mov eax, dword ptr fs:[00000030h]	2_2_03CDEA60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CACA72 mov eax, dword ptr fs:[00000030h]	2_2_03CACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CACA72 mov eax, dword ptr fs:[00000030h]	2_2_03CACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CBCA11 mov eax, dword ptr fs:[00000030h]	2_2_03CBCA11
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6CA24 mov eax, dword ptr fs:[00000030h]	2_2_03C6CA24
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5EA2E mov eax, dword ptr fs:[00000030h]	2_2_03C5EA2E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C54A35 mov eax, dword ptr fs:[00000030h]	2_2_03C54A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C54A35 mov eax, dword ptr fs:[00000030h]	2_2_03C54A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6CA38 mov eax, dword ptr fs:[00000030h]	2_2_03C6CA38
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CC69C0 mov eax, dword ptr fs:[00000030h]	2_2_03CC69C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3A9D0 mov eax, dword ptr fs:[00000030h]	2_2_03C3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3A9D0 mov eax, dword ptr fs:[00000030h]	2_2_03C3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3A9D0 mov eax, dword ptr fs:[00000030h]	2_2_03C3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3A9D0 mov eax, dword ptr fs:[00000030h]	2_2_03C3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3A9D0 mov eax, dword ptr fs:[00000030h]	2_2_03C3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3A9D0 mov eax, dword ptr fs:[00000030h]	2_2_03C3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C649D0 mov eax, dword ptr fs:[00000030h]	2_2_03C649D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CFA9D3 mov eax, dword ptr fs:[00000030h]	2_2_03CFA9D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CBE9E0 mov eax, dword ptr fs:[00000030h]	2_2_03CBE9E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C629F9 mov eax, dword ptr fs:[00000030h]	2_2_03C629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C629F9 mov eax, dword ptr fs:[00000030h]	2_2_03C629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C429A0 mov eax, dword ptr fs:[00000030h]	2_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C429A0 mov eax, dword ptr fs:[00000030h]	2_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C429A0 mov eax, dword ptr fs:[00000030h]	2_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C429A0 mov eax, dword ptr fs:[00000030h]	2_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C429A0 mov eax, dword ptr fs:[00000030h]	2_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C429A0 mov eax, dword ptr fs:[00000030h]	2_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C429A0 mov eax, dword ptr fs:[00000030h]	2_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C429A0 mov eax, dword ptr fs:[00000030h]	2_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C429A0 mov eax, dword ptr fs:[00000030h]	2_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C429A0 mov eax, dword ptr fs:[00000030h]	2_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C429A0 mov eax, dword ptr fs:[00000030h]	2_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C429A0 mov eax, dword ptr fs:[00000030h]	2_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C429A0 mov eax, dword ptr fs:[00000030h]	2_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C309AD mov eax, dword ptr fs:[00000030h]	2_2_03C309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C309AD mov eax, dword ptr fs:[00000030h]	2_2_03C309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB89B3 mov esi, dword ptr fs:[00000030h]	2_2_03CB89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB89B3 mov eax, dword ptr fs:[00000030h]	2_2_03CB89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB89B3 mov eax, dword ptr fs:[00000030h]	2_2_03CB89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB0946 mov eax, dword ptr fs:[00000030h]	2_2_03CB0946
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C56962 mov eax, dword ptr fs:[00000030h]	2_2_03C56962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C56962 mov eax, dword ptr fs:[00000030h]	2_2_03C56962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C56962 mov eax, dword ptr fs:[00000030h]	2_2_03C56962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C7096E mov eax, dword ptr fs:[00000030h]	2_2_03C7096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C7096E mov edx, dword ptr fs:[00000030h]	2_2_03C7096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C7096E mov eax, dword ptr fs:[00000030h]	2_2_03C7096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CD4978 mov eax, dword ptr fs:[00000030h]	2_2_03CD4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CD4978 mov eax, dword ptr fs:[00000030h]	2_2_03CD4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CBC97C mov eax, dword ptr fs:[00000030h]	2_2_03CBC97C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CAE908 mov eax, dword ptr fs:[00000030h]	2_2_03CAE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CAE908 mov eax, dword ptr fs:[00000030h]	2_2_03CAE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CBC912 mov eax, dword ptr fs:[00000030h]	2_2_03CBC912
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C28918 mov eax, dword ptr fs:[00000030h]	2_2_03C28918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C28918 mov eax, dword ptr fs:[00000030h]	2_2_03C28918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB892A mov eax, dword ptr fs:[00000030h]	2_2_03CB892A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CC892B mov eax, dword ptr fs:[00000030h]	2_2_03CC892B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5E8C0 mov eax, dword ptr fs:[00000030h]	2_2_03C5E8C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CFA8E4 mov eax, dword ptr fs:[00000030h]	2_2_03CFA8E4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6C8F9 mov eax, dword ptr fs:[00000030h]	2_2_03C6C8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6C8F9 mov eax, dword ptr fs:[00000030h]	2_2_03C6C8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C30887 mov eax, dword ptr fs:[00000030h]	2_2_03C30887
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CBC89D mov eax, dword ptr fs:[00000030h]	2_2_03CBC89D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C42840 mov ecx, dword ptr fs:[00000030h]	2_2_03C42840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C60854 mov eax, dword ptr fs:[00000030h]	2_2_03C60854
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C34859 mov eax, dword ptr fs:[00000030h]	2_2_03C34859
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C34859 mov eax, dword ptr fs:[00000030h]	2_2_03C34859
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CBE872 mov eax, dword ptr fs:[00000030h]	2_2_03CBE872
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CBE872 mov eax, dword ptr fs:[00000030h]	2_2_03CBE872
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CC6870 mov eax, dword ptr fs:[00000030h]	2_2_03CC6870
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CC6870 mov eax, dword ptr fs:[00000030h]	2_2_03CC6870
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CBC810 mov eax, dword ptr fs:[00000030h]	2_2_03CBC810
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C52835 mov eax, dword ptr fs:[00000030h]	2_2_03C52835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C52835 mov eax, dword ptr fs:[00000030h]	2_2_03C52835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C52835 mov eax, dword ptr fs:[00000030h]	2_2_03C52835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C52835 mov ecx, dword ptr fs:[00000030h]	2_2_03C52835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C52835 mov eax, dword ptr fs:[00000030h]	2_2_03C52835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C52835 mov eax, dword ptr fs:[00000030h]	2_2_03C52835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6A830 mov eax, dword ptr fs:[00000030h]	2_2_03C6A830
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CD483A mov eax, dword ptr fs:[00000030h]	2_2_03CD483A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CD483A mov eax, dword ptr fs:[00000030h]	2_2_03CD483A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C32FC8 mov eax, dword ptr fs:[00000030h]	2_2_03C32FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C32FC8 mov eax, dword ptr fs:[00000030h]	2_2_03C32FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C32FC8 mov eax, dword ptr fs:[00000030h]	2_2_03C32FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C32FC8 mov eax, dword ptr fs:[00000030h]	2_2_03C32FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2EFD8 mov eax, dword ptr fs:[00000030h]	2_2_03C2EFD8

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe

0_2_00FD0B62

Enables debug privileges

Source: C:\Windows\SysWOW64\svchost.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Code function: 0_2_00FA2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00FA2622
Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Code function: 0_2_00F9083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00F9083F
Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Code function: 0_2_00F909D5 SetUnhandledExceptionFilter,	0_2_00F909D5
Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Code function: 0_2_00F90C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00F90C21
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4_2_0034D470 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_0034D470

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 91.195.240.19 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 103.250.7.87 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 3.33.130.190 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 104.247.82.92 80	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\SysWOW64\WWAHost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\SysWOW64\WWAHost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\WWAHost.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\WWAHost.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\svchost.exe	Thread register set: target process: 4004			Jump to behavior
Source: C:\Windows\SysWOW64\WWAHost.exe	Thread register set: target process: 4004			Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\svchost.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Sample uses process hollowing technique

Source: C:\Windows\SysWOW64\svchost.exe

Section unmapped: C:\Windows\SysWOW64\WWAHost.exe base address: 300000

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: 30FA008

Jump to behavior

Contains functionality to execute programs as a different user

Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe

0_2_00FD1201

Contains functionality to launch a program with higher privileges

Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe

Code function: 0_2_00FB2BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00FB2BA5

Contains functionality to simulate keystroke presses

Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe

Code function: 0_2_00FDB226 SendInput,keybd_event,

0_2_00FDB226

Contains functionality to simulate mouse events

Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe

Code function: 0_2_00FF22DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_00FF22DA

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe"			Jump to behavior
Source: C:\Windows\SysWOW64\WWAHost.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\svchost.exe"			Jump to behavior

Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe

0_2_00FD0B62

Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe

Code function: 0_2_00FD1663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00FD1663

Source: Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: explorer.exe, 00000003.00000002.3346658743.00000000013A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.2085922571.00000000013A1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: IProgram Manager
Source: Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe, explorer.exe, 00000003.00000000.2087273308.00000000048E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3346658743.00000000013A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000003.00000002.3346658743.00000000013A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.2085922571.00000000013A1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000003.00000000.2085668915.0000000000D69000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3346181735.0000000000D69000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: +Progman
Source: explorer.exe, 00000003.00000002.3346658743.00000000013A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.2085922571.00000000013A1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000003.00000000.2093568862.00000000098AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3350905176.00000000098AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2979873676.00000000098AD000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd31A

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe

Code function: 0_2_00F90698 cpuid

0_2_00F90698

Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe

0_2_00FE8195

Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe

Code function: 0_2_00FCD27A GetUserNameW,

0_2_00FCD27A

Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe

Code function: 0_2_00FAB952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_00FAB952

Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe

Code function: 0_2_00F742DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00F742DE

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 0.2.Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe.f00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe.f00000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2134027710.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3346411214.0000000002B60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2134242987.00000000033D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3346460276.0000000002B90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2065972721.0000000000F00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3346288616.0000000002A50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2134423414.0000000003940000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

OS version to string mapping found (often used in BOTs)

Source: Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Binary or memory string: WIN_81
Source: Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Binary or memory string: WIN_XP
Source: Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Binary or memory string: WIN_XPe
Source: Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Binary or memory string: WIN_VISTA
Source: Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Binary or memory string: WIN_7
Source: Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 0.2.Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe.f00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe.f00000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2134027710.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3346411214.0000000002B60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2134242987.00000000033D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3346460276.0000000002B90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2065972721.0000000000F00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3346288616.0000000002A50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2134423414.0000000003940000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Code function: 0_2_00FF1204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_00FF1204
Source: C:\Users\user\Desktop\Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Code function: 0_2_00FF1806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00FF1806

Windows Analysis Report
Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel
Provided by

Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

ID:	1435817
Product:	CloudBasic
Start time:	09:13:05
Start date:	03.05.2024
Sample:	Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	943efcacb9b6e31fd1fb06603641f259
SHA1:	0556c77bab07dd97230df5ebff60b38298e79f25
SHA256:	99ad43415d3fce1de4b15b26893f60e126645f028602a7a0fff9432b99403433
Filetype:	Win32 Executable (generic) a (10002005/4) 99.96%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Temp\aut4EA4.tmp	data	333F94A150B2C564959344CE16631FB7	67E01932E5EDEEDF77DD5068C2B1EF4914D3F6C5	878099B18C860DA50188C5A0FAE470548EE1914655EA6CE6EBB989C7F5F65682
C:\Users\user\AppData\Local\Temp\aut4F31.tmp	data	933CA3F9EF65BDC57CA9BCC10138EE6C	4166276E17E447D03FC46DB221F67C95B3743D46	EF5A0B9917D09CBFD0298B12DFF78FD9F99F808CB06D63596B8538045FF5CE3A
C:\Users\user\AppData\Local\Temp\definitization	data	19BD7C5716F6C2EE633917883F7A95C1	80F44CD4028C774C324B9493BE8CBCCAEE8A25CD	5E4E1539289F0B215E227206EB502570507F2057DA806DADE79B34189C2093F6
C:\Users\user\AppData\Local\Temp\underbalanced	ASCII text, with very long lines (29744), with no line terminators	90F635CB10220F430C96BD39CAC96CFA	597671543209C9FDFD755C4F0EFE829E12986C2A	5A8A0DDD6E4DC84D6E533BC7F380D3D4CF542139292E87E3415FCD8CB6A7B17C

Windows Analysis Report Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe

Malware Threat Intel
Provided by