Windows Analysis Report
1lAxaLKP7E.exe

Overview

General Information

Sample name: 1lAxaLKP7E.exe
renamed because original name is a hash value
Original sample name: 91b60b1ae0b37343c671b632eb3e358d9a5029c9c6405556ba835528c67fd6d8.exe
Analysis ID: 1504860
MD5: 98c1a12ce79248bbdb4c8a65fc227e58
SHA1: 259ae7a3d239a352db772433075f649d5fbda8e7
SHA256: 91b60b1ae0b37343c671b632eb3e358d9a5029c9c6405556ba835528c67fd6d8
Tags: exe

Detection

FormBook, XRed
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected FormBook
Yara detected XRed
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Contains functionality to detect sleep reduction / modifications
Found API chain indicative of sandbox detection
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Switches to a custom stack to bypass stack traces
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a control a shell (cmd.exe)
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Extensive use of GetProcAddress (often used to hide API calls)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May check if the current machine is a sandbox (GetTickCount - Sleep)
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
PE file contains sections with non-standard names
PE file does not import any functions
Potential key logger detected (key state polling based)
Queries the installation date of Windows
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match
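
The two Sigma hits above (svchost.exe started by an unexpected parent, and a write to a Wow6432Node CurrentVersion Run key) translate directly into telemetry checks. The Python below is an added example, not Joe Sandbox or Sigma project code. The Sysmon-like field names, the allow-list of legitimate svchost.exe parents, and the sample events are assumptions: the events are modeled on this report's process list, with the parent relation, the Run value name and the exact C:\ProgramData path filled in as placeholders.

```python
"""Sigma-style checks for the two 'Sigma detected' hits above, run over
constructed Sysmon-like events. Added example; not Joe Sandbox or Sigma code.
Assumptions: field names, the allow-list of legitimate svchost.exe parents,
and the sample events (modeled on this report's process list)."""
import ntpath
from dataclasses import dataclass


# Assumption: processes that legitimately start svchost.exe. Maintained Sigma
# rules carry a longer list (servicing and AV components); extend as needed.
LEGIT_SVCHOST_PARENTS = {
    r"c:\windows\system32\services.exe",
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\syswow64\svchost.exe",
}

# Key substring marking a 32-bit autorun entry on 64-bit Windows; the trailing
# "\run" also covers Run\<value> and RunOnce paths.
AUTORUN_KEY_MARKERS = (
    r"\software\wow6432node\microsoft\windows\currentversion\run",
)


@dataclass
class Event:
    kind: str                 # "process" (creation) or "registry" (value set)
    image: str                # image path of the acting process
    parent_image: str = ""    # process events only
    target_object: str = ""   # registry events only: full key and value path
    details: str = ""         # registry events only: data written


def uncommon_svchost_parent(ev: Event) -> bool:
    """svchost.exe started by something that is not a known service host parent."""
    if ev.kind != "process" or ntpath.basename(ev.image).lower() != "svchost.exe":
        return False
    return ev.parent_image.lower() not in LEGIT_SVCHOST_PARENTS


def wow6432node_autorun_modification(ev: Event) -> bool:
    """A value written under a Wow6432Node CurrentVersion Run or RunOnce key."""
    if ev.kind != "registry":
        return False
    target = ev.target_object.lower()
    return any(marker in target for marker in AUTORUN_KEY_MARKERS)


def scan(events):
    """Return (rule name, subject, context) for every event that triggers a rule."""
    hits = []
    for ev in events:
        if uncommon_svchost_parent(ev):
            hits.append(("Uncommon Svchost Parent Process", ev.image, ev.parent_image))
        if wow6432node_autorun_modification(ev):
            hits.append(("Wow6432Node CurrentVersion Autorun Keys Modification",
                         ev.target_object, ev.details))
    return hits


# Constructed sample events (not captured telemetry). The second and third
# mirror this report: a svchost.exe from SysWOW64 whose parent is assumed to be
# the AutoIt sample on the desktop, which then registers a dropped PE from
# C:\ProgramData for autorun. Value name and file path are placeholders.
SAMPLE_EVENTS = [
    Event("process", r"C:\Windows\System32\svchost.exe",
          parent_image=r"C:\Windows\System32\services.exe"),
    Event("process", r"C:\Windows\SysWOW64\svchost.exe",
          parent_image=r"C:\Users\user\Desktop\1lAxaLKP7E.exe"),
    Event("registry", r"C:\Windows\SysWOW64\svchost.exe",
          target_object=r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics",
          details=r"C:\ProgramData\Synaptics.exe"),
    Event("registry", r"C:\Windows\System32\msiexec.exe",
          target_object=r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\App\DisplayName",
          details="App"),
]


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(*hit, sep=" | ")
```

Running the block prints two hits: the SysWOW64 svchost.exe with the desktop executable as parent, and the Run value pointing into C:\ProgramData. The Uninstall key write is deliberately left unmatched, since only CurrentVersion\Run* keys are persistence locations.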

Classification

AV Detection

Source: http://xred.site50.net/syn/SSLLibrary.dll Avira URL Cloud: Label: malware
Source: C:\Users\user\Desktop\._cache_svchost.exe Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\Desktop\._cache_svchost.exe ReversingLabs: Detection: 87%
Source: 1lAxaLKP7E.exe ReversingLabs: Detection: 65%
Source: Yara match File source: 2.2.._cache_svchost.exe.630000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.2178717615.0000000000631000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2178961116.0000000000E20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\Desktop\._cache_svchost.exe Joe Sandbox ML: detected
Source: 1lAxaLKP7E.exe Joe Sandbox ML: detected
Source: 1lAxaLKP7E.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Binary string: wntdll.pdbUGP source: 1lAxaLKP7E.exe, 00000000.00000003.1814634487.0000000003860000.00000004.00001000.00020000.00000000.sdmp, 1lAxaLKP7E.exe, 00000000.00000003.1813379686.00000000038F0000.00000004.00001000.00020000.00000000.sdmp, ._cache_svchost.exe, 00000002.00000003.2147879512.0000000000FE2000.00000004.00000020.00020000.00000000.sdmp, ._cache_svchost.exe, 00000002.00000002.2179114739.0000000001190000.00000040.00001000.00020000.00000000.sdmp, ._cache_svchost.exe, 00000002.00000002.2179114739.000000000132E000.00000040.00001000.00020000.00000000.sdmp, ._cache_svchost.exe, 00000002.00000003.2145891846.0000000000D25000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: 1lAxaLKP7E.exe, 00000000.00000003.1814634487.0000000003860000.00000004.00001000.00020000.00000000.sdmp, 1lAxaLKP7E.exe, 00000000.00000003.1813379686.00000000038F0000.00000004.00001000.00020000.00000000.sdmp, ._cache_svchost.exe, ._cache_svchost.exe, 00000002.00000003.2147879512.0000000000FE2000.00000004.00000020.00020000.00000000.sdmp, ._cache_svchost.exe, 00000002.00000002.2179114739.0000000001190000.00000040.00001000.00020000.00000000.sdmp, ._cache_svchost.exe, 00000002.00000002.2179114739.000000000132E000.00000040.00001000.00020000.00000000.sdmp, ._cache_svchost.exe, 00000002.00000003.2145891846.0000000000D25000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: svchost.pdb source: svchost.exe, 00000001.00000003.1819565454.0000000003099000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1823129114.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Synaptics.exe, 00000007.00000002.1946319184.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Synaptics.exe.1.dr
Source: Binary string: svchost.pdbUGP source: svchost.exe, 00000001.00000003.1819565454.0000000003099000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1823129114.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Synaptics.exe, 00000007.00000002.1946319184.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Synaptics.exe.1.dr
Source: 1lAxaLKP7E.exe, 00000000.00000002.1815969856.0000000003640000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: [autorun]
Source: 1lAxaLKP7E.exe, 00000000.00000002.1815969856.0000000003640000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: autorun.inf
Source: svchost.exe Binary or memory string: autorun.inf
Source: svchost.exe Binary or memory string: [autorun]
Source: svchost.exe, 00000001.00000002.1823152194.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: [autorun]
Source: svchost.exe, 00000001.00000002.1823152194.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: autorun.inf
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe Code function: 0_2_006DDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose, 0_2_006DDBBE
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe Code function: 0_2_006E68EE FindFirstFileW,FindClose, 0_2_006E68EE
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe Code function: 0_2_006E698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime, 0_2_006E698F
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe Code function: 0_2_006DD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_006DD076
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe Code function: 0_2_006DD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_006DD3A9
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe Code function: 0_2_006E9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_006E9642
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe Code function: 0_2_006E979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_006E979D
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe Code function: 0_2_006E9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose, 0_2_006E9B2B
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe Code function: 0_2_006E5C97 FindFirstFileW,FindNextFileW,FindClose, 0_2_006E5C97
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_004099E0 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime, 1_2_004099E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00406018 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 1_2_00406018
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00409B1C FindFirstFileA,GetLastError, 1_2_00409B1C
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Users\user\AppData\Roaming Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Users\user Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Users\user\AppData\Roaming\Microsoft Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Users\user\AppData Jump to behavior
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe Code function: 0_2_006ECE44 InternetReadFile,SetEvent,GetLastError,SetEvent, 0_2_006ECE44
Source: svchost.exe, 00000001.00000003.1822907749.0000000004E00000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
Source: svchost.exe, 00000001.00000003.1822907749.0000000004E00000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://xred.site50.net/syn/SSLLibrary.dl
Source: svchost.exe, 00000001.00000002.1823152194.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://xred.site50.net/syn/SSLLibrary.dll
Source: svchost.exe, 00000001.00000002.1823152194.0000000000400000.00000040.80000000.00040000.00000000.sdmp, svchost.exe, 00000001.00000003.1822907749.0000000004E00000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://xred.site50.net/syn/SUpdate.ini
Source: svchost.exe, 00000001.00000003.1822907749.0000000004E00000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://xred.site50.net/syn/SUpdate.iniH)
Source: svchost.exe, 00000001.00000003.1822907749.0000000004E00000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://xred.site50.net/syn/Synaptics.rar
Source: svchost.exe, 00000001.00000003.1822907749.0000000004E00000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=downlo
Source: svchost.exe, 00000001.00000002.1823152194.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
Source: svchost.exe, 00000001.00000003.1822907749.0000000004E00000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloX
Source: svchost.exe, 00000001.00000002.1823152194.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
Source: svchost.exe, 00000001.00000003.1822907749.0000000004E00000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=downloX
Source: svchost.exe, 00000001.00000003.1822907749.0000000004E00000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=downloXO
Source: svchost.exe, 00000001.00000002.1823152194.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download
Source: svchost.exe, 00000001.00000002.1823152194.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
Source: svchost.exe, 00000001.00000003.1822907749.0000000004E00000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=T
Source: svchost.exe, 00000001.00000003.1822907749.0000000004E00000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl
Source: svchost.exe, 00000001.00000002.1823152194.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1
Source: svchost.exe, 00000001.00000003.1822907749.0000000004E00000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe Code function: 0_2_006EEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, 0_2_006EEAFF
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe Code function: 0_2_006EED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 0_2_006EED6A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00429040 GetObjectA,GetDC,CreateCompatibleDC,CreateBitmap,CreateCompatibleBitmap,GetDeviceCaps,GetDeviceCaps,SelectObject,GetDIBColorTable,GetDIBits,SelectObject,CreateDIBSection,GetDIBits,SelectObject,SelectPalette,RealizePalette,FillRect,SetTextColor,SetBkColor,SetDIBColorTable,PatBlt,CreateCompatibleDC,SelectObject,SelectPalette,RealizePalette,SetTextColor,SetBkColor,BitBlt,SelectPalette,SelectObject,DeleteDC,SelectPalette, 1_2_00429040
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe Code function: 0_2_006DAA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput, 0_2_006DAA57
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe Code function: 0_2_00709576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 0_2_00709576
Source: Yara match File source: Process Memory Space: 1lAxaLKP7E.exe PID: 6700, type: MEMORYSTR
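
The URL strings carved from svchost.exe memory above are the sample's update and download channels: a dyndns lookup on freedns.afraid.org, a site50.net host, and Dropbox and Google Docs file ids. The Python below is an added example, not Joe Sandbox's code. It extracts the URLs from report lines of the form shown above and sweeps proxy records for them; the shortened report excerpt, the list of shared hosts treated as path-only indicators, and the proxy log format and lines are all constructed assumptions.

```python
"""Turn the 'String found in binary or memory' lines above into network IOCs
and sweep web-proxy records for them. Added example, not Joe Sandbox code.
The report excerpt (memory-region ids shortened), the shared-host list and
the proxy log format and lines are constructed assumptions."""
import re
from urllib.parse import urlsplit

# Excerpt of the report lines above, shortened. Memory-carved strings are often
# truncated ("SSLLibrary.dl", "export=downlo") or carry trailing junk
# ("SUpdate.iniH)", "?dl=T"); they are kept as found and handled by prefix matching.
REPORT_EXCERPT = """
Source: svchost.exe, 00000001.00000003.sdmp String found in binary or memory: http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
Source: svchost.exe, 00000001.00000003.sdmp String found in binary or memory: http://xred.site50.net/syn/SSLLibrary.dl
Source: svchost.exe, 00000001.00000002.sdmp String found in binary or memory: http://xred.site50.net/syn/SSLLibrary.dll
Source: svchost.exe, 00000001.00000002.sdmp String found in binary or memory: http://xred.site50.net/syn/SUpdate.ini
Source: svchost.exe, 00000001.00000003.sdmp String found in binary or memory: http://xred.site50.net/syn/SUpdate.iniH)
Source: svchost.exe, 00000001.00000003.sdmp String found in binary or memory: http://xred.site50.net/syn/Synaptics.rar
Source: svchost.exe, 00000001.00000003.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=downlo
Source: svchost.exe, 00000001.00000002.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
Source: svchost.exe, 00000001.00000002.sdmp String found in binary or memory: https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
Source: svchost.exe, 00000001.00000003.sdmp String found in binary or memory: https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=T
"""

# Assumption: legitimate services the sample abuses for hosting. A hit on the
# host alone would be noise; only the full path (the attacker's share/file id
# or dyndns account hash) is an indicator there.
SHARED_HOSTS = {"docs.google.com", "www.dropbox.com", "freedns.afraid.org"}

# Constructed proxy records: "<time> <client> <method> <url> <status>".
SAMPLE_PROXY_LOG = """
2024-09-05T10:01:02Z 10.0.0.7 GET http://xred.site50.net/syn/SUpdate.ini 200
2024-09-05T10:01:03Z 10.0.0.7 GET https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1 200
2024-09-05T10:01:04Z 10.0.0.9 GET https://www.dropbox.com/s/q1w2e3r4t5y6u7i/report.pdf?dl=1 200
2024-09-05T10:01:05Z 10.0.0.7 GET https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download 302
2024-09-05T10:01:06Z 10.0.0.9 GET https://docs.google.com/document/d/1abc/edit 200
""".strip().splitlines()


def extract_urls(report_text):
    """URLs from 'String found in binary or memory:' lines, deduplicated."""
    return sorted(set(re.findall(r"String found in binary or memory: (https?://\S+)", report_text)))


def _target(url):
    """Lower-cased host and the path?query part, the pieces compared against the log."""
    p = urlsplit(url)
    host = (p.hostname or "").lower()
    return host, p.path + ("?" + p.query if p.query else "")


def build_iocs(urls):
    """Split URLs into dedicated hosts and (shared host, path prefix) pairs."""
    host_iocs, path_iocs = set(), set()
    for url in urls:
        host, target = _target(url)
        if host in SHARED_HOSTS:
            path_iocs.add((host, target))
        elif host:
            host_iocs.add(host)
    return host_iocs, path_iocs


def match_proxy_log(lines, host_iocs, path_iocs):
    """Return (log line, reason) for every record that touches an IOC.
    Path IOCs are matched as prefixes, so a truncated carved string still
    matches the full URL, while a variant with trailing junk simply never matches."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        host, target = _target(parts[3])
        if host in host_iocs:
            hits.append((line, "host " + host))
            continue
        for ioc_host, prefix in sorted(path_iocs):
            if host == ioc_host and target.startswith(prefix):
                hits.append((line, "url " + ioc_host + prefix))
                break
    return hits


if __name__ == "__main__":
    hosts, paths = build_iocs(extract_urls(REPORT_EXCERPT))
    for line, reason in match_proxy_log(SAMPLE_PROXY_LOG, hosts, paths):
        print(reason, "<-", line)
```

Of the five constructed records, only the three from client 10.0.0.7 match: the site50.net host, the specific Dropbox share, and the specific Google Docs file id. The other Dropbox share and the Google Docs edit page stay clean, which is the point of keeping shared hosts out of the host list. When feeding real report text, strip the memory-region identifiers first or widen the regex; the excerpt here is already shortened.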

E-Banking Fraud

Source: Yara match File source: 2.2.._cache_svchost.exe.630000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.2178717615.0000000000631000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2178961116.0000000000E20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

System Summary

Source: 2.2.._cache_svchost.exe.630000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.2178717615.0000000000631000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.2178961116.0000000000E20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 1lAxaLKP7E.exe String found in binary or memory: This is a third-party compiled AutoIt script.
Source: 1lAxaLKP7E.exe, 00000000.00000000.1725274560.0000000000732000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_95e16eda-3
Source: 1lAxaLKP7E.exe, 00000000.00000000.1725274560.0000000000732000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_089325fa-6
Source: 1lAxaLKP7E.exe String found in binary or memory: This is a third-party compiled AutoIt script. memstr_b4728bad-d
Source: 1lAxaLKP7E.exe String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_c48f032d-1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0043F118 NtdllDefWindowProc_A,GetCapture, 1_2_0043F118
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_004598AC NtdllDefWindowProc_A, 1_2_004598AC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0045A054 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A, 1_2_0045A054
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0045A104 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus, 1_2_0045A104
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0045E9EC SHGetPathFromIDList,SHGetPathFromIDList,NtdllDefWindowProc_A, 1_2_0045E9EC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0044EA40 GetSubMenu,SaveDC,RestoreDC,GetWindowDC,SaveDC,RestoreDC,NtdllDefWindowProc_A, 1_2_0044EA40
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0042F60C NtdllDefWindowProc_A, 1_2_0042F60C
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_0065C083 NtClose, 2_2_0065C083
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_01202B60 NtClose,LdrInitializeThunk, 2_2_01202B60
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_01202DF0 NtQuerySystemInformation,LdrInitializeThunk, 2_2_01202DF0
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_01202C70 NtFreeVirtualMemory,LdrInitializeThunk, 2_2_01202C70
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_012035C0 NtCreateMutant,LdrInitializeThunk, 2_2_012035C0
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_01204340 NtSetContextThread, 2_2_01204340
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_01204650 NtSuspendThread, 2_2_01204650
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_01202BA0 NtEnumerateValueKey, 2_2_01202BA0
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_01202B80 NtQueryInformationFile, 2_2_01202B80
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_01202BE0 NtQueryValueKey, 2_2_01202BE0
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_01202BF0 NtAllocateVirtualMemory, 2_2_01202BF0
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_01202AB0 NtWaitForSingleObject, 2_2_01202AB0
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_01202AF0 NtWriteFile, 2_2_01202AF0
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_01202AD0 NtReadFile, 2_2_01202AD0
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_01202D30 NtUnmapViewOfSection, 2_2_01202D30
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_01202D00 NtSetInformationFile, 2_2_01202D00
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_01202D10 NtMapViewOfSection, 2_2_01202D10
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_01202DB0 NtEnumerateKey, 2_2_01202DB0
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_01202DD0 NtDelayExecution, 2_2_01202DD0
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_01202C00 NtQueryInformationProcess, 2_2_01202C00
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_01202C60 NtCreateKey, 2_2_01202C60
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_01202CA0 NtQueryInformationToken, 2_2_01202CA0
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_01202CF0 NtOpenProcess, 2_2_01202CF0
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_01202CC0 NtQueryVirtualMemory, 2_2_01202CC0
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_01202F30 NtCreateSection, 2_2_01202F30
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_01202F60 NtCreateProcessEx, 2_2_01202F60
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_01202FA0 NtQuerySection, 2_2_01202FA0
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_01202FB0 NtResumeThread, 2_2_01202FB0
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_01202F90 NtProtectVirtualMemory, 2_2_01202F90
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_01202FE0 NtCreateFile, 2_2_01202FE0
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_01202E30 NtWriteVirtualMemory, 2_2_01202E30
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_01202EA0 NtAdjustPrivilegesToken, 2_2_01202EA0
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_01202E80 NtReadVirtualMemory, 2_2_01202E80
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_01202EE0 NtQueueApcThread, 2_2_01202EE0
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_01203010 NtOpenDirectoryObject, 2_2_01203010
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_01203090 NtSetValueKey, 2_2_01203090
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_012039B0 NtGetContextThread, 2_2_012039B0
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_01203D10 NtOpenProcessToken, 2_2_01203D10
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_01203D70 NtOpenThread, 2_2_01203D70
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe Code function: 0_2_006DD5EB: CreateFileW,DeviceIoControl,CloseHandle, 0_2_006DD5EB
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe Code function: 0_2_006D1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 0_2_006D1201
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe Code function: 0_2_006DE8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState, 0_2_006DE8F6
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe Code function: 0_2_0067CAF0 0_2_0067CAF0
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe Code function: 0_2_0067BF40 0_2_0067BF40
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe Code function: 0_2_00678060 0_2_00678060
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe Code function: 0_2_006E2046 0_2_006E2046
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe Code function: 0_2_006D8298 0_2_006D8298
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe Code function: 0_2_006AE4FF 0_2_006AE4FF
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe Code function: 0_2_006A676B 0_2_006A676B
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe Code function: 0_2_00704873 0_2_00704873
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe Code function: 0_2_0069CAA0 0_2_0069CAA0
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe Code function: 0_2_0068CC39 0_2_0068CC39
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe Code function: 0_2_006A6DD9 0_2_006A6DD9
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe Code function: 0_2_0068D065 0_2_0068D065
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe Code function: 0_2_0068B119 0_2_0068B119
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe Code function: 0_2_006791C0 0_2_006791C0
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe Code function: 0_2_00691394 0_2_00691394
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe Code function: 0_2_00691706 0_2_00691706
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe Code function: 0_2_0069781B 0_2_0069781B
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe Code function: 0_2_0068997D 0_2_0068997D
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe Code function: 0_2_00677920 0_2_00677920
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe Code function: 0_2_006919B0 0_2_006919B0
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe Code function: 0_2_00697A4A 0_2_00697A4A
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe Code function: 0_2_00691C77 0_2_00691C77
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe Code function: 0_2_00697CA7 0_2_00697CA7
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe Code function: 0_2_006FBE44 0_2_006FBE44
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe Code function: 0_2_006A9EEE 0_2_006A9EEE
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe Code function: 0_2_00691F32 0_2_00691F32
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe Code function: 0_2_00CA35D0 0_2_00CA35D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_004601F0 1_2_004601F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0046C7CC 1_2_0046C7CC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0048C7F4 1_2_0048C7F4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0044EA40 1_2_0044EA40
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00496E18 1_2_00496E18
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0046B1E4 1_2_0046B1E4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0045FCC8 1_2_0045FCC8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00453DA4 1_2_00453DA4
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_00631000 2_2_00631000
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_0063F8A3 2_2_0063F8A3
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_00631130 2_2_00631130
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_00646243 2_2_00646243
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_0063FAC3 2_2_0063FAC3
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_00631280 2_2_00631280
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_0063DB43 2_2_0063DB43
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_00631BF7 2_2_00631BF7
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_00632420 2_2_00632420
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_00631C00 2_2_00631C00
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_0065E6B3 2_2_0065E6B3
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_00632FA0 2_2_00632FA0
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011C0100 2_2_011C0100
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_0126A118 2_2_0126A118
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_01258158 2_2_01258158
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_012901AA 2_2_012901AA
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_012881CC 2_2_012881CC
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_01262000 2_2_01262000
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_0128A352 2_2_0128A352
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_012903E6 2_2_012903E6
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011DE3F0 2_2_011DE3F0
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_01270274 2_2_01270274
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_012502C0 2_2_012502C0
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011D0535 2_2_011D0535
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_01290591 2_2_01290591
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_01274420 2_2_01274420
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_01282446 2_2_01282446
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_0127E4F6 2_2_0127E4F6
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011F4750 2_2_011F4750
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011D0770 2_2_011D0770
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011CC7C0 2_2_011CC7C0
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011EC6E0 2_2_011EC6E0
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011E6962 2_2_011E6962
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_0129A9A6 2_2_0129A9A6
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011D29A0 2_2_011D29A0
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011DA840 2_2_011DA840
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011D2840 2_2_011D2840
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011B68B8 2_2_011B68B8
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011FE8F0 2_2_011FE8F0
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_0128AB40 2_2_0128AB40
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_01286BD7 2_2_01286BD7
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011CEA80 2_2_011CEA80
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011DAD00 2_2_011DAD00
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_0126CD1F 2_2_0126CD1F
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011E8DBF 2_2_011E8DBF
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011CADE0 2_2_011CADE0
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011D0C00 2_2_011D0C00
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_01270CB5 2_2_01270CB5
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011C0CF2 2_2_011C0CF2
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_01212F28 2_2_01212F28
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_01272F30 2_2_01272F30
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011F0F30 2_2_011F0F30
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_01244F40 2_2_01244F40
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_0124EFA0 2_2_0124EFA0
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011C2FC8 2_2_011C2FC8
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_0128EE26 2_2_0128EE26
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011D0E59 2_2_011D0E59
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011E2E90 2_2_011E2E90
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_0128CE93 2_2_0128CE93
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_0128EEDB 2_2_0128EEDB
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_0129B16B 2_2_0129B16B
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_0120516C 2_2_0120516C
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011BF172 2_2_011BF172
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011DB1B0 2_2_011DB1B0
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_012870E9 2_2_012870E9
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_0128F0E0 2_2_0128F0E0
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011D70C0 2_2_011D70C0
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_0127F0CC 2_2_0127F0CC
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_0128132D 2_2_0128132D
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011BD34C 2_2_011BD34C
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_0121739A 2_2_0121739A
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011D52A0 2_2_011D52A0
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_012712ED 2_2_012712ED
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011EB2C0 2_2_011EB2C0
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_01287571 2_2_01287571
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_0126D5B0 2_2_0126D5B0
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_0128F43F 2_2_0128F43F
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011C1460 2_2_011C1460
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_0128F7B0 2_2_0128F7B0
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_012816CC 2_2_012816CC
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_01265910 2_2_01265910
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011D9950 2_2_011D9950
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011EB950 2_2_011EB950
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_0123D800 2_2_0123D800
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011D38E0 2_2_011D38E0
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_0128FB76 2_2_0128FB76
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011EFB80 2_2_011EFB80
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_01245BF0 2_2_01245BF0
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_0120DBF9 2_2_0120DBF9
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_01243A6C 2_2_01243A6C
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_0128FA49 2_2_0128FA49
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_01287A46 2_2_01287A46
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_01215AA0 2_2_01215AA0
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_01271AA3 2_2_01271AA3
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_0126DAAC 2_2_0126DAAC
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_0127DAC6 2_2_0127DAC6
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_01287D73 2_2_01287D73
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011D3D40 2_2_011D3D40
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_01281D5A 2_2_01281D5A
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011EFDC0 2_2_011EFDC0
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_01249C32 2_2_01249C32
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_0128FCF2 2_2_0128FCF2
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_0128FF09 2_2_0128FF09
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011D1F92 2_2_011D1F92
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_0128FFB1 2_2_0128FFB1
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011D9EB0 2_2_011D9EB0
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 0049058C appears 56 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 004109E8 appears 34 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 004049C0 appears 73 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 004070F0 appears 81 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 00404CCC appears 54 times
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: String function: 01205130 appears 58 times
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: String function: 0123EA12 appears 86 times
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: String function: 0124F290 appears 105 times
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: String function: 01217E54 appears 100 times
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: String function: 011BB970 appears 265 times
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe Code function: String function: 00690A30 appears 46 times
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe Code function: String function: 0068F9F2 appears 31 times
Source: ._cache_svchost.exe.1.dr Static PE information: No import functions for PE file found
Source: 1lAxaLKP7E.exe, 00000000.00000003.1813235075.0000000003873000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs 1lAxaLKP7E.exe
Source: 1lAxaLKP7E.exe, 00000000.00000003.1814350551.0000000003B2D000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs 1lAxaLKP7E.exe
Source: 1lAxaLKP7E.exe, 00000000.00000002.1815969856.0000000003640000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFileName vs 1lAxaLKP7E.exe
Source: 1lAxaLKP7E.exe, 00000000.00000002.1815969856.0000000003640000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameb! vs 1lAxaLKP7E.exe
Source: 1lAxaLKP7E.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: 2.2.._cache_svchost.exe.630000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.2178717615.0000000000631000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.2178961116.0000000000E20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: ._cache_svchost.exe.1.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: ._cache_svchost.exe.1.dr Static PE information: Section .text
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@8/6@0/0
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe Code function: 0_2_006E37B5 GetLastError,FormatMessageW, 0_2_006E37B5
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe Code function: 0_2_006D10BF AdjustTokenPrivileges,CloseHandle, 0_2_006D10BF
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe Code function: 0_2_006D16C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 0_2_006D16C3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00475958 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,GetLastError,GetLastError, 1_2_00475958
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe Code function: 0_2_006E51CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode, 0_2_006E51CD
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe Code function: 0_2_006FA67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle, 0_2_006FA67C
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe Code function: 0_2_006E648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize, 0_2_006E648E
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe Code function: 0_2_006742A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource, 0_2_006742A2
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Users\user\Desktop\._cache_svchost.exe
Source: C:\Windows\SysWOW64\svchost.exe Mutant created: \Sessions\1\BaseNamedObjects\Synaptics2X
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe File created: C:\Users\user\AppData\Local\Temp\aut6951.tmp
Source: Yara match File source: 0.2.1lAxaLKP7E.exe.3640000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.1lAxaLKP7E.exe.3640000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1815969856.0000000003640000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1823152194.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: 1lAxaLKP7E.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\svchost.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\svchost.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 1lAxaLKP7E.exe ReversingLabs: Detection: 65%
Source: unknown Process created: C:\Users\user\Desktop\1lAxaLKP7E.exe "C:\Users\user\Desktop\1lAxaLKP7E.exe"
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\1lAxaLKP7E.exe"
Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Users\user\Desktop\._cache_svchost.exe "C:\Users\user\Desktop\._cache_svchost.exe"
Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\ProgramData\Synaptics\Synaptics.exe "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
Source: unknown Process created: C:\ProgramData\Synaptics\Synaptics.exe "C:\ProgramData\Synaptics\Synaptics.exe"
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\1lAxaLKP7E.exe"
Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Users\user\Desktop\._cache_svchost.exe "C:\Users\user\Desktop\._cache_svchost.exe"
Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\ProgramData\Synaptics\Synaptics.exe "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wsock32.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: textshaping.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: twext.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: slc.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: ntshrui.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: windows.fileexplorer.common.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: cscapi.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: shacct.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: idstore.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: starttiledata.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: acppage.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: msi.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: aepic.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: samlib.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wlidprov.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: provsvc.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: twext.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: ntshrui.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: starttiledata.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: acppage.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: msi.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: aepic.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: sfc_os.dll
Source: C:\Users\user\Desktop\._cache_svchost.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\svchost.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: 1lAxaLKP7E.exe Static file information: File size 1904640 > 1048576
Source: 1lAxaLKP7E.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 1lAxaLKP7E.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 1lAxaLKP7E.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 1lAxaLKP7E.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 1lAxaLKP7E.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 1lAxaLKP7E.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: 1lAxaLKP7E.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: wntdll.pdbUGP source: 1lAxaLKP7E.exe, 00000000.00000003.1814634487.0000000003860000.00000004.00001000.00020000.00000000.sdmp, 1lAxaLKP7E.exe, 00000000.00000003.1813379686.00000000038F0000.00000004.00001000.00020000.00000000.sdmp, ._cache_svchost.exe, 00000002.00000003.2147879512.0000000000FE2000.00000004.00000020.00020000.00000000.sdmp, ._cache_svchost.exe, 00000002.00000002.2179114739.0000000001190000.00000040.00001000.00020000.00000000.sdmp, ._cache_svchost.exe, 00000002.00000002.2179114739.000000000132E000.00000040.00001000.00020000.00000000.sdmp, ._cache_svchost.exe, 00000002.00000003.2145891846.0000000000D25000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: 1lAxaLKP7E.exe, 00000000.00000003.1814634487.0000000003860000.00000004.00001000.00020000.00000000.sdmp, 1lAxaLKP7E.exe, 00000000.00000003.1813379686.00000000038F0000.00000004.00001000.00020000.00000000.sdmp, ._cache_svchost.exe, ._cache_svchost.exe, 00000002.00000003.2147879512.0000000000FE2000.00000004.00000020.00020000.00000000.sdmp, ._cache_svchost.exe, 00000002.00000002.2179114739.0000000001190000.00000040.00001000.00020000.00000000.sdmp, ._cache_svchost.exe, 00000002.00000002.2179114739.000000000132E000.00000040.00001000.00020000.00000000.sdmp, ._cache_svchost.exe, 00000002.00000003.2145891846.0000000000D25000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: svchost.pdb source: svchost.exe, 00000001.00000003.1819565454.0000000003099000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1823129114.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Synaptics.exe, 00000007.00000002.1946319184.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Synaptics.exe.1.dr
Source: Binary string: svchost.pdbUGP source: svchost.exe, 00000001.00000003.1819565454.0000000003099000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1823129114.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Synaptics.exe, 00000007.00000002.1946319184.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Synaptics.exe.1.dr
Source: 1lAxaLKP7E.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 1lAxaLKP7E.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 1lAxaLKP7E.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 1lAxaLKP7E.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 1lAxaLKP7E.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe Code function: 0_2_006742DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_006742DE
Source: Synaptics.exe.1.dr Static PE information: section name: .didat
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe Code function: 0_2_00690A76 push ecx; ret 0_2_00690A89
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00446564 push 004465F1h; ret 1_2_004465E9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00406B3C push 00406B8Dh; ret 1_2_00406B85
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00478CB0 push 00478D2Dh; ret 1_2_00478D25
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00422044 push ecx; mov dword ptr [esp], edx 1_2_00422049
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0042E010 push 0042E03Ch; ret 1_2_0042E034
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0046C0B0 push ecx; mov dword ptr [esp], eax 1_2_0046C0B2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_004761F8 push 0047623Bh; ret 1_2_00476233
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0049419C push 004941CFh; ret 1_2_004941C7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0042E1BC push 0042E1E8h; ret 1_2_0042E1E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00480210 push 0048023Ch; ret 1_2_00480234
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_004842DC push 00484308h; ret 1_2_00484300
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0048036C push 00480398h; ret 1_2_00480390
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0042C3D0 push 0042C3FCh; ret 1_2_0042C3F4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00432468 push 004324B4h; ret 1_2_004324AC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00486408 push 004864ADh; ret 1_2_004864A5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0047C404 push 0047C430h; ret 1_2_0047C428
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00432404 push 00432447h; ret 1_2_0043243F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_004324C0 push 0043250Bh; ret 1_2_00432503
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0042C4C4 push 0042C4F0h; ret 1_2_0042C4E8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_004464FC push 00446562h; ret 1_2_0044655A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00490554 push 00490580h; ret 1_2_00490578
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0047A514 push 0047A540h; ret 1_2_0047A538
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00432518 push 00432544h; ret 1_2_0043253C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00496530 push 00496586h; ret 1_2_0049657E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0048859C push 004885DEh; ret 1_2_004885D6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00432650 push 004326C6h; ret 1_2_004326BE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0049A6BC push 0049A745h; ret 1_2_0049A73D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00480744 push 00480770h; ret 1_2_00480768
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0049A750 push 0049A776h; ret 1_2_0049A76E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0048077C push 004807A8h; ret 1_2_004807A0
Source: ._cache_svchost.exe.1.dr Static PE information: section name: .text entropy: 7.99501507091198
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Users\user\Desktop\._cache_svchost.exe
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\ProgramData\Synaptics\Synaptics.exe
Source: C:\Windows\SysWOW64\svchost.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Synaptics Pointing Device Driver
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe Code function: 0_2_0068F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_0068F98E
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe Code function: 0_2_00701C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 0_2_00701C41
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00459934 PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus, 1_2_00459934
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0045A054 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A, 1_2_0045A054
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0045A104 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus, 1_2_0045A104
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0042C6FC IsIconic,GetWindowPlacement,GetWindowRect, 1_2_0042C6FC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0044083C IsIconic,GetCapture, 1_2_0044083C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0045695C SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow, 1_2_0045695C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_004410F0 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement, 1_2_004410F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00441A14 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient, 1_2_00441A14
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0042E3B4 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 1_2_0042E3B4
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00435BD4 1_2_00435BD4
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe API/Special instruction interceptor: Address: CA31F4
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_0120096E rdtsc 2_2_0120096E
Source: C:\Windows\SysWOW64\svchost.exe Code function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject, 1_2_00458EA4
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe API coverage: 4.2 %
Source: C:\Windows\SysWOW64\svchost.exe API coverage: 7.3 %
Source: C:\Users\user\Desktop\._cache_svchost.exe API coverage: 0.7 %
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00435BD4 1_2_00435BD4
Source: C:\Users\user\Desktop\._cache_svchost.exe TID: 7036 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe Code function: 0_2_006DDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose, 0_2_006DDBBE
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe Code function: 0_2_006E68EE FindFirstFileW,FindClose, 0_2_006E68EE
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe Code function: 0_2_006E698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime, 0_2_006E698F
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe Code function: 0_2_006DD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_006DD076
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe Code function: 0_2_006DD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_006DD3A9
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe Code function: 0_2_006E9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_006E9642
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe Code function: 0_2_006E979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_006E979D
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe Code function: 0_2_006E9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose, 0_2_006E9B2B
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe Code function: 0_2_006E5C97 FindFirstFileW,FindNextFileW,FindClose, 0_2_006E5C97
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_004099E0 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime, 1_2_004099E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00406018 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 1_2_00406018
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00409B1C FindFirstFileA,GetLastError, 1_2_00409B1C
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe Code function: 0_2_006742DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_006742DE
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Users\user\AppData\Roaming Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Users\user Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Users\user\AppData\Roaming\Microsoft Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Users\user\AppData Jump to behavior
Source: svchost.exe, 00000001.00000002.1824644371.0000000003061000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\._cache_svchost.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\._cache_svchost.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_0120096E rdtsc 2_2_0120096E
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_006471F3 LdrLoadDll, 2_2_006471F3
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe Code function: 0_2_006EEAA2 BlockInput, 0_2_006EEAA2
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe Code function: 0_2_006A2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_006A2622
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe Code function: 0_2_006742DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_006742DE
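Added example (not part of the Joe Sandbox report, not code from the sample): a small Python extractor that turns signature lines of the form "Source: <process> <event>: <detail>" into records, pulls the persistence IOCs from the File created / Run key entries above, and tallies the anti-analysis signatures in this section (rdtsc, GetCursorPos, the -30000s sleep, DebugPort, IsDebuggerPresent, BlockInput, and the fs:[00000030h] PEB reads that follow) per process and per distinct code function. The sample input is eleven lines copied from this report; the technique labels, the regexes and the event-type list are this example's own assumptions about the report format, not Joe Sandbox names.

```python
"""Extract persistence IOCs and an anti-analysis technique tally from
Joe Sandbox style signature lines ("Source: <process> <event>: <detail>")."""
import re
from collections import defaultdict

# Constructed sample input: eleven signature lines copied from this report.
# A real run would read the whole report text instead.
SAMPLE_REPORT = r"""
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\ProgramData\Synaptics\Synaptics.exe Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Synaptics Pointing Device Driver Jump to behavior
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_0120096E rdtsc 2_2_0120096E
Source: C:\Windows\SysWOW64\svchost.exe Code function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject, 1_2_00458EA4
Source: C:\Users\user\Desktop\._cache_svchost.exe TID: 7036 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\._cache_svchost.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe Code function: 0_2_006EEAA2 BlockInput, 0_2_006EEAA2
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe Code function: 0_2_006A2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_006A2622
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_0126E10E mov eax, dword ptr fs:[00000030h] 2_2_0126E10E
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_0126E10E mov ecx, dword ptr fs:[00000030h] 2_2_0126E10E
"""

# Event types seen in this report; assumed, not an official Joe Sandbox list.
EVENT_TYPES = (
    "Registry value created or modified", "File created", "File opened",
    "Code function", "Sandbox detection routine", "Process queried",
    "Process information queried", "Process information set", "TID",
    "API coverage", "API/Special instruction interceptor", "Binary or memory string",
)
LINE_RE = re.compile(
    r"^Source: (?P<source>.+?) (?P<event>"
    + "|".join(re.escape(e) for e in EVENT_TYPES)
    + r"): (?P<detail>.*?)(?: Jump to (?:behavior|dropped file))?$"
)
FUNC_ID_RE = re.compile(r"\b\d+_\d+_[0-9A-Fa-f]{8}\b")   # e.g. 2_2_0126E10E
RUN_KEY_RE = re.compile(r"^(?P<key>HK[A-Z_]+\\.*\\CurrentVersion\\Run(?:Once)?) (?P<value>.+)$")

# Technique labels are this example's own names for what the signature text shows.
TECHNIQUE_RULES = {
    "peb_read_fs30":     re.compile(r"fs:\[00000030h\]"),        # TEB+0x30 = PEB pointer (x86)
    "rdtsc_timing":      re.compile(r"\brdtsc\b"),
    "mouse_activity":    re.compile(r"\bGetCursorPos\b"),
    "foreground_sleep":  re.compile(r"\bGetForegroundWindow\b.*\bSleep\b"),
    "debugport_query":   re.compile(r"\bDebugPort\b"),
    "isdebuggerpresent": re.compile(r"\bIsDebuggerPresent\b"),
    "block_input":       re.compile(r"\bBlockInput\b"),
    "long_sleep":        re.compile(r"Thread sleep time: -\d+s"),
}


def parse_line(line):
    """Split one signature line into source / event / detail; None if it is not one."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def parse_report(text):
    return [rec for rec in map(parse_line, text.splitlines()) if rec]


def tag_techniques(detail):
    return {name for name, rx in TECHNIQUE_RULES.items() if rx.search(detail)}


def evasion_summary(records):
    """process -> technique -> number of distinct code functions. The report emits one
    line per matching instruction, so one function reading the PEB ten times is ten
    lines; collapsing on the function id gives the count an analyst actually wants."""
    funcs = defaultdict(lambda: defaultdict(set))
    for i, rec in enumerate(records):
        techs = tag_techniques(rec["detail"])
        if not techs:
            continue
        proc = rec["source"].rsplit("\\", 1)[-1]
        ids = set(FUNC_ID_RE.findall(rec["detail"])) or {f"event#{i}"}  # no id: count the event
        for t in techs:
            funcs[proc][t].update(ids)
    return {p: {t: len(ids) for t, ids in techs.items()} for p, techs in funcs.items()}


def persistence_iocs(records):
    """Run-key values and dropped executables, de-duplicated (the report repeats lines)."""
    seen, iocs = set(), []
    for rec in records:
        ioc = None
        if rec["event"] == "Registry value created or modified":
            m = RUN_KEY_RE.match(rec["detail"])
            if m:
                ioc = ("run_key", rec["source"], m["key"], m["value"])
        elif rec["event"] == "File created" and rec["detail"].lower().endswith((".exe", ".dll")):
            ioc = ("dropped_file", rec["source"], rec["detail"], "")
        if ioc and ioc not in seen:
            seen.add(ioc)
            iocs.append(dict(zip(("type", "process", "key_or_path", "value_name"), ioc)))
    return iocs


if __name__ == "__main__":
    recs = parse_report(SAMPLE_REPORT)
    for ioc in persistence_iocs(recs):
        print(ioc)
    for proc, techs in evasion_summary(recs).items():
        print(proc, techs)
```

Two caveats when reading the tally. First, the fs:[00000030h] entries only show that a function loads the PEB pointer from the TEB; that is also what ordinary compiler and CRT code does, so the count is a hint to look at those functions, not proof of anti-debugging by itself. The anti-debug reads are the ones that go on to test PEB offset 0x2 (BeingDebugged) or 0x68 (NtGlobalFlag, 32-bit layout), which the report lines do not show. Second, the Run key value "Synaptics Pointing Device Driver" and the path C:\ProgramData\Synaptics\Synaptics.exe are the hunt-ready artifacts here; the report gives no hash for the dropped file, so match on the key name and path, then hash the file on the host.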
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe Code function: 0_2_00694CE8 mov eax, dword ptr fs:[00000030h] 0_2_00694CE8
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe Code function: 0_2_00CA34C0 mov eax, dword ptr fs:[00000030h] 0_2_00CA34C0
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe Code function: 0_2_00CA3460 mov eax, dword ptr fs:[00000030h] 0_2_00CA3460
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe Code function: 0_2_00CA1E70 mov eax, dword ptr fs:[00000030h] 0_2_00CA1E70
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_0126E10E mov eax, dword ptr fs:[00000030h] 2_2_0126E10E
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_0126E10E mov ecx, dword ptr fs:[00000030h] 2_2_0126E10E
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_0126E10E mov eax, dword ptr fs:[00000030h] 2_2_0126E10E
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_0126E10E mov eax, dword ptr fs:[00000030h] 2_2_0126E10E
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_0126E10E mov ecx, dword ptr fs:[00000030h] 2_2_0126E10E
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_0126E10E mov eax, dword ptr fs:[00000030h] 2_2_0126E10E
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_0126E10E mov eax, dword ptr fs:[00000030h] 2_2_0126E10E
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_0126E10E mov ecx, dword ptr fs:[00000030h] 2_2_0126E10E
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_0126E10E mov eax, dword ptr fs:[00000030h] 2_2_0126E10E
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_0126E10E mov ecx, dword ptr fs:[00000030h] 2_2_0126E10E
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011F0124 mov eax, dword ptr fs:[00000030h] 2_2_011F0124
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_01280115 mov eax, dword ptr fs:[00000030h] 2_2_01280115
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_0126A118 mov ecx, dword ptr fs:[00000030h] 2_2_0126A118
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_0126A118 mov eax, dword ptr fs:[00000030h] 2_2_0126A118
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_0126A118 mov eax, dword ptr fs:[00000030h] 2_2_0126A118
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_0126A118 mov eax, dword ptr fs:[00000030h] 2_2_0126A118
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011C6154 mov eax, dword ptr fs:[00000030h] 2_2_011C6154
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011C6154 mov eax, dword ptr fs:[00000030h] 2_2_011C6154
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011BC156 mov eax, dword ptr fs:[00000030h] 2_2_011BC156
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_01254144 mov eax, dword ptr fs:[00000030h] 2_2_01254144
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_01254144 mov eax, dword ptr fs:[00000030h] 2_2_01254144
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_01254144 mov ecx, dword ptr fs:[00000030h] 2_2_01254144
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_01254144 mov eax, dword ptr fs:[00000030h] 2_2_01254144
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_01254144 mov eax, dword ptr fs:[00000030h] 2_2_01254144
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_01258158 mov eax, dword ptr fs:[00000030h] 2_2_01258158
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011BA197 mov eax, dword ptr fs:[00000030h] 2_2_011BA197
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011BA197 mov eax, dword ptr fs:[00000030h] 2_2_011BA197
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011BA197 mov eax, dword ptr fs:[00000030h] 2_2_011BA197
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_01200185 mov eax, dword ptr fs:[00000030h] 2_2_01200185
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_01264180 mov eax, dword ptr fs:[00000030h] 2_2_01264180
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_01264180 mov eax, dword ptr fs:[00000030h] 2_2_01264180
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_0127C188 mov eax, dword ptr fs:[00000030h] 2_2_0127C188
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_0127C188 mov eax, dword ptr fs:[00000030h] 2_2_0127C188
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_0124019F mov eax, dword ptr fs:[00000030h] 2_2_0124019F
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_0124019F mov eax, dword ptr fs:[00000030h] 2_2_0124019F
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_0124019F mov eax, dword ptr fs:[00000030h] 2_2_0124019F
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_0124019F mov eax, dword ptr fs:[00000030h] 2_2_0124019F
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_012961E5 mov eax, dword ptr fs:[00000030h] 2_2_012961E5
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011F01F8 mov eax, dword ptr fs:[00000030h] 2_2_011F01F8
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_012861C3 mov eax, dword ptr fs:[00000030h] 2_2_012861C3
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_012861C3 mov eax, dword ptr fs:[00000030h] 2_2_012861C3
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_0123E1D0 mov eax, dword ptr fs:[00000030h] 2_2_0123E1D0
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_0123E1D0 mov eax, dword ptr fs:[00000030h] 2_2_0123E1D0
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_0123E1D0 mov ecx, dword ptr fs:[00000030h] 2_2_0123E1D0
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_0123E1D0 mov eax, dword ptr fs:[00000030h] 2_2_0123E1D0
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_0123E1D0 mov eax, dword ptr fs:[00000030h] 2_2_0123E1D0
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011DE016 mov eax, dword ptr fs:[00000030h] 2_2_011DE016
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011DE016 mov eax, dword ptr fs:[00000030h] 2_2_011DE016
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011DE016 mov eax, dword ptr fs:[00000030h] 2_2_011DE016
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011DE016 mov eax, dword ptr fs:[00000030h] 2_2_011DE016
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_01256030 mov eax, dword ptr fs:[00000030h] 2_2_01256030
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_01244000 mov ecx, dword ptr fs:[00000030h] 2_2_01244000
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_01262000 mov eax, dword ptr fs:[00000030h] 2_2_01262000
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_01262000 mov eax, dword ptr fs:[00000030h] 2_2_01262000
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_01262000 mov eax, dword ptr fs:[00000030h] 2_2_01262000
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_01262000 mov eax, dword ptr fs:[00000030h] 2_2_01262000
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_01262000 mov eax, dword ptr fs:[00000030h] 2_2_01262000
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_01262000 mov eax, dword ptr fs:[00000030h] 2_2_01262000
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_01262000 mov eax, dword ptr fs:[00000030h] 2_2_01262000
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_01262000 mov eax, dword ptr fs:[00000030h] 2_2_01262000
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011BA020 mov eax, dword ptr fs:[00000030h] 2_2_011BA020
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011BC020 mov eax, dword ptr fs:[00000030h] 2_2_011BC020
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011C2050 mov eax, dword ptr fs:[00000030h] 2_2_011C2050
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011EC073 mov eax, dword ptr fs:[00000030h] 2_2_011EC073
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_01246050 mov eax, dword ptr fs:[00000030h] 2_2_01246050
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_012580A8 mov eax, dword ptr fs:[00000030h] 2_2_012580A8
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_012860B8 mov eax, dword ptr fs:[00000030h] 2_2_012860B8
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_012860B8 mov ecx, dword ptr fs:[00000030h] 2_2_012860B8
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011C208A mov eax, dword ptr fs:[00000030h] 2_2_011C208A
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_012460E0 mov eax, dword ptr fs:[00000030h] 2_2_012460E0
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_012020F0 mov ecx, dword ptr fs:[00000030h] 2_2_012020F0
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011BC0F0 mov eax, dword ptr fs:[00000030h] 2_2_011BC0F0
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011C80E9 mov eax, dword ptr fs:[00000030h] 2_2_011C80E9
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011BA0E3 mov ecx, dword ptr fs:[00000030h] 2_2_011BA0E3
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_012420DE mov eax, dword ptr fs:[00000030h] 2_2_012420DE
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011BC310 mov ecx, dword ptr fs:[00000030h] 2_2_011BC310
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011E0310 mov ecx, dword ptr fs:[00000030h] 2_2_011E0310
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011FA30B mov eax, dword ptr fs:[00000030h] 2_2_011FA30B
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011FA30B mov eax, dword ptr fs:[00000030h] 2_2_011FA30B
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011FA30B mov eax, dword ptr fs:[00000030h] 2_2_011FA30B
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_0126437C mov eax, dword ptr fs:[00000030h] 2_2_0126437C
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_01242349 mov eax, dword ptr fs:[00000030h] 2_2_01242349
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_01242349 mov eax, dword ptr fs:[00000030h] 2_2_01242349
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_01242349 mov eax, dword ptr fs:[00000030h] 2_2_01242349
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_01242349 mov eax, dword ptr fs:[00000030h] 2_2_01242349
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_01242349 mov eax, dword ptr fs:[00000030h] 2_2_01242349
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_01242349 mov eax, dword ptr fs:[00000030h] 2_2_01242349
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_01242349 mov eax, dword ptr fs:[00000030h] 2_2_01242349
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_01242349 mov eax, dword ptr fs:[00000030h] 2_2_01242349
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_01242349 mov eax, dword ptr fs:[00000030h] 2_2_01242349
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_01242349 mov eax, dword ptr fs:[00000030h] 2_2_01242349
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_01242349 mov eax, dword ptr fs:[00000030h] 2_2_01242349
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_01242349 mov eax, dword ptr fs:[00000030h] 2_2_01242349
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_01242349 mov eax, dword ptr fs:[00000030h] 2_2_01242349
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_01242349 mov eax, dword ptr fs:[00000030h] 2_2_01242349
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_01242349 mov eax, dword ptr fs:[00000030h] 2_2_01242349
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_01268350 mov ecx, dword ptr fs:[00000030h] 2_2_01268350
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_0124035C mov eax, dword ptr fs:[00000030h] 2_2_0124035C
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_0124035C mov eax, dword ptr fs:[00000030h] 2_2_0124035C
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_0124035C mov eax, dword ptr fs:[00000030h] 2_2_0124035C
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_0124035C mov ecx, dword ptr fs:[00000030h] 2_2_0124035C
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_0124035C mov eax, dword ptr fs:[00000030h] 2_2_0124035C
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_0124035C mov eax, dword ptr fs:[00000030h] 2_2_0124035C
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_0128A352 mov eax, dword ptr fs:[00000030h] 2_2_0128A352
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011B8397 mov eax, dword ptr fs:[00000030h] 2_2_011B8397
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011B8397 mov eax, dword ptr fs:[00000030h] 2_2_011B8397
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011B8397 mov eax, dword ptr fs:[00000030h] 2_2_011B8397
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011E438F mov eax, dword ptr fs:[00000030h] 2_2_011E438F
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011E438F mov eax, dword ptr fs:[00000030h] 2_2_011E438F
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011BE388 mov eax, dword ptr fs:[00000030h] 2_2_011BE388
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011BE388 mov eax, dword ptr fs:[00000030h] 2_2_011BE388
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011BE388 mov eax, dword ptr fs:[00000030h] 2_2_011BE388
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011CA3C0 mov eax, dword ptr fs:[00000030h] 2_2_011CA3C0
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011CA3C0 mov eax, dword ptr fs:[00000030h] 2_2_011CA3C0
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011CA3C0 mov eax, dword ptr fs:[00000030h] 2_2_011CA3C0
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011CA3C0 mov eax, dword ptr fs:[00000030h] 2_2_011CA3C0
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011CA3C0 mov eax, dword ptr fs:[00000030h] 2_2_011CA3C0
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011CA3C0 mov eax, dword ptr fs:[00000030h] 2_2_011CA3C0
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011C83C0 mov eax, dword ptr fs:[00000030h] 2_2_011C83C0
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011C83C0 mov eax, dword ptr fs:[00000030h] 2_2_011C83C0
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011C83C0 mov eax, dword ptr fs:[00000030h] 2_2_011C83C0
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011C83C0 mov eax, dword ptr fs:[00000030h] 2_2_011C83C0
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011F63FF mov eax, dword ptr fs:[00000030h] 2_2_011F63FF
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_012463C0 mov eax, dword ptr fs:[00000030h] 2_2_012463C0
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_0127C3CD mov eax, dword ptr fs:[00000030h] 2_2_0127C3CD
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011DE3F0 mov eax, dword ptr fs:[00000030h] 2_2_011DE3F0
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011DE3F0 mov eax, dword ptr fs:[00000030h] 2_2_011DE3F0
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011DE3F0 mov eax, dword ptr fs:[00000030h] 2_2_011DE3F0
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_012643D4 mov eax, dword ptr fs:[00000030h] 2_2_012643D4
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_012643D4 mov eax, dword ptr fs:[00000030h] 2_2_012643D4
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011D03E9 mov eax, dword ptr fs:[00000030h] 2_2_011D03E9
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011D03E9 mov eax, dword ptr fs:[00000030h] 2_2_011D03E9
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011D03E9 mov eax, dword ptr fs:[00000030h] 2_2_011D03E9
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011D03E9 mov eax, dword ptr fs:[00000030h] 2_2_011D03E9
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011D03E9 mov eax, dword ptr fs:[00000030h] 2_2_011D03E9
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011D03E9 mov eax, dword ptr fs:[00000030h] 2_2_011D03E9
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011D03E9 mov eax, dword ptr fs:[00000030h] 2_2_011D03E9
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011D03E9 mov eax, dword ptr fs:[00000030h] 2_2_011D03E9
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_0126E3DB mov eax, dword ptr fs:[00000030h] 2_2_0126E3DB
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_0126E3DB mov eax, dword ptr fs:[00000030h] 2_2_0126E3DB
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_0126E3DB mov ecx, dword ptr fs:[00000030h] 2_2_0126E3DB
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_0126E3DB mov eax, dword ptr fs:[00000030h] 2_2_0126E3DB
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011B823B mov eax, dword ptr fs:[00000030h] 2_2_011B823B
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011C6259 mov eax, dword ptr fs:[00000030h] 2_2_011C6259
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011BA250 mov eax, dword ptr fs:[00000030h] 2_2_011BA250
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_01270274 mov eax, dword ptr fs:[00000030h] 2_2_01270274
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_01270274 mov eax, dword ptr fs:[00000030h] 2_2_01270274
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_01270274 mov eax, dword ptr fs:[00000030h] 2_2_01270274
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_01270274 mov eax, dword ptr fs:[00000030h] 2_2_01270274
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_01270274 mov eax, dword ptr fs:[00000030h] 2_2_01270274
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_01270274 mov eax, dword ptr fs:[00000030h] 2_2_01270274
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_01270274 mov eax, dword ptr fs:[00000030h] 2_2_01270274
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_01270274 mov eax, dword ptr fs:[00000030h] 2_2_01270274
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_01270274 mov eax, dword ptr fs:[00000030h] 2_2_01270274
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_01270274 mov eax, dword ptr fs:[00000030h] 2_2_01270274
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_01270274 mov eax, dword ptr fs:[00000030h] 2_2_01270274
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_01270274 mov eax, dword ptr fs:[00000030h] 2_2_01270274
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_01248243 mov eax, dword ptr fs:[00000030h] 2_2_01248243
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_01248243 mov ecx, dword ptr fs:[00000030h] 2_2_01248243
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011B826B mov eax, dword ptr fs:[00000030h] 2_2_011B826B
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_0127A250 mov eax, dword ptr fs:[00000030h] 2_2_0127A250
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_0127A250 mov eax, dword ptr fs:[00000030h] 2_2_0127A250
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011C4260 mov eax, dword ptr fs:[00000030h] 2_2_011C4260
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011C4260 mov eax, dword ptr fs:[00000030h] 2_2_011C4260
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011C4260 mov eax, dword ptr fs:[00000030h] 2_2_011C4260
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_012562A0 mov eax, dword ptr fs:[00000030h] 2_2_012562A0
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_012562A0 mov ecx, dword ptr fs:[00000030h] 2_2_012562A0
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_012562A0 mov eax, dword ptr fs:[00000030h] 2_2_012562A0
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_012562A0 mov eax, dword ptr fs:[00000030h] 2_2_012562A0
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_012562A0 mov eax, dword ptr fs:[00000030h] 2_2_012562A0
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_012562A0 mov eax, dword ptr fs:[00000030h] 2_2_012562A0
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011FE284 mov eax, dword ptr fs:[00000030h] 2_2_011FE284
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011FE284 mov eax, dword ptr fs:[00000030h] 2_2_011FE284
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_01240283 mov eax, dword ptr fs:[00000030h] 2_2_01240283
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_01240283 mov eax, dword ptr fs:[00000030h] 2_2_01240283
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_01240283 mov eax, dword ptr fs:[00000030h] 2_2_01240283
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011D02A0 mov eax, dword ptr fs:[00000030h] 2_2_011D02A0
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011D02A0 mov eax, dword ptr fs:[00000030h] 2_2_011D02A0
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011CA2C3 mov eax, dword ptr fs:[00000030h] 2_2_011CA2C3
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011CA2C3 mov eax, dword ptr fs:[00000030h] 2_2_011CA2C3
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011CA2C3 mov eax, dword ptr fs:[00000030h] 2_2_011CA2C3
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011CA2C3 mov eax, dword ptr fs:[00000030h] 2_2_011CA2C3
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011CA2C3 mov eax, dword ptr fs:[00000030h] 2_2_011CA2C3
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011D02E1 mov eax, dword ptr fs:[00000030h] 2_2_011D02E1
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011D02E1 mov eax, dword ptr fs:[00000030h] 2_2_011D02E1
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011D02E1 mov eax, dword ptr fs:[00000030h] 2_2_011D02E1
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011EE53E mov eax, dword ptr fs:[00000030h] 2_2_011EE53E
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011EE53E mov eax, dword ptr fs:[00000030h] 2_2_011EE53E
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011EE53E mov eax, dword ptr fs:[00000030h] 2_2_011EE53E
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011EE53E mov eax, dword ptr fs:[00000030h] 2_2_011EE53E
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011EE53E mov eax, dword ptr fs:[00000030h] 2_2_011EE53E
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_01256500 mov eax, dword ptr fs:[00000030h] 2_2_01256500
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011D0535 mov eax, dword ptr fs:[00000030h] 2_2_011D0535
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011D0535 mov eax, dword ptr fs:[00000030h] 2_2_011D0535
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011D0535 mov eax, dword ptr fs:[00000030h] 2_2_011D0535
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011D0535 mov eax, dword ptr fs:[00000030h] 2_2_011D0535
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011D0535 mov eax, dword ptr fs:[00000030h] 2_2_011D0535
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011D0535 mov eax, dword ptr fs:[00000030h] 2_2_011D0535
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_01294500 mov eax, dword ptr fs:[00000030h] 2_2_01294500 (7 occurrences)
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011C8550 mov eax, dword ptr fs:[00000030h] 2_2_011C8550 (2 occurrences)
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011F656A mov eax, dword ptr fs:[00000030h] 2_2_011F656A (3 occurrences)
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011FE59C mov eax, dword ptr fs:[00000030h] 2_2_011FE59C
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_012405A7 mov eax, dword ptr fs:[00000030h] 2_2_012405A7 (3 occurrences)
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011F4588 mov eax, dword ptr fs:[00000030h] 2_2_011F4588
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011C2582 mov eax, dword ptr fs:[00000030h] 2_2_011C2582
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011C2582 mov ecx, dword ptr fs:[00000030h] 2_2_011C2582
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011E45B1 mov eax, dword ptr fs:[00000030h] 2_2_011E45B1 (2 occurrences)
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011C65D0 mov eax, dword ptr fs:[00000030h] 2_2_011C65D0
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011FA5D0 mov eax, dword ptr fs:[00000030h] 2_2_011FA5D0 (2 occurrences)
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011FE5CF mov eax, dword ptr fs:[00000030h] 2_2_011FE5CF (2 occurrences)
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011FC5ED mov eax, dword ptr fs:[00000030h] 2_2_011FC5ED (2 occurrences)
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011EE5E7 mov eax, dword ptr fs:[00000030h] 2_2_011EE5E7 (8 occurrences)
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011C25E0 mov eax, dword ptr fs:[00000030h] 2_2_011C25E0
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_01246420 mov eax, dword ptr fs:[00000030h] 2_2_01246420 (7 occurrences)
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011F8402 mov eax, dword ptr fs:[00000030h] 2_2_011F8402 (3 occurrences)
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011FA430 mov eax, dword ptr fs:[00000030h] 2_2_011FA430
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011BE420 mov eax, dword ptr fs:[00000030h] 2_2_011BE420 (3 occurrences)
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011BC427 mov eax, dword ptr fs:[00000030h] 2_2_011BC427
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011E245A mov eax, dword ptr fs:[00000030h] 2_2_011E245A
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_0124C460 mov ecx, dword ptr fs:[00000030h] 2_2_0124C460
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011B645D mov eax, dword ptr fs:[00000030h] 2_2_011B645D
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011FE443 mov eax, dword ptr fs:[00000030h] 2_2_011FE443 (8 occurrences)
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011EA470 mov eax, dword ptr fs:[00000030h] 2_2_011EA470 (3 occurrences)
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_0127A456 mov eax, dword ptr fs:[00000030h] 2_2_0127A456
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_0124A4B0 mov eax, dword ptr fs:[00000030h] 2_2_0124A4B0
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011F44B0 mov ecx, dword ptr fs:[00000030h] 2_2_011F44B0
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011C64AB mov eax, dword ptr fs:[00000030h] 2_2_011C64AB
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_0127A49A mov eax, dword ptr fs:[00000030h] 2_2_0127A49A
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011C04E5 mov ecx, dword ptr fs:[00000030h] 2_2_011C04E5
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011C0710 mov eax, dword ptr fs:[00000030h] 2_2_011C0710
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011F0710 mov eax, dword ptr fs:[00000030h] 2_2_011F0710
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_0123C730 mov eax, dword ptr fs:[00000030h] 2_2_0123C730
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011FC700 mov eax, dword ptr fs:[00000030h] 2_2_011FC700
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011F273C mov eax, dword ptr fs:[00000030h] 2_2_011F273C (2 occurrences)
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011F273C mov ecx, dword ptr fs:[00000030h] 2_2_011F273C
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011FC720 mov eax, dword ptr fs:[00000030h] 2_2_011FC720 (2 occurrences)
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011C0750 mov eax, dword ptr fs:[00000030h] 2_2_011C0750
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011F674D mov esi, dword ptr fs:[00000030h] 2_2_011F674D
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011F674D mov eax, dword ptr fs:[00000030h] 2_2_011F674D (2 occurrences)
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011C8770 mov eax, dword ptr fs:[00000030h] 2_2_011C8770
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011D0770 mov eax, dword ptr fs:[00000030h] 2_2_011D0770 (12 occurrences)
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_01202750 mov eax, dword ptr fs:[00000030h] 2_2_01202750 (2 occurrences)
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_01244755 mov eax, dword ptr fs:[00000030h] 2_2_01244755
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_0124E75D mov eax, dword ptr fs:[00000030h] 2_2_0124E75D
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_012747A0 mov eax, dword ptr fs:[00000030h] 2_2_012747A0
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_0126678E mov eax, dword ptr fs:[00000030h] 2_2_0126678E
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011C07AF mov eax, dword ptr fs:[00000030h] 2_2_011C07AF
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_0124E7E1 mov eax, dword ptr fs:[00000030h] 2_2_0124E7E1
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011CC7C0 mov eax, dword ptr fs:[00000030h] 2_2_011CC7C0
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011C47FB mov eax, dword ptr fs:[00000030h] 2_2_011C47FB (2 occurrences)
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_012407C3 mov eax, dword ptr fs:[00000030h] 2_2_012407C3
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011E27ED mov eax, dword ptr fs:[00000030h] 2_2_011E27ED (3 occurrences)
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011D260B mov eax, dword ptr fs:[00000030h] 2_2_011D260B (7 occurrences)
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_0123E609 mov eax, dword ptr fs:[00000030h] 2_2_0123E609
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011C262C mov eax, dword ptr fs:[00000030h] 2_2_011C262C
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_01202619 mov eax, dword ptr fs:[00000030h] 2_2_01202619
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011DE627 mov eax, dword ptr fs:[00000030h] 2_2_011DE627
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011F6620 mov eax, dword ptr fs:[00000030h] 2_2_011F6620
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011F8620 mov eax, dword ptr fs:[00000030h] 2_2_011F8620
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_0128866E mov eax, dword ptr fs:[00000030h] 2_2_0128866E (2 occurrences)
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011DC640 mov eax, dword ptr fs:[00000030h] 2_2_011DC640
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011F2674 mov eax, dword ptr fs:[00000030h] 2_2_011F2674
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011FA660 mov eax, dword ptr fs:[00000030h] 2_2_011FA660 (2 occurrences)
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011C4690 mov eax, dword ptr fs:[00000030h] 2_2_011C4690 (2 occurrences)
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011F66B0 mov eax, dword ptr fs:[00000030h] 2_2_011F66B0
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011FC6A6 mov eax, dword ptr fs:[00000030h] 2_2_011FC6A6
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_0123E6F2 mov eax, dword ptr fs:[00000030h] 2_2_0123E6F2 (4 occurrences)
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_012406F1 mov eax, dword ptr fs:[00000030h] 2_2_012406F1 (2 occurrences)
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011FA6C7 mov ebx, dword ptr fs:[00000030h] 2_2_011FA6C7
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011FA6C7 mov eax, dword ptr fs:[00000030h] 2_2_011FA6C7
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011B8918 mov eax, dword ptr fs:[00000030h] 2_2_011B8918 (2 occurrences)
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_0124892A mov eax, dword ptr fs:[00000030h] 2_2_0124892A
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_0125892B mov eax, dword ptr fs:[00000030h] 2_2_0125892B
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_0123E908 mov eax, dword ptr fs:[00000030h] 2_2_0123E908 (2 occurrences)
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_0124C912 mov eax, dword ptr fs:[00000030h] 2_2_0124C912
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_0120096E mov eax, dword ptr fs:[00000030h] 2_2_0120096E (2 occurrences)
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_0120096E mov edx, dword ptr fs:[00000030h] 2_2_0120096E
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_0124C97C mov eax, dword ptr fs:[00000030h] 2_2_0124C97C
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_01264978 mov eax, dword ptr fs:[00000030h] 2_2_01264978 (2 occurrences)
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_01240946 mov eax, dword ptr fs:[00000030h] 2_2_01240946
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011E6962 mov eax, dword ptr fs:[00000030h] 2_2_011E6962 (3 occurrences)
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_012489B3 mov esi, dword ptr fs:[00000030h] 2_2_012489B3
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_012489B3 mov eax, dword ptr fs:[00000030h] 2_2_012489B3 (2 occurrences)
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011C09AD mov eax, dword ptr fs:[00000030h] 2_2_011C09AD (2 occurrences)
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011D29A0 mov eax, dword ptr fs:[00000030h] 2_2_011D29A0 (13 occurrences)
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_0124E9E0 mov eax, dword ptr fs:[00000030h] 2_2_0124E9E0
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011CA9D0 mov eax, dword ptr fs:[00000030h] 2_2_011CA9D0 (6 occurrences)
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011F49D0 mov eax, dword ptr fs:[00000030h] 2_2_011F49D0
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_012569C0 mov eax, dword ptr fs:[00000030h] 2_2_012569C0
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011F29F9 mov eax, dword ptr fs:[00000030h] 2_2_011F29F9 (2 occurrences)
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_0128A9D3 mov eax, dword ptr fs:[00000030h] 2_2_0128A9D3
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_0126483A mov eax, dword ptr fs:[00000030h] 2_2_0126483A (2 occurrences)
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011E2835 mov eax, dword ptr fs:[00000030h] 2_2_011E2835 (5 occurrences)
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011E2835 mov ecx, dword ptr fs:[00000030h] 2_2_011E2835
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011FA830 mov eax, dword ptr fs:[00000030h] 2_2_011FA830
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_0124C810 mov eax, dword ptr fs:[00000030h] 2_2_0124C810
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011C4859 mov eax, dword ptr fs:[00000030h] 2_2_011C4859 (2 occurrences)
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011F0854 mov eax, dword ptr fs:[00000030h] 2_2_011F0854
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_01256870 mov eax, dword ptr fs:[00000030h] 2_2_01256870 (2 occurrences)
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_0124E872 mov eax, dword ptr fs:[00000030h] 2_2_0124E872 (2 occurrences)
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011D2840 mov ecx, dword ptr fs:[00000030h] 2_2_011D2840
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011C0887 mov eax, dword ptr fs:[00000030h] 2_2_011C0887
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_0124C89D mov eax, dword ptr fs:[00000030h] 2_2_0124C89D
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_0128A8E4 mov eax, dword ptr fs:[00000030h] 2_2_0128A8E4
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011EE8C0 mov eax, dword ptr fs:[00000030h] 2_2_011EE8C0
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011FC8F9 mov eax, dword ptr fs:[00000030h] 2_2_011FC8F9 (2 occurrences)
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_01288B28 mov eax, dword ptr fs:[00000030h] 2_2_01288B28 (2 occurrences)
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_0123EB1D mov eax, dword ptr fs:[00000030h] 2_2_0123EB1D (9 occurrences)
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011EEB20 mov eax, dword ptr fs:[00000030h] 2_2_011EEB20 (2 occurrences)
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_01268B42 mov eax, dword ptr fs:[00000030h] 2_2_01268B42
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_01256B40 mov eax, dword ptr fs:[00000030h] 2_2_01256B40 (2 occurrences)
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011BCB7E mov eax, dword ptr fs:[00000030h] 2_2_011BCB7E
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_0128AB40 mov eax, dword ptr fs:[00000030h] 2_2_0128AB40
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_01274B4B mov eax, dword ptr fs:[00000030h] 2_2_01274B4B (2 occurrences)
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_0126EB50 mov eax, dword ptr fs:[00000030h] 2_2_0126EB50
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_01274BB0 mov eax, dword ptr fs:[00000030h] 2_2_01274BB0 (2 occurrences)
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011D0BBE mov eax, dword ptr fs:[00000030h] 2_2_011D0BBE (2 occurrences)
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011C0BCD mov eax, dword ptr fs:[00000030h] 2_2_011C0BCD (3 occurrences)
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_0124CBF0 mov eax, dword ptr fs:[00000030h] 2_2_0124CBF0
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011E0BCB mov eax, dword ptr fs:[00000030h] 2_2_011E0BCB (3 occurrences)
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011EEBFC mov eax, dword ptr fs:[00000030h] 2_2_011EEBFC
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011C8BF0 mov eax, dword ptr fs:[00000030h] 2_2_011C8BF0 (3 occurrences)
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_0126EBD0 mov eax, dword ptr fs:[00000030h] 2_2_0126EBD0
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011FCA38 mov eax, dword ptr fs:[00000030h] 2_2_011FCA38
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011E4A35 mov eax, dword ptr fs:[00000030h] 2_2_011E4A35 (2 occurrences)
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011EEA2E mov eax, dword ptr fs:[00000030h] 2_2_011EEA2E
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_0124CA11 mov eax, dword ptr fs:[00000030h] 2_2_0124CA11
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011FCA24 mov eax, dword ptr fs:[00000030h] 2_2_011FCA24
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011D0A5B mov eax, dword ptr fs:[00000030h] 2_2_011D0A5B
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011D0A5B mov eax, dword ptr fs:[00000030h] 2_2_011D0A5B
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_0126EA60 mov eax, dword ptr fs:[00000030h] 2_2_0126EA60
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011C6A50 mov eax, dword ptr fs:[00000030h] 2_2_011C6A50
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011C6A50 mov eax, dword ptr fs:[00000030h] 2_2_011C6A50
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011C6A50 mov eax, dword ptr fs:[00000030h] 2_2_011C6A50
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011C6A50 mov eax, dword ptr fs:[00000030h] 2_2_011C6A50
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011C6A50 mov eax, dword ptr fs:[00000030h] 2_2_011C6A50
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011C6A50 mov eax, dword ptr fs:[00000030h] 2_2_011C6A50
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011C6A50 mov eax, dword ptr fs:[00000030h] 2_2_011C6A50
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_0123CA72 mov eax, dword ptr fs:[00000030h] 2_2_0123CA72
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_0123CA72 mov eax, dword ptr fs:[00000030h] 2_2_0123CA72
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011FCA6F mov eax, dword ptr fs:[00000030h] 2_2_011FCA6F
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011FCA6F mov eax, dword ptr fs:[00000030h] 2_2_011FCA6F
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011FCA6F mov eax, dword ptr fs:[00000030h] 2_2_011FCA6F
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_01216AA4 mov eax, dword ptr fs:[00000030h] 2_2_01216AA4
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011F8A90 mov edx, dword ptr fs:[00000030h] 2_2_011F8A90
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011CEA80 mov eax, dword ptr fs:[00000030h] 2_2_011CEA80
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011CEA80 mov eax, dword ptr fs:[00000030h] 2_2_011CEA80
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011CEA80 mov eax, dword ptr fs:[00000030h] 2_2_011CEA80
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011CEA80 mov eax, dword ptr fs:[00000030h] 2_2_011CEA80
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011CEA80 mov eax, dword ptr fs:[00000030h] 2_2_011CEA80
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011CEA80 mov eax, dword ptr fs:[00000030h] 2_2_011CEA80
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011CEA80 mov eax, dword ptr fs:[00000030h] 2_2_011CEA80
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011CEA80 mov eax, dword ptr fs:[00000030h] 2_2_011CEA80
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011CEA80 mov eax, dword ptr fs:[00000030h] 2_2_011CEA80
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_01294A80 mov eax, dword ptr fs:[00000030h] 2_2_01294A80
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011C8AA0 mov eax, dword ptr fs:[00000030h] 2_2_011C8AA0
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011C8AA0 mov eax, dword ptr fs:[00000030h] 2_2_011C8AA0
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011C0AD0 mov eax, dword ptr fs:[00000030h] 2_2_011C0AD0
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011F4AD0 mov eax, dword ptr fs:[00000030h] 2_2_011F4AD0
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011F4AD0 mov eax, dword ptr fs:[00000030h] 2_2_011F4AD0
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_01216ACC mov eax, dword ptr fs:[00000030h] 2_2_01216ACC
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_01216ACC mov eax, dword ptr fs:[00000030h] 2_2_01216ACC
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_01216ACC mov eax, dword ptr fs:[00000030h] 2_2_01216ACC
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011FAAEE mov eax, dword ptr fs:[00000030h] 2_2_011FAAEE
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011FAAEE mov eax, dword ptr fs:[00000030h] 2_2_011FAAEE
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011F4D1D mov eax, dword ptr fs:[00000030h] 2_2_011F4D1D
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_01248D20 mov eax, dword ptr fs:[00000030h] 2_2_01248D20
Source: C:\Users\user\Desktop\._cache_svchost.exe Code function: 2_2_011B6D10 mov eax, dword ptr fs:[00000030h] 2_2_011B6D10
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe Code function: 0_2_006D0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 0_2_006D0B62
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe Code function: 0_2_006A2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_006A2622
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe Code function: 0_2_0069083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0069083F
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe Code function: 0_2_006909D5 SetUnhandledExceptionFilter, 0_2_006909D5
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe Code function: 0_2_00690C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00690C21

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\1lAxaLKP7E.exe Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 2A25008
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe Code function: 0_2_006D1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 0_2_006D1201
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe Code function: 0_2_006B2BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 0_2_006B2BA5
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe Code function: 0_2_006DB226 SendInput,keybd_event, 0_2_006DB226
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe Code function: 0_2_006F22DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event, 0_2_006F22DA
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\1lAxaLKP7E.exe"
Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Users\user\Desktop\._cache_svchost.exe "C:\Users\user\Desktop\._cache_svchost.exe"
Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\ProgramData\Synaptics\Synaptics.exe "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe Code function: 0_2_006D0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 0_2_006D0B62
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe Code function: 0_2_006D1663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 0_2_006D1663
Source: 1lAxaLKP7E.exe Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: 1lAxaLKP7E.exe Binary or memory string: Shell_TrayWnd
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe Code function: 0_2_00690698 cpuid 0_2_00690698
Source: C:\Windows\SysWOW64\svchost.exe Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 1_2_004061D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: GetLocaleInfoA,GetACP, 1_2_0040E088
Source: C:\Windows\SysWOW64\svchost.exe Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 1_2_004062DC
Source: C:\Windows\SysWOW64\svchost.exe Code function: GetLocaleInfoA, 1_2_0040C964
Source: C:\Windows\SysWOW64\svchost.exe Code function: GetLocaleInfoA, 1_2_0040C9B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: GetLocaleInfoA, 1_2_00406AC6
Source: C:\Windows\SysWOW64\svchost.exe Code function: GetLocaleInfoA, 1_2_00406AC8
Source: C:\Windows\SysWOW64\svchost.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion InstallDate
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe Code function: 0_2_006E8195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW, 0_2_006E8195
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe Code function: 0_2_006CD27A GetUserNameW, 0_2_006CD27A
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe Code function: 0_2_006ABB6F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte, 0_2_006ABB6F
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe Code function: 0_2_006742DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_006742DE

Stealing of Sensitive Information

Source: Yara match File source: 2.2.._cache_svchost.exe.630000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.2178717615.0000000000631000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2178961116.0000000000E20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0.2.1lAxaLKP7E.exe.3640000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.1lAxaLKP7E.exe.3640000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1815969856.0000000003640000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1823152194.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 1lAxaLKP7E.exe PID: 6700, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchost.exe PID: 6888, type: MEMORYSTR
Source: 1lAxaLKP7E.exe Binary or memory string: WIN_81
Source: 1lAxaLKP7E.exe Binary or memory string: WIN_XP
Source: 1lAxaLKP7E.exe Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: 1lAxaLKP7E.exe Binary or memory string: WIN_XPe
Source: 1lAxaLKP7E.exe Binary or memory string: WIN_VISTA
Source: 1lAxaLKP7E.exe Binary or memory string: WIN_7
Source: 1lAxaLKP7E.exe Binary or memory string: WIN_8

Remote Access Functionality

Source: Yara match File source: 2.2.._cache_svchost.exe.630000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.2178717615.0000000000631000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2178961116.0000000000E20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0.2.1lAxaLKP7E.exe.3640000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.1lAxaLKP7E.exe.3640000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1815969856.0000000003640000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1823152194.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 1lAxaLKP7E.exe PID: 6700, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchost.exe PID: 6888, type: MEMORYSTR
Source: C:\Windows\SysWOW64\svchost.exe Code function: cmd.exe /C 1_2_00475384
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe Code function: 0_2_006F1204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket, 0_2_006F1204
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe Code function: 0_2_006F1806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 0_2_006F1806
No contacted IP infos