Windows Analysis Report
1lAxaLKP7E.exe

AI detected suspicious sample

Source: Yara match	File source: 2.2.._cache_svchost.exe.630000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2178717615.0000000000631000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2178961116.0000000000E20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\Desktop\._cache_svchost.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: 1lAxaLKP7E.exe

Joe Sandbox ML: detected

Source: 1lAxaLKP7E.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: wntdll.pdbUGP source: 1lAxaLKP7E.exe, 00000000.00000003.1814634487.0000000003860000.00000004.00001000.00020000.00000000.sdmp, 1lAxaLKP7E.exe, 00000000.00000003.1813379686.00000000038F0000.00000004.00001000.00020000.00000000.sdmp, ._cache_svchost.exe, 00000002.00000003.2147879512.0000000000FE2000.00000004.00000020.00020000.00000000.sdmp, ._cache_svchost.exe, 00000002.00000002.2179114739.0000000001190000.00000040.00001000.00020000.00000000.sdmp, ._cache_svchost.exe, 00000002.00000002.2179114739.000000000132E000.00000040.00001000.00020000.00000000.sdmp, ._cache_svchost.exe, 00000002.00000003.2145891846.0000000000D25000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: 1lAxaLKP7E.exe, 00000000.00000003.1814634487.0000000003860000.00000004.00001000.00020000.00000000.sdmp, 1lAxaLKP7E.exe, 00000000.00000003.1813379686.00000000038F0000.00000004.00001000.00020000.00000000.sdmp, ._cache_svchost.exe, ._cache_svchost.exe, 00000002.00000003.2147879512.0000000000FE2000.00000004.00000020.00020000.00000000.sdmp, ._cache_svchost.exe, 00000002.00000002.2179114739.0000000001190000.00000040.00001000.00020000.00000000.sdmp, ._cache_svchost.exe, 00000002.00000002.2179114739.000000000132E000.00000040.00001000.00020000.00000000.sdmp, ._cache_svchost.exe, 00000002.00000003.2145891846.0000000000D25000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: svchost.exe, 00000001.00000003.1819565454.0000000003099000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1823129114.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Synaptics.exe, 00000007.00000002.1946319184.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Synaptics.exe.1.dr
Source:	Binary string: svchost.pdbUGP source: svchost.exe, 00000001.00000003.1819565454.0000000003099000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1823129114.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Synaptics.exe, 00000007.00000002.1946319184.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Synaptics.exe.1.dr

Source: 1lAxaLKP7E.exe, 00000000.00000002.1815969856.0000000003640000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: [autorun]
Source: 1lAxaLKP7E.exe, 00000000.00000002.1815969856.0000000003640000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: [autorun]
Source: 1lAxaLKP7E.exe, 00000000.00000002.1815969856.0000000003640000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: autorun.inf
Source: svchost.exe	Binary or memory string: autorun.inf
Source: svchost.exe	Binary or memory string: [autorun]
Source: svchost.exe, 00000001.00000002.1823152194.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: [autorun]
Source: svchost.exe, 00000001.00000002.1823152194.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: [autorun]
Source: svchost.exe, 00000001.00000002.1823152194.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: autorun.inf

Source: C:\Users\user\Desktop\1lAxaLKP7E.exe	Code function: 0_2_006DDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_006DDBBE
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe	Code function: 0_2_006E68EE FindFirstFileW,FindClose,	0_2_006E68EE
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe	Code function: 0_2_006E698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_006E698F
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe	Code function: 0_2_006DD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_006DD076
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe	Code function: 0_2_006DD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_006DD3A9
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe	Code function: 0_2_006E9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_006E9642
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe	Code function: 0_2_006E979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_006E979D
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe	Code function: 0_2_006E9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_006E9B2B
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe	Code function: 0_2_006E5C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_006E5C97
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004099E0 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,	1_2_004099E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00406018 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,	1_2_00406018
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00409B1C FindFirstFileA,GetLastError,	1_2_00409B1C

Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Users\user\AppData	Jump to behavior

Source: C:\Users\user\Desktop\1lAxaLKP7E.exe

Code function: 0_2_006ECE44 InternetReadFile,SetEvent,GetLastError,SetEvent,

0_2_006ECE44

Source: svchost.exe, 00000001.00000003.1822907749.0000000004E00000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
Source: svchost.exe, 00000001.00000003.1822907749.0000000004E00000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://xred.site50.net/syn/SSLLibrary.dl
Source: svchost.exe, 00000001.00000002.1823152194.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://xred.site50.net/syn/SSLLibrary.dll
Source: svchost.exe, 00000001.00000002.1823152194.0000000000400000.00000040.80000000.00040000.00000000.sdmp, svchost.exe, 00000001.00000003.1822907749.0000000004E00000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://xred.site50.net/syn/SUpdate.ini
Source: svchost.exe, 00000001.00000003.1822907749.0000000004E00000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://xred.site50.net/syn/SUpdate.iniH)
Source: svchost.exe, 00000001.00000003.1822907749.0000000004E00000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://xred.site50.net/syn/Synaptics.rar
Source: svchost.exe, 00000001.00000003.1822907749.0000000004E00000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=downlo
Source: svchost.exe, 00000001.00000002.1823152194.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
Source: svchost.exe, 00000001.00000003.1822907749.0000000004E00000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloX
Source: svchost.exe, 00000001.00000002.1823152194.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
Source: svchost.exe, 00000001.00000003.1822907749.0000000004E00000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=downloX
Source: svchost.exe, 00000001.00000003.1822907749.0000000004E00000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=downloXO
Source: svchost.exe, 00000001.00000002.1823152194.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download
Source: svchost.exe, 00000001.00000002.1823152194.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
Source: svchost.exe, 00000001.00000003.1822907749.0000000004E00000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=T
Source: svchost.exe, 00000001.00000003.1822907749.0000000004E00000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl
Source: svchost.exe, 00000001.00000002.1823152194.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1
Source: svchost.exe, 00000001.00000003.1822907749.0000000004E00000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

Source: C:\Users\user\Desktop\1lAxaLKP7E.exe

Code function: 0_2_006EEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_006EEAFF

Source: C:\Users\user\Desktop\1lAxaLKP7E.exe

Code function: 0_2_006EED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_006EED6A

Source: C:\Users\user\Desktop\1lAxaLKP7E.exe

0_2_006EEAFF

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 1_2_00429040 GetObjectA,GetDC,CreateCompatibleDC,CreateBitmap,CreateCompatibleBitmap,GetDeviceCaps,GetDeviceCaps,SelectObject,GetDIBColorTable,GetDIBits,SelectObject,CreateDIBSection,GetDIBits,SelectObject,SelectPalette,RealizePalette,FillRect,SetTextColor,SetBkColor,SetDIBColorTable,PatBlt,CreateCompatibleDC,SelectObject,SelectPalette,RealizePalette,SetTextColor,SetBkColor,BitBlt,SelectPalette,SelectObject,DeleteDC,SelectPalette,

1_2_00429040

Source: C:\Users\user\Desktop\1lAxaLKP7E.exe

Code function: 0_2_006DAA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_006DAA57

Source: C:\Users\user\Desktop\1lAxaLKP7E.exe

Code function: 0_2_00709576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00709576

Source: Yara match

File source: Process Memory Space: 1lAxaLKP7E.exe PID: 6700, type: MEMORYSTR

E-Banking Fraud

Malicious sample detected (through community Yara rule)

Source: Yara match	File source: 2.2.._cache_svchost.exe.630000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2178717615.0000000000631000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2178961116.0000000000E20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

System Summary

Source: 2.2.._cache_svchost.exe.630000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.2178717615.0000000000631000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.2178961116.0000000000E20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Binary is likely a compiled AutoIt script file

Source: 1lAxaLKP7E.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: 1lAxaLKP7E.exe, 00000000.00000000.1725274560.0000000000732000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_95e16eda-3
Source: 1lAxaLKP7E.exe, 00000000.00000000.1725274560.0000000000732000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_089325fa-6
Source: 1lAxaLKP7E.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_b4728bad-d
Source: 1lAxaLKP7E.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_c48f032d-1

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0043F118 NtdllDefWindowProc_A,GetCapture,	1_2_0043F118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004598AC NtdllDefWindowProc_A,	1_2_004598AC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0045A054 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,	1_2_0045A054
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0045A104 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,	1_2_0045A104
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0045E9EC SHGetPathFromIDList,SHGetPathFromIDList,NtdllDefWindowProc_A,	1_2_0045E9EC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0044EA40 GetSubMenu,SaveDC,RestoreDC,GetWindowDC,SaveDC,RestoreDC,NtdllDefWindowProc_A,	1_2_0044EA40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0042F60C NtdllDefWindowProc_A,	1_2_0042F60C
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_0065C083 NtClose,	2_2_0065C083
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01202B60 NtClose,LdrInitializeThunk,	2_2_01202B60
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01202DF0 NtQuerySystemInformation,LdrInitializeThunk,	2_2_01202DF0
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01202C70 NtFreeVirtualMemory,LdrInitializeThunk,	2_2_01202C70
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_012035C0 NtCreateMutant,LdrInitializeThunk,	2_2_012035C0
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01204340 NtSetContextThread,	2_2_01204340
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01204650 NtSuspendThread,	2_2_01204650
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01202BA0 NtEnumerateValueKey,	2_2_01202BA0
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01202B80 NtQueryInformationFile,	2_2_01202B80
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01202BE0 NtQueryValueKey,	2_2_01202BE0
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01202BF0 NtAllocateVirtualMemory,	2_2_01202BF0
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01202AB0 NtWaitForSingleObject,	2_2_01202AB0
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01202AF0 NtWriteFile,	2_2_01202AF0
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01202AD0 NtReadFile,	2_2_01202AD0
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01202D30 NtUnmapViewOfSection,	2_2_01202D30
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01202D00 NtSetInformationFile,	2_2_01202D00
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01202D10 NtMapViewOfSection,	2_2_01202D10
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01202DB0 NtEnumerateKey,	2_2_01202DB0
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01202DD0 NtDelayExecution,	2_2_01202DD0
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01202C00 NtQueryInformationProcess,	2_2_01202C00
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01202C60 NtCreateKey,	2_2_01202C60
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01202CA0 NtQueryInformationToken,	2_2_01202CA0
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01202CF0 NtOpenProcess,	2_2_01202CF0
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01202CC0 NtQueryVirtualMemory,	2_2_01202CC0
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01202F30 NtCreateSection,	2_2_01202F30
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01202F60 NtCreateProcessEx,	2_2_01202F60
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01202FA0 NtQuerySection,	2_2_01202FA0
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01202FB0 NtResumeThread,	2_2_01202FB0
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01202F90 NtProtectVirtualMemory,	2_2_01202F90
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01202FE0 NtCreateFile,	2_2_01202FE0
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01202E30 NtWriteVirtualMemory,	2_2_01202E30
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01202EA0 NtAdjustPrivilegesToken,	2_2_01202EA0
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01202E80 NtReadVirtualMemory,	2_2_01202E80
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01202EE0 NtQueueApcThread,	2_2_01202EE0
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01203010 NtOpenDirectoryObject,	2_2_01203010
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01203090 NtSetValueKey,	2_2_01203090
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_012039B0 NtGetContextThread,	2_2_012039B0
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01203D10 NtOpenProcessToken,	2_2_01203D10
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01203D70 NtOpenThread,	2_2_01203D70

Source: C:\Users\user\Desktop\1lAxaLKP7E.exe

Code function: 0_2_006DD5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_006DD5EB

Source: C:\Users\user\Desktop\1lAxaLKP7E.exe

Code function: 0_2_006D1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_006D1201

Source: C:\Users\user\Desktop\1lAxaLKP7E.exe

Code function: 0_2_006DE8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_006DE8F6

Source: C:\Users\user\Desktop\1lAxaLKP7E.exe	Code function: 0_2_0067CAF0	0_2_0067CAF0
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe	Code function: 0_2_0067BF40	0_2_0067BF40
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe	Code function: 0_2_00678060	0_2_00678060
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe	Code function: 0_2_006E2046	0_2_006E2046
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe	Code function: 0_2_006D8298	0_2_006D8298
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe	Code function: 0_2_006AE4FF	0_2_006AE4FF
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe	Code function: 0_2_006A676B	0_2_006A676B
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe	Code function: 0_2_00704873	0_2_00704873
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe	Code function: 0_2_0069CAA0	0_2_0069CAA0
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe	Code function: 0_2_0068CC39	0_2_0068CC39
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe	Code function: 0_2_006A6DD9	0_2_006A6DD9
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe	Code function: 0_2_0068D065	0_2_0068D065
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe	Code function: 0_2_0068B119	0_2_0068B119
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe	Code function: 0_2_006791C0	0_2_006791C0
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe	Code function: 0_2_00691394	0_2_00691394
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe	Code function: 0_2_00691706	0_2_00691706
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe	Code function: 0_2_0069781B	0_2_0069781B
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe	Code function: 0_2_0068997D	0_2_0068997D
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe	Code function: 0_2_00677920	0_2_00677920
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe	Code function: 0_2_006919B0	0_2_006919B0
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe	Code function: 0_2_00697A4A	0_2_00697A4A
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe	Code function: 0_2_00691C77	0_2_00691C77
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe	Code function: 0_2_00697CA7	0_2_00697CA7
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe	Code function: 0_2_006FBE44	0_2_006FBE44
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe	Code function: 0_2_006A9EEE	0_2_006A9EEE
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe	Code function: 0_2_00691F32	0_2_00691F32
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe	Code function: 0_2_00CA35D0	0_2_00CA35D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004601F0	1_2_004601F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0046C7CC	1_2_0046C7CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0048C7F4	1_2_0048C7F4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0044EA40	1_2_0044EA40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00496E18	1_2_00496E18
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0046B1E4	1_2_0046B1E4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0045FCC8	1_2_0045FCC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00453DA4	1_2_00453DA4
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_00631000	2_2_00631000
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_0063F8A3	2_2_0063F8A3
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_00631130	2_2_00631130
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_00646243	2_2_00646243
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_0063FAC3	2_2_0063FAC3
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_00631280	2_2_00631280
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_0063DB43	2_2_0063DB43
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_00631BF7	2_2_00631BF7
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_00632420	2_2_00632420
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_00631C00	2_2_00631C00
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_0065E6B3	2_2_0065E6B3
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_00632FA0	2_2_00632FA0
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011C0100	2_2_011C0100
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_0126A118	2_2_0126A118
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01258158	2_2_01258158
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_012901AA	2_2_012901AA
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_012881CC	2_2_012881CC
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01262000	2_2_01262000
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_0128A352	2_2_0128A352
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_012903E6	2_2_012903E6
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011DE3F0	2_2_011DE3F0
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01270274	2_2_01270274
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_012502C0	2_2_012502C0
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011D0535	2_2_011D0535
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01290591	2_2_01290591
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01274420	2_2_01274420
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01282446	2_2_01282446
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_0127E4F6	2_2_0127E4F6
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011F4750	2_2_011F4750
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011D0770	2_2_011D0770
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011CC7C0	2_2_011CC7C0
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011EC6E0	2_2_011EC6E0
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011E6962	2_2_011E6962
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_0129A9A6	2_2_0129A9A6
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011D29A0	2_2_011D29A0
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011DA840	2_2_011DA840
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011D2840	2_2_011D2840
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011B68B8	2_2_011B68B8
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011FE8F0	2_2_011FE8F0
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_0128AB40	2_2_0128AB40
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01286BD7	2_2_01286BD7
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011CEA80	2_2_011CEA80
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011DAD00	2_2_011DAD00
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_0126CD1F	2_2_0126CD1F
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011E8DBF	2_2_011E8DBF
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011CADE0	2_2_011CADE0
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011D0C00	2_2_011D0C00
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01270CB5	2_2_01270CB5
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011C0CF2	2_2_011C0CF2
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01212F28	2_2_01212F28
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01272F30	2_2_01272F30
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011F0F30	2_2_011F0F30
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01244F40	2_2_01244F40
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_0124EFA0	2_2_0124EFA0
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011C2FC8	2_2_011C2FC8
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_0128EE26	2_2_0128EE26
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011D0E59	2_2_011D0E59
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011E2E90	2_2_011E2E90
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_0128CE93	2_2_0128CE93
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_0128EEDB	2_2_0128EEDB
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_0129B16B	2_2_0129B16B
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_0120516C	2_2_0120516C
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011BF172	2_2_011BF172
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011DB1B0	2_2_011DB1B0
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_012870E9	2_2_012870E9
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_0128F0E0	2_2_0128F0E0
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011D70C0	2_2_011D70C0
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_0127F0CC	2_2_0127F0CC
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_0128132D	2_2_0128132D
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011BD34C	2_2_011BD34C
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_0121739A	2_2_0121739A
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011D52A0	2_2_011D52A0
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_012712ED	2_2_012712ED
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011EB2C0	2_2_011EB2C0
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01287571	2_2_01287571
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_0126D5B0	2_2_0126D5B0
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_0128F43F	2_2_0128F43F
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011C1460	2_2_011C1460
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_0128F7B0	2_2_0128F7B0
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_012816CC	2_2_012816CC
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01265910	2_2_01265910
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011D9950	2_2_011D9950
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011EB950	2_2_011EB950
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_0123D800	2_2_0123D800
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011D38E0	2_2_011D38E0
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_0128FB76	2_2_0128FB76
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011EFB80	2_2_011EFB80
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01245BF0	2_2_01245BF0
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_0120DBF9	2_2_0120DBF9
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01243A6C	2_2_01243A6C
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_0128FA49	2_2_0128FA49
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01287A46	2_2_01287A46
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01215AA0	2_2_01215AA0
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01271AA3	2_2_01271AA3
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_0126DAAC	2_2_0126DAAC
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_0127DAC6	2_2_0127DAC6
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01287D73	2_2_01287D73
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011D3D40	2_2_011D3D40
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01281D5A	2_2_01281D5A
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011EFDC0	2_2_011EFDC0
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01249C32	2_2_01249C32
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_0128FCF2	2_2_0128FCF2
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_0128FF09	2_2_0128FF09
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011D1F92	2_2_011D1F92
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_0128FFB1	2_2_0128FFB1
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011D9EB0	2_2_011D9EB0

Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 0049058C appears 56 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 004109E8 appears 34 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 004049C0 appears 73 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 004070F0 appears 81 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 00404CCC appears 54 times
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: String function: 01205130 appears 58 times
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: String function: 0123EA12 appears 86 times
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: String function: 0124F290 appears 105 times
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: String function: 01217E54 appears 100 times
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: String function: 011BB970 appears 265 times
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe	Code function: String function: 00690A30 appears 46 times
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe	Code function: String function: 0068F9F2 appears 31 times

Source: ._cache_svchost.exe.1.dr

Static PE information: No import functions for PE file found

Source: 1lAxaLKP7E.exe, 00000000.00000003.1813235075.0000000003873000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs 1lAxaLKP7E.exe
Source: 1lAxaLKP7E.exe, 00000000.00000003.1814350551.0000000003B2D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs 1lAxaLKP7E.exe
Source: 1lAxaLKP7E.exe, 00000000.00000002.1815969856.0000000003640000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFileName vs 1lAxaLKP7E.exe
Source: 1lAxaLKP7E.exe, 00000000.00000002.1815969856.0000000003640000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameb! vs 1lAxaLKP7E.exe

Source: 1lAxaLKP7E.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 2.2.._cache_svchost.exe.630000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.2178717615.0000000000631000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.2178961116.0000000000E20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: ._cache_svchost.exe.1.dr

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: ._cache_svchost.exe.1.dr

Static PE information: Section .text

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@8/6@0/0

Source: C:\Users\user\Desktop\1lAxaLKP7E.exe

Code function: 0_2_006E37B5 GetLastError,FormatMessageW,

0_2_006E37B5

Source: C:\Users\user\Desktop\1lAxaLKP7E.exe	Code function: 0_2_006D10BF AdjustTokenPrivileges,CloseHandle,	0_2_006D10BF
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe	Code function: 0_2_006D16C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	0_2_006D16C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00475958 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,GetLastError,GetLastError,	1_2_00475958

Source: C:\Users\user\Desktop\1lAxaLKP7E.exe

Code function: 0_2_006E51CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_006E51CD

Source: C:\Users\user\Desktop\1lAxaLKP7E.exe

Code function: 0_2_006FA67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_006FA67C

Source: C:\Users\user\Desktop\1lAxaLKP7E.exe

Code function: 0_2_006E648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_006E648E

Source: C:\Users\user\Desktop\1lAxaLKP7E.exe

Code function: 0_2_006742A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_006742A2

Source: C:\Windows\SysWOW64\svchost.exe

File created: C:\Users\user\Desktop\._cache_svchost.exe

Source: C:\Windows\SysWOW64\svchost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Synaptics2X

Source: C:\Users\user\Desktop\1lAxaLKP7E.exe

File created: C:\Users\user\AppData\Local\Temp\aut6951.tmp

Source: Yara match	File source: 0.2.1lAxaLKP7E.exe.3640000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.1lAxaLKP7E.exe.3640000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1815969856.0000000003640000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1823152194.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Source: 1lAxaLKP7E.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\svchost.exe

Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Source: C:\Windows\SysWOW64\svchost.exe

File read: C:\Users\user\Desktop\desktop.ini

Source: C:\Users\user\Desktop\1lAxaLKP7E.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: 1lAxaLKP7E.exe

ReversingLabs: Detection: 65%

Source: unknown	Process created: C:\Users\user\Desktop\1lAxaLKP7E.exe "C:\Users\user\Desktop\1lAxaLKP7E.exe"
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\1lAxaLKP7E.exe"
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Users\user\Desktop\._cache_svchost.exe "C:\Users\user\Desktop\._cache_svchost.exe"
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\ProgramData\Synaptics\Synaptics.exe "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
Source: unknown	Process created: C:\ProgramData\Synaptics\Synaptics.exe "C:\ProgramData\Synaptics\Synaptics.exe"
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\1lAxaLKP7E.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Users\user\Desktop\._cache_svchost.exe "C:\Users\user\Desktop\._cache_svchost.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\ProgramData\Synaptics\Synaptics.exe "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate	Jump to behavior

Source: C:\Users\user\Desktop\1lAxaLKP7E.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: twext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: shacct.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: idstore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: starttiledata.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: acppage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: aepic.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wlidprov.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: provsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: twext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: starttiledata.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: acppage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: aepic.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_svchost.exe	Section loaded: apphelp.dll	Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: 1lAxaLKP7E.exe

Static file information: File size 1904640 > 1048576

Source: 1lAxaLKP7E.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 1lAxaLKP7E.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 1lAxaLKP7E.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 1lAxaLKP7E.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 1lAxaLKP7E.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 1lAxaLKP7E.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: 1lAxaLKP7E.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wntdll.pdbUGP source: 1lAxaLKP7E.exe, 00000000.00000003.1814634487.0000000003860000.00000004.00001000.00020000.00000000.sdmp, 1lAxaLKP7E.exe, 00000000.00000003.1813379686.00000000038F0000.00000004.00001000.00020000.00000000.sdmp, ._cache_svchost.exe, 00000002.00000003.2147879512.0000000000FE2000.00000004.00000020.00020000.00000000.sdmp, ._cache_svchost.exe, 00000002.00000002.2179114739.0000000001190000.00000040.00001000.00020000.00000000.sdmp, ._cache_svchost.exe, 00000002.00000002.2179114739.000000000132E000.00000040.00001000.00020000.00000000.sdmp, ._cache_svchost.exe, 00000002.00000003.2145891846.0000000000D25000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: 1lAxaLKP7E.exe, 00000000.00000003.1814634487.0000000003860000.00000004.00001000.00020000.00000000.sdmp, 1lAxaLKP7E.exe, 00000000.00000003.1813379686.00000000038F0000.00000004.00001000.00020000.00000000.sdmp, ._cache_svchost.exe, ._cache_svchost.exe, 00000002.00000003.2147879512.0000000000FE2000.00000004.00000020.00020000.00000000.sdmp, ._cache_svchost.exe, 00000002.00000002.2179114739.0000000001190000.00000040.00001000.00020000.00000000.sdmp, ._cache_svchost.exe, 00000002.00000002.2179114739.000000000132E000.00000040.00001000.00020000.00000000.sdmp, ._cache_svchost.exe, 00000002.00000003.2145891846.0000000000D25000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: svchost.exe, 00000001.00000003.1819565454.0000000003099000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1823129114.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Synaptics.exe, 00000007.00000002.1946319184.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Synaptics.exe.1.dr
Source:	Binary string: svchost.pdbUGP source: svchost.exe, 00000001.00000003.1819565454.0000000003099000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1823129114.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Synaptics.exe, 00000007.00000002.1946319184.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Synaptics.exe.1.dr

Source: 1lAxaLKP7E.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 1lAxaLKP7E.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 1lAxaLKP7E.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 1lAxaLKP7E.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 1lAxaLKP7E.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\1lAxaLKP7E.exe

Code function: 0_2_006742DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

Contains functionality to detect sleep reduction / modifications

Source: Synaptics.exe.1.dr

Static PE information: section name: .didat

Source: C:\Users\user\Desktop\1lAxaLKP7E.exe	Code function: 0_2_00690A76 push ecx; ret	0_2_00690A89
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00446564 push 004465F1h; ret	1_2_004465E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00406B3C push 00406B8Dh; ret	1_2_00406B85
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00478CB0 push 00478D2Dh; ret	1_2_00478D25
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00422044 push ecx; mov dword ptr [esp], edx	1_2_00422049
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0042E010 push 0042E03Ch; ret	1_2_0042E034
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0046C0B0 push ecx; mov dword ptr [esp], eax	1_2_0046C0B2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004761F8 push 0047623Bh; ret	1_2_00476233
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0049419C push 004941CFh; ret	1_2_004941C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0042E1BC push 0042E1E8h; ret	1_2_0042E1E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00480210 push 0048023Ch; ret	1_2_00480234
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004842DC push 00484308h; ret	1_2_00484300
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0048036C push 00480398h; ret	1_2_00480390
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0042C3D0 push 0042C3FCh; ret	1_2_0042C3F4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00432468 push 004324B4h; ret	1_2_004324AC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00486408 push 004864ADh; ret	1_2_004864A5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0047C404 push 0047C430h; ret	1_2_0047C428
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00432404 push 00432447h; ret	1_2_0043243F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004324C0 push 0043250Bh; ret	1_2_00432503
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0042C4C4 push 0042C4F0h; ret	1_2_0042C4E8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004464FC push 00446562h; ret	1_2_0044655A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00490554 push 00490580h; ret	1_2_00490578
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0047A514 push 0047A540h; ret	1_2_0047A538
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00432518 push 00432544h; ret	1_2_0043253C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00496530 push 00496586h; ret	1_2_0049657E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0048859C push 004885DEh; ret	1_2_004885D6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00432650 push 004326C6h; ret	1_2_004326BE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0049A6BC push 0049A745h; ret	1_2_0049A73D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00480744 push 00480770h; ret	1_2_00480768
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0049A750 push 0049A776h; ret	1_2_0049A76E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0048077C push 004807A8h; ret	1_2_004807A0

Source: ._cache_svchost.exe.1.dr

Static PE information: section name: .text entropy: 7.99501507091198

Source: C:\Windows\SysWOW64\svchost.exe	File created: C:\Users\user\Desktop\._cache_svchost.exe			Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe	File created: C:\ProgramData\Synaptics\Synaptics.exe			Jump to dropped file

Source: C:\Windows\SysWOW64\svchost.exe

File created: C:\ProgramData\Synaptics\Synaptics.exe

Jump to dropped file

Source: C:\Windows\SysWOW64\svchost.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Synaptics Pointing Device Driver			Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Synaptics Pointing Device Driver			Jump to behavior

Source: C:\Users\user\Desktop\1lAxaLKP7E.exe	Code function: 0_2_0068F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	0_2_0068F98E
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe	Code function: 0_2_00701C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	0_2_00701C41
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00459934 PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,	1_2_00459934
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0045A054 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,	1_2_0045A054
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0045A104 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,	1_2_0045A104
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0042C6FC IsIconic,GetWindowPlacement,GetWindowRect,	1_2_0042C6FC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0044083C IsIconic,GetCapture,	1_2_0044083C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0045695C SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,	1_2_0045695C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004410F0 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,	1_2_004410F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00441A14 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,	1_2_00441A14

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 1_2_0042E3B4 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

1_2_0042E3B4

Source: C:\Users\user\Desktop\1lAxaLKP7E.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 1_2_00435BD4

1_2_00435BD4

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\1lAxaLKP7E.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-95645

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\1lAxaLKP7E.exe

API/Special instruction interceptor: Address: CA31F4

Source: C:\Users\user\Desktop\._cache_svchost.exe

Code function: 2_2_0120096E rdtsc

2_2_0120096E

Source: C:\Windows\SysWOW64\svchost.exe

Code function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject,

1_2_00458EA4

Source: C:\Users\user\Desktop\1lAxaLKP7E.exe	API coverage: 4.2 %
Source: C:\Windows\SysWOW64\svchost.exe	API coverage: 7.3 %
Source: C:\Users\user\Desktop\._cache_svchost.exe	API coverage: 0.7 %

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 1_2_00435BD4

1_2_00435BD4

Source: C:\Users\user\Desktop\._cache_svchost.exe TID: 7036

Thread sleep time: -30000s >= -30000s

Source: C:\Users\user\Desktop\1lAxaLKP7E.exe	Code function: 0_2_006DDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_006DDBBE
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe	Code function: 0_2_006E68EE FindFirstFileW,FindClose,	0_2_006E68EE
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe	Code function: 0_2_006E698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_006E698F
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe	Code function: 0_2_006DD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_006DD076
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe	Code function: 0_2_006DD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_006DD3A9
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe	Code function: 0_2_006E9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_006E9642
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe	Code function: 0_2_006E979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_006E979D
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe	Code function: 0_2_006E9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_006E9B2B
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe	Code function: 0_2_006E5C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_006E5C97
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004099E0 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,	1_2_004099E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00406018 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,	1_2_00406018
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00409B1C FindFirstFileA,GetLastError,	1_2_00409B1C

Source: C:\Users\user\Desktop\1lAxaLKP7E.exe

Code function: 0_2_006742DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Users\user\AppData	Jump to behavior

Source: svchost.exe, 00000001.00000002.1824644371.0000000003061000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\user\Desktop\._cache_svchost.exe

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\._cache_svchost.exe

Process queried: DebugPort

Source: C:\Users\user\Desktop\._cache_svchost.exe

Code function: 2_2_0120096E rdtsc

2_2_0120096E

Source: C:\Users\user\Desktop\._cache_svchost.exe

Code function: 2_2_006471F3 LdrLoadDll,

2_2_006471F3

Source: C:\Users\user\Desktop\1lAxaLKP7E.exe

Code function: 0_2_006EEAA2 BlockInput,

0_2_006EEAA2

Source: C:\Users\user\Desktop\1lAxaLKP7E.exe

Code function: 0_2_006A2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_006A2622

Source: C:\Users\user\Desktop\1lAxaLKP7E.exe

Code function: 0_2_006742DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\1lAxaLKP7E.exe	Code function: 0_2_00694CE8 mov eax, dword ptr fs:[00000030h]	0_2_00694CE8
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe	Code function: 0_2_00CA34C0 mov eax, dword ptr fs:[00000030h]	0_2_00CA34C0
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe	Code function: 0_2_00CA3460 mov eax, dword ptr fs:[00000030h]	0_2_00CA3460
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe	Code function: 0_2_00CA1E70 mov eax, dword ptr fs:[00000030h]	0_2_00CA1E70
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_0126E10E mov eax, dword ptr fs:[00000030h]	2_2_0126E10E
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_0126E10E mov ecx, dword ptr fs:[00000030h]	2_2_0126E10E
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_0126E10E mov eax, dword ptr fs:[00000030h]	2_2_0126E10E
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_0126E10E mov eax, dword ptr fs:[00000030h]	2_2_0126E10E
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_0126E10E mov ecx, dword ptr fs:[00000030h]	2_2_0126E10E
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_0126E10E mov eax, dword ptr fs:[00000030h]	2_2_0126E10E
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_0126E10E mov eax, dword ptr fs:[00000030h]	2_2_0126E10E
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_0126E10E mov ecx, dword ptr fs:[00000030h]	2_2_0126E10E
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_0126E10E mov eax, dword ptr fs:[00000030h]	2_2_0126E10E
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_0126E10E mov ecx, dword ptr fs:[00000030h]	2_2_0126E10E
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011F0124 mov eax, dword ptr fs:[00000030h]	2_2_011F0124
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01280115 mov eax, dword ptr fs:[00000030h]	2_2_01280115
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_0126A118 mov ecx, dword ptr fs:[00000030h]	2_2_0126A118
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_0126A118 mov eax, dword ptr fs:[00000030h]	2_2_0126A118
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_0126A118 mov eax, dword ptr fs:[00000030h]	2_2_0126A118
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_0126A118 mov eax, dword ptr fs:[00000030h]	2_2_0126A118
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011C6154 mov eax, dword ptr fs:[00000030h]	2_2_011C6154
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011C6154 mov eax, dword ptr fs:[00000030h]	2_2_011C6154
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011BC156 mov eax, dword ptr fs:[00000030h]	2_2_011BC156
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01254144 mov eax, dword ptr fs:[00000030h]	2_2_01254144
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01254144 mov eax, dword ptr fs:[00000030h]	2_2_01254144
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01254144 mov ecx, dword ptr fs:[00000030h]	2_2_01254144
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01254144 mov eax, dword ptr fs:[00000030h]	2_2_01254144
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01254144 mov eax, dword ptr fs:[00000030h]	2_2_01254144
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01258158 mov eax, dword ptr fs:[00000030h]	2_2_01258158
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011BA197 mov eax, dword ptr fs:[00000030h]	2_2_011BA197
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011BA197 mov eax, dword ptr fs:[00000030h]	2_2_011BA197
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011BA197 mov eax, dword ptr fs:[00000030h]	2_2_011BA197
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01200185 mov eax, dword ptr fs:[00000030h]	2_2_01200185
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01264180 mov eax, dword ptr fs:[00000030h]	2_2_01264180
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01264180 mov eax, dword ptr fs:[00000030h]	2_2_01264180
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_0127C188 mov eax, dword ptr fs:[00000030h]	2_2_0127C188
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_0127C188 mov eax, dword ptr fs:[00000030h]	2_2_0127C188
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_0124019F mov eax, dword ptr fs:[00000030h]	2_2_0124019F
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_0124019F mov eax, dword ptr fs:[00000030h]	2_2_0124019F
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_0124019F mov eax, dword ptr fs:[00000030h]	2_2_0124019F
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_0124019F mov eax, dword ptr fs:[00000030h]	2_2_0124019F
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_012961E5 mov eax, dword ptr fs:[00000030h]	2_2_012961E5
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011F01F8 mov eax, dword ptr fs:[00000030h]	2_2_011F01F8
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_012861C3 mov eax, dword ptr fs:[00000030h]	2_2_012861C3
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_012861C3 mov eax, dword ptr fs:[00000030h]	2_2_012861C3
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_0123E1D0 mov eax, dword ptr fs:[00000030h]	2_2_0123E1D0
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_0123E1D0 mov eax, dword ptr fs:[00000030h]	2_2_0123E1D0
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_0123E1D0 mov ecx, dword ptr fs:[00000030h]	2_2_0123E1D0
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_0123E1D0 mov eax, dword ptr fs:[00000030h]	2_2_0123E1D0
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_0123E1D0 mov eax, dword ptr fs:[00000030h]	2_2_0123E1D0
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011DE016 mov eax, dword ptr fs:[00000030h]	2_2_011DE016
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011DE016 mov eax, dword ptr fs:[00000030h]	2_2_011DE016
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011DE016 mov eax, dword ptr fs:[00000030h]	2_2_011DE016
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011DE016 mov eax, dword ptr fs:[00000030h]	2_2_011DE016
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01256030 mov eax, dword ptr fs:[00000030h]	2_2_01256030
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01244000 mov ecx, dword ptr fs:[00000030h]	2_2_01244000
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01262000 mov eax, dword ptr fs:[00000030h]	2_2_01262000
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01262000 mov eax, dword ptr fs:[00000030h]	2_2_01262000
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01262000 mov eax, dword ptr fs:[00000030h]	2_2_01262000
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01262000 mov eax, dword ptr fs:[00000030h]	2_2_01262000
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01262000 mov eax, dword ptr fs:[00000030h]	2_2_01262000
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01262000 mov eax, dword ptr fs:[00000030h]	2_2_01262000
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01262000 mov eax, dword ptr fs:[00000030h]	2_2_01262000
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01262000 mov eax, dword ptr fs:[00000030h]	2_2_01262000
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011BA020 mov eax, dword ptr fs:[00000030h]	2_2_011BA020
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011BC020 mov eax, dword ptr fs:[00000030h]	2_2_011BC020
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011C2050 mov eax, dword ptr fs:[00000030h]	2_2_011C2050
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011EC073 mov eax, dword ptr fs:[00000030h]	2_2_011EC073
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01246050 mov eax, dword ptr fs:[00000030h]	2_2_01246050
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_012580A8 mov eax, dword ptr fs:[00000030h]	2_2_012580A8
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_012860B8 mov eax, dword ptr fs:[00000030h]	2_2_012860B8
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_012860B8 mov ecx, dword ptr fs:[00000030h]	2_2_012860B8
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011C208A mov eax, dword ptr fs:[00000030h]	2_2_011C208A
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_012460E0 mov eax, dword ptr fs:[00000030h]	2_2_012460E0
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_012020F0 mov ecx, dword ptr fs:[00000030h]	2_2_012020F0
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011BC0F0 mov eax, dword ptr fs:[00000030h]	2_2_011BC0F0
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011C80E9 mov eax, dword ptr fs:[00000030h]	2_2_011C80E9
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011BA0E3 mov ecx, dword ptr fs:[00000030h]	2_2_011BA0E3
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_012420DE mov eax, dword ptr fs:[00000030h]	2_2_012420DE
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011BC310 mov ecx, dword ptr fs:[00000030h]	2_2_011BC310
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011E0310 mov ecx, dword ptr fs:[00000030h]	2_2_011E0310
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011FA30B mov eax, dword ptr fs:[00000030h]	2_2_011FA30B
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011FA30B mov eax, dword ptr fs:[00000030h]	2_2_011FA30B
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011FA30B mov eax, dword ptr fs:[00000030h]	2_2_011FA30B
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_0126437C mov eax, dword ptr fs:[00000030h]	2_2_0126437C
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01242349 mov eax, dword ptr fs:[00000030h]	2_2_01242349
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01242349 mov eax, dword ptr fs:[00000030h]	2_2_01242349
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01242349 mov eax, dword ptr fs:[00000030h]	2_2_01242349
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01242349 mov eax, dword ptr fs:[00000030h]	2_2_01242349
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01242349 mov eax, dword ptr fs:[00000030h]	2_2_01242349
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01242349 mov eax, dword ptr fs:[00000030h]	2_2_01242349
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01242349 mov eax, dword ptr fs:[00000030h]	2_2_01242349
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01242349 mov eax, dword ptr fs:[00000030h]	2_2_01242349
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01242349 mov eax, dword ptr fs:[00000030h]	2_2_01242349
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01242349 mov eax, dword ptr fs:[00000030h]	2_2_01242349
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01242349 mov eax, dword ptr fs:[00000030h]	2_2_01242349
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01242349 mov eax, dword ptr fs:[00000030h]	2_2_01242349
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01242349 mov eax, dword ptr fs:[00000030h]	2_2_01242349
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01242349 mov eax, dword ptr fs:[00000030h]	2_2_01242349
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01242349 mov eax, dword ptr fs:[00000030h]	2_2_01242349
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01268350 mov ecx, dword ptr fs:[00000030h]	2_2_01268350
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_0124035C mov eax, dword ptr fs:[00000030h]	2_2_0124035C
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_0124035C mov eax, dword ptr fs:[00000030h]	2_2_0124035C
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_0124035C mov eax, dword ptr fs:[00000030h]	2_2_0124035C
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_0124035C mov ecx, dword ptr fs:[00000030h]	2_2_0124035C
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_0124035C mov eax, dword ptr fs:[00000030h]	2_2_0124035C
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_0124035C mov eax, dword ptr fs:[00000030h]	2_2_0124035C
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_0128A352 mov eax, dword ptr fs:[00000030h]	2_2_0128A352
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011B8397 mov eax, dword ptr fs:[00000030h]	2_2_011B8397
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011B8397 mov eax, dword ptr fs:[00000030h]	2_2_011B8397
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011B8397 mov eax, dword ptr fs:[00000030h]	2_2_011B8397
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011E438F mov eax, dword ptr fs:[00000030h]	2_2_011E438F
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011E438F mov eax, dword ptr fs:[00000030h]	2_2_011E438F
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011BE388 mov eax, dword ptr fs:[00000030h]	2_2_011BE388
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011BE388 mov eax, dword ptr fs:[00000030h]	2_2_011BE388
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011BE388 mov eax, dword ptr fs:[00000030h]	2_2_011BE388
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011CA3C0 mov eax, dword ptr fs:[00000030h]	2_2_011CA3C0
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011CA3C0 mov eax, dword ptr fs:[00000030h]	2_2_011CA3C0
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011CA3C0 mov eax, dword ptr fs:[00000030h]	2_2_011CA3C0
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011CA3C0 mov eax, dword ptr fs:[00000030h]	2_2_011CA3C0
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011CA3C0 mov eax, dword ptr fs:[00000030h]	2_2_011CA3C0
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011CA3C0 mov eax, dword ptr fs:[00000030h]	2_2_011CA3C0
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011C83C0 mov eax, dword ptr fs:[00000030h]	2_2_011C83C0
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011C83C0 mov eax, dword ptr fs:[00000030h]	2_2_011C83C0
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011C83C0 mov eax, dword ptr fs:[00000030h]	2_2_011C83C0
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011C83C0 mov eax, dword ptr fs:[00000030h]	2_2_011C83C0
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011F63FF mov eax, dword ptr fs:[00000030h]	2_2_011F63FF
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_012463C0 mov eax, dword ptr fs:[00000030h]	2_2_012463C0
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_0127C3CD mov eax, dword ptr fs:[00000030h]	2_2_0127C3CD
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011DE3F0 mov eax, dword ptr fs:[00000030h]	2_2_011DE3F0
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011DE3F0 mov eax, dword ptr fs:[00000030h]	2_2_011DE3F0
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011DE3F0 mov eax, dword ptr fs:[00000030h]	2_2_011DE3F0
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_012643D4 mov eax, dword ptr fs:[00000030h]	2_2_012643D4
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_012643D4 mov eax, dword ptr fs:[00000030h]	2_2_012643D4
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011D03E9 mov eax, dword ptr fs:[00000030h]	2_2_011D03E9
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011D03E9 mov eax, dword ptr fs:[00000030h]	2_2_011D03E9
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011D03E9 mov eax, dword ptr fs:[00000030h]	2_2_011D03E9
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011D03E9 mov eax, dword ptr fs:[00000030h]	2_2_011D03E9
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011D03E9 mov eax, dword ptr fs:[00000030h]	2_2_011D03E9
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011D03E9 mov eax, dword ptr fs:[00000030h]	2_2_011D03E9
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011D03E9 mov eax, dword ptr fs:[00000030h]	2_2_011D03E9
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011D03E9 mov eax, dword ptr fs:[00000030h]	2_2_011D03E9
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_0126E3DB mov eax, dword ptr fs:[00000030h]	2_2_0126E3DB
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_0126E3DB mov eax, dword ptr fs:[00000030h]	2_2_0126E3DB
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_0126E3DB mov ecx, dword ptr fs:[00000030h]	2_2_0126E3DB
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_0126E3DB mov eax, dword ptr fs:[00000030h]	2_2_0126E3DB
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011B823B mov eax, dword ptr fs:[00000030h]	2_2_011B823B
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011C6259 mov eax, dword ptr fs:[00000030h]	2_2_011C6259
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011BA250 mov eax, dword ptr fs:[00000030h]	2_2_011BA250
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01270274 mov eax, dword ptr fs:[00000030h]	2_2_01270274
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01270274 mov eax, dword ptr fs:[00000030h]	2_2_01270274
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01270274 mov eax, dword ptr fs:[00000030h]	2_2_01270274
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01270274 mov eax, dword ptr fs:[00000030h]	2_2_01270274
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01270274 mov eax, dword ptr fs:[00000030h]	2_2_01270274
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01270274 mov eax, dword ptr fs:[00000030h]	2_2_01270274
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01270274 mov eax, dword ptr fs:[00000030h]	2_2_01270274
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01270274 mov eax, dword ptr fs:[00000030h]	2_2_01270274
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01270274 mov eax, dword ptr fs:[00000030h]	2_2_01270274
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01270274 mov eax, dword ptr fs:[00000030h]	2_2_01270274
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01270274 mov eax, dword ptr fs:[00000030h]	2_2_01270274
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01270274 mov eax, dword ptr fs:[00000030h]	2_2_01270274
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01248243 mov eax, dword ptr fs:[00000030h]	2_2_01248243
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01248243 mov ecx, dword ptr fs:[00000030h]	2_2_01248243
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011B826B mov eax, dword ptr fs:[00000030h]	2_2_011B826B
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_0127A250 mov eax, dword ptr fs:[00000030h]	2_2_0127A250
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_0127A250 mov eax, dword ptr fs:[00000030h]	2_2_0127A250
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011C4260 mov eax, dword ptr fs:[00000030h]	2_2_011C4260
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011C4260 mov eax, dword ptr fs:[00000030h]	2_2_011C4260
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011C4260 mov eax, dword ptr fs:[00000030h]	2_2_011C4260
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_012562A0 mov eax, dword ptr fs:[00000030h]	2_2_012562A0
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_012562A0 mov ecx, dword ptr fs:[00000030h]	2_2_012562A0
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_012562A0 mov eax, dword ptr fs:[00000030h]	2_2_012562A0
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_012562A0 mov eax, dword ptr fs:[00000030h]	2_2_012562A0
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_012562A0 mov eax, dword ptr fs:[00000030h]	2_2_012562A0
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_012562A0 mov eax, dword ptr fs:[00000030h]	2_2_012562A0
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011FE284 mov eax, dword ptr fs:[00000030h]	2_2_011FE284
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011FE284 mov eax, dword ptr fs:[00000030h]	2_2_011FE284
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01240283 mov eax, dword ptr fs:[00000030h]	2_2_01240283
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01240283 mov eax, dword ptr fs:[00000030h]	2_2_01240283
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01240283 mov eax, dword ptr fs:[00000030h]	2_2_01240283
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011D02A0 mov eax, dword ptr fs:[00000030h]	2_2_011D02A0
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011D02A0 mov eax, dword ptr fs:[00000030h]	2_2_011D02A0
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011CA2C3 mov eax, dword ptr fs:[00000030h]	2_2_011CA2C3
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011CA2C3 mov eax, dword ptr fs:[00000030h]	2_2_011CA2C3
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011CA2C3 mov eax, dword ptr fs:[00000030h]	2_2_011CA2C3
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011CA2C3 mov eax, dword ptr fs:[00000030h]	2_2_011CA2C3
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011CA2C3 mov eax, dword ptr fs:[00000030h]	2_2_011CA2C3
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011D02E1 mov eax, dword ptr fs:[00000030h]	2_2_011D02E1
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011D02E1 mov eax, dword ptr fs:[00000030h]	2_2_011D02E1
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011D02E1 mov eax, dword ptr fs:[00000030h]	2_2_011D02E1
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011EE53E mov eax, dword ptr fs:[00000030h]	2_2_011EE53E
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011EE53E mov eax, dword ptr fs:[00000030h]	2_2_011EE53E
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011EE53E mov eax, dword ptr fs:[00000030h]	2_2_011EE53E
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011EE53E mov eax, dword ptr fs:[00000030h]	2_2_011EE53E
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011EE53E mov eax, dword ptr fs:[00000030h]	2_2_011EE53E
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01256500 mov eax, dword ptr fs:[00000030h]	2_2_01256500
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011D0535 mov eax, dword ptr fs:[00000030h]	2_2_011D0535
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011D0535 mov eax, dword ptr fs:[00000030h]	2_2_011D0535
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011D0535 mov eax, dword ptr fs:[00000030h]	2_2_011D0535
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011D0535 mov eax, dword ptr fs:[00000030h]	2_2_011D0535
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011D0535 mov eax, dword ptr fs:[00000030h]	2_2_011D0535
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011D0535 mov eax, dword ptr fs:[00000030h]	2_2_011D0535
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01294500 mov eax, dword ptr fs:[00000030h]	2_2_01294500
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01294500 mov eax, dword ptr fs:[00000030h]	2_2_01294500
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01294500 mov eax, dword ptr fs:[00000030h]	2_2_01294500
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01294500 mov eax, dword ptr fs:[00000030h]	2_2_01294500
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01294500 mov eax, dword ptr fs:[00000030h]	2_2_01294500
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01294500 mov eax, dword ptr fs:[00000030h]	2_2_01294500
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01294500 mov eax, dword ptr fs:[00000030h]	2_2_01294500
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011C8550 mov eax, dword ptr fs:[00000030h]	2_2_011C8550
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011C8550 mov eax, dword ptr fs:[00000030h]	2_2_011C8550
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011F656A mov eax, dword ptr fs:[00000030h]	2_2_011F656A
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011F656A mov eax, dword ptr fs:[00000030h]	2_2_011F656A
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011F656A mov eax, dword ptr fs:[00000030h]	2_2_011F656A
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011FE59C mov eax, dword ptr fs:[00000030h]	2_2_011FE59C
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_012405A7 mov eax, dword ptr fs:[00000030h]	2_2_012405A7
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_012405A7 mov eax, dword ptr fs:[00000030h]	2_2_012405A7
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_012405A7 mov eax, dword ptr fs:[00000030h]	2_2_012405A7
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011F4588 mov eax, dword ptr fs:[00000030h]	2_2_011F4588
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011C2582 mov eax, dword ptr fs:[00000030h]	2_2_011C2582
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011C2582 mov ecx, dword ptr fs:[00000030h]	2_2_011C2582
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011E45B1 mov eax, dword ptr fs:[00000030h]	2_2_011E45B1
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011E45B1 mov eax, dword ptr fs:[00000030h]	2_2_011E45B1
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011C65D0 mov eax, dword ptr fs:[00000030h]	2_2_011C65D0
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011FA5D0 mov eax, dword ptr fs:[00000030h]	2_2_011FA5D0
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011FA5D0 mov eax, dword ptr fs:[00000030h]	2_2_011FA5D0
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011FE5CF mov eax, dword ptr fs:[00000030h]	2_2_011FE5CF
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011FE5CF mov eax, dword ptr fs:[00000030h]	2_2_011FE5CF
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011FC5ED mov eax, dword ptr fs:[00000030h]	2_2_011FC5ED
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011FC5ED mov eax, dword ptr fs:[00000030h]	2_2_011FC5ED
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011EE5E7 mov eax, dword ptr fs:[00000030h]	2_2_011EE5E7
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011EE5E7 mov eax, dword ptr fs:[00000030h]	2_2_011EE5E7
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011EE5E7 mov eax, dword ptr fs:[00000030h]	2_2_011EE5E7
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011EE5E7 mov eax, dword ptr fs:[00000030h]	2_2_011EE5E7
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011EE5E7 mov eax, dword ptr fs:[00000030h]	2_2_011EE5E7
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011EE5E7 mov eax, dword ptr fs:[00000030h]	2_2_011EE5E7
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011EE5E7 mov eax, dword ptr fs:[00000030h]	2_2_011EE5E7
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011EE5E7 mov eax, dword ptr fs:[00000030h]	2_2_011EE5E7
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011C25E0 mov eax, dword ptr fs:[00000030h]	2_2_011C25E0
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01246420 mov eax, dword ptr fs:[00000030h]	2_2_01246420
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01246420 mov eax, dword ptr fs:[00000030h]	2_2_01246420
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01246420 mov eax, dword ptr fs:[00000030h]	2_2_01246420
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01246420 mov eax, dword ptr fs:[00000030h]	2_2_01246420
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01246420 mov eax, dword ptr fs:[00000030h]	2_2_01246420
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01246420 mov eax, dword ptr fs:[00000030h]	2_2_01246420
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01246420 mov eax, dword ptr fs:[00000030h]	2_2_01246420
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011F8402 mov eax, dword ptr fs:[00000030h]	2_2_011F8402
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011F8402 mov eax, dword ptr fs:[00000030h]	2_2_011F8402
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011F8402 mov eax, dword ptr fs:[00000030h]	2_2_011F8402
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011FA430 mov eax, dword ptr fs:[00000030h]	2_2_011FA430
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011BE420 mov eax, dword ptr fs:[00000030h]	2_2_011BE420
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011BE420 mov eax, dword ptr fs:[00000030h]	2_2_011BE420
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011BE420 mov eax, dword ptr fs:[00000030h]	2_2_011BE420
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011BC427 mov eax, dword ptr fs:[00000030h]	2_2_011BC427
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011E245A mov eax, dword ptr fs:[00000030h]	2_2_011E245A
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_0124C460 mov ecx, dword ptr fs:[00000030h]	2_2_0124C460
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011B645D mov eax, dword ptr fs:[00000030h]	2_2_011B645D
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011FE443 mov eax, dword ptr fs:[00000030h]	2_2_011FE443
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011FE443 mov eax, dword ptr fs:[00000030h]	2_2_011FE443
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011FE443 mov eax, dword ptr fs:[00000030h]	2_2_011FE443
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011FE443 mov eax, dword ptr fs:[00000030h]	2_2_011FE443
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011FE443 mov eax, dword ptr fs:[00000030h]	2_2_011FE443
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011FE443 mov eax, dword ptr fs:[00000030h]	2_2_011FE443
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011FE443 mov eax, dword ptr fs:[00000030h]	2_2_011FE443
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011FE443 mov eax, dword ptr fs:[00000030h]	2_2_011FE443
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011EA470 mov eax, dword ptr fs:[00000030h]	2_2_011EA470
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011EA470 mov eax, dword ptr fs:[00000030h]	2_2_011EA470
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011EA470 mov eax, dword ptr fs:[00000030h]	2_2_011EA470
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_0127A456 mov eax, dword ptr fs:[00000030h]	2_2_0127A456
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_0124A4B0 mov eax, dword ptr fs:[00000030h]	2_2_0124A4B0
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011F44B0 mov ecx, dword ptr fs:[00000030h]	2_2_011F44B0
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011C64AB mov eax, dword ptr fs:[00000030h]	2_2_011C64AB
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_0127A49A mov eax, dword ptr fs:[00000030h]	2_2_0127A49A
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011C04E5 mov ecx, dword ptr fs:[00000030h]	2_2_011C04E5
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011C0710 mov eax, dword ptr fs:[00000030h]	2_2_011C0710
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011F0710 mov eax, dword ptr fs:[00000030h]	2_2_011F0710
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_0123C730 mov eax, dword ptr fs:[00000030h]	2_2_0123C730
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011FC700 mov eax, dword ptr fs:[00000030h]	2_2_011FC700
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011F273C mov eax, dword ptr fs:[00000030h]	2_2_011F273C
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011F273C mov ecx, dword ptr fs:[00000030h]	2_2_011F273C
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011F273C mov eax, dword ptr fs:[00000030h]	2_2_011F273C
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011FC720 mov eax, dword ptr fs:[00000030h]	2_2_011FC720
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011FC720 mov eax, dword ptr fs:[00000030h]	2_2_011FC720
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011C0750 mov eax, dword ptr fs:[00000030h]	2_2_011C0750
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011F674D mov esi, dword ptr fs:[00000030h]	2_2_011F674D
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011F674D mov eax, dword ptr fs:[00000030h]	2_2_011F674D
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011F674D mov eax, dword ptr fs:[00000030h]	2_2_011F674D
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011C8770 mov eax, dword ptr fs:[00000030h]	2_2_011C8770
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011D0770 mov eax, dword ptr fs:[00000030h]	2_2_011D0770
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011D0770 mov eax, dword ptr fs:[00000030h]	2_2_011D0770
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011D0770 mov eax, dword ptr fs:[00000030h]	2_2_011D0770
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011D0770 mov eax, dword ptr fs:[00000030h]	2_2_011D0770
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011D0770 mov eax, dword ptr fs:[00000030h]	2_2_011D0770
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011D0770 mov eax, dword ptr fs:[00000030h]	2_2_011D0770
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011D0770 mov eax, dword ptr fs:[00000030h]	2_2_011D0770
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011D0770 mov eax, dword ptr fs:[00000030h]	2_2_011D0770
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011D0770 mov eax, dword ptr fs:[00000030h]	2_2_011D0770
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011D0770 mov eax, dword ptr fs:[00000030h]	2_2_011D0770
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011D0770 mov eax, dword ptr fs:[00000030h]	2_2_011D0770
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011D0770 mov eax, dword ptr fs:[00000030h]	2_2_011D0770
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01202750 mov eax, dword ptr fs:[00000030h]	2_2_01202750
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01202750 mov eax, dword ptr fs:[00000030h]	2_2_01202750
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01244755 mov eax, dword ptr fs:[00000030h]	2_2_01244755
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_0124E75D mov eax, dword ptr fs:[00000030h]	2_2_0124E75D
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_012747A0 mov eax, dword ptr fs:[00000030h]	2_2_012747A0
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_0126678E mov eax, dword ptr fs:[00000030h]	2_2_0126678E
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011C07AF mov eax, dword ptr fs:[00000030h]	2_2_011C07AF
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_0124E7E1 mov eax, dword ptr fs:[00000030h]	2_2_0124E7E1
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011CC7C0 mov eax, dword ptr fs:[00000030h]	2_2_011CC7C0
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011C47FB mov eax, dword ptr fs:[00000030h]	2_2_011C47FB
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011C47FB mov eax, dword ptr fs:[00000030h]	2_2_011C47FB
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_012407C3 mov eax, dword ptr fs:[00000030h]	2_2_012407C3
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011E27ED mov eax, dword ptr fs:[00000030h]	2_2_011E27ED
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011E27ED mov eax, dword ptr fs:[00000030h]	2_2_011E27ED
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011E27ED mov eax, dword ptr fs:[00000030h]	2_2_011E27ED
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011D260B mov eax, dword ptr fs:[00000030h]	2_2_011D260B
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011D260B mov eax, dword ptr fs:[00000030h]	2_2_011D260B
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011D260B mov eax, dword ptr fs:[00000030h]	2_2_011D260B
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011D260B mov eax, dword ptr fs:[00000030h]	2_2_011D260B
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011D260B mov eax, dword ptr fs:[00000030h]	2_2_011D260B
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011D260B mov eax, dword ptr fs:[00000030h]	2_2_011D260B
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011D260B mov eax, dword ptr fs:[00000030h]	2_2_011D260B
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_0123E609 mov eax, dword ptr fs:[00000030h]	2_2_0123E609
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011C262C mov eax, dword ptr fs:[00000030h]	2_2_011C262C
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01202619 mov eax, dword ptr fs:[00000030h]	2_2_01202619
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011DE627 mov eax, dword ptr fs:[00000030h]	2_2_011DE627
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011F6620 mov eax, dword ptr fs:[00000030h]	2_2_011F6620
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011F8620 mov eax, dword ptr fs:[00000030h]	2_2_011F8620
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_0128866E mov eax, dword ptr fs:[00000030h]	2_2_0128866E
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_0128866E mov eax, dword ptr fs:[00000030h]	2_2_0128866E
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011DC640 mov eax, dword ptr fs:[00000030h]	2_2_011DC640
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011F2674 mov eax, dword ptr fs:[00000030h]	2_2_011F2674
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011FA660 mov eax, dword ptr fs:[00000030h]	2_2_011FA660
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011FA660 mov eax, dword ptr fs:[00000030h]	2_2_011FA660
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011C4690 mov eax, dword ptr fs:[00000030h]	2_2_011C4690
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011C4690 mov eax, dword ptr fs:[00000030h]	2_2_011C4690
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011F66B0 mov eax, dword ptr fs:[00000030h]	2_2_011F66B0
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011FC6A6 mov eax, dword ptr fs:[00000030h]	2_2_011FC6A6
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_0123E6F2 mov eax, dword ptr fs:[00000030h]	2_2_0123E6F2
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_0123E6F2 mov eax, dword ptr fs:[00000030h]	2_2_0123E6F2
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_0123E6F2 mov eax, dword ptr fs:[00000030h]	2_2_0123E6F2
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_0123E6F2 mov eax, dword ptr fs:[00000030h]	2_2_0123E6F2
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_012406F1 mov eax, dword ptr fs:[00000030h]	2_2_012406F1
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_012406F1 mov eax, dword ptr fs:[00000030h]	2_2_012406F1
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011FA6C7 mov ebx, dword ptr fs:[00000030h]	2_2_011FA6C7
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011FA6C7 mov eax, dword ptr fs:[00000030h]	2_2_011FA6C7
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011B8918 mov eax, dword ptr fs:[00000030h]	2_2_011B8918
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011B8918 mov eax, dword ptr fs:[00000030h]	2_2_011B8918
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_0124892A mov eax, dword ptr fs:[00000030h]	2_2_0124892A
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_0125892B mov eax, dword ptr fs:[00000030h]	2_2_0125892B
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_0123E908 mov eax, dword ptr fs:[00000030h]	2_2_0123E908
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_0123E908 mov eax, dword ptr fs:[00000030h]	2_2_0123E908
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_0124C912 mov eax, dword ptr fs:[00000030h]	2_2_0124C912
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_0120096E mov eax, dword ptr fs:[00000030h]	2_2_0120096E
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_0120096E mov edx, dword ptr fs:[00000030h]	2_2_0120096E
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_0120096E mov eax, dword ptr fs:[00000030h]	2_2_0120096E
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_0124C97C mov eax, dword ptr fs:[00000030h]	2_2_0124C97C
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01264978 mov eax, dword ptr fs:[00000030h]	2_2_01264978
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01264978 mov eax, dword ptr fs:[00000030h]	2_2_01264978
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01240946 mov eax, dword ptr fs:[00000030h]	2_2_01240946
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011E6962 mov eax, dword ptr fs:[00000030h]	2_2_011E6962
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011E6962 mov eax, dword ptr fs:[00000030h]	2_2_011E6962
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011E6962 mov eax, dword ptr fs:[00000030h]	2_2_011E6962
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_012489B3 mov esi, dword ptr fs:[00000030h]	2_2_012489B3
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_012489B3 mov eax, dword ptr fs:[00000030h]	2_2_012489B3
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_012489B3 mov eax, dword ptr fs:[00000030h]	2_2_012489B3
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011C09AD mov eax, dword ptr fs:[00000030h]	2_2_011C09AD
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011C09AD mov eax, dword ptr fs:[00000030h]	2_2_011C09AD
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011D29A0 mov eax, dword ptr fs:[00000030h]	2_2_011D29A0
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011D29A0 mov eax, dword ptr fs:[00000030h]	2_2_011D29A0
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011D29A0 mov eax, dword ptr fs:[00000030h]	2_2_011D29A0
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011D29A0 mov eax, dword ptr fs:[00000030h]	2_2_011D29A0
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011D29A0 mov eax, dword ptr fs:[00000030h]	2_2_011D29A0
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011D29A0 mov eax, dword ptr fs:[00000030h]	2_2_011D29A0
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011D29A0 mov eax, dword ptr fs:[00000030h]	2_2_011D29A0
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011D29A0 mov eax, dword ptr fs:[00000030h]	2_2_011D29A0
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011D29A0 mov eax, dword ptr fs:[00000030h]	2_2_011D29A0
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011D29A0 mov eax, dword ptr fs:[00000030h]	2_2_011D29A0
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011D29A0 mov eax, dword ptr fs:[00000030h]	2_2_011D29A0
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011D29A0 mov eax, dword ptr fs:[00000030h]	2_2_011D29A0
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011D29A0 mov eax, dword ptr fs:[00000030h]	2_2_011D29A0
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_0124E9E0 mov eax, dword ptr fs:[00000030h]	2_2_0124E9E0
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011CA9D0 mov eax, dword ptr fs:[00000030h]	2_2_011CA9D0
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011CA9D0 mov eax, dword ptr fs:[00000030h]	2_2_011CA9D0
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011CA9D0 mov eax, dword ptr fs:[00000030h]	2_2_011CA9D0
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011CA9D0 mov eax, dword ptr fs:[00000030h]	2_2_011CA9D0
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011CA9D0 mov eax, dword ptr fs:[00000030h]	2_2_011CA9D0
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011CA9D0 mov eax, dword ptr fs:[00000030h]	2_2_011CA9D0
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011F49D0 mov eax, dword ptr fs:[00000030h]	2_2_011F49D0
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_012569C0 mov eax, dword ptr fs:[00000030h]	2_2_012569C0
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011F29F9 mov eax, dword ptr fs:[00000030h]	2_2_011F29F9
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011F29F9 mov eax, dword ptr fs:[00000030h]	2_2_011F29F9
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_0128A9D3 mov eax, dword ptr fs:[00000030h]	2_2_0128A9D3
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_0126483A mov eax, dword ptr fs:[00000030h]	2_2_0126483A
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_0126483A mov eax, dword ptr fs:[00000030h]	2_2_0126483A
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011E2835 mov eax, dword ptr fs:[00000030h]	2_2_011E2835
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011E2835 mov eax, dword ptr fs:[00000030h]	2_2_011E2835
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011E2835 mov eax, dword ptr fs:[00000030h]	2_2_011E2835
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011E2835 mov ecx, dword ptr fs:[00000030h]	2_2_011E2835
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011E2835 mov eax, dword ptr fs:[00000030h]	2_2_011E2835
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011E2835 mov eax, dword ptr fs:[00000030h]	2_2_011E2835
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011FA830 mov eax, dword ptr fs:[00000030h]	2_2_011FA830
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_0124C810 mov eax, dword ptr fs:[00000030h]	2_2_0124C810
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011C4859 mov eax, dword ptr fs:[00000030h]	2_2_011C4859
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011C4859 mov eax, dword ptr fs:[00000030h]	2_2_011C4859
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011F0854 mov eax, dword ptr fs:[00000030h]	2_2_011F0854
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01256870 mov eax, dword ptr fs:[00000030h]	2_2_01256870
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01256870 mov eax, dword ptr fs:[00000030h]	2_2_01256870
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_0124E872 mov eax, dword ptr fs:[00000030h]	2_2_0124E872
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_0124E872 mov eax, dword ptr fs:[00000030h]	2_2_0124E872
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011D2840 mov ecx, dword ptr fs:[00000030h]	2_2_011D2840
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011C0887 mov eax, dword ptr fs:[00000030h]	2_2_011C0887
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_0124C89D mov eax, dword ptr fs:[00000030h]	2_2_0124C89D
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_0128A8E4 mov eax, dword ptr fs:[00000030h]	2_2_0128A8E4
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011EE8C0 mov eax, dword ptr fs:[00000030h]	2_2_011EE8C0
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011FC8F9 mov eax, dword ptr fs:[00000030h]	2_2_011FC8F9
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011FC8F9 mov eax, dword ptr fs:[00000030h]	2_2_011FC8F9
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01288B28 mov eax, dword ptr fs:[00000030h]	2_2_01288B28
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01288B28 mov eax, dword ptr fs:[00000030h]	2_2_01288B28
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_0123EB1D mov eax, dword ptr fs:[00000030h]	2_2_0123EB1D
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_0123EB1D mov eax, dword ptr fs:[00000030h]	2_2_0123EB1D
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_0123EB1D mov eax, dword ptr fs:[00000030h]	2_2_0123EB1D
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_0123EB1D mov eax, dword ptr fs:[00000030h]	2_2_0123EB1D
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_0123EB1D mov eax, dword ptr fs:[00000030h]	2_2_0123EB1D
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_0123EB1D mov eax, dword ptr fs:[00000030h]	2_2_0123EB1D
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_0123EB1D mov eax, dword ptr fs:[00000030h]	2_2_0123EB1D
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_0123EB1D mov eax, dword ptr fs:[00000030h]	2_2_0123EB1D
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_0123EB1D mov eax, dword ptr fs:[00000030h]	2_2_0123EB1D
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011EEB20 mov eax, dword ptr fs:[00000030h]	2_2_011EEB20
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011EEB20 mov eax, dword ptr fs:[00000030h]	2_2_011EEB20
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01268B42 mov eax, dword ptr fs:[00000030h]	2_2_01268B42
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01256B40 mov eax, dword ptr fs:[00000030h]	2_2_01256B40
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01256B40 mov eax, dword ptr fs:[00000030h]	2_2_01256B40
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011BCB7E mov eax, dword ptr fs:[00000030h]	2_2_011BCB7E
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_0128AB40 mov eax, dword ptr fs:[00000030h]	2_2_0128AB40
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01274B4B mov eax, dword ptr fs:[00000030h]	2_2_01274B4B
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01274B4B mov eax, dword ptr fs:[00000030h]	2_2_01274B4B
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_0126EB50 mov eax, dword ptr fs:[00000030h]	2_2_0126EB50
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01274BB0 mov eax, dword ptr fs:[00000030h]	2_2_01274BB0
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01274BB0 mov eax, dword ptr fs:[00000030h]	2_2_01274BB0
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011D0BBE mov eax, dword ptr fs:[00000030h]	2_2_011D0BBE
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011D0BBE mov eax, dword ptr fs:[00000030h]	2_2_011D0BBE
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011C0BCD mov eax, dword ptr fs:[00000030h]	2_2_011C0BCD
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011C0BCD mov eax, dword ptr fs:[00000030h]	2_2_011C0BCD
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011C0BCD mov eax, dword ptr fs:[00000030h]	2_2_011C0BCD
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_0124CBF0 mov eax, dword ptr fs:[00000030h]	2_2_0124CBF0
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011E0BCB mov eax, dword ptr fs:[00000030h]	2_2_011E0BCB
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011E0BCB mov eax, dword ptr fs:[00000030h]	2_2_011E0BCB
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011E0BCB mov eax, dword ptr fs:[00000030h]	2_2_011E0BCB
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011EEBFC mov eax, dword ptr fs:[00000030h]	2_2_011EEBFC
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011C8BF0 mov eax, dword ptr fs:[00000030h]	2_2_011C8BF0
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011C8BF0 mov eax, dword ptr fs:[00000030h]	2_2_011C8BF0
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011C8BF0 mov eax, dword ptr fs:[00000030h]	2_2_011C8BF0
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_0126EBD0 mov eax, dword ptr fs:[00000030h]	2_2_0126EBD0
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011FCA38 mov eax, dword ptr fs:[00000030h]	2_2_011FCA38
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011E4A35 mov eax, dword ptr fs:[00000030h]	2_2_011E4A35
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011E4A35 mov eax, dword ptr fs:[00000030h]	2_2_011E4A35
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011EEA2E mov eax, dword ptr fs:[00000030h]	2_2_011EEA2E
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_0124CA11 mov eax, dword ptr fs:[00000030h]	2_2_0124CA11
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011FCA24 mov eax, dword ptr fs:[00000030h]	2_2_011FCA24
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011D0A5B mov eax, dword ptr fs:[00000030h]	2_2_011D0A5B
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011D0A5B mov eax, dword ptr fs:[00000030h]	2_2_011D0A5B
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_0126EA60 mov eax, dword ptr fs:[00000030h]	2_2_0126EA60
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011C6A50 mov eax, dword ptr fs:[00000030h]	2_2_011C6A50
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011C6A50 mov eax, dword ptr fs:[00000030h]	2_2_011C6A50
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011C6A50 mov eax, dword ptr fs:[00000030h]	2_2_011C6A50
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011C6A50 mov eax, dword ptr fs:[00000030h]	2_2_011C6A50
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011C6A50 mov eax, dword ptr fs:[00000030h]	2_2_011C6A50
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011C6A50 mov eax, dword ptr fs:[00000030h]	2_2_011C6A50
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011C6A50 mov eax, dword ptr fs:[00000030h]	2_2_011C6A50
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_0123CA72 mov eax, dword ptr fs:[00000030h]	2_2_0123CA72
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_0123CA72 mov eax, dword ptr fs:[00000030h]	2_2_0123CA72
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011FCA6F mov eax, dword ptr fs:[00000030h]	2_2_011FCA6F
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011FCA6F mov eax, dword ptr fs:[00000030h]	2_2_011FCA6F
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011FCA6F mov eax, dword ptr fs:[00000030h]	2_2_011FCA6F
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01216AA4 mov eax, dword ptr fs:[00000030h]	2_2_01216AA4
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011F8A90 mov edx, dword ptr fs:[00000030h]	2_2_011F8A90
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011CEA80 mov eax, dword ptr fs:[00000030h]	2_2_011CEA80
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011CEA80 mov eax, dword ptr fs:[00000030h]	2_2_011CEA80
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011CEA80 mov eax, dword ptr fs:[00000030h]	2_2_011CEA80
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011CEA80 mov eax, dword ptr fs:[00000030h]	2_2_011CEA80
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011CEA80 mov eax, dword ptr fs:[00000030h]	2_2_011CEA80
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011CEA80 mov eax, dword ptr fs:[00000030h]	2_2_011CEA80
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011CEA80 mov eax, dword ptr fs:[00000030h]	2_2_011CEA80
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011CEA80 mov eax, dword ptr fs:[00000030h]	2_2_011CEA80
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011CEA80 mov eax, dword ptr fs:[00000030h]	2_2_011CEA80
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01294A80 mov eax, dword ptr fs:[00000030h]	2_2_01294A80
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011C8AA0 mov eax, dword ptr fs:[00000030h]	2_2_011C8AA0
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011C8AA0 mov eax, dword ptr fs:[00000030h]	2_2_011C8AA0
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011C0AD0 mov eax, dword ptr fs:[00000030h]	2_2_011C0AD0
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011F4AD0 mov eax, dword ptr fs:[00000030h]	2_2_011F4AD0
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011F4AD0 mov eax, dword ptr fs:[00000030h]	2_2_011F4AD0
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01216ACC mov eax, dword ptr fs:[00000030h]	2_2_01216ACC
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01216ACC mov eax, dword ptr fs:[00000030h]	2_2_01216ACC
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01216ACC mov eax, dword ptr fs:[00000030h]	2_2_01216ACC
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011FAAEE mov eax, dword ptr fs:[00000030h]	2_2_011FAAEE
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011FAAEE mov eax, dword ptr fs:[00000030h]	2_2_011FAAEE
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011F4D1D mov eax, dword ptr fs:[00000030h]	2_2_011F4D1D
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_01248D20 mov eax, dword ptr fs:[00000030h]	2_2_01248D20
Source: C:\Users\user\Desktop\._cache_svchost.exe	Code function: 2_2_011B6D10 mov eax, dword ptr fs:[00000030h]	2_2_011B6D10

Source: C:\Users\user\Desktop\1lAxaLKP7E.exe

Code function: 0_2_006D0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_006D0B62

Source: C:\Users\user\Desktop\1lAxaLKP7E.exe	Code function: 0_2_006A2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_006A2622
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe	Code function: 0_2_0069083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0069083F
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe	Code function: 0_2_006909D5 SetUnhandledExceptionFilter,	0_2_006909D5
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe	Code function: 0_2_00690C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00690C21

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\1lAxaLKP7E.exe

Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write

Writes to foreign memory regions

Source: C:\Users\user\Desktop\1lAxaLKP7E.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: 2A25008

Source: C:\Users\user\Desktop\1lAxaLKP7E.exe

0_2_006D1201

Source: C:\Users\user\Desktop\1lAxaLKP7E.exe

Code function: 0_2_006B2BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_006B2BA5

Source: C:\Users\user\Desktop\1lAxaLKP7E.exe

Code function: 0_2_006DB226 SendInput,keybd_event,

0_2_006DB226

Source: C:\Users\user\Desktop\1lAxaLKP7E.exe

Code function: 0_2_006F22DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_006F22DA

Source: C:\Users\user\Desktop\1lAxaLKP7E.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\1lAxaLKP7E.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Users\user\Desktop\._cache_svchost.exe "C:\Users\user\Desktop\._cache_svchost.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\ProgramData\Synaptics\Synaptics.exe "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate	Jump to behavior

Source: C:\Users\user\Desktop\1lAxaLKP7E.exe

0_2_006D0B62

Source: C:\Users\user\Desktop\1lAxaLKP7E.exe

Code function: 0_2_006D1663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_006D1663

Source: 1lAxaLKP7E.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: 1lAxaLKP7E.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\1lAxaLKP7E.exe

Code function: 0_2_00690698 cpuid

0_2_00690698

Source: C:\Windows\SysWOW64\svchost.exe	Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	1_2_004061D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: GetLocaleInfoA,GetACP,	1_2_0040E088
Source: C:\Windows\SysWOW64\svchost.exe	Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	1_2_004062DC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: GetLocaleInfoA,	1_2_0040C964
Source: C:\Windows\SysWOW64\svchost.exe	Code function: GetLocaleInfoA,	1_2_0040C9B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: GetLocaleInfoA,	1_2_00406AC6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: GetLocaleInfoA,	1_2_00406AC8

Source: C:\Windows\SysWOW64\svchost.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion InstallDate

Source: C:\Users\user\Desktop\1lAxaLKP7E.exe

Code function: 0_2_006E8195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_006E8195

Source: C:\Users\user\Desktop\1lAxaLKP7E.exe

Code function: 0_2_006CD27A GetUserNameW,

0_2_006CD27A

Source: C:\Users\user\Desktop\1lAxaLKP7E.exe

Code function: 0_2_006ABB6F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_006ABB6F

Source: C:\Users\user\Desktop\1lAxaLKP7E.exe

Code function: 0_2_006742DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

Stealing of Sensitive Information

Source: Yara match	File source: 2.2.._cache_svchost.exe.630000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2178717615.0000000000631000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2178961116.0000000000E20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Yara detected XRed

Source: Yara match	File source: 0.2.1lAxaLKP7E.exe.3640000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.1lAxaLKP7E.exe.3640000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1815969856.0000000003640000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1823152194.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 1lAxaLKP7E.exe PID: 6700, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 6888, type: MEMORYSTR

Source: 1lAxaLKP7E.exe	Binary or memory string: WIN_81
Source: 1lAxaLKP7E.exe	Binary or memory string: WIN_XP
Source: 1lAxaLKP7E.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: 1lAxaLKP7E.exe	Binary or memory string: WIN_XPe
Source: 1lAxaLKP7E.exe	Binary or memory string: WIN_VISTA
Source: 1lAxaLKP7E.exe	Binary or memory string: WIN_7
Source: 1lAxaLKP7E.exe	Binary or memory string: WIN_8

Remote Access Functionality

Source: Yara match	File source: 2.2.._cache_svchost.exe.630000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2178717615.0000000000631000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2178961116.0000000000E20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Yara detected XRed

Source: Yara match	File source: 0.2.1lAxaLKP7E.exe.3640000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.1lAxaLKP7E.exe.3640000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1815969856.0000000003640000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1823152194.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 1lAxaLKP7E.exe PID: 6700, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 6888, type: MEMORYSTR

Source: C:\Windows\SysWOW64\svchost.exe

Code function: cmd.exe /C

1_2_00475384

Source: C:\Users\user\Desktop\1lAxaLKP7E.exe	Code function: 0_2_006F1204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_006F1204
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe	Code function: 0_2_006F1806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_006F1806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	1 Replication Through Removable Media	1 Command and Scripting Interpreter	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Peripheral Device Discovery	Remote Desktop Protocol	1 Screen Capture	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 Registry Run Keys / Startup Folder	2 Valid Accounts	3 Obfuscated Files or Information	Security Account Manager	1 Account Discovery	SMB/Windows Admin Shares	21 Input Capture	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	2 Software Packing	NTDS	3 File and Directory Discovery	Distributed Component Object Model	3 Clipboard Data	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	212 Process Injection	1 DLL Side-Loading	LSA Secrets	135 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	1 Registry Run Keys / Startup Folder	1 Masquerading	Cached Domain Credentials	461 Security Software Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	12 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	12 Virtualization/Sandbox Evasion	Proc Filesystem	3 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	11 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	212 Process Injection	Network Sniffing	1 System Owner/User Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
1lAxaLKP7E.exe	66%	ReversingLabs	Win32.Trojan.Leonem
1lAxaLKP7E.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\Desktop\._cache_svchost.exe	100%	Avira	TR/Crypt.ZPACK.Gen
C:\Users\user\Desktop\._cache_svchost.exe	100%	Joe Sandbox ML
C:\ProgramData\Synaptics\Synaptics.exe	0%	ReversingLabs
C:\Users\user\Desktop\._cache_svchost.exe	88%	ReversingLabs	Win32.Backdoor.FormBook

Source	Detection	Scanner	Label
https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1	0%	Avira URL Cloud	safe
https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1	0%	Avira URL Cloud	safe
http://xred.site50.net/syn/SSLLibrary.dl	0%	Avira URL Cloud	safe
https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl	0%	Avira URL Cloud	safe
http://xred.site50.net/syn/SUpdate.iniH)	0%	Avira URL Cloud	safe
https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=T	0%	Avira URL Cloud	safe
http://xred.site50.net/syn/SUpdate.ini	0%	Avira URL Cloud	safe
http://xred.site50.net/syn/Synaptics.rar	0%	Avira URL Cloud	safe
http://xred.site50.net/syn/SSLLibrary.dll	100%	Avira URL Cloud	malware
https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1	0%	Avira URL Cloud	safe
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978	0%	Avira URL Cloud	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://xred.site50.net/syn/SSLLibrary.dl	svchost.exe, 00000001.00000003.1822907749.0000000004E00000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://xred.site50.net/syn/Synaptics.rar	svchost.exe, 00000001.00000003.1822907749.0000000004E00000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1	svchost.exe, 00000001.00000002.1823152194.0000000000400000.00000040.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1	svchost.exe, 00000001.00000002.1823152194.0000000000400000.00000040.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1	svchost.exe, 00000001.00000003.1822907749.0000000004E00000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=T	svchost.exe, 00000001.00000003.1822907749.0000000004E00000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://xred.site50.net/syn/SUpdate.iniH)	svchost.exe, 00000001.00000003.1822907749.0000000004E00000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://xred.site50.net/syn/SSLLibrary.dll	svchost.exe, 00000001.00000002.1823152194.0000000000400000.00000040.80000000.00040000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://xred.site50.net/syn/SUpdate.ini	svchost.exe, 00000001.00000002.1823152194.0000000000400000.00000040.80000000.00040000.00000000.sdmp, svchost.exe, 00000001.00000003.1822907749.0000000004E00000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl	svchost.exe, 00000001.00000003.1822907749.0000000004E00000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978	svchost.exe, 00000001.00000003.1822907749.0000000004E00000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1504860
Start date and time:	2024-09-05 14:30:10 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 23s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	1lAxaLKP7E.exe renamed because original name is a hash value
Original Sample Name:	91b60b1ae0b37343c671b632eb3e358d9a5029c9c6405556ba835528c67fd6d8.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@8/6@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 95% Number of executed functions: 54 Number of non-executed functions: 289
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: 1lAxaLKP7E.exe

Simulations

Behavior and APIs

Time	Type	Description
08:31:50	API Interceptor	3x Sleep call for process: ._cache_svchost.exe modified
13:31:20	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run Synaptics Pointing Device Driver C:\ProgramData\Synaptics\Synaptics.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\ProgramData\Synaptics\Synaptics.exe	PI PDF.exe	Get hash	malicious	DarkCloud	Browse
	PI PDF.exe	Get hash	malicious	DarkCloud	Browse
	GZLA202403048 - revised copy.exe	Get hash	malicious	Remcos	Browse
	FHW PO5ED07 07.22.24.exe	Get hash	malicious	Remcos	Browse

Created / dropped Files

C:\ProgramData\Synaptics\Synaptics.exe

Process:	C:\Windows\SysWOW64\svchost.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	46504
Entropy (8bit):	6.436985067856982
Encrypted:	false
SSDEEP:	768:xqUfJFJ/RhxThdVzNIKwx4ZCv8HVtNMblQ1PVRmuU9z6:xdJ7/RhxVdVz7wx4ZtrNYeP/d8z6
MD5:	1ED18311E3DA35942DB37D15FA40CC5B
SHA1:	3196F45B269A614A3926EFC032FC9D75017F27E8
SHA-256:	7EFA956EE9141F3EB637511D029A77842EDA925CB8A84425D2CCDF8A8A677FE1
SHA-512:	241EFB2011896B0A741E1415C25508AA62664C35E193B1EB00CEAD688907517710E01426A9D0A090DE3F473577918B98C9135B51473844513D784CC096A013F1
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: PI PDF.exe, Detection: malicious, Browse Filename: PI PDF.exe, Detection: malicious, Browse Filename: GZLA202403048 - revised copy.exe, Detection: malicious, Browse Filename: FHW PO5ED07 07.22.24.exe, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........V....................g.........h...............................Rich....................PE..L........................^...0.......2.......p....@.......................................@......@..........................d...X........................'......l.......T...............................................`....m..@....................text....].......^.................. ..`.data........p.......b..............@....idata..h............d..............@..@.didat...............z..............@....rsrc................\|..............@..@.reloc..l...........................@..B................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Melber

Process:	C:\Users\user\Desktop\1lAxaLKP7E.exe
File Type:	data
Category:	dropped
Size (bytes):	1058304
Entropy (8bit):	7.712843783462931
Encrypted:	false
SSDEEP:	24576:1PbzVMhwYMlbNX9KEsT6ADW5PmXfP+xhvPZLALi0Xr:z7pXpoMXZW5
MD5:	2BD6688C3227C641442C971DF2A2BF24
SHA1:	1EB076D65CC349356384E1F878A39DE883A1D5CC
SHA-256:	42BDB93776F185B93E9EB0F4749F1B0161245F04EC577A5B59BF4E5130DBEFFC
SHA-512:	92C665E8838199D05E770825C80715AC799DF6822A8CB5C5A98191B2738E0C75266B47EBD307D0A86E3BA6C464DA50345D50BB4B229952F62AFC55DCD3A83C81
Malicious:	false
Reputation:	low
Preview:	.k.4@F77OVLT.4B.77KVCT1.4XF77KVCT1V4BF77KVCT1V4BF77KVCT1V4BF67K.ST?I.K...J..u..`*/D.;$,3C7Yb+BD?v!1.$A,fBY/31tf?Zqt:=oaCT1V4BF77KVCT1V4BF77KVCT1V4BF77KVCT1V4BF77KVCT1V4BF77KVCT1V4BF77KVCT1V4BF77KVCT1V4BF77KVCT1V4BF77KVCT1V4BF77KVCT1V4BF77KVCT1V4BF77KVCT1Vd.F7{J^CMo..BF77KVCT.V..M65RV.]1V.DF77KV..8V4RF77._CT1.4BV77KTCT5V4BF77KRCT1V4BF7.[VCP1V4BF75KVCT1F4B.77KVST1F4BF77KFCT1V4BF77KVCT;VvhF77K]CdLS4BF77KVCT1V4BF77KV.^1.BF77KVCT1V,.L7.KVCT1V4BF77K.IT)V4BF77KVCT1V4BF77KVCT1V4BF77KVCT1V4BF77KVCT1V4BF77K...tV4BF.BVCD1V4.O77OVCT1V4BF77KVCT.V4".vc.VCT1..BF7.BVCd1V4.O77KVCT1V4BF77.VC.s.gBF77K.RT1V.KF77KVC.8V4BF77KVCT1V4BF7.e?'5E74B..7KVC^1V.BF7.BVCT1V4BF77KVC.1V.l2[DKVCT!V4BF.=KVCT1V.KF77KVCT1V4BF77KV.zC2U6'77rVCT1.>BF57KV.]1V4BF77KVCT1VtBFg.93/;RV4..77K.IT1.4BF.>KVCT1V4BF77KV.T1..05ETKVCdLS4BF<7K(FT1.>BF77KVCT1V4BFw7K.CT1V4BF77KVCT!Z4BF77K.HT1V4BF77KVCT1.4B.77KVCT1V4BF77KVCT1V4BF77KVCT1V4BF77KVCT1V4BF77KVCT1V4BF77KVCT1V4BF77KVCT1V4BF77KVCT1V4BF77KVCT1V4BF77KVCT1V4BF77KVCT1V4BF77KVCT1V4BF77KV

C:\Users\user\AppData\Local\Temp\aut6951.tmp

Process:	C:\Users\user\Desktop\1lAxaLKP7E.exe
File Type:	data
Category:	dropped
Size (bytes):	922848
Entropy (8bit):	7.984317222456412
Encrypted:	false
SSDEEP:	24576:aADST6RwL+bgNojHwiygr8IUYHiOXoWcHBamL/vlZKNwts:aA+TCm+bgNWHwiZr8IBH+l0mLlA+ts
MD5:	5AF960A7E92481BDD5302E8C79E7C773
SHA1:	3BA9EBD93B1BD03740EF99EBA81B81AB3C282000
SHA-256:	E3D106E6889A2779189C6815D37A2E8304748A2103BED46009D03AC0F70060B2
SHA-512:	B3DFE2C832E40270E656078D1D91C3C191242065F1BD042B50480D6FA9D7B7978D47CA2531E4F321F3166C614446C5C502B7B01E30DF0554AE7418A54ED6537F
Malicious:	false
Reputation:	low
Preview:	EA06..&.....J..o7...Nv.iB.M......1.M+.`.... ...m7..uI.'.K.....:..X%R.$^w$.L.sz.WB.O....FIA.Y.U.\|.ct.O.W...{o..,~.......F...U..6.....k.V.p.i.J...j. ......J..Y....T...T..&.....,ko[.P...x..1.i..............N..k@.[]..).0._.'^......@..x.............".@.....U.t@.c.O..@.>..Zi".].p..f....0.......S..~.]Z....l.....,u)`.X.N..~?...'..f.J..:.,.5h.....<..I.[.l.V....Y..@....h.x;..eU.I..{...>.Q.........](Tk<fs3...Ui....,A.5I.......~..Rc..L&.Z........(.U&?...7.w.B.J~..h./..@._..LE....P...kF.P.....s/..'.P.f..k](T;.ZO%.T,.J...w....:..w.I.`.w...u..x]Z.S.N(.y.J..x.u<...y........w2...r..X.,.4.....5s....V...U...2..$....d..u....&.b.Q.r..N.....p..Gd..g....h.L,2.$.k_.n`Ti.....R..p9...0....q.\/.i......!.i...w...:...t.Plw.L.M7...4.a...g.I...W..&.e...(r.......(T....8..hs...F....u..y...d.N$Ri.....;}Kw..@...-.'O.j.vJ......{...cV.c.`........I..w...r.B.0.l....$......v~..Z.X..0@,.....Gf.J...w...I....._.0....q.z/0i..?....J..KR..&...JE..W..&..u..$..j]W.\w5K.....[.T........X.[..

C:\Users\user\AppData\Local\Temp\aut6A3C.tmp

Process:	C:\Users\user\Desktop\1lAxaLKP7E.exe
File Type:	data
Category:	dropped
Size (bytes):	43520
Entropy (8bit):	7.825792863700142
Encrypted:	false
SSDEEP:	768:CgVbskUzkT4tmRHe5uW46Y86vrCN2G2c/I1WF+9gm++3Zu/EHjbxOsV7ZqoiiWj7:DtskakT4wRH718CCcUCWoZhZu/63xO8W
MD5:	D242B4FC3CD4634554D81F7A2A737D16
SHA1:	1AF4B23AA6DA25EDAB69AE9F0FC12FC22C9520ED
SHA-256:	1638A8F9301C73821074EDE409260E6574CA1F019D33633E954DC83DB8870EC5
SHA-512:	E72056469171BE580257A5B6B4F0B241F48017E46981BFF6508B30DFB243DF39BC55B8BBBAD1A70916E0DACED8AC887143DD6EF1A5383FF157269106BE86CA73
Malicious:	false
Reputation:	low
Preview:	EA06..P....y."g5......6.Tf.Zd.gR..).9.:m5.M.tY..6..&s...eD...9.Bg0....Z..l..Q.szD.eA..(.9.bm2.L.....3.Sfs...Nf...3.V&s...iK.9g.Y..6.Sfs...mU..hs9..g0.........V.sj..mG..O..$.iV.Ms9..g6..).i..g7.L.T....mS.'.Ng0......3.Pfs.L.kW..k..,....L.....6........3.U...x.J.D..$...g5.l(.i..yY..h39.6g5..(.%...A....9.Fg6..0 ..jm4....i.,..Lj.!..._U.B..\..V@.5N..k@.U^m5.......gC...%.P..O......`....6T...3..s..fm2...5.....Q...@.......eg8...59..6.U.s...eG.L..i...X......<.....@(%.g6...U@..kT..j.9.>m2........C.f..(.H..U)...B..5...3..Z.9... .b...0.UE.6...T..!.L.....9.T....).i.....O..:...T......g5 .FgM........B..HT).....I)si.Nl.RN@..4..Q..(.@..1Z..g..r.3....I.....?+.i.Jl....4..6..).I..3..@~.....U@l. ...DV.s..P...".3.... .?j.`..mD..h4.-...B.!T..j..o.T. 0h......W....C.0..mP..+.@....B...-.(....m.. ......qY......4...mK.B.9...l......+......8....H@6`.AE. @u..BiU.2.6*h....J0. .....{.$..........L..)`.. ...........!.o`......06..}..EUp;...!V@H .....L..`..N..@.p..N.....0.....T.%..

C:\Users\user\AppData\Local\Temp\selectee

Process:	C:\Users\user\Desktop\1lAxaLKP7E.exe
File Type:	ASCII text, with very long lines (65536), with no line terminators
Category:	dropped
Size (bytes):	86022
Entropy (8bit):	4.178944547569951
Encrypted:	false
SSDEEP:	1536:1BFej+WYxpZHoVTmfvXydXrbTjQtj1ueEu:1BFzzx2mf/yBcj1NP
MD5:	75C99184982434A488C1FC86593E886C
SHA1:	42FBBAF113BD3351D095786253D8AA5302450786
SHA-256:	7FD40D14212C6505A194F2EB022BEE7ED787C21B8627CA75B3E7956CFF3329E3
SHA-512:	3784A3BF25B646E6FA24CB9021ADFAE07FE91572036DFC520204ABAEE532560C3A4C933A53B06DDCF1C499F3D6DF6EC69C22A688B9081D2F7CFA54C8B1C2E013
Malicious:	false
Reputation:	low
Preview:	30W78H35E35Q38E62Q65L63R38L31N65P63E63J63H30Y32D30V30P30F30F35B36F35G37H62A38G36X62J30I30Q30M30R30Q30M36H36C38X39V34K35B38E34B62M39P36U35C30K30G30A30X30F30Z36S36G38H39D34V64S38D36E62N61F37L32O30H30G30L30Y30S30U36N36Z38A39I35W35X38G38H62L38K36L65G30F30Y30U30T30S30O36G36C38C39P34A35S38F61X62Y39A36M35D30E30W30M30A30V30E36Q36Y38G39P34Z64N38L63K62Y61V36X63Y30P30W30Q30V30G30M36Y36C38C39N35Z35X38W65B62Y38A33C33T30J30V30O30V30J30P36E36K38G39I34Y35R39L30Y62U39Y33I32O30G30P30H30F30C30B36K36J38S39S34G64V39B32G62P61L32X65E30O30O30J30A30L30N36F36R38S39T35R35T39U34O62E38V36E34C30H30M30U30R30L30N36R36O38V39D34Q35N39E36C62S39O36J63F30L30E30U30R30O30T36S36D38C39S34V64C39V38U62Y61F36M63B30U30Y30A30J30J30Q36Q36S38X39P35E35Q39R61V33M33H63Y30D36R36T38V39B34F35H39K63S62O39Z36F65D30F30D30T30D30Z30E36Y36E38J39G38T64I34B34X66R66M66R66L66B66H62D61W37M34Z30Z30B30I30U30V30D36G36S38Z39M39H35P34F36A66J66B66T66F66D66E62M38D36Z34G30I30K30I30T30W30Z36B36G38M39F38D35G34W38L66L66S66E66P66A66T62O39L36E63X30L30J30X30L30D3

C:\Users\user\Desktop\._cache_svchost.exe

Process:	C:\Windows\SysWOW64\svchost.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	286720
Entropy (8bit):	7.963765407781625
Encrypted:	false
SSDEEP:	6144:YDROfDbDjSYR8LqOzuyj6Ck6pXGfJhBtzTWQCOe2D:YDR2nSKFO5jM6GvBRWQ3e
MD5:	8A4835835C59FDB159CF2F3EF7CF2907
SHA1:	43EF2C70461814EA5BB6AE7EA6F28F3E6B9B87B2
SHA-256:	4E1ECCC2E1AB923F3A969538565E31C6ECB3DC61207D6CD2107F2FB002CFDD83
SHA-512:	137E9FBA7DB3E6AA3B9C49E93F60E0896FC7918DD79410BF31FC6B43D9C3539B00D79FDC1557D2F017EFA590D6383CFFE21DFA2EA9B31141CD0AFD03F466DABE
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 88%
Reputation:	low
Preview:	MZER.....X......<......(..............................................!..L.!This program cannot be run in DOS mode....$.......y...=`g.=`g.=`g.....:`g.....<`g.....<`g.Rich=`g.........PE..L....:.U.................N...................`....@..........................`............@..........................................................................................................................................................text...4L.......N.................. ..`................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.5507491163708
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	1lAxaLKP7E.exe
File size:	1'904'640 bytes
MD5:	98c1a12ce79248bbdb4c8a65fc227e58
SHA1:	259ae7a3d239a352db772433075f649d5fbda8e7
SHA256:	91b60b1ae0b37343c671b632eb3e358d9a5029c9c6405556ba835528c67fd6d8
SHA512:	a08eb3182c8cc7b3cc7880ff644de60951a3476dd0325b63d306f1c7f48cde40d21bfa76d85a23c6a6f545f16b30d99372f8bfb876d1c1ae928ad75e713a8c7e
SSDEEP:	49152:tTvC/MTQYxsWR7a05iPEgLwJqejB/aWN7vaYz:BjTQYxsWR3gMJqWaAJ
TLSH:	C495E10233D1C062FF9B95334F9AF65156BD6A260123E62F13A81C79BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x66CC5BD1 [Mon Aug 26 10:41:21 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007FE1348EEDE3h
jmp 00007FE1348EE6EFh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FE1348EE8CDh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FE1348EE89Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007FE1348F148Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007FE1348F14D8h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007FE1348F14C1h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0xfa53c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x1cf000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0xfa53c	0xfa600	ec6dbe7af996d8b891d35e8baa493ec4	False	0.9739960371942087	data	7.978192152268509	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x1cf000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0xf1802	data			1.000314399920743
RT_GROUP_ICON	0x1cdfbc	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x1ce034	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x1ce048	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x1ce05c	0x14	data	English	Great Britain	1.25
RT_VERSION	0x1ce070	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x1ce14c	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Target ID:	0
Start time:	08:31:06
Start date:	05/09/2024
Path:	C:\Users\user\Desktop\1lAxaLKP7E.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\1lAxaLKP7E.exe"
Imagebase:	0x670000
File size:	1'904'640 bytes
MD5 hash:	98C1A12CE79248BBDB4C8A65FC227E58
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XRed, Description: Yara detected XRed, Source: 00000000.00000002.1815969856.0000000003640000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000000.00000002.1815969856.0000000003640000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Target ID:	1
Start time:	08:31:15
Start date:	05/09/2024
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\1lAxaLKP7E.exe"
Imagebase:	0x520000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_XRed, Description: Yara detected XRed, Source: 00000001.00000002.1823152194.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000001.00000002.1823152194.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Target ID:	2
Start time:	08:31:16
Start date:	05/09/2024
Path:	C:\Users\user\Desktop\._cache_svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\._cache_svchost.exe"
Imagebase:	0x630000
File size:	286'720 bytes
MD5 hash:	8A4835835C59FDB159CF2F3EF7CF2907
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2178717615.0000000000631000.00000040.00000001.01000000.00000005.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2178717615.0000000000631000.00000040.00000001.01000000.00000005.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2178961116.0000000000E20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2178961116.0000000000E20000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 88%, ReversingLabs
Reputation:	low
Has exited:	true

Target ID:	3
Start time:	08:31:16
Start date:	05/09/2024
Path:	C:\ProgramData\Synaptics\Synaptics.exe
Wow64 process (32bit):	true
Commandline:	"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
Imagebase:	0x70000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	high
Has exited:	true

Target ID:	7
Start time:	08:31:28
Start date:	05/09/2024
Path:	C:\ProgramData\Synaptics\Synaptics.exe
Wow64 process (32bit):	true
Commandline:	"C:\ProgramData\Synaptics\Synaptics.exe"
Imagebase:	0x70000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true