Windows Analysis Report
Quote 19847222.exe

Overview

General Information

Sample name: Quote 19847222.exe
Analysis ID: 1650070
MD5: 48bda4cfb72f7a8f347155ef95495944
SHA1: 82e32a202d3d415857ff8726cb1bd863e0eaf75c
SHA256: 9c689e14e962be39ed10e032213d07181a1bc09101774674e5fd561d8bfec7ac
Tags: exeuser-TeamDreier
Infos:

Detection

FormBook
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Yara detected FormBook
Binary is likely a compiled AutoIt script file
Found direct / indirect Syscall (likely to bypass EDR)
Maps a DLL or memory area into another process
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

RansomwareSpreadingPhishingBankerTrojan / BotAdwareSpywareExploiterEvaderMinercleansuspiciousmalicious

AV Detection
barindex
Antivirus detection for URL or domain
Source: http://www.kantad.xyz/19mv/?Vthd=m4ZDmUsWOZNyQ7rcI3Jnh0D98CGGzlqcN4sVj++dpMHtIooNiMtznlQs2pIYE9vFjoT3bvOz4K0ixAk5+xbuYi5t4Dn+TL8JJ7xaio/b8rSKiaTz2A==&Sbo=phnX Avira URL Cloud: Label: malware
Multi AV Scanner detection for submitted file
Source: Quote 19847222.exe Virustotal: Detection: 61% Perma Link
Source: Quote 19847222.exe ReversingLabs: Detection: 66%
Yara detected FormBook
Source: Yara match File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.1187016684.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2339516938.0000000005160000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1429074822.0000000003370000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1429036738.0000000003320000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1187340104.00000000034D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1187682843.0000000004600000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2337872709.0000000002D10000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Uses 32bit PE files
Source: Quote 19847222.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Binary string: recover.pdb source: svchost.exe, 00000001.00000002.1187175340.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1187191686.0000000003012000.00000004.00000020.00020000.00000000.sdmp, NyiehbWuZxeF.exe, 00000002.00000002.2336995225.00000000007BE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: Quote 19847222.exe, 00000000.00000003.1085940221.0000000003430000.00000004.00001000.00020000.00000000.sdmp, Quote 19847222.exe, 00000000.00000003.1085671212.00000000035D0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1187368086.0000000003600000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1088137439.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1187368086.000000000379E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1090482040.0000000003400000.00000004.00000020.00020000.00000000.sdmp, recover.exe, 00000003.00000002.1429269901.000000000381E000.00000040.00001000.00020000.00000000.sdmp, recover.exe, 00000003.00000003.1190723298.00000000034D1000.00000004.00000020.00020000.00000000.sdmp, recover.exe, 00000003.00000002.1429269901.0000000003680000.00000040.00001000.00020000.00000000.sdmp, recover.exe, 00000003.00000003.1188444639.0000000003323000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: Quote 19847222.exe, 00000000.00000003.1085940221.0000000003430000.00000004.00001000.00020000.00000000.sdmp, Quote 19847222.exe, 00000000.00000003.1085671212.00000000035D0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000002.1187368086.0000000003600000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1088137439.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1187368086.000000000379E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1090482040.0000000003400000.00000004.00000020.00020000.00000000.sdmp, recover.exe, recover.exe, 00000003.00000002.1429269901.000000000381E000.00000040.00001000.00020000.00000000.sdmp, recover.exe, 00000003.00000003.1190723298.00000000034D1000.00000004.00000020.00020000.00000000.sdmp, recover.exe, 00000003.00000002.1429269901.0000000003680000.00000040.00001000.00020000.00000000.sdmp, recover.exe, 00000003.00000003.1188444639.0000000003323000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: recover.pdbGCTL source: svchost.exe, 00000001.00000002.1187175340.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1187191686.0000000003012000.00000004.00000020.00020000.00000000.sdmp, NyiehbWuZxeF.exe, 00000002.00000002.2336995225.00000000007BE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: svchost.pdb source: recover.exe, 00000003.00000002.1429623747.0000000003CAC000.00000004.10000000.00040000.00000000.sdmp, recover.exe, 00000003.00000002.1428490368.0000000003233000.00000004.00000020.00020000.00000000.sdmp, NyiehbWuZxeF.exe, 00000006.00000000.1256100264.0000000002D2C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000D.00000002.2335765535.000000002786C000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: svchost.pdbUGP source: recover.exe, 00000003.00000002.1429623747.0000000003CAC000.00000004.10000000.00040000.00000000.sdmp, recover.exe, 00000003.00000002.1428490368.0000000003233000.00000004.00000020.00020000.00000000.sdmp, NyiehbWuZxeF.exe, 00000006.00000000.1256100264.0000000002D2C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000D.00000002.2335765535.000000002786C000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: NyiehbWuZxeF.exe, 00000002.00000002.2336396806.000000000019F000.00000002.00000001.01000000.00000004.sdmp, NyiehbWuZxeF.exe, 00000006.00000002.2335985021.000000000019F000.00000002.00000001.01000000.00000004.sdmp
Source: C:\Users\user\Desktop\Quote 19847222.exe Code function: 0_2_0030445A GetFileAttributesW,FindFirstFileW,FindClose, 0_2_0030445A
Source: C:\Users\user\Desktop\Quote 19847222.exe Code function: 0_2_0030C6D1 FindFirstFileW,FindClose, 0_2_0030C6D1
Source: C:\Users\user\Desktop\Quote 19847222.exe Code function: 0_2_0030C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 0_2_0030C75C
Source: C:\Users\user\Desktop\Quote 19847222.exe Code function: 0_2_0030F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_0030F3F3
Source: C:\Users\user\Desktop\Quote 19847222.exe Code function: 0_2_003037EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_003037EF
Source: C:\Users\user\Desktop\Quote 19847222.exe Code function: 0_2_00303B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_00303B12

Networking
barindex
Performs DNS queries to domains with low reputation
Source: DNS query: www.kantad.xyz
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 76.223.54.146 76.223.54.146
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\Quote 19847222.exe Code function: 0_2_003122EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile, 0_2_003122EE
Source: global traffic HTTP traffic detected: GET /19mv/?Vthd=m4ZDmUsWOZNyQ7rcI3Jnh0D98CGGzlqcN4sVj++dpMHtIooNiMtznlQs2pIYE9vFjoT3bvOz4K0ixAk5+xbuYi5t4Dn+TL8JJ7xaio/b8rSKiaTz2A==&Sbo=phnX HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-usConnection: closeHost: www.kantad.xyzUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2)
Source: global traffic DNS traffic detected: DNS query: www.kantad.xyz
Source: recover.exe, 00000003.00000003.1372499971.000000000814E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org?q=
Source: recover.exe, 00000003.00000003.1372499971.000000000814E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: recover.exe, 00000003.00000003.1372499971.000000000814E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: recover.exe, 00000003.00000003.1372499971.000000000814E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: recover.exe, 00000003.00000003.1372499971.000000000814E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: recover.exe, 00000003.00000003.1372499971.000000000814E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtabv20
Source: recover.exe, 00000003.00000003.1372499971.000000000814E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: recover.exe, 00000003.00000003.1372499971.000000000814E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gemini.google.com/app?q=
Source: recover.exe, 00000003.00000002.1428490368.0000000003250000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: recover.exe, 00000003.00000002.1428490368.0000000003250000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: recover.exe, 00000003.00000003.1367360274.000000000812A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.
Source: recover.exe, 00000003.00000002.1428490368.0000000003250000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: recover.exe, 00000003.00000002.1428490368.0000000003250000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: recover.exe, 00000003.00000002.1428490368.0000000003250000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: recover.exe, 00000003.00000002.1428490368.0000000003250000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: recover.exe, 00000003.00000003.1372499971.000000000814E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/v20Y&
Source: recover.exe, 00000003.00000003.1372499971.000000000814E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\Desktop\Quote 19847222.exe Code function: 0_2_0030001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState, 0_2_0030001C
Potential key logger detected (key state polling based)
Source: C:\Users\user\Desktop\Quote 19847222.exe Code function: 0_2_0032CABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 0_2_0032CABC

E-Banking Fraud
barindex
Yara detected FormBook
Source: Yara match File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.1187016684.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2339516938.0000000005160000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1429074822.0000000003370000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1429036738.0000000003320000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1187340104.00000000034D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1187682843.0000000004600000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2337872709.0000000002D10000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

System Summary
barindex
Binary is likely a compiled AutoIt script file
Source: C:\Users\user\Desktop\Quote 19847222.exe Code function: This is a third-party compiled AutoIt script. 0_2_002A3B3A
Source: Quote 19847222.exe String found in binary or memory: This is a third-party compiled AutoIt script.
Source: Quote 19847222.exe, 00000000.00000002.1087941270.0000000000354000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_8267e46e-8
Source: Quote 19847222.exe, 00000000.00000002.1087941270.0000000000354000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer` memstr_1f99da32-a
Source: Quote 19847222.exe String found in binary or memory: This is a third-party compiled AutoIt script. memstr_b018ff92-c
Source: Quote 19847222.exe String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer` memstr_f28c91a7-4
Contains functionality to call native functions
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0042CB63 NtClose, 1_2_0042CB63
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03672B60 NtClose,LdrInitializeThunk, 1_2_03672B60
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03672DF0 NtQuerySystemInformation,LdrInitializeThunk, 1_2_03672DF0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03672C70 NtFreeVirtualMemory,LdrInitializeThunk, 1_2_03672C70
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036735C0 NtCreateMutant,LdrInitializeThunk, 1_2_036735C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03674340 NtSetContextThread, 1_2_03674340
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03674650 NtSuspendThread, 1_2_03674650
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03672BE0 NtQueryValueKey, 1_2_03672BE0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03672BF0 NtAllocateVirtualMemory, 1_2_03672BF0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03672BA0 NtEnumerateValueKey, 1_2_03672BA0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03672B80 NtQueryInformationFile, 1_2_03672B80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03672AF0 NtWriteFile, 1_2_03672AF0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03672AD0 NtReadFile, 1_2_03672AD0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03672AB0 NtWaitForSingleObject, 1_2_03672AB0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03672F60 NtCreateProcessEx, 1_2_03672F60
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03672F30 NtCreateSection, 1_2_03672F30
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03672FE0 NtCreateFile, 1_2_03672FE0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03672FA0 NtQuerySection, 1_2_03672FA0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03672FB0 NtResumeThread, 1_2_03672FB0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03672F90 NtProtectVirtualMemory, 1_2_03672F90
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03672E30 NtWriteVirtualMemory, 1_2_03672E30
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03672EE0 NtQueueApcThread, 1_2_03672EE0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03672EA0 NtAdjustPrivilegesToken, 1_2_03672EA0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03672E80 NtReadVirtualMemory, 1_2_03672E80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03672D30 NtUnmapViewOfSection, 1_2_03672D30
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03672D00 NtSetInformationFile, 1_2_03672D00
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03672D10 NtMapViewOfSection, 1_2_03672D10
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03672DD0 NtDelayExecution, 1_2_03672DD0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03672DB0 NtEnumerateKey, 1_2_03672DB0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03672C60 NtCreateKey, 1_2_03672C60
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03672C00 NtQueryInformationProcess, 1_2_03672C00
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03672CF0 NtOpenProcess, 1_2_03672CF0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03672CC0 NtQueryVirtualMemory, 1_2_03672CC0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03672CA0 NtQueryInformationToken, 1_2_03672CA0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03673010 NtOpenDirectoryObject, 1_2_03673010
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03673090 NtSetValueKey, 1_2_03673090
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036739B0 NtGetContextThread, 1_2_036739B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03673D70 NtOpenThread, 1_2_03673D70
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03673D10 NtOpenProcessToken, 1_2_03673D10
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_036F4340 NtSetContextThread,LdrInitializeThunk, 3_2_036F4340
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_036F4650 NtSuspendThread,LdrInitializeThunk, 3_2_036F4650
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_036F2B60 NtClose,LdrInitializeThunk, 3_2_036F2B60
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_036F2BE0 NtQueryValueKey,LdrInitializeThunk, 3_2_036F2BE0
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_036F2BF0 NtAllocateVirtualMemory,LdrInitializeThunk, 3_2_036F2BF0
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_036F2BA0 NtEnumerateValueKey,LdrInitializeThunk, 3_2_036F2BA0
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_036F2AF0 NtWriteFile,LdrInitializeThunk, 3_2_036F2AF0
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_036F2AD0 NtReadFile,LdrInitializeThunk, 3_2_036F2AD0
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_036F2F30 NtCreateSection,LdrInitializeThunk, 3_2_036F2F30
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_036F2FE0 NtCreateFile,LdrInitializeThunk, 3_2_036F2FE0
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_036F2FB0 NtResumeThread,LdrInitializeThunk, 3_2_036F2FB0
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_036F2EE0 NtQueueApcThread,LdrInitializeThunk, 3_2_036F2EE0
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_036F2E80 NtReadVirtualMemory,LdrInitializeThunk, 3_2_036F2E80
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_036F2D30 NtUnmapViewOfSection,LdrInitializeThunk, 3_2_036F2D30
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_036F2D10 NtMapViewOfSection,LdrInitializeThunk, 3_2_036F2D10
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_036F2DF0 NtQuerySystemInformation,LdrInitializeThunk, 3_2_036F2DF0
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_036F2DD0 NtDelayExecution,LdrInitializeThunk, 3_2_036F2DD0
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_036F2C60 NtCreateKey,LdrInitializeThunk, 3_2_036F2C60
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_036F2C70 NtFreeVirtualMemory,LdrInitializeThunk, 3_2_036F2C70
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_036F2CA0 NtQueryInformationToken,LdrInitializeThunk, 3_2_036F2CA0
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_036F35C0 NtCreateMutant,LdrInitializeThunk, 3_2_036F35C0
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_036F39B0 NtGetContextThread,LdrInitializeThunk, 3_2_036F39B0
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_036F2B80 NtQueryInformationFile, 3_2_036F2B80
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_036F2AB0 NtWaitForSingleObject, 3_2_036F2AB0
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_036F2F60 NtCreateProcessEx, 3_2_036F2F60
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_036F2FA0 NtQuerySection, 3_2_036F2FA0
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_036F2F90 NtProtectVirtualMemory, 3_2_036F2F90
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_036F2E30 NtWriteVirtualMemory, 3_2_036F2E30
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_036F2EA0 NtAdjustPrivilegesToken, 3_2_036F2EA0
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_036F2D00 NtSetInformationFile, 3_2_036F2D00
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_036F2DB0 NtEnumerateKey, 3_2_036F2DB0
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_036F2C00 NtQueryInformationProcess, 3_2_036F2C00
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_036F2CF0 NtOpenProcess, 3_2_036F2CF0
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_036F2CC0 NtQueryVirtualMemory, 3_2_036F2CC0
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_036F3010 NtOpenDirectoryObject, 3_2_036F3010
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_036F3090 NtSetValueKey, 3_2_036F3090
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_036F3D70 NtOpenThread, 3_2_036F3D70
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_036F3D10 NtOpenProcessToken, 3_2_036F3D10
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_0347EFCD NtQueryInformationProcess,NtReadVirtualMemory, 3_2_0347EFCD
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_0347F8B8 NtUnmapViewOfSection, 3_2_0347F8B8
Contains functionality to communicate with device drivers
Source: C:\Users\user\Desktop\Quote 19847222.exe Code function: 0_2_00303D61: CreateFileW,DeviceIoControl,CloseHandle, 0_2_00303D61
Contains functionality to launch a process as a different user
Source: C:\Users\user\Desktop\Quote 19847222.exe Code function: 0_2_002F8310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 0_2_002F8310
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\Quote 19847222.exe Code function: 0_2_003051BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState, 0_2_003051BD
Detected potential crypto function
Source: C:\Users\user\Desktop\Quote 19847222.exe Code function: 0_2_002AE6A0 0_2_002AE6A0
Source: C:\Users\user\Desktop\Quote 19847222.exe Code function: 0_2_002CD975 0_2_002CD975
Source: C:\Users\user\Desktop\Quote 19847222.exe Code function: 0_2_002AFCE0 0_2_002AFCE0
Source: C:\Users\user\Desktop\Quote 19847222.exe Code function: 0_2_002C21C5 0_2_002C21C5
Source: C:\Users\user\Desktop\Quote 19847222.exe Code function: 0_2_002D62D2 0_2_002D62D2
Source: C:\Users\user\Desktop\Quote 19847222.exe Code function: 0_2_002D242E 0_2_002D242E
Source: C:\Users\user\Desktop\Quote 19847222.exe Code function: 0_2_002C25FA 0_2_002C25FA
Source: C:\Users\user\Desktop\Quote 19847222.exe Code function: 0_2_002FE616 0_2_002FE616
Source: C:\Users\user\Desktop\Quote 19847222.exe Code function: 0_2_002B66E1 0_2_002B66E1
Source: C:\Users\user\Desktop\Quote 19847222.exe Code function: 0_2_002D878F 0_2_002D878F
Source: C:\Users\user\Desktop\Quote 19847222.exe Code function: 0_2_002B8808 0_2_002B8808
Source: C:\Users\user\Desktop\Quote 19847222.exe Code function: 0_2_00320857 0_2_00320857
Source: C:\Users\user\Desktop\Quote 19847222.exe Code function: 0_2_002D6844 0_2_002D6844
Source: C:\Users\user\Desktop\Quote 19847222.exe Code function: 0_2_00308889 0_2_00308889
Source: C:\Users\user\Desktop\Quote 19847222.exe Code function: 0_2_002CCB21 0_2_002CCB21
Source: C:\Users\user\Desktop\Quote 19847222.exe Code function: 0_2_002D6DB6 0_2_002D6DB6
Source: C:\Users\user\Desktop\Quote 19847222.exe Code function: 0_2_002B6F9E 0_2_002B6F9E
Source: C:\Users\user\Desktop\Quote 19847222.exe Code function: 0_2_002B3030 0_2_002B3030
Source: C:\Users\user\Desktop\Quote 19847222.exe Code function: 0_2_002C3187 0_2_002C3187
Source: C:\Users\user\Desktop\Quote 19847222.exe Code function: 0_2_002CF1D9 0_2_002CF1D9
Source: C:\Users\user\Desktop\Quote 19847222.exe Code function: 0_2_002A1287 0_2_002A1287
Source: C:\Users\user\Desktop\Quote 19847222.exe Code function: 0_2_002C1484 0_2_002C1484
Source: C:\Users\user\Desktop\Quote 19847222.exe Code function: 0_2_002B5520 0_2_002B5520
Source: C:\Users\user\Desktop\Quote 19847222.exe Code function: 0_2_002C7696 0_2_002C7696
Source: C:\Users\user\Desktop\Quote 19847222.exe Code function: 0_2_002B5760 0_2_002B5760
Source: C:\Users\user\Desktop\Quote 19847222.exe Code function: 0_2_002C1978 0_2_002C1978
Source: C:\Users\user\Desktop\Quote 19847222.exe Code function: 0_2_002D9AB5 0_2_002D9AB5
Source: C:\Users\user\Desktop\Quote 19847222.exe Code function: 0_2_002CBDA6 0_2_002CBDA6
Source: C:\Users\user\Desktop\Quote 19847222.exe Code function: 0_2_002C1D90 0_2_002C1D90
Source: C:\Users\user\Desktop\Quote 19847222.exe Code function: 0_2_00327DDB 0_2_00327DDB
Source: C:\Users\user\Desktop\Quote 19847222.exe Code function: 0_2_002ADF00 0_2_002ADF00
Source: C:\Users\user\Desktop\Quote 19847222.exe Code function: 0_2_002B3FE0 0_2_002B3FE0
Source: C:\Users\user\Desktop\Quote 19847222.exe Code function: 0_2_00B70348 0_2_00B70348
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_004019FB 1_2_004019FB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00418AA3 1_2_00418AA3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_004030D0 1_2_004030D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0042F163 1_2_0042F163
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00402970 1_2_00402970
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_004102CA 1_2_004102CA
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_004102D3 1_2_004102D3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00401CC0 1_2_00401CC0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0040E4E9 1_2_0040E4E9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_004104F3 1_2_004104F3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0040E4F3 1_2_0040E4F3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00416CAE 1_2_00416CAE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00416CB3 1_2_00416CB3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00402D20 1_2_00402D20
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_004025D0 1_2_004025D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0040E643 1_2_0040E643
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0040E63C 1_2_0040E63C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0040E68C 1_2_0040E68C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036FA352 1_2_036FA352
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0364E3F0 1_2_0364E3F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037003E6 1_2_037003E6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036C02C0 1_2_036C02C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036C8158 1_2_036C8158
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03630100 1_2_03630100
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036DA118 1_2_036DA118
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036F81CC 1_2_036F81CC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036F41A2 1_2_036F41A2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037001AA 1_2_037001AA
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037021AE 1_2_037021AE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036D2000 1_2_036D2000
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03640770 1_2_03640770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03664750 1_2_03664750
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0363C7C0 1_2_0363C7C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0365C6E0 1_2_0365C6E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03640535 1_2_03640535
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03700591 1_2_03700591
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036F2446 1_2_036F2446
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036E4420 1_2_036E4420
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036EE4F6 1_2_036EE4F6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036FAB40 1_2_036FAB40
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036F6BD7 1_2_036F6BD7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036FEB89 1_2_036FEB89
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0363EA80 1_2_0363EA80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03656962 1_2_03656962
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036429A0 1_2_036429A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0364A840 1_2_0364A840
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0366E8F0 1_2_0366E8F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036268B8 1_2_036268B8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036B4F40 1_2_036B4F40
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03682F28 1_2_03682F28
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03660F30 1_2_03660F30
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036E2F30 1_2_036E2F30
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03632FC8 1_2_03632FC8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036BEFA0 1_2_036BEFA0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036FEE26 1_2_036FEE26
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036FEEDB 1_2_036FEEDB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03652E90 1_2_03652E90
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036FCE93 1_2_036FCE93
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0364AD00 1_2_0364AD00
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036DCD1F 1_2_036DCD1F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0363ADE0 1_2_0363ADE0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03648DC0 1_2_03648DC0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03658DBF 1_2_03658DBF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03640C00 1_2_03640C00
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03630CF2 1_2_03630CF2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0362D34C 1_2_0362D34C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036F132D 1_2_036F132D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036E12ED 1_2_036E12ED
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0365D2F0 1_2_0365D2F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0365B2C0 1_2_0365B2C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036452A0 1_2_036452A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0367516C 1_2_0367516C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0362F172 1_2_0362F172
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0370B16B 1_2_0370B16B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0364B1B0 1_2_0364B1B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036F70E9 1_2_036F70E9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036FF0E0 1_2_036FF0E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036EF0CC 1_2_036EF0CC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036317EC 1_2_036317EC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036FF7B0 1_2_036FF7B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03685630 1_2_03685630
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036F16CC 1_2_036F16CC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036F7571 1_2_036F7571
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037095C3 1_2_037095C3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036DD5B0 1_2_036DD5B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03631460 1_2_03631460
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036FF43F 1_2_036FF43F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036FFB76 1_2_036FFB76
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036B5BF0 1_2_036B5BF0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0367DBF9 1_2_0367DBF9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0365FB80 1_2_0365FB80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036B3A6C 1_2_036B3A6C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036FFA49 1_2_036FFA49
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036F7A46 1_2_036F7A46
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036EDAC6 1_2_036EDAC6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036DDAAC 1_2_036DDAAC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036E1AA3 1_2_036E1AA3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03649950 1_2_03649950
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0365B950 1_2_0365B950
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036D5910 1_2_036D5910
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03645990 1_2_03645990
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036AD800 1_2_036AD800
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036438E0 1_2_036438E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036FFF09 1_2_036FFF09
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03603FD2 1_2_03603FD2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03603FD5 1_2_03603FD5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036FFFB1 1_2_036FFFB1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03641F92 1_2_03641F92
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03649EB0 1_2_03649EB0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036F7D73 1_2_036F7D73
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036F1D5A 1_2_036F1D5A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0365FDC0 1_2_0365FDC0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036B9C32 1_2_036B9C32
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036FFCF2 1_2_036FFCF2
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_0377A352 3_2_0377A352
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_036CE3F0 3_2_036CE3F0
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_037803E6 3_2_037803E6
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_037402C0 3_2_037402C0
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_03748158 3_2_03748158
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_036B0100 3_2_036B0100
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_0375A118 3_2_0375A118
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_037781CC 3_2_037781CC
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_037801AA 3_2_037801AA
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_037741A2 3_2_037741A2
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_037821AE 3_2_037821AE
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_03752000 3_2_03752000
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_036C0770 3_2_036C0770
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_036E4750 3_2_036E4750
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_036BC7C0 3_2_036BC7C0
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_036DC6E0 3_2_036DC6E0
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_036C0535 3_2_036C0535
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_03780591 3_2_03780591
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_03772446 3_2_03772446
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_03764420 3_2_03764420
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_0376E4F6 3_2_0376E4F6
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_0377AB40 3_2_0377AB40
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_03776BD7 3_2_03776BD7
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_0377EB89 3_2_0377EB89
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_036BEA80 3_2_036BEA80
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_036D6962 3_2_036D6962
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_036C29A0 3_2_036C29A0
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_036CA840 3_2_036CA840
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_036EE8F0 3_2_036EE8F0
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_036A68B8 3_2_036A68B8
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_03734F40 3_2_03734F40
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_03762F30 3_2_03762F30
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_03702F28 3_2_03702F28
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_036E0F30 3_2_036E0F30
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_036B2FC8 3_2_036B2FC8
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_0373EFA0 3_2_0373EFA0
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_0377EE26 3_2_0377EE26
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_0377EEDB 3_2_0377EEDB
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_0377CE93 3_2_0377CE93
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_036D2E90 3_2_036D2E90
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_0375CD1F 3_2_0375CD1F
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_036CAD00 3_2_036CAD00
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_036BADE0 3_2_036BADE0
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_036C8DC0 3_2_036C8DC0
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_036D8DBF 3_2_036D8DBF
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_036C0C00 3_2_036C0C00
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_036B0CF2 3_2_036B0CF2
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_036AD34C 3_2_036AD34C
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_0377132D 3_2_0377132D
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_037612ED 3_2_037612ED
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_036DD2F0 3_2_036DD2F0
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_036DB2C0 3_2_036DB2C0
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_036C52A0 3_2_036C52A0
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_036F516C 3_2_036F516C
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_0378B16B 3_2_0378B16B
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_036AF172 3_2_036AF172
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_036CB1B0 3_2_036CB1B0
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_0377F0E0 3_2_0377F0E0
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_037770E9 3_2_037770E9
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_0376F0CC 3_2_0376F0CC
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_036B17EC 3_2_036B17EC
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_0377F7B0 3_2_0377F7B0
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_03705630 3_2_03705630
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_037716CC 3_2_037716CC
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_03777571 3_2_03777571
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_037895C3 3_2_037895C3
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_0375D5B0 3_2_0375D5B0
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_036B1460 3_2_036B1460
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_0377F43F 3_2_0377F43F
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_0377FB76 3_2_0377FB76
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_03735BF0 3_2_03735BF0
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_036FDBF9 3_2_036FDBF9
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_036DFB80 3_2_036DFB80
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_03733A6C 3_2_03733A6C
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_03777A46 3_2_03777A46
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_0377FA49 3_2_0377FA49
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_0376DAC6 3_2_0376DAC6
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_03761AA3 3_2_03761AA3
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_0375DAAC 3_2_0375DAAC
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_036C9950 3_2_036C9950
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_036DB950 3_2_036DB950
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_03755910 3_2_03755910
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_036C5990 3_2_036C5990
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_0372D800 3_2_0372D800
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_036C38E0 3_2_036C38E0
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_0377FF09 3_2_0377FF09
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_03683FD2 3_2_03683FD2
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_03683FD5 3_2_03683FD5
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_0377FFB1 3_2_0377FFB1
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_036C1F92 3_2_036C1F92
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_036C9EB0 3_2_036C9EB0
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_03777D73 3_2_03777D73
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_03771D5A 3_2_03771D5A
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_036DFDC0 3_2_036DFDC0
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_03739C32 3_2_03739C32
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_0377FCF2 3_2_0377FCF2
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_0347EFCD 3_2_0347EFCD
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_0347E2F8 3_2_0347E2F8
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_0347E7AD 3_2_0347E7AD
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_0347E57B 3_2_0347E57B
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_0347E413 3_2_0347E413
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_0347D878 3_2_0347D878
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\Quote 19847222.exe Code function: String function: 002C8900 appears 36 times
Source: C:\Users\user\Desktop\Quote 19847222.exe Code function: String function: 002C0AE3 appears 70 times
Source: C:\Users\user\Desktop\Quote 19847222.exe Code function: String function: 002A7DE1 appears 35 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 036AEA12 appears 76 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 03675130 appears 53 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 036BF290 appears 98 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 0362B970 appears 210 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 03687E54 appears 102 times
Source: C:\Windows\SysWOW64\recover.exe Code function: String function: 0373F290 appears 98 times
Source: C:\Windows\SysWOW64\recover.exe Code function: String function: 03707E54 appears 102 times
Source: C:\Windows\SysWOW64\recover.exe Code function: String function: 0372EA12 appears 76 times
Source: C:\Windows\SysWOW64\recover.exe Code function: String function: 036F5130 appears 53 times
Source: C:\Windows\SysWOW64\recover.exe Code function: String function: 036AB970 appears 210 times
Sample file is different than original file name gathered from version info
Source: Quote 19847222.exe, 00000000.00000003.1085257134.00000000036AD000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Quote 19847222.exe
Source: Quote 19847222.exe, 00000000.00000003.1085940221.0000000003553000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Quote 19847222.exe
Uses 32bit PE files
Source: Quote 19847222.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@7/3@1/1
Source: C:\Users\user\Desktop\Quote 19847222.exe Code function: 0_2_0030A06A GetLastError,FormatMessageW, 0_2_0030A06A
Source: C:\Users\user\Desktop\Quote 19847222.exe Code function: 0_2_002F81CB AdjustTokenPrivileges,CloseHandle, 0_2_002F81CB
Source: C:\Users\user\Desktop\Quote 19847222.exe Code function: 0_2_002F87E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 0_2_002F87E1
Source: C:\Users\user\Desktop\Quote 19847222.exe Code function: 0_2_0030B333 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode, 0_2_0030B333
Source: C:\Users\user\Desktop\Quote 19847222.exe Code function: 0_2_0031EE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle, 0_2_0031EE0D
Source: C:\Users\user\Desktop\Quote 19847222.exe Code function: 0_2_003183BB CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear, 0_2_003183BB
Source: C:\Users\user\Desktop\Quote 19847222.exe Code function: 0_2_002A4E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource, 0_2_002A4E89
Source: C:\Users\user\Desktop\Quote 19847222.exe File created: C:\Users\user\AppData\Local\Temp\autA37.tmp Jump to behavior
Source: Quote 19847222.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Quote 19847222.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: recover.exe, 00000003.00000002.1428490368.00000000032BC000.00000004.00000020.00020000.00000000.sdmp, recover.exe, 00000003.00000003.1368593131.00000000032B3000.00000004.00000020.00020000.00000000.sdmp, recover.exe, 00000003.00000002.1428490368.00000000032B3000.00000004.00000020.00020000.00000000.sdmp, recover.exe, 00000003.00000002.1428490368.00000000032E0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: Quote 19847222.exe Virustotal: Detection: 61%
Source: Quote 19847222.exe ReversingLabs: Detection: 66%
Source: unknown Process created: C:\Users\user\Desktop\Quote 19847222.exe "C:\Users\user\Desktop\Quote 19847222.exe"
Source: C:\Users\user\Desktop\Quote 19847222.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Quote 19847222.exe"
Source: C:\Program Files (x86)\UDDfWCHuMXUDDHpdtXkoxfwcppdtCeccQyWHNQqcuJccXiGTDyI\NyiehbWuZxeF.exe Process created: C:\Windows\SysWOW64\recover.exe "C:\Windows\SysWOW64\recover.exe"
Source: C:\Windows\SysWOW64\recover.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\Quote 19847222.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Quote 19847222.exe" Jump to behavior
Source: C:\Program Files (x86)\UDDfWCHuMXUDDHpdtXkoxfwcppdtCeccQyWHNQqcuJccXiGTDyI\NyiehbWuZxeF.exe Process created: C:\Windows\SysWOW64\recover.exe "C:\Windows\SysWOW64\recover.exe" Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe" Jump to behavior
Source: C:\Users\user\Desktop\Quote 19847222.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\Desktop\Quote 19847222.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\Quote 19847222.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\Quote 19847222.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Desktop\Quote 19847222.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\Quote 19847222.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Quote 19847222.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\Quote 19847222.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\Quote 19847222.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\Quote 19847222.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\Quote 19847222.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\Quote 19847222.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe Section loaded: ulib.dll Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe Section loaded: ifsutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe Section loaded: devobj.dll Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe Section loaded: ieframe.dll Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe Section loaded: mlang.dll Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe Section loaded: winsqlite3.dll Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe Section loaded: vaultcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Program Files (x86)\UDDfWCHuMXUDDHpdtXkoxfwcppdtCeccQyWHNQqcuJccXiGTDyI\NyiehbWuZxeF.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Program Files (x86)\UDDfWCHuMXUDDHpdtXkoxfwcppdtCeccQyWHNQqcuJccXiGTDyI\NyiehbWuZxeF.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Program Files (x86)\UDDfWCHuMXUDDHpdtXkoxfwcppdtCeccQyWHNQqcuJccXiGTDyI\NyiehbWuZxeF.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Program Files (x86)\UDDfWCHuMXUDDHpdtXkoxfwcppdtCeccQyWHNQqcuJccXiGTDyI\NyiehbWuZxeF.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Program Files (x86)\UDDfWCHuMXUDDHpdtXkoxfwcppdtCeccQyWHNQqcuJccXiGTDyI\NyiehbWuZxeF.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Program Files (x86)\UDDfWCHuMXUDDHpdtXkoxfwcppdtCeccQyWHNQqcuJccXiGTDyI\NyiehbWuZxeF.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\recover.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\ Jump to behavior
Source: Quote 19847222.exe Static file information: File size 1194496 > 1048576
Source: Quote 19847222.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Quote 19847222.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Quote 19847222.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Quote 19847222.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Quote 19847222.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Quote 19847222.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: Quote 19847222.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: recover.pdb source: svchost.exe, 00000001.00000002.1187175340.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1187191686.0000000003012000.00000004.00000020.00020000.00000000.sdmp, NyiehbWuZxeF.exe, 00000002.00000002.2336995225.00000000007BE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: Quote 19847222.exe, 00000000.00000003.1085940221.0000000003430000.00000004.00001000.00020000.00000000.sdmp, Quote 19847222.exe, 00000000.00000003.1085671212.00000000035D0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1187368086.0000000003600000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1088137439.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1187368086.000000000379E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1090482040.0000000003400000.00000004.00000020.00020000.00000000.sdmp, recover.exe, 00000003.00000002.1429269901.000000000381E000.00000040.00001000.00020000.00000000.sdmp, recover.exe, 00000003.00000003.1190723298.00000000034D1000.00000004.00000020.00020000.00000000.sdmp, recover.exe, 00000003.00000002.1429269901.0000000003680000.00000040.00001000.00020000.00000000.sdmp, recover.exe, 00000003.00000003.1188444639.0000000003323000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: Quote 19847222.exe, 00000000.00000003.1085940221.0000000003430000.00000004.00001000.00020000.00000000.sdmp, Quote 19847222.exe, 00000000.00000003.1085671212.00000000035D0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000002.1187368086.0000000003600000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1088137439.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1187368086.000000000379E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1090482040.0000000003400000.00000004.00000020.00020000.00000000.sdmp, recover.exe, recover.exe, 00000003.00000002.1429269901.000000000381E000.00000040.00001000.00020000.00000000.sdmp, recover.exe, 00000003.00000003.1190723298.00000000034D1000.00000004.00000020.00020000.00000000.sdmp, recover.exe, 00000003.00000002.1429269901.0000000003680000.00000040.00001000.00020000.00000000.sdmp, recover.exe, 00000003.00000003.1188444639.0000000003323000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: recover.pdbGCTL source: svchost.exe, 00000001.00000002.1187175340.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1187191686.0000000003012000.00000004.00000020.00020000.00000000.sdmp, NyiehbWuZxeF.exe, 00000002.00000002.2336995225.00000000007BE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: svchost.pdb source: recover.exe, 00000003.00000002.1429623747.0000000003CAC000.00000004.10000000.00040000.00000000.sdmp, recover.exe, 00000003.00000002.1428490368.0000000003233000.00000004.00000020.00020000.00000000.sdmp, NyiehbWuZxeF.exe, 00000006.00000000.1256100264.0000000002D2C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000D.00000002.2335765535.000000002786C000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: svchost.pdbUGP source: recover.exe, 00000003.00000002.1429623747.0000000003CAC000.00000004.10000000.00040000.00000000.sdmp, recover.exe, 00000003.00000002.1428490368.0000000003233000.00000004.00000020.00020000.00000000.sdmp, NyiehbWuZxeF.exe, 00000006.00000000.1256100264.0000000002D2C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000D.00000002.2335765535.000000002786C000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: NyiehbWuZxeF.exe, 00000002.00000002.2336396806.000000000019F000.00000002.00000001.01000000.00000004.sdmp, NyiehbWuZxeF.exe, 00000006.00000002.2335985021.000000000019F000.00000002.00000001.01000000.00000004.sdmp
Source: Quote 19847222.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Quote 19847222.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Quote 19847222.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Quote 19847222.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Quote 19847222.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\Quote 19847222.exe Code function: 0_2_002A4B37 LoadLibraryA,GetProcAddress, 0_2_002A4B37
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Quote 19847222.exe Code function: 0_2_0030848F push FFFFFF8Bh; iretd 0_2_00308491
Source: C:\Users\user\Desktop\Quote 19847222.exe Code function: 0_2_002C8945 push ecx; ret 0_2_002C8958
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0040214B push cs; ret 1_2_0040214D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_004181E4 pushfd ; iretd 1_2_004181EA
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00416A21 push esi; iretd 1_2_00416A24
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00403350 push eax; ret 1_2_00403352
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00419317 push ds; ret 1_2_00419318
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_004143A3 pushfd ; retf 1_2_004143A2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0040D456 push 6E167C32h; retf 1_2_0040D45C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00419415 push edi; retf 1_2_00419416
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00411C33 pushad ; retf 1_2_00411C34
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00411DEB pushad ; ret 1_2_00411DF8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0040A5B3 push edi; ret 1_2_0040A5BD
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00413F4B pushfd ; iretd 1_2_00413F4F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00418735 push esp; ret 1_2_00418736
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00417793 pushfd ; iretd 1_2_004177B6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0360225F pushad ; ret 1_2_036027F9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036027FA pushad ; ret 1_2_036027F9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036309AD push ecx; mov dword ptr [esp], ecx 1_2_036309B6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0360283D push eax; iretd 1_2_03602858
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0360135F push eax; iretd 1_2_03601369
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_0368225F pushad ; ret 3_2_036827F9
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_036827FA pushad ; ret 3_2_036827F9
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_036B09AD push ecx; mov dword ptr [esp], ecx 3_2_036B09B6
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_0368283D push eax; iretd 3_2_03682858
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_0368135E push eax; iretd 3_2_03681369
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_0347C342 pushfd ; retf 3_2_0347C3A1
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_0347C360 pushfd ; retf 3_2_0347C3A1
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_03485152 push eax; ret 3_2_03485154
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_03475072 push eax; ret 3_2_03475073
Source: C:\Windows\SysWOW64\recover.exe Code function: 3_2_03473DA4 push eax; iretd 3_2_03473DA5
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\Desktop\Quote 19847222.exe Code function: 0_2_00325376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 0_2_00325376
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\Quote 19847222.exe Code function: 0_2_002C3187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_002C3187
Source: C:\Users\user\Desktop\Quote 19847222.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Quote 19847222.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Switches to a custom stack to bypass stack traces
Source: C:\Users\user\Desktop\Quote 19847222.exe API/Special instruction interceptor: Address: B6FF6C
Source: C:\Windows\SysWOW64\recover.exe API/Special instruction interceptor: Address: 7FFA424ED324
Source: C:\Windows\SysWOW64\recover.exe API/Special instruction interceptor: Address: 7FFA424ED7E4
Source: C:\Windows\SysWOW64\recover.exe API/Special instruction interceptor: Address: 7FFA424ED944
Source: C:\Windows\SysWOW64\recover.exe API/Special instruction interceptor: Address: 7FFA424ED504
Source: C:\Windows\SysWOW64\recover.exe API/Special instruction interceptor: Address: 7FFA424ED544
Source: C:\Windows\SysWOW64\recover.exe API/Special instruction interceptor: Address: 7FFA424ED1E4
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00418433 rdtsc 1_2_00418433
Found evasive API chain (date check)
Source: C:\Users\user\Desktop\Quote 19847222.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\Quote 19847222.exe API coverage: 4.8 %
Source: C:\Windows\SysWOW64\svchost.exe API coverage: 0.8 %
Source: C:\Windows\SysWOW64\recover.exe API coverage: 1.7 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Program Files (x86)\UDDfWCHuMXUDDHpdtXkoxfwcppdtCeccQyWHNQqcuJccXiGTDyI\NyiehbWuZxeF.exe TID: 560 Thread sleep time: -95000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Quote 19847222.exe Code function: 0_2_0030445A GetFileAttributesW,FindFirstFileW,FindClose, 0_2_0030445A
Source: C:\Users\user\Desktop\Quote 19847222.exe Code function: 0_2_0030C6D1 FindFirstFileW,FindClose, 0_2_0030C6D1
Source: C:\Users\user\Desktop\Quote 19847222.exe Code function: 0_2_0030C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 0_2_0030C75C
Source: C:\Users\user\Desktop\Quote 19847222.exe Code function: 0_2_0030F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_0030F3F3
Source: C:\Users\user\Desktop\Quote 19847222.exe Code function: 0_2_003037EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_003037EF
Source: C:\Users\user\Desktop\Quote 19847222.exe Code function: 0_2_00303B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_00303B12
Source: C:\Users\user\Desktop\Quote 19847222.exe Code function: 0_2_002A49A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_002A49A0
Source: 437G6NM-7.3.dr Binary or memory string: dev.azure.comVMware20,11696497155j
Source: 437G6NM-7.3.dr Binary or memory string: global block list test formVMware20,11696497155
Source: 437G6NM-7.3.dr Binary or memory string: turbotax.intuit.comVMware20,11696497155t
Source: 437G6NM-7.3.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696497155
Source: 437G6NM-7.3.dr Binary or memory string: Interactive Brokers - HKVMware20,11696497155]
Source: 437G6NM-7.3.dr Binary or memory string: secure.bankofamerica.comVMware20,11696497155|UE
Source: 437G6NM-7.3.dr Binary or memory string: tasks.office.comVMware20,11696497155o
Source: 437G6NM-7.3.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155
Source: 437G6NM-7.3.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696497155
Source: recover.exe, 00000003.00000002.1428490368.0000000003233000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: NyiehbWuZxeF.exe, 00000006.00000002.2337601001.0000000000D89000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll#
Source: 437G6NM-7.3.dr Binary or memory string: bankofamerica.comVMware20,11696497155x
Source: 437G6NM-7.3.dr Binary or memory string: ms.portal.azure.comVMware20,11696497155
Source: 437G6NM-7.3.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696497155h
Source: 437G6NM-7.3.dr Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696497155p
Source: 437G6NM-7.3.dr Binary or memory string: Interactive Brokers - EU WestVMware20,11696497155n
Source: 437G6NM-7.3.dr Binary or memory string: interactivebrokers.co.inVMware20,11696497155d
Source: 437G6NM-7.3.dr Binary or memory string: Canara Transaction PasswordVMware20,11696497155x
Source: 437G6NM-7.3.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696497155
Source: 437G6NM-7.3.dr Binary or memory string: interactivebrokers.comVMware20,11696497155
Source: 437G6NM-7.3.dr Binary or memory string: AMC password management pageVMware20,11696497155
Source: 437G6NM-7.3.dr Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696497155
Source: 437G6NM-7.3.dr Binary or memory string: Canara Transaction PasswordVMware20,11696497155}
Source: 437G6NM-7.3.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155^
Source: 437G6NM-7.3.dr Binary or memory string: account.microsoft.com/profileVMware20,11696497155u
Source: 437G6NM-7.3.dr Binary or memory string: discord.comVMware20,11696497155f
Source: 437G6NM-7.3.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696497155
Source: 437G6NM-7.3.dr Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696497155z
Source: 437G6NM-7.3.dr Binary or memory string: outlook.office365.comVMware20,11696497155t
Source: 437G6NM-7.3.dr Binary or memory string: outlook.office.comVMware20,11696497155s
Source: 437G6NM-7.3.dr Binary or memory string: www.interactivebrokers.comVMware20,11696497155}
Source: 437G6NM-7.3.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696497155~
Source: 437G6NM-7.3.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696497155x
Source: C:\Users\user\Desktop\Quote 19847222.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\svchost.exe Process information queried: ProcessInformation Jump to behavior
Checks if the current process is being debugged
Source: C:\Windows\SysWOW64\svchost.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe Process queried: DebugPort Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00418433 rdtsc 1_2_00418433
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00417C43 LdrLoadDll, 1_2_00417C43
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Source: C:\Users\user\Desktop\Quote 19847222.exe Code function: 0_2_00313F09 BlockInput, 0_2_00313F09
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\Quote 19847222.exe Code function: 0_2_002A3B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 0_2_002A3B3A
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Source: C:\Users\user\Desktop\Quote 19847222.exe Code function: 0_2_002D5A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 0_2_002D5A7C
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\Quote 19847222.exe Code function: 0_2_002A4B37 LoadLibraryA,GetProcAddress, 0_2_002A4B37
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\Quote 19847222.exe Code function: 0_2_00B701D8 mov eax, dword ptr fs:[00000030h] 0_2_00B701D8
Source: C:\Users\user\Desktop\Quote 19847222.exe Code function: 0_2_00B70238 mov eax, dword ptr fs:[00000030h] 0_2_00B70238
Source: C:\Users\user\Desktop\Quote 19847222.exe Code function: 0_2_00B6EB78 mov eax, dword ptr fs:[00000030h] 0_2_00B6EB78
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036D437C mov eax, dword ptr fs:[00000030h] 1_2_036D437C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036B035C mov eax, dword ptr fs:[00000030h] 1_2_036B035C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036B035C mov eax, dword ptr fs:[00000030h] 1_2_036B035C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036B035C mov eax, dword ptr fs:[00000030h] 1_2_036B035C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036B035C mov ecx, dword ptr fs:[00000030h] 1_2_036B035C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036B035C mov eax, dword ptr fs:[00000030h] 1_2_036B035C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036B035C mov eax, dword ptr fs:[00000030h] 1_2_036B035C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036FA352 mov eax, dword ptr fs:[00000030h] 1_2_036FA352
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036D8350 mov ecx, dword ptr fs:[00000030h] 1_2_036D8350
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0370634F mov eax, dword ptr fs:[00000030h] 1_2_0370634F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03708324 mov eax, dword ptr fs:[00000030h] 1_2_03708324
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03708324 mov ecx, dword ptr fs:[00000030h] 1_2_03708324
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03708324 mov eax, dword ptr fs:[00000030h] 1_2_03708324
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03708324 mov eax, dword ptr fs:[00000030h] 1_2_03708324
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0366A30B mov eax, dword ptr fs:[00000030h] 1_2_0366A30B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0366A30B mov eax, dword ptr fs:[00000030h] 1_2_0366A30B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0366A30B mov eax, dword ptr fs:[00000030h] 1_2_0366A30B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0362C310 mov ecx, dword ptr fs:[00000030h] 1_2_0362C310
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03650310 mov ecx, dword ptr fs:[00000030h] 1_2_03650310
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036403E9 mov eax, dword ptr fs:[00000030h] 1_2_036403E9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036403E9 mov eax, dword ptr fs:[00000030h] 1_2_036403E9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036403E9 mov eax, dword ptr fs:[00000030h] 1_2_036403E9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036403E9 mov eax, dword ptr fs:[00000030h] 1_2_036403E9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036403E9 mov eax, dword ptr fs:[00000030h] 1_2_036403E9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036403E9 mov eax, dword ptr fs:[00000030h] 1_2_036403E9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036403E9 mov eax, dword ptr fs:[00000030h] 1_2_036403E9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036403E9 mov eax, dword ptr fs:[00000030h] 1_2_036403E9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0364E3F0 mov eax, dword ptr fs:[00000030h] 1_2_0364E3F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0364E3F0 mov eax, dword ptr fs:[00000030h] 1_2_0364E3F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0364E3F0 mov eax, dword ptr fs:[00000030h] 1_2_0364E3F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036663FF mov eax, dword ptr fs:[00000030h] 1_2_036663FF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036EC3CD mov eax, dword ptr fs:[00000030h] 1_2_036EC3CD
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0363A3C0 mov eax, dword ptr fs:[00000030h] 1_2_0363A3C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0363A3C0 mov eax, dword ptr fs:[00000030h] 1_2_0363A3C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0363A3C0 mov eax, dword ptr fs:[00000030h] 1_2_0363A3C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0363A3C0 mov eax, dword ptr fs:[00000030h] 1_2_0363A3C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0363A3C0 mov eax, dword ptr fs:[00000030h] 1_2_0363A3C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0363A3C0 mov eax, dword ptr fs:[00000030h] 1_2_0363A3C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036383C0 mov eax, dword ptr fs:[00000030h] 1_2_036383C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036383C0 mov eax, dword ptr fs:[00000030h] 1_2_036383C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036383C0 mov eax, dword ptr fs:[00000030h] 1_2_036383C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036383C0 mov eax, dword ptr fs:[00000030h] 1_2_036383C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036B63C0 mov eax, dword ptr fs:[00000030h] 1_2_036B63C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036DE3DB mov eax, dword ptr fs:[00000030h] 1_2_036DE3DB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036DE3DB mov eax, dword ptr fs:[00000030h] 1_2_036DE3DB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036DE3DB mov ecx, dword ptr fs:[00000030h] 1_2_036DE3DB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036DE3DB mov eax, dword ptr fs:[00000030h] 1_2_036DE3DB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036D43D4 mov eax, dword ptr fs:[00000030h] 1_2_036D43D4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036D43D4 mov eax, dword ptr fs:[00000030h] 1_2_036D43D4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0365438F mov eax, dword ptr fs:[00000030h] 1_2_0365438F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0365438F mov eax, dword ptr fs:[00000030h] 1_2_0365438F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0362E388 mov eax, dword ptr fs:[00000030h] 1_2_0362E388
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0362E388 mov eax, dword ptr fs:[00000030h] 1_2_0362E388
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0362E388 mov eax, dword ptr fs:[00000030h] 1_2_0362E388
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03628397 mov eax, dword ptr fs:[00000030h] 1_2_03628397
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03628397 mov eax, dword ptr fs:[00000030h] 1_2_03628397
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03628397 mov eax, dword ptr fs:[00000030h] 1_2_03628397
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03634260 mov eax, dword ptr fs:[00000030h] 1_2_03634260
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03634260 mov eax, dword ptr fs:[00000030h] 1_2_03634260
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03634260 mov eax, dword ptr fs:[00000030h] 1_2_03634260
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0362826B mov eax, dword ptr fs:[00000030h] 1_2_0362826B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036B8243 mov eax, dword ptr fs:[00000030h] 1_2_036B8243
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036B8243 mov ecx, dword ptr fs:[00000030h] 1_2_036B8243
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0370625D mov eax, dword ptr fs:[00000030h] 1_2_0370625D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0362A250 mov eax, dword ptr fs:[00000030h] 1_2_0362A250
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03636259 mov eax, dword ptr fs:[00000030h] 1_2_03636259
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036EA250 mov eax, dword ptr fs:[00000030h] 1_2_036EA250
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036EA250 mov eax, dword ptr fs:[00000030h] 1_2_036EA250
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0362823B mov eax, dword ptr fs:[00000030h] 1_2_0362823B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036402E1 mov eax, dword ptr fs:[00000030h] 1_2_036402E1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036402E1 mov eax, dword ptr fs:[00000030h] 1_2_036402E1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036402E1 mov eax, dword ptr fs:[00000030h] 1_2_036402E1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0363A2C3 mov eax, dword ptr fs:[00000030h] 1_2_0363A2C3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0363A2C3 mov eax, dword ptr fs:[00000030h] 1_2_0363A2C3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0363A2C3 mov eax, dword ptr fs:[00000030h] 1_2_0363A2C3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0363A2C3 mov eax, dword ptr fs:[00000030h] 1_2_0363A2C3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0363A2C3 mov eax, dword ptr fs:[00000030h] 1_2_0363A2C3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037062D6 mov eax, dword ptr fs:[00000030h] 1_2_037062D6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036402A0 mov eax, dword ptr fs:[00000030h] 1_2_036402A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036402A0 mov eax, dword ptr fs:[00000030h] 1_2_036402A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036C62A0 mov eax, dword ptr fs:[00000030h] 1_2_036C62A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036C62A0 mov ecx, dword ptr fs:[00000030h] 1_2_036C62A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036C62A0 mov eax, dword ptr fs:[00000030h] 1_2_036C62A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036C62A0 mov eax, dword ptr fs:[00000030h] 1_2_036C62A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036C62A0 mov eax, dword ptr fs:[00000030h] 1_2_036C62A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036C62A0 mov eax, dword ptr fs:[00000030h] 1_2_036C62A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0366E284 mov eax, dword ptr fs:[00000030h] 1_2_0366E284
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0366E284 mov eax, dword ptr fs:[00000030h] 1_2_0366E284
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036B0283 mov eax, dword ptr fs:[00000030h] 1_2_036B0283
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036B0283 mov eax, dword ptr fs:[00000030h] 1_2_036B0283
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036B0283 mov eax, dword ptr fs:[00000030h] 1_2_036B0283
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03704164 mov eax, dword ptr fs:[00000030h] 1_2_03704164
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03704164 mov eax, dword ptr fs:[00000030h] 1_2_03704164
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036C4144 mov eax, dword ptr fs:[00000030h] 1_2_036C4144
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036C4144 mov eax, dword ptr fs:[00000030h] 1_2_036C4144
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036C4144 mov ecx, dword ptr fs:[00000030h] 1_2_036C4144
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036C4144 mov eax, dword ptr fs:[00000030h] 1_2_036C4144
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036C4144 mov eax, dword ptr fs:[00000030h] 1_2_036C4144
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0362C156 mov eax, dword ptr fs:[00000030h] 1_2_0362C156
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036C8158 mov eax, dword ptr fs:[00000030h] 1_2_036C8158
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03636154 mov eax, dword ptr fs:[00000030h] 1_2_03636154
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03636154 mov eax, dword ptr fs:[00000030h] 1_2_03636154
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03660124 mov eax, dword ptr fs:[00000030h] 1_2_03660124
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036DE10E mov eax, dword ptr fs:[00000030h] 1_2_036DE10E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036DE10E mov ecx, dword ptr fs:[00000030h] 1_2_036DE10E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036DE10E mov eax, dword ptr fs:[00000030h] 1_2_036DE10E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036DE10E mov eax, dword ptr fs:[00000030h] 1_2_036DE10E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036DE10E mov ecx, dword ptr fs:[00000030h] 1_2_036DE10E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036DE10E mov eax, dword ptr fs:[00000030h] 1_2_036DE10E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036DE10E mov eax, dword ptr fs:[00000030h] 1_2_036DE10E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036DE10E mov ecx, dword ptr fs:[00000030h] 1_2_036DE10E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036DE10E mov eax, dword ptr fs:[00000030h] 1_2_036DE10E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036DE10E mov ecx, dword ptr fs:[00000030h] 1_2_036DE10E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036DA118 mov ecx, dword ptr fs:[00000030h] 1_2_036DA118
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036DA118 mov eax, dword ptr fs:[00000030h] 1_2_036DA118
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036DA118 mov eax, dword ptr fs:[00000030h] 1_2_036DA118
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036DA118 mov eax, dword ptr fs:[00000030h] 1_2_036DA118
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036F0115 mov eax, dword ptr fs:[00000030h] 1_2_036F0115
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037061E5 mov eax, dword ptr fs:[00000030h] 1_2_037061E5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036601F8 mov eax, dword ptr fs:[00000030h] 1_2_036601F8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036F61C3 mov eax, dword ptr fs:[00000030h] 1_2_036F61C3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036F61C3 mov eax, dword ptr fs:[00000030h] 1_2_036F61C3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036AE1D0 mov eax, dword ptr fs:[00000030h] 1_2_036AE1D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036AE1D0 mov eax, dword ptr fs:[00000030h] 1_2_036AE1D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036AE1D0 mov ecx, dword ptr fs:[00000030h] 1_2_036AE1D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036AE1D0 mov eax, dword ptr fs:[00000030h] 1_2_036AE1D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036AE1D0 mov eax, dword ptr fs:[00000030h] 1_2_036AE1D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037021AE mov eax, dword ptr fs:[00000030h] 1_2_037021AE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03670185 mov eax, dword ptr fs:[00000030h] 1_2_03670185
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036EC188 mov eax, dword ptr fs:[00000030h] 1_2_036EC188
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036EC188 mov eax, dword ptr fs:[00000030h] 1_2_036EC188
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036D4180 mov eax, dword ptr fs:[00000030h] 1_2_036D4180
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036D4180 mov eax, dword ptr fs:[00000030h] 1_2_036D4180
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036B019F mov eax, dword ptr fs:[00000030h] 1_2_036B019F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036B019F mov eax, dword ptr fs:[00000030h] 1_2_036B019F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036B019F mov eax, dword ptr fs:[00000030h] 1_2_036B019F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036B019F mov eax, dword ptr fs:[00000030h] 1_2_036B019F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0362A197 mov eax, dword ptr fs:[00000030h] 1_2_0362A197
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0362A197 mov eax, dword ptr fs:[00000030h] 1_2_0362A197
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0362A197 mov eax, dword ptr fs:[00000030h] 1_2_0362A197
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0365C073 mov eax, dword ptr fs:[00000030h] 1_2_0365C073
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03632050 mov eax, dword ptr fs:[00000030h] 1_2_03632050
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036B6050 mov eax, dword ptr fs:[00000030h] 1_2_036B6050
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0362A020 mov eax, dword ptr fs:[00000030h] 1_2_0362A020
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0362C020 mov eax, dword ptr fs:[00000030h] 1_2_0362C020
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036C6030 mov eax, dword ptr fs:[00000030h] 1_2_036C6030
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036B4000 mov ecx, dword ptr fs:[00000030h] 1_2_036B4000
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036D2000 mov eax, dword ptr fs:[00000030h] 1_2_036D2000
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036D2000 mov eax, dword ptr fs:[00000030h] 1_2_036D2000
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036D2000 mov eax, dword ptr fs:[00000030h] 1_2_036D2000
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036D2000 mov eax, dword ptr fs:[00000030h] 1_2_036D2000
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036D2000 mov eax, dword ptr fs:[00000030h] 1_2_036D2000
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036D2000 mov eax, dword ptr fs:[00000030h] 1_2_036D2000
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036D2000 mov eax, dword ptr fs:[00000030h] 1_2_036D2000
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036D2000 mov eax, dword ptr fs:[00000030h] 1_2_036D2000
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0364E016 mov eax, dword ptr fs:[00000030h] 1_2_0364E016
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0364E016 mov eax, dword ptr fs:[00000030h] 1_2_0364E016
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0364E016 mov eax, dword ptr fs:[00000030h] 1_2_0364E016
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0364E016 mov eax, dword ptr fs:[00000030h] 1_2_0364E016
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0362A0E3 mov ecx, dword ptr fs:[00000030h] 1_2_0362A0E3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036380E9 mov eax, dword ptr fs:[00000030h] 1_2_036380E9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036B60E0 mov eax, dword ptr fs:[00000030h] 1_2_036B60E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0362C0F0 mov eax, dword ptr fs:[00000030h] 1_2_0362C0F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036720F0 mov ecx, dword ptr fs:[00000030h] 1_2_036720F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036B20DE mov eax, dword ptr fs:[00000030h] 1_2_036B20DE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036280A0 mov eax, dword ptr fs:[00000030h] 1_2_036280A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036C80A8 mov eax, dword ptr fs:[00000030h] 1_2_036C80A8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036F60B8 mov eax, dword ptr fs:[00000030h] 1_2_036F60B8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036F60B8 mov ecx, dword ptr fs:[00000030h] 1_2_036F60B8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0363208A mov eax, dword ptr fs:[00000030h] 1_2_0363208A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03638770 mov eax, dword ptr fs:[00000030h] 1_2_03638770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03640770 mov eax, dword ptr fs:[00000030h] 1_2_03640770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03640770 mov eax, dword ptr fs:[00000030h] 1_2_03640770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03640770 mov eax, dword ptr fs:[00000030h] 1_2_03640770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03640770 mov eax, dword ptr fs:[00000030h] 1_2_03640770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03640770 mov eax, dword ptr fs:[00000030h] 1_2_03640770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03640770 mov eax, dword ptr fs:[00000030h] 1_2_03640770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03640770 mov eax, dword ptr fs:[00000030h] 1_2_03640770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03640770 mov eax, dword ptr fs:[00000030h] 1_2_03640770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03640770 mov eax, dword ptr fs:[00000030h] 1_2_03640770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03640770 mov eax, dword ptr fs:[00000030h] 1_2_03640770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03640770 mov eax, dword ptr fs:[00000030h] 1_2_03640770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03640770 mov eax, dword ptr fs:[00000030h] 1_2_03640770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0366674D mov esi, dword ptr fs:[00000030h] 1_2_0366674D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0366674D mov eax, dword ptr fs:[00000030h] 1_2_0366674D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0366674D mov eax, dword ptr fs:[00000030h] 1_2_0366674D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03630750 mov eax, dword ptr fs:[00000030h] 1_2_03630750
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036BE75D mov eax, dword ptr fs:[00000030h] 1_2_036BE75D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03672750 mov eax, dword ptr fs:[00000030h] 1_2_03672750
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03672750 mov eax, dword ptr fs:[00000030h] 1_2_03672750
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0366C720 mov eax, dword ptr fs:[00000030h] 1_2_0366C720
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0366C720 mov eax, dword ptr fs:[00000030h] 1_2_0366C720
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0366273C mov eax, dword ptr fs:[00000030h] 1_2_0366273C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0366273C mov ecx, dword ptr fs:[00000030h] 1_2_0366273C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0366273C mov eax, dword ptr fs:[00000030h] 1_2_0366273C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036AC730 mov eax, dword ptr fs:[00000030h] 1_2_036AC730
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0366C700 mov eax, dword ptr fs:[00000030h] 1_2_0366C700
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03630710 mov eax, dword ptr fs:[00000030h] 1_2_03630710
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03660710 mov eax, dword ptr fs:[00000030h] 1_2_03660710
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036527ED mov eax, dword ptr fs:[00000030h] 1_2_036527ED
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036527ED mov eax, dword ptr fs:[00000030h] 1_2_036527ED
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036527ED mov eax, dword ptr fs:[00000030h] 1_2_036527ED
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036BE7E1 mov eax, dword ptr fs:[00000030h] 1_2_036BE7E1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036347FB mov eax, dword ptr fs:[00000030h] 1_2_036347FB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036347FB mov eax, dword ptr fs:[00000030h] 1_2_036347FB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0363C7C0 mov eax, dword ptr fs:[00000030h] 1_2_0363C7C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036B07C3 mov eax, dword ptr fs:[00000030h] 1_2_036B07C3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036307AF mov eax, dword ptr fs:[00000030h] 1_2_036307AF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036E47A0 mov eax, dword ptr fs:[00000030h] 1_2_036E47A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036D678E mov eax, dword ptr fs:[00000030h] 1_2_036D678E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036F866E mov eax, dword ptr fs:[00000030h] 1_2_036F866E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036F866E mov eax, dword ptr fs:[00000030h] 1_2_036F866E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0366A660 mov eax, dword ptr fs:[00000030h] 1_2_0366A660
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0366A660 mov eax, dword ptr fs:[00000030h] 1_2_0366A660
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03662674 mov eax, dword ptr fs:[00000030h] 1_2_03662674
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0364C640 mov eax, dword ptr fs:[00000030h] 1_2_0364C640
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0364E627 mov eax, dword ptr fs:[00000030h] 1_2_0364E627
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03666620 mov eax, dword ptr fs:[00000030h] 1_2_03666620
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03668620 mov eax, dword ptr fs:[00000030h] 1_2_03668620
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0363262C mov eax, dword ptr fs:[00000030h] 1_2_0363262C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036AE609 mov eax, dword ptr fs:[00000030h] 1_2_036AE609
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0364260B mov eax, dword ptr fs:[00000030h] 1_2_0364260B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0364260B mov eax, dword ptr fs:[00000030h] 1_2_0364260B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0364260B mov eax, dword ptr fs:[00000030h] 1_2_0364260B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0364260B mov eax, dword ptr fs:[00000030h] 1_2_0364260B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0364260B mov eax, dword ptr fs:[00000030h] 1_2_0364260B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0364260B mov eax, dword ptr fs:[00000030h] 1_2_0364260B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0364260B mov eax, dword ptr fs:[00000030h] 1_2_0364260B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03672619 mov eax, dword ptr fs:[00000030h] 1_2_03672619
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036AE6F2 mov eax, dword ptr fs:[00000030h] 1_2_036AE6F2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036AE6F2 mov eax, dword ptr fs:[00000030h] 1_2_036AE6F2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036AE6F2 mov eax, dword ptr fs:[00000030h] 1_2_036AE6F2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036AE6F2 mov eax, dword ptr fs:[00000030h] 1_2_036AE6F2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036B06F1 mov eax, dword ptr fs:[00000030h] 1_2_036B06F1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036B06F1 mov eax, dword ptr fs:[00000030h] 1_2_036B06F1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0366A6C7 mov ebx, dword ptr fs:[00000030h] 1_2_0366A6C7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0366A6C7 mov eax, dword ptr fs:[00000030h] 1_2_0366A6C7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0366C6A6 mov eax, dword ptr fs:[00000030h] 1_2_0366C6A6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036666B0 mov eax, dword ptr fs:[00000030h] 1_2_036666B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03634690 mov eax, dword ptr fs:[00000030h] 1_2_03634690
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03634690 mov eax, dword ptr fs:[00000030h] 1_2_03634690
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0366656A mov eax, dword ptr fs:[00000030h] 1_2_0366656A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0366656A mov eax, dword ptr fs:[00000030h] 1_2_0366656A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0366656A mov eax, dword ptr fs:[00000030h] 1_2_0366656A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03638550 mov eax, dword ptr fs:[00000030h] 1_2_03638550
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03638550 mov eax, dword ptr fs:[00000030h] 1_2_03638550
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03640535 mov eax, dword ptr fs:[00000030h] 1_2_03640535
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03640535 mov eax, dword ptr fs:[00000030h] 1_2_03640535
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03640535 mov eax, dword ptr fs:[00000030h] 1_2_03640535
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03640535 mov eax, dword ptr fs:[00000030h] 1_2_03640535
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03640535 mov eax, dword ptr fs:[00000030h] 1_2_03640535
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03640535 mov eax, dword ptr fs:[00000030h] 1_2_03640535
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0365E53E mov eax, dword ptr fs:[00000030h] 1_2_0365E53E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0365E53E mov eax, dword ptr fs:[00000030h] 1_2_0365E53E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0365E53E mov eax, dword ptr fs:[00000030h] 1_2_0365E53E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0365E53E mov eax, dword ptr fs:[00000030h] 1_2_0365E53E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0365E53E mov eax, dword ptr fs:[00000030h] 1_2_0365E53E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036C6500 mov eax, dword ptr fs:[00000030h] 1_2_036C6500
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03704500 mov eax, dword ptr fs:[00000030h] 1_2_03704500
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03704500 mov eax, dword ptr fs:[00000030h] 1_2_03704500
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03704500 mov eax, dword ptr fs:[00000030h] 1_2_03704500
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03704500 mov eax, dword ptr fs:[00000030h] 1_2_03704500
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03704500 mov eax, dword ptr fs:[00000030h] 1_2_03704500
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03704500 mov eax, dword ptr fs:[00000030h] 1_2_03704500
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03704500 mov eax, dword ptr fs:[00000030h] 1_2_03704500
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0365E5E7 mov eax, dword ptr fs:[00000030h] 1_2_0365E5E7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0365E5E7 mov eax, dword ptr fs:[00000030h] 1_2_0365E5E7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0365E5E7 mov eax, dword ptr fs:[00000030h] 1_2_0365E5E7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0365E5E7 mov eax, dword ptr fs:[00000030h] 1_2_0365E5E7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0365E5E7 mov eax, dword ptr fs:[00000030h] 1_2_0365E5E7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0365E5E7 mov eax, dword ptr fs:[00000030h] 1_2_0365E5E7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0365E5E7 mov eax, dword ptr fs:[00000030h] 1_2_0365E5E7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0365E5E7 mov eax, dword ptr fs:[00000030h] 1_2_0365E5E7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036325E0 mov eax, dword ptr fs:[00000030h] 1_2_036325E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0366C5ED mov eax, dword ptr fs:[00000030h] 1_2_0366C5ED
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0366C5ED mov eax, dword ptr fs:[00000030h] 1_2_0366C5ED
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0366E5CF mov eax, dword ptr fs:[00000030h] 1_2_0366E5CF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0366E5CF mov eax, dword ptr fs:[00000030h] 1_2_0366E5CF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036365D0 mov eax, dword ptr fs:[00000030h] 1_2_036365D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0366A5D0 mov eax, dword ptr fs:[00000030h] 1_2_0366A5D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0366A5D0 mov eax, dword ptr fs:[00000030h] 1_2_0366A5D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036B05A7 mov eax, dword ptr fs:[00000030h] 1_2_036B05A7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036B05A7 mov eax, dword ptr fs:[00000030h] 1_2_036B05A7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036B05A7 mov eax, dword ptr fs:[00000030h] 1_2_036B05A7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036545B1 mov eax, dword ptr fs:[00000030h] 1_2_036545B1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036545B1 mov eax, dword ptr fs:[00000030h] 1_2_036545B1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03632582 mov eax, dword ptr fs:[00000030h] 1_2_03632582
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03632582 mov ecx, dword ptr fs:[00000030h] 1_2_03632582
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03664588 mov eax, dword ptr fs:[00000030h] 1_2_03664588
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0366E59C mov eax, dword ptr fs:[00000030h] 1_2_0366E59C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036BC460 mov ecx, dword ptr fs:[00000030h] 1_2_036BC460
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0365A470 mov eax, dword ptr fs:[00000030h] 1_2_0365A470
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0365A470 mov eax, dword ptr fs:[00000030h] 1_2_0365A470
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0365A470 mov eax, dword ptr fs:[00000030h] 1_2_0365A470
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0366E443 mov eax, dword ptr fs:[00000030h] 1_2_0366E443
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0366E443 mov eax, dword ptr fs:[00000030h] 1_2_0366E443
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0366E443 mov eax, dword ptr fs:[00000030h] 1_2_0366E443
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0366E443 mov eax, dword ptr fs:[00000030h] 1_2_0366E443
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0366E443 mov eax, dword ptr fs:[00000030h] 1_2_0366E443
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0366E443 mov eax, dword ptr fs:[00000030h] 1_2_0366E443
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0366E443 mov eax, dword ptr fs:[00000030h] 1_2_0366E443
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0366E443 mov eax, dword ptr fs:[00000030h] 1_2_0366E443
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036EA456 mov eax, dword ptr fs:[00000030h] 1_2_036EA456
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0362645D mov eax, dword ptr fs:[00000030h] 1_2_0362645D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0365245A mov eax, dword ptr fs:[00000030h] 1_2_0365245A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0362E420 mov eax, dword ptr fs:[00000030h] 1_2_0362E420
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0362E420 mov eax, dword ptr fs:[00000030h] 1_2_0362E420
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0362E420 mov eax, dword ptr fs:[00000030h] 1_2_0362E420
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0362C427 mov eax, dword ptr fs:[00000030h] 1_2_0362C427
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036B6420 mov eax, dword ptr fs:[00000030h] 1_2_036B6420
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036B6420 mov eax, dword ptr fs:[00000030h] 1_2_036B6420
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036B6420 mov eax, dword ptr fs:[00000030h] 1_2_036B6420
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036B6420 mov eax, dword ptr fs:[00000030h] 1_2_036B6420
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036B6420 mov eax, dword ptr fs:[00000030h] 1_2_036B6420
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036B6420 mov eax, dword ptr fs:[00000030h] 1_2_036B6420
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036B6420 mov eax, dword ptr fs:[00000030h] 1_2_036B6420
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03668402 mov eax, dword ptr fs:[00000030h] 1_2_03668402
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03668402 mov eax, dword ptr fs:[00000030h] 1_2_03668402
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03668402 mov eax, dword ptr fs:[00000030h] 1_2_03668402
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036304E5 mov ecx, dword ptr fs:[00000030h] 1_2_036304E5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036364AB mov eax, dword ptr fs:[00000030h] 1_2_036364AB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036644B0 mov ecx, dword ptr fs:[00000030h] 1_2_036644B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036BA4B0 mov eax, dword ptr fs:[00000030h] 1_2_036BA4B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036EA49A mov eax, dword ptr fs:[00000030h] 1_2_036EA49A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0362CB7E mov eax, dword ptr fs:[00000030h] 1_2_0362CB7E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036E4B4B mov eax, dword ptr fs:[00000030h] 1_2_036E4B4B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036E4B4B mov eax, dword ptr fs:[00000030h] 1_2_036E4B4B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03702B57 mov eax, dword ptr fs:[00000030h] 1_2_03702B57
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03702B57 mov eax, dword ptr fs:[00000030h] 1_2_03702B57
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03702B57 mov eax, dword ptr fs:[00000030h] 1_2_03702B57
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03702B57 mov eax, dword ptr fs:[00000030h] 1_2_03702B57
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036C6B40 mov eax, dword ptr fs:[00000030h] 1_2_036C6B40
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036C6B40 mov eax, dword ptr fs:[00000030h] 1_2_036C6B40
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036D8B42 mov eax, dword ptr fs:[00000030h] 1_2_036D8B42
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036FAB40 mov eax, dword ptr fs:[00000030h] 1_2_036FAB40
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03628B50 mov eax, dword ptr fs:[00000030h] 1_2_03628B50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036DEB50 mov eax, dword ptr fs:[00000030h] 1_2_036DEB50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0365EB20 mov eax, dword ptr fs:[00000030h] 1_2_0365EB20
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0365EB20 mov eax, dword ptr fs:[00000030h] 1_2_0365EB20
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036F8B28 mov eax, dword ptr fs:[00000030h] 1_2_036F8B28
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036F8B28 mov eax, dword ptr fs:[00000030h] 1_2_036F8B28
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03704B00 mov eax, dword ptr fs:[00000030h] 1_2_03704B00
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036AEB1D mov eax, dword ptr fs:[00000030h] 1_2_036AEB1D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036AEB1D mov eax, dword ptr fs:[00000030h] 1_2_036AEB1D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036AEB1D mov eax, dword ptr fs:[00000030h] 1_2_036AEB1D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036AEB1D mov eax, dword ptr fs:[00000030h] 1_2_036AEB1D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036AEB1D mov eax, dword ptr fs:[00000030h] 1_2_036AEB1D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036AEB1D mov eax, dword ptr fs:[00000030h] 1_2_036AEB1D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036AEB1D mov eax, dword ptr fs:[00000030h] 1_2_036AEB1D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036AEB1D mov eax, dword ptr fs:[00000030h] 1_2_036AEB1D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036AEB1D mov eax, dword ptr fs:[00000030h] 1_2_036AEB1D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03638BF0 mov eax, dword ptr fs:[00000030h] 1_2_03638BF0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03638BF0 mov eax, dword ptr fs:[00000030h] 1_2_03638BF0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03638BF0 mov eax, dword ptr fs:[00000030h] 1_2_03638BF0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036BCBF0 mov eax, dword ptr fs:[00000030h] 1_2_036BCBF0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03630BCD mov eax, dword ptr fs:[00000030h] 1_2_03630BCD
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03630BCD mov eax, dword ptr fs:[00000030h] 1_2_03630BCD
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03630BCD mov eax, dword ptr fs:[00000030h] 1_2_03630BCD
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036DEBD0 mov eax, dword ptr fs:[00000030h] 1_2_036DEBD0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03640BBE mov eax, dword ptr fs:[00000030h] 1_2_03640BBE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03640BBE mov eax, dword ptr fs:[00000030h] 1_2_03640BBE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036E4BB0 mov eax, dword ptr fs:[00000030h] 1_2_036E4BB0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036E4BB0 mov eax, dword ptr fs:[00000030h] 1_2_036E4BB0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0366CA6F mov eax, dword ptr fs:[00000030h] 1_2_0366CA6F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0366CA6F mov eax, dword ptr fs:[00000030h] 1_2_0366CA6F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0366CA6F mov eax, dword ptr fs:[00000030h] 1_2_0366CA6F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036DEA60 mov eax, dword ptr fs:[00000030h] 1_2_036DEA60
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036ACA72 mov eax, dword ptr fs:[00000030h] 1_2_036ACA72
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036ACA72 mov eax, dword ptr fs:[00000030h] 1_2_036ACA72
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03636A50 mov eax, dword ptr fs:[00000030h] 1_2_03636A50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03636A50 mov eax, dword ptr fs:[00000030h] 1_2_03636A50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03636A50 mov eax, dword ptr fs:[00000030h] 1_2_03636A50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03636A50 mov eax, dword ptr fs:[00000030h] 1_2_03636A50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03636A50 mov eax, dword ptr fs:[00000030h] 1_2_03636A50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03636A50 mov eax, dword ptr fs:[00000030h] 1_2_03636A50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03636A50 mov eax, dword ptr fs:[00000030h] 1_2_03636A50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03640A5B mov eax, dword ptr fs:[00000030h] 1_2_03640A5B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03640A5B mov eax, dword ptr fs:[00000030h] 1_2_03640A5B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0366CA24 mov eax, dword ptr fs:[00000030h] 1_2_0366CA24
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0365EA2E mov eax, dword ptr fs:[00000030h] 1_2_0365EA2E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03654A35 mov eax, dword ptr fs:[00000030h] 1_2_03654A35
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03654A35 mov eax, dword ptr fs:[00000030h] 1_2_03654A35
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0366CA38 mov eax, dword ptr fs:[00000030h] 1_2_0366CA38
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036BCA11 mov eax, dword ptr fs:[00000030h] 1_2_036BCA11
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0366AAEE mov eax, dword ptr fs:[00000030h] 1_2_0366AAEE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0366AAEE mov eax, dword ptr fs:[00000030h] 1_2_0366AAEE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03686ACC mov eax, dword ptr fs:[00000030h] 1_2_03686ACC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03686ACC mov eax, dword ptr fs:[00000030h] 1_2_03686ACC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03686ACC mov eax, dword ptr fs:[00000030h] 1_2_03686ACC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03630AD0 mov eax, dword ptr fs:[00000030h] 1_2_03630AD0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03664AD0 mov eax, dword ptr fs:[00000030h] 1_2_03664AD0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03664AD0 mov eax, dword ptr fs:[00000030h] 1_2_03664AD0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03638AA0 mov eax, dword ptr fs:[00000030h] 1_2_03638AA0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03638AA0 mov eax, dword ptr fs:[00000030h] 1_2_03638AA0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0363EA80 mov eax, dword ptr fs:[00000030h] 1_2_0363EA80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0363EA80 mov eax, dword ptr fs:[00000030h] 1_2_0363EA80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0363EA80 mov eax, dword ptr fs:[00000030h] 1_2_0363EA80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0363EA80 mov eax, dword ptr fs:[00000030h] 1_2_0363EA80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0363EA80 mov eax, dword ptr fs:[00000030h] 1_2_0363EA80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0363EA80 mov eax, dword ptr fs:[00000030h] 1_2_0363EA80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0363EA80 mov eax, dword ptr fs:[00000030h] 1_2_0363EA80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0363EA80 mov eax, dword ptr fs:[00000030h] 1_2_0363EA80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0363EA80 mov eax, dword ptr fs:[00000030h] 1_2_0363EA80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03704A80 mov eax, dword ptr fs:[00000030h] 1_2_03704A80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03668A90 mov edx, dword ptr fs:[00000030h] 1_2_03668A90
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03656962 mov eax, dword ptr fs:[00000030h] 1_2_03656962
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03656962 mov eax, dword ptr fs:[00000030h] 1_2_03656962
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03656962 mov eax, dword ptr fs:[00000030h] 1_2_03656962
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036D4978 mov eax, dword ptr fs:[00000030h] 1_2_036D4978
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036D4978 mov eax, dword ptr fs:[00000030h] 1_2_036D4978
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036BC97C mov eax, dword ptr fs:[00000030h] 1_2_036BC97C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036B0946 mov eax, dword ptr fs:[00000030h] 1_2_036B0946
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03704940 mov eax, dword ptr fs:[00000030h] 1_2_03704940
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036B892A mov eax, dword ptr fs:[00000030h] 1_2_036B892A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036C892B mov eax, dword ptr fs:[00000030h] 1_2_036C892B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036AE908 mov eax, dword ptr fs:[00000030h] 1_2_036AE908
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036AE908 mov eax, dword ptr fs:[00000030h] 1_2_036AE908
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036BC912 mov eax, dword ptr fs:[00000030h] 1_2_036BC912
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03628918 mov eax, dword ptr fs:[00000030h] 1_2_03628918
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03628918 mov eax, dword ptr fs:[00000030h] 1_2_03628918
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036BE9E0 mov eax, dword ptr fs:[00000030h] 1_2_036BE9E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036629F9 mov eax, dword ptr fs:[00000030h] 1_2_036629F9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036629F9 mov eax, dword ptr fs:[00000030h] 1_2_036629F9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036C69C0 mov eax, dword ptr fs:[00000030h] 1_2_036C69C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0363A9D0 mov eax, dword ptr fs:[00000030h] 1_2_0363A9D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0363A9D0 mov eax, dword ptr fs:[00000030h] 1_2_0363A9D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0363A9D0 mov eax, dword ptr fs:[00000030h] 1_2_0363A9D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0363A9D0 mov eax, dword ptr fs:[00000030h] 1_2_0363A9D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0363A9D0 mov eax, dword ptr fs:[00000030h] 1_2_0363A9D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0363A9D0 mov eax, dword ptr fs:[00000030h] 1_2_0363A9D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036649D0 mov eax, dword ptr fs:[00000030h] 1_2_036649D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036FA9D3 mov eax, dword ptr fs:[00000030h] 1_2_036FA9D3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036429A0 mov eax, dword ptr fs:[00000030h] 1_2_036429A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036429A0 mov eax, dword ptr fs:[00000030h] 1_2_036429A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036429A0 mov eax, dword ptr fs:[00000030h] 1_2_036429A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036429A0 mov eax, dword ptr fs:[00000030h] 1_2_036429A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036429A0 mov eax, dword ptr fs:[00000030h] 1_2_036429A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036429A0 mov eax, dword ptr fs:[00000030h] 1_2_036429A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036429A0 mov eax, dword ptr fs:[00000030h] 1_2_036429A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036429A0 mov eax, dword ptr fs:[00000030h] 1_2_036429A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036429A0 mov eax, dword ptr fs:[00000030h] 1_2_036429A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036429A0 mov eax, dword ptr fs:[00000030h] 1_2_036429A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036429A0 mov eax, dword ptr fs:[00000030h] 1_2_036429A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036429A0 mov eax, dword ptr fs:[00000030h] 1_2_036429A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036429A0 mov eax, dword ptr fs:[00000030h] 1_2_036429A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036309AD mov eax, dword ptr fs:[00000030h] 1_2_036309AD
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036309AD mov eax, dword ptr fs:[00000030h] 1_2_036309AD
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036B89B3 mov esi, dword ptr fs:[00000030h] 1_2_036B89B3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036B89B3 mov eax, dword ptr fs:[00000030h] 1_2_036B89B3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036B89B3 mov eax, dword ptr fs:[00000030h] 1_2_036B89B3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036BE872 mov eax, dword ptr fs:[00000030h] 1_2_036BE872
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036BE872 mov eax, dword ptr fs:[00000030h] 1_2_036BE872
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036C6870 mov eax, dword ptr fs:[00000030h] 1_2_036C6870
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036C6870 mov eax, dword ptr fs:[00000030h] 1_2_036C6870
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03660854 mov eax, dword ptr fs:[00000030h] 1_2_03660854
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03634859 mov eax, dword ptr fs:[00000030h] 1_2_03634859
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03634859 mov eax, dword ptr fs:[00000030h] 1_2_03634859
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03652835 mov eax, dword ptr fs:[00000030h] 1_2_03652835
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03652835 mov eax, dword ptr fs:[00000030h] 1_2_03652835
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03652835 mov eax, dword ptr fs:[00000030h] 1_2_03652835
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03652835 mov ecx, dword ptr fs:[00000030h] 1_2_03652835
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03652835 mov eax, dword ptr fs:[00000030h] 1_2_03652835
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03652835 mov eax, dword ptr fs:[00000030h] 1_2_03652835
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0366A830 mov eax, dword ptr fs:[00000030h] 1_2_0366A830
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036D483A mov eax, dword ptr fs:[00000030h] 1_2_036D483A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036D483A mov eax, dword ptr fs:[00000030h] 1_2_036D483A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036BC810 mov eax, dword ptr fs:[00000030h] 1_2_036BC810
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036FA8E4 mov eax, dword ptr fs:[00000030h] 1_2_036FA8E4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0366C8F9 mov eax, dword ptr fs:[00000030h] 1_2_0366C8F9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0366C8F9 mov eax, dword ptr fs:[00000030h] 1_2_0366C8F9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037008C0 mov eax, dword ptr fs:[00000030h] 1_2_037008C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03630887 mov eax, dword ptr fs:[00000030h] 1_2_03630887
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036BC89D mov eax, dword ptr fs:[00000030h] 1_2_036BC89D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0365AF69 mov eax, dword ptr fs:[00000030h] 1_2_0365AF69
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0365AF69 mov eax, dword ptr fs:[00000030h] 1_2_0365AF69
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036D2F60 mov eax, dword ptr fs:[00000030h] 1_2_036D2F60
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036D2F60 mov eax, dword ptr fs:[00000030h] 1_2_036D2F60
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03704F68 mov eax, dword ptr fs:[00000030h] 1_2_03704F68
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036B4F40 mov eax, dword ptr fs:[00000030h] 1_2_036B4F40
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036B4F40 mov eax, dword ptr fs:[00000030h] 1_2_036B4F40
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036B4F40 mov eax, dword ptr fs:[00000030h] 1_2_036B4F40
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036B4F40 mov eax, dword ptr fs:[00000030h] 1_2_036B4F40
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036D4F42 mov eax, dword ptr fs:[00000030h] 1_2_036D4F42
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0362CF50 mov eax, dword ptr fs:[00000030h] 1_2_0362CF50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0362CF50 mov eax, dword ptr fs:[00000030h] 1_2_0362CF50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0362CF50 mov eax, dword ptr fs:[00000030h] 1_2_0362CF50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0362CF50 mov eax, dword ptr fs:[00000030h] 1_2_0362CF50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0362CF50 mov eax, dword ptr fs:[00000030h] 1_2_0362CF50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0362CF50 mov eax, dword ptr fs:[00000030h] 1_2_0362CF50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0366CF50 mov eax, dword ptr fs:[00000030h] 1_2_0366CF50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036D0F50 mov eax, dword ptr fs:[00000030h] 1_2_036D0F50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0365EF28 mov eax, dword ptr fs:[00000030h] 1_2_0365EF28
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036E6F00 mov eax, dword ptr fs:[00000030h] 1_2_036E6F00
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0366CF1F mov eax, dword ptr fs:[00000030h] 1_2_0366CF1F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03670FF6 mov eax, dword ptr fs:[00000030h] 1_2_03670FF6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03670FF6 mov eax, dword ptr fs:[00000030h] 1_2_03670FF6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03670FF6 mov eax, dword ptr fs:[00000030h] 1_2_03670FF6
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\Quote 19847222.exe Code function: 0_2_002F80C9 GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation, 0_2_002F80C9
Source: C:\Users\user\Desktop\Quote 19847222.exe Code function: 0_2_002CA124 SetUnhandledExceptionFilter, 0_2_002CA124
Source: C:\Users\user\Desktop\Quote 19847222.exe Code function: 0_2_002CA155 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_002CA155

HIPS / PFW / Operating System Protection Evasion
barindex
Found direct / indirect Syscall (likely to bypass EDR)
Source: C:\Program Files (x86)\UDDfWCHuMXUDDHpdtXkoxfwcppdtCeccQyWHNQqcuJccXiGTDyI\NyiehbWuZxeF.exe NtTerminateThread: Direct from: 0x77D32FCC Jump to behavior
Source: C:\Program Files (x86)\UDDfWCHuMXUDDHpdtXkoxfwcppdtCeccQyWHNQqcuJccXiGTDyI\NyiehbWuZxeF.exe NtSetInformationThread: Direct from: 0x77D263F9 Jump to behavior
Source: C:\Program Files (x86)\UDDfWCHuMXUDDHpdtXkoxfwcppdtCeccQyWHNQqcuJccXiGTDyI\NyiehbWuZxeF.exe NtQueryInformationToken: Direct from: 0x77D32CAC Jump to behavior
Source: C:\Program Files (x86)\UDDfWCHuMXUDDHpdtXkoxfwcppdtCeccQyWHNQqcuJccXiGTDyI\NyiehbWuZxeF.exe NtCreateFile: Direct from: 0x77D32FEC Jump to behavior
Source: C:\Program Files (x86)\UDDfWCHuMXUDDHpdtXkoxfwcppdtCeccQyWHNQqcuJccXiGTDyI\NyiehbWuZxeF.exe NtOpenFile: Direct from: 0x77D32DCC Jump to behavior
Source: C:\Program Files (x86)\UDDfWCHuMXUDDHpdtXkoxfwcppdtCeccQyWHNQqcuJccXiGTDyI\NyiehbWuZxeF.exe NtSetInformationProcess: Direct from: 0x77D32C5C Jump to behavior
Source: C:\Program Files (x86)\UDDfWCHuMXUDDHpdtXkoxfwcppdtCeccQyWHNQqcuJccXiGTDyI\NyiehbWuZxeF.exe NtProtectVirtualMemory: Direct from: 0x77D32F9C Jump to behavior
Source: C:\Program Files (x86)\UDDfWCHuMXUDDHpdtXkoxfwcppdtCeccQyWHNQqcuJccXiGTDyI\NyiehbWuZxeF.exe NtOpenKeyEx: Direct from: 0x77D32B9C Jump to behavior
Source: C:\Program Files (x86)\UDDfWCHuMXUDDHpdtXkoxfwcppdtCeccQyWHNQqcuJccXiGTDyI\NyiehbWuZxeF.exe NtResumeThread: Direct from: 0x77D336AC Jump to behavior
Source: C:\Program Files (x86)\UDDfWCHuMXUDDHpdtXkoxfwcppdtCeccQyWHNQqcuJccXiGTDyI\NyiehbWuZxeF.exe NtMapViewOfSection: Direct from: 0x77D32D1C Jump to behavior
Source: C:\Program Files (x86)\UDDfWCHuMXUDDHpdtXkoxfwcppdtCeccQyWHNQqcuJccXiGTDyI\NyiehbWuZxeF.exe NtWriteVirtualMemory: Direct from: 0x77D32E3C Jump to behavior
Source: C:\Program Files (x86)\UDDfWCHuMXUDDHpdtXkoxfwcppdtCeccQyWHNQqcuJccXiGTDyI\NyiehbWuZxeF.exe NtCreateMutant: Direct from: 0x77D335CC Jump to behavior
Source: C:\Program Files (x86)\UDDfWCHuMXUDDHpdtXkoxfwcppdtCeccQyWHNQqcuJccXiGTDyI\NyiehbWuZxeF.exe NtNotifyChangeKey: Direct from: 0x77D33C2C Jump to behavior
Source: C:\Program Files (x86)\UDDfWCHuMXUDDHpdtXkoxfwcppdtCeccQyWHNQqcuJccXiGTDyI\NyiehbWuZxeF.exe NtQuerySystemInformation: Direct from: 0x77D32DFC Jump to behavior
Source: C:\Program Files (x86)\UDDfWCHuMXUDDHpdtXkoxfwcppdtCeccQyWHNQqcuJccXiGTDyI\NyiehbWuZxeF.exe NtReadFile: Direct from: 0x77D32ADC Jump to behavior
Source: C:\Program Files (x86)\UDDfWCHuMXUDDHpdtXkoxfwcppdtCeccQyWHNQqcuJccXiGTDyI\NyiehbWuZxeF.exe NtAllocateVirtualMemory: Direct from: 0x77D32BFC Jump to behavior
Source: C:\Program Files (x86)\UDDfWCHuMXUDDHpdtXkoxfwcppdtCeccQyWHNQqcuJccXiGTDyI\NyiehbWuZxeF.exe NtCreateUserProcess: Direct from: 0x77D3371C Jump to behavior
Source: C:\Program Files (x86)\UDDfWCHuMXUDDHpdtXkoxfwcppdtCeccQyWHNQqcuJccXiGTDyI\NyiehbWuZxeF.exe NtQueryInformationProcess: Direct from: 0x77D32C26 Jump to behavior
Source: C:\Program Files (x86)\UDDfWCHuMXUDDHpdtXkoxfwcppdtCeccQyWHNQqcuJccXiGTDyI\NyiehbWuZxeF.exe NtResumeThread: Direct from: 0x77D32FBC Jump to behavior
Source: C:\Program Files (x86)\UDDfWCHuMXUDDHpdtXkoxfwcppdtCeccQyWHNQqcuJccXiGTDyI\NyiehbWuZxeF.exe NtDelayExecution: Direct from: 0x77D32DDC Jump to behavior
Source: C:\Program Files (x86)\UDDfWCHuMXUDDHpdtXkoxfwcppdtCeccQyWHNQqcuJccXiGTDyI\NyiehbWuZxeF.exe NtQueryAttributesFile: Direct from: 0x77D32E6C Jump to behavior
Source: C:\Program Files (x86)\UDDfWCHuMXUDDHpdtXkoxfwcppdtCeccQyWHNQqcuJccXiGTDyI\NyiehbWuZxeF.exe NtSetInformationThread: Direct from: 0x77D32B4C Jump to behavior
Source: C:\Program Files (x86)\UDDfWCHuMXUDDHpdtXkoxfwcppdtCeccQyWHNQqcuJccXiGTDyI\NyiehbWuZxeF.exe NtReadVirtualMemory: Direct from: 0x77D32E8C Jump to behavior
Source: C:\Program Files (x86)\UDDfWCHuMXUDDHpdtXkoxfwcppdtCeccQyWHNQqcuJccXiGTDyI\NyiehbWuZxeF.exe NtCreateKey: Direct from: 0x77D32C6C Jump to behavior
Source: C:\Program Files (x86)\UDDfWCHuMXUDDHpdtXkoxfwcppdtCeccQyWHNQqcuJccXiGTDyI\NyiehbWuZxeF.exe NtClose: Direct from: 0x77D32B6C
Source: C:\Program Files (x86)\UDDfWCHuMXUDDHpdtXkoxfwcppdtCeccQyWHNQqcuJccXiGTDyI\NyiehbWuZxeF.exe NtAllocateVirtualMemory: Direct from: 0x77D33C9C Jump to behavior
Source: C:\Program Files (x86)\UDDfWCHuMXUDDHpdtXkoxfwcppdtCeccQyWHNQqcuJccXiGTDyI\NyiehbWuZxeF.exe NtWriteVirtualMemory: Direct from: 0x77D3490C Jump to behavior
Source: C:\Program Files (x86)\UDDfWCHuMXUDDHpdtXkoxfwcppdtCeccQyWHNQqcuJccXiGTDyI\NyiehbWuZxeF.exe NtOpenSection: Direct from: 0x77D32E0C Jump to behavior
Source: C:\Program Files (x86)\UDDfWCHuMXUDDHpdtXkoxfwcppdtCeccQyWHNQqcuJccXiGTDyI\NyiehbWuZxeF.exe NtQueryVolumeInformationFile: Direct from: 0x77D32F2C Jump to behavior
Source: C:\Program Files (x86)\UDDfWCHuMXUDDHpdtXkoxfwcppdtCeccQyWHNQqcuJccXiGTDyI\NyiehbWuZxeF.exe NtProtectVirtualMemory: Direct from: 0x77D27B2E Jump to behavior
Source: C:\Program Files (x86)\UDDfWCHuMXUDDHpdtXkoxfwcppdtCeccQyWHNQqcuJccXiGTDyI\NyiehbWuZxeF.exe NtAllocateVirtualMemory: Direct from: 0x77D348EC Jump to behavior
Source: C:\Program Files (x86)\UDDfWCHuMXUDDHpdtXkoxfwcppdtCeccQyWHNQqcuJccXiGTDyI\NyiehbWuZxeF.exe NtAllocateVirtualMemory: Direct from: 0x77D32BEC Jump to behavior
Source: C:\Program Files (x86)\UDDfWCHuMXUDDHpdtXkoxfwcppdtCeccQyWHNQqcuJccXiGTDyI\NyiehbWuZxeF.exe NtDeviceIoControlFile: Direct from: 0x77D32AEC Jump to behavior
Source: C:\Program Files (x86)\UDDfWCHuMXUDDHpdtXkoxfwcppdtCeccQyWHNQqcuJccXiGTDyI\NyiehbWuZxeF.exe NtQuerySystemInformation: Direct from: 0x77D348CC Jump to behavior
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\Quote 19847222.exe Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: NULL target: C:\Program Files (x86)\UDDfWCHuMXUDDHpdtXkoxfwcppdtCeccQyWHNQqcuJccXiGTDyI\NyiehbWuZxeF.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: NULL target: C:\Windows\SysWOW64\recover.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe Section loaded: NULL target: C:\Program Files (x86)\UDDfWCHuMXUDDHpdtXkoxfwcppdtCeccQyWHNQqcuJccXiGTDyI\NyiehbWuZxeF.exe protection: read write Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe Section loaded: NULL target: C:\Program Files (x86)\UDDfWCHuMXUDDHpdtXkoxfwcppdtCeccQyWHNQqcuJccXiGTDyI\NyiehbWuZxeF.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write Jump to behavior
Queues an APC in another process (thread injection)
Source: C:\Windows\SysWOW64\recover.exe Thread APC queued: target process: C:\Program Files (x86)\UDDfWCHuMXUDDHpdtXkoxfwcppdtCeccQyWHNQqcuJccXiGTDyI\NyiehbWuZxeF.exe Jump to behavior
Writes to foreign memory regions
Source: C:\Users\user\Desktop\Quote 19847222.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: B2D008 Jump to behavior
Contains functionality to execute programs as a different user
Source: C:\Users\user\Desktop\Quote 19847222.exe Code function: 0_2_002F87B1 LogonUserW, 0_2_002F87B1
Contains functionality to launch a program with higher privileges
Source: C:\Users\user\Desktop\Quote 19847222.exe Code function: 0_2_002A3B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 0_2_002A3B3A
Contains functionality to simulate keystroke presses
Source: C:\Users\user\Desktop\Quote 19847222.exe Code function: 0_2_003012C7 SendInput,keybd_event, 0_2_003012C7
Contains functionality to simulate mouse events
Source: C:\Users\user\Desktop\Quote 19847222.exe Code function: 0_2_00304C27 mouse_event, 0_2_00304C27
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Quote 19847222.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Quote 19847222.exe" Jump to behavior
Source: C:\Program Files (x86)\UDDfWCHuMXUDDHpdtXkoxfwcppdtCeccQyWHNQqcuJccXiGTDyI\NyiehbWuZxeF.exe Process created: C:\Windows\SysWOW64\recover.exe "C:\Windows\SysWOW64\recover.exe" Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe" Jump to behavior
Source: C:\Users\user\Desktop\Quote 19847222.exe Code function: 0_2_002F7CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, 0_2_002F7CAF
Source: C:\Users\user\Desktop\Quote 19847222.exe Code function: 0_2_002F874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 0_2_002F874B
Source: Quote 19847222.exe Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: NyiehbWuZxeF.exe, 00000002.00000002.2337276795.0000000000C40000.00000002.00000001.00040000.00000000.sdmp, NyiehbWuZxeF.exe, 00000002.00000000.1108485875.0000000000C40000.00000002.00000001.00040000.00000000.sdmp, NyiehbWuZxeF.exe, 00000006.00000002.2337960762.00000000014C0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Program Manager
Source: Quote 19847222.exe, NyiehbWuZxeF.exe, 00000002.00000002.2337276795.0000000000C40000.00000002.00000001.00040000.00000000.sdmp, NyiehbWuZxeF.exe, 00000002.00000000.1108485875.0000000000C40000.00000002.00000001.00040000.00000000.sdmp, NyiehbWuZxeF.exe, 00000006.00000002.2337960762.00000000014C0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: NyiehbWuZxeF.exe, 00000002.00000002.2337276795.0000000000C40000.00000002.00000001.00040000.00000000.sdmp, NyiehbWuZxeF.exe, 00000002.00000000.1108485875.0000000000C40000.00000002.00000001.00040000.00000000.sdmp, NyiehbWuZxeF.exe, 00000006.00000002.2337960762.00000000014C0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: NyiehbWuZxeF.exe, 00000002.00000002.2337276795.0000000000C40000.00000002.00000001.00040000.00000000.sdmp, NyiehbWuZxeF.exe, 00000002.00000000.1108485875.0000000000C40000.00000002.00000001.00040000.00000000.sdmp, NyiehbWuZxeF.exe, 00000006.00000002.2337960762.00000000014C0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\Quote 19847222.exe Code function: 0_2_002C862B cpuid 0_2_002C862B
Source: C:\Users\user\Desktop\Quote 19847222.exe Code function: 0_2_002D4E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_002D4E87
Source: C:\Users\user\Desktop\Quote 19847222.exe Code function: 0_2_002E1E06 GetUserNameW, 0_2_002E1E06
Source: C:\Users\user\Desktop\Quote 19847222.exe Code function: 0_2_002A49A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_002A49A0

Stealing of Sensitive Information
barindex
Yara detected FormBook
Source: Yara match File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.1187016684.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2339516938.0000000005160000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1429074822.0000000003370000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1429036738.0000000003320000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1187340104.00000000034D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1187682843.0000000004600000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2337872709.0000000002D10000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\SysWOW64\recover.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies Jump to behavior
Tries to steal Mail credentials (via file / registry access)
Source: C:\Windows\SysWOW64\recover.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ Jump to behavior
OS version to string mapping found (often used in BOTs)
Source: Quote 19847222.exe Binary or memory string: WIN_81
Source: Quote 19847222.exe Binary or memory string: WIN_XP
Source: Quote 19847222.exe Binary or memory string: WIN_XPe
Source: Quote 19847222.exe Binary or memory string: WIN_VISTA
Source: Quote 19847222.exe Binary or memory string: WIN_7
Source: Quote 19847222.exe Binary or memory string: WIN_8
Source: Quote 19847222.exe Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Remote Access Functionality
barindex
Yara detected FormBook
Source: Yara match File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.1187016684.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2339516938.0000000005160000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1429074822.0000000003370000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1429036738.0000000003320000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1187340104.00000000034D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1187682843.0000000004600000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2337872709.0000000002D10000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\Desktop\Quote 19847222.exe Code function: 0_2_00316747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 0_2_00316747
windows-stand
Behavior
Click here to start
Slideshow Behavior Animation
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1650070 Sample: Quote 19847222.exe Startdate: 27/03/2025 Architecture: WINDOWS Score: 100 28 www.kantad.xyz 2->28 34 Antivirus detection for URL or domain 2->34 36 Multi AV Scanner detection for submitted file 2->36 38 Yara detected FormBook 2->38 42 2 other signatures 2->42 10 Quote 19847222.exe 2 2->10         started        signatures3 40 Performs DNS queries to domains with low reputation 28->40 process4 signatures5 54 Binary is likely a compiled AutoIt script file 10->54 56 Writes to foreign memory regions 10->56 58 Maps a DLL or memory area into another process 10->58 13 svchost.exe 10->13         started        process6 signatures7 60 Maps a DLL or memory area into another process 13->60 16 NyiehbWuZxeF.exe 13->16 injected process8 signatures9 32 Found direct / indirect Syscall (likely to bypass EDR) 16->32 19 recover.exe 13 16->19         started        process10 signatures11 44 Tries to steal Mail credentials (via file / registry access) 19->44 46 Tries to harvest and steal browser information (history, passwords, etc) 19->46 48 Maps a DLL or memory area into another process 19->48 50 2 other signatures 19->50 22 NyiehbWuZxeF.exe 19->22 injected 26 firefox.exe 19->26         started        process12 dnsIp13 30 www.kantad.xyz 76.223.54.146, 49693, 80 AMAZON-02US United States 22->30 52 Found direct / indirect Syscall (likely to bypass EDR) 22->52 signatures14
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
76.223.54.146
 www.kantad.xyz United States
16509 AMAZON-02US false

Contacted Domains

Name IP Active
www.kantad.xyz 76.223.54.146 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://www.kantad.xyz/19mv/?Vthd=m4ZDmUsWOZNyQ7rcI3Jnh0D98CGGzlqcN4sVj++dpMHtIooNiMtznlQs2pIYE9vFjoT3bvOz4K0ixAk5+xbuYi5t4Dn+TL8JJ7xaio/b8rSKiaTz2A==&Sbo=phnX false
  • Avira URL Cloud: malware
 unknown