Windows Analysis Report
Fi#U015f.exe

AV Detection

Source: Fi#U015f.exe

ReversingLabs: Detection: 73%

Source: Yara match	File source: 2.2.svchost.exe.2140000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.2140000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.3303150675.0000000004120000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2552287327.0000000002BF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2552706561.0000000003400000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2552000811.0000000002140000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3303269624.0000000002A00000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3301917962.0000000000430000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3303084240.0000000000CB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: Fi#U015f.exe

Joe Sandbox ML: detected

Compliance

Source: Fi#U015f.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: hnmibsTvfR.exe, 00000004.00000000.2476250910.000000000075E000.00000002.00000001.01000000.00000005.sdmp, hnmibsTvfR.exe, 00000007.00000000.2625552123.000000000075E000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: wntdll.pdbUGP source: Fi#U015f.exe, 00000000.00000003.2080229559.00000000035C0000.00000004.00001000.00020000.00000000.sdmp, Fi#U015f.exe, 00000000.00000003.2080827454.0000000003470000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2460035466.0000000002B00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2458092933.0000000002900000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2552321823.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2552321823.0000000002E9E000.00000040.00001000.00020000.00000000.sdmp, icsunattend.exe, 00000006.00000003.2554333146.00000000042D6000.00000004.00000020.00020000.00000000.sdmp, icsunattend.exe, 00000006.00000002.3303600933.000000000461E000.00000040.00001000.00020000.00000000.sdmp, icsunattend.exe, 00000006.00000003.2552233652.0000000004120000.00000004.00000020.00020000.00000000.sdmp, icsunattend.exe, 00000006.00000002.3303600933.0000000004480000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Fi#U015f.exe, 00000000.00000003.2080229559.00000000035C0000.00000004.00001000.00020000.00000000.sdmp, Fi#U015f.exe, 00000000.00000003.2080827454.0000000003470000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.2460035466.0000000002B00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2458092933.0000000002900000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2552321823.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2552321823.0000000002E9E000.00000040.00001000.00020000.00000000.sdmp, icsunattend.exe, 00000006.00000003.2554333146.00000000042D6000.00000004.00000020.00020000.00000000.sdmp, icsunattend.exe, 00000006.00000002.3303600933.000000000461E000.00000040.00001000.00020000.00000000.sdmp, icsunattend.exe, 00000006.00000003.2552233652.0000000004120000.00000004.00000020.00020000.00000000.sdmp, icsunattend.exe, 00000006.00000002.3303600933.0000000004480000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: icsunattend.pdbGCTL source: svchost.exe, 00000002.00000002.2552129774.0000000002619000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2552114339.0000000002600000.00000004.00000020.00020000.00000000.sdmp, hnmibsTvfR.exe, 00000004.00000002.3302819959.0000000000E68000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: icsunattend.pdb source: svchost.exe, 00000002.00000002.2552129774.0000000002619000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2552114339.0000000002600000.00000004.00000020.00020000.00000000.sdmp, hnmibsTvfR.exe, 00000004.00000002.3302819959.0000000000E68000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: icsunattend.exe, 00000006.00000002.3304456237.0000000004AAC000.00000004.10000000.00040000.00000000.sdmp, icsunattend.exe, 00000006.00000002.3302124025.0000000000696000.00000004.00000020.00020000.00000000.sdmp, hnmibsTvfR.exe, 00000007.00000000.2625798931.00000000026FC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2843915674.00000000338DC000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: icsunattend.exe, 00000006.00000002.3304456237.0000000004AAC000.00000004.10000000.00040000.00000000.sdmp, icsunattend.exe, 00000006.00000002.3302124025.0000000000696000.00000004.00000020.00020000.00000000.sdmp, hnmibsTvfR.exe, 00000007.00000000.2625798931.00000000026FC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2843915674.00000000338DC000.00000004.80000000.00040000.00000000.sdmp

Spreading

Source: C:\Users\user\Desktop\Fi#U015f.exe	Code function: 0_2_00E86CA9 GetFileAttributesW,FindFirstFileW,FindClose,		0_2_00E86CA9
Source: C:\Users\user\Desktop\Fi#U015f.exe	Code function: 0_2_00E860DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,		0_2_00E860DD
Source: C:\Users\user\Desktop\Fi#U015f.exe	Code function: 0_2_00E863F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,		0_2_00E863F9
Source: C:\Users\user\Desktop\Fi#U015f.exe	Code function: 0_2_00E8EB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,		0_2_00E8EB60
Source: C:\Users\user\Desktop\Fi#U015f.exe	Code function: 0_2_00E8F5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,		0_2_00E8F5FA
Source: C:\Users\user\Desktop\Fi#U015f.exe	Code function: 0_2_00E8F56F FindFirstFileW,FindClose,		0_2_00E8F56F
Source: C:\Users\user\Desktop\Fi#U015f.exe	Code function: 0_2_00E91B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,		0_2_00E91B2F
Source: C:\Users\user\Desktop\Fi#U015f.exe	Code function: 0_2_00E91C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,		0_2_00E91C8A
Source: C:\Users\user\Desktop\Fi#U015f.exe	Code function: 0_2_00E91F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,		0_2_00E91F94

Networking

Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49861 -> 31.31.196.177:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49812 -> 172.104.82.74:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49900 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49934 -> 13.248.169.48:80

Source:

DNS query: www.aktmarket.xyz

Source: Joe Sandbox View

IP Address: 13.248.169.48 13.248.169.48

Source: Joe Sandbox View	ASN Name: AMAZON-02US AMAZON-02US
Source: Joe Sandbox View	ASN Name: AS-REGRU AS-REGRU
Source: Joe Sandbox View	ASN Name: LINODE-APLinodeLLCUS LINODE-APLinodeLLCUS

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\Fi#U015f.exe

Code function: 0_2_00E94EB5 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_00E94EB5

Source: global traffic	HTTP traffic detected: GET /2dyu/?RhqLA=IdOhgVq&Zvupu44p=bADo+7fqvlD2EEl6eQvhi6r6MxrwZqr7unPyaN6ymuSYop7wnq2+HbU7S+lsr3BB8s+/OWm3f+6bBn12YfZxgk/nttef79vSlz7njgVLZEtWvcnUQ3+FUHCaATxq3UQzYQ== HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-US,en;q=0.5Host: www.funnystory.onlineConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0,gzip(gfe)
Source: global traffic	HTTP traffic detected: GET /9ul0/?Zvupu44p=/8kciQFlGVV+s671hjTEMgvePijKoQKbVww8Emk+/ImbSDpFBlkIfEUbLp7Rr+tD2T8CwWTvaBp6p+1LgixmeUAbCHLl0Y/2eq8XbxFkjwUJTy71Wn7hwUVQgvRbUyIDUA==&RhqLA=IdOhgVq HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-US,en;q=0.5Host: www.nartex-uf.onlineConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0,gzip(gfe)
Source: global traffic	HTTP traffic detected: GET /4mbo/?RhqLA=IdOhgVq&Zvupu44p=TaoaspSuXCWG+J6Qu2ekK1wrjY2r/s8nGO1Ev0B6QwWm63/Js3V07H2UbHrGJNHujJI3HhKgRchyd4beF5Q/e8GQOUHjh0/XAeWf+xbcrSf/780Hk7JHgoJ90GAMQodVPQ== HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-US,en;q=0.5Host: www.aktmarket.xyzConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0,gzip(gfe)
Source: global traffic	HTTP traffic detected: GET /5cnx/?Zvupu44p=oUaJUx3W91XKGFwkbiDYgYplg4TZBQwbgtCkXvgonjE8SHvx+U3TNstQnLVJ8Y9FFWXzakAfwSz/u1Ky3cg6+EUlRRQZaMEAQAdSQfgWtonXK7S514myqW5G+fyl7DTuYQ==&RhqLA=IdOhgVq HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-US,en;q=0.5Host: www.a1shop.shopConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0,gzip(gfe)

Source: global traffic	DNS traffic detected: DNS query: www.funnystory.online
Source: global traffic	DNS traffic detected: DNS query: www.nartex-uf.online
Source: global traffic	DNS traffic detected: DNS query: www.aktmarket.xyz
Source: global traffic	DNS traffic detected: DNS query: www.a1shop.shop
Source: global traffic	DNS traffic detected: DNS query: www.cssa.auction

Source: unknown

HTTP traffic detected: POST /9ul0/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.5Host: www.nartex-uf.onlineOrigin: http://www.nartex-uf.onlineReferer: http://www.nartex-uf.online/9ul0/Cache-Control: max-age=0Content-Type: application/x-www-form-urlencodedContent-Length: 209Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0,gzip(gfe)Data Raw: 5a 76 75 70 75 34 34 70 3d 79 2b 4d 38 68 6c 52 67 59 6e 6c 63 79 36 4f 63 6a 6a 54 68 4e 46 66 53 4c 6a 2f 79 70 51 33 33 52 7a 68 65 4f 42 45 65 77 61 72 61 41 43 64 41 55 31 52 42 65 56 49 6b 56 5a 6a 65 73 4f 35 32 37 68 6b 4e 72 77 6a 7a 65 6c 68 72 6e 75 30 38 67 43 6b 4e 63 79 63 45 4b 53 47 66 31 4c 44 2f 41 35 55 43 5a 58 6b 47 31 53 6f 4a 4d 53 33 61 57 45 4f 47 73 6b 78 6f 76 61 56 71 59 44 74 33 57 42 44 77 6b 65 4c 48 35 6c 43 30 43 31 6b 66 67 41 33 43 77 2b 4f 50 72 47 47 45 70 54 4f 74 75 49 4d 67 6a 5a 38 6a 51 30 64 41 76 42 72 45 6a 5a 2b 6e 39 47 74 71 49 2f 55 34 75 75 56 4d 61 4f 64 70 6f 72 67 3d Data Ascii: Zvupu44p=y+M8hlRgYnlcy6OcjjThNFfSLj/ypQ33RzheOBEewaraACdAU1RBeVIkVZjesO527hkNrwjzelhrnu08gCkNcycEKSGf1LD/A5UCZXkG1SoJMS3aWEOGskxovaVqYDt3WBDwkeLH5lC0C1kfgA3Cw+OPrGGEpTOtuIMgjZ8jQ0dAvBrEjZ+n9GtqI/U4uuVMaOdporg=

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 25 Nov 2024 12:55:31 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingContent-Encoding: gzipData Raw: 63 30 30 30 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ec bd 5b 73 e3 46 b2 30 f8 ee 5f 41 f1 84 d5 a4 1b 84 70 e7 ad d1 1a 8f a7 7d ec 38 33 b6 63 da 67 26 36 34 0a 05 44 82 22 dc 20 c0 03 80 52 cb 12 4f 6c ec c3 fe 8f 7d dc b7 f3 b0 5f c4 ee c3 be ec 2f 98 ef 1f 6d 66 15 ee 37 16 08 52 ea ee 23 d9 4d 82 40 55 66 65 56 56 56 66 56 55 e2 cd c9 dc 9d 05 f7 6b b3 b3 0c 56 f6 db 37 f8 d9 b1 0d e7 46 ef 7a 9b 6e 67 66 1b be af 77 2d ff ca 98 1b eb c0 ba 35 bb 9d b9 11 18 83 b5 e1 98 f6 60 e3 d9 7a 77 19 04 6b 7f 72 76 e6 9b de ad e9 89 63 85 5f ba 7e 60 39 37 bc 67 c2 bf cd d9 ca 70 8c 1b d3 eb 02 74 d3 98 bf 7d b3 32 03 a3 33 5b 1a 9e 6f 06 7a f7 df 7f fd 7e 30 ea 86 77 1d 63 65 ea dd 5b cb bc 5b bb 5e 00 f8 5d 27 30 1d 28 75 67 cd 83 a5 3e 37 6f ad 99 39 20 3f 38 cb b1 02 cb b0 07 fe cc b0 4d 5d cc 82 f0 dc 6b 37 f0 53 00 1c d7 72 e6 e6 47 28 15 58 81 6d be fd e7 ff f1 3f ff b7 ff f9 bf fe f3 bf fe f9 ff fe f3 ff fe 9f ff fb 3f ff ab 03 17 ff e3 d4 b9 f6 d7 53 b8 fa af 7f fe 3f ff fc bf fe f9 3f f0 ea cd 19 ad f0 c6 0f ee 6d b3 b3 32 e7 96 a1 77 0d db ee be 3d fb e6 e4 9b cf fd ef e4 9b 7f 7c d5 e9 20 1d 9d 99 ef 77 f8 33 c7 9d 9b 57 2b 77 be b1 4d ff 0c 6e 0d 6c d7 98 9b de 19 61 1f ff 9b 7f 7e 3e b3 5d c7 9c ff 15 0a bc 37 83 81 c6 6f 7c f3 42 bc 3c c9 55 5d 83 10 a4 aa fb de 2c 06 91 2f 0a ff e2 72 73 cb 0f ce 66 bf f9 b4 d8 b5 b9 3a bb b6 dd d9 07 9f 8f 04 f0 ec 1a 84 ef 26 fa e2 b1 6e 07 e9 00 2a fe f1 dc cc 6c fd 77 f6 15 4f e9 7a 00 3e ac 6d e3 7e b2 b0 cd 8f 53 fc 18 cc 2d cf 9c 05 96 eb 4c 66 ae bd 59 39 53 32 0c 26 a2 20 7c 3d 5d 59 0e 1d 15 13 59 12 d6 1f a7 4b d3 ba 59 06 f4 d9 da 98 cf 61 34 4e d4 e1 fa 63 47 e8 08 d3 95 e1 dd 58 ce 44 98 02 1c d7 9b fc 8b ac 29 f0 ff 74 01 43 65 22 4a 50 e8 47 18 33 1e f7 ad 07 a3 8b fb c1 b4 6f cd c0 9a 19 9d 9f cc 8d 99 fc e4 be f7 4c f3 bd e1 f8 9c 0f 1f 03 18 fc d6 62 7a 6d cc 3e dc 78 ee c6 99 4f fe 65 b1 58 4c 07 77 e6 f5 07 2b 18 04 c6 7a b0 84 16 d9 d8 aa 01 45 1b 78 50 6f 6d 78 30 3a b7 a8 75 26 8e 1b f4 f8 94 a6 e9 77 22 5e b8 a0 57 16 b6 7b 37 f8 38 59 5a f3 b9 e9 6c ff 40 86 61 a7 97 d0 2d 0a 92 b2 fe d8 7f 48 43 a8 01 b0 0d 1f 5d a1 ee bb 82 66 7c 00 16 3d 20 b8 84 75 b7 cb 6c 29 d3 f3 5c 8f 02 8c 78 2a ec 68 fa d5 ca 74 36 03 2c 8c 1d 07 cf e7 e6 9c 6b 5e 65 60 cc b0 4c 84 76 10 b8 6b 40 dd 8c 09 65 70 73 00 b7 0d 9b 20 a2 ac 1d a0 19 e5 e4 ed 92 8a 4c e9 d4 08 18 8f 35 68 d5 0e 26 c3 13 6b 71 3f b8 f6 dc 3b 10 dd ab 5b cb b7 ae ed 2c 4c 55 69 4c dc 8e 36 95 f2 83 b5 25 49 e7 b8 d7 96 6d 0e 22 99 be a2 12 cd 45 8f fd cd 35 b2 f8 ca 5d 9b a0 a5 63 d1 8f 04 7f 07 5f ae 16 ae 0b 83 7f 30 77 ef 9c 9d 82 5a de 90 1d b5 aa da 17 12 de 54 9c 76 81 6b 2c 9e a5 44 95 c0 e5 ad a4 db 23 65 4d a6 aa 6d 19 2f 1f 50 85 4f 44 d0 bf c6 26 70 a7 f9 5e 49 01 cb 56 cb 6a a4 af 9b 52 93 81 55 42 43
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 25 Nov 2024 12:55:34 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingContent-Encoding: gzipData Raw: 63 30 30 30 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ec bd 5b 73 e3 46 b2 30 f8 ee 5f 41 f1 84 d5 a4 1b 84 70 e7 ad d1 1a 8f a7 7d ec 38 33 b6 63 da 67 26 36 34 0a 05 44 82 22 dc 20 c0 03 80 52 cb 12 4f 6c ec c3 fe 8f 7d dc b7 f3 b0 5f c4 ee c3 be ec 2f 98 ef 1f 6d 66 15 ee 37 16 08 52 ea ee 23 d9 4d 82 40 55 66 65 56 56 56 66 56 55 e2 cd c9 dc 9d 05 f7 6b b3 b3 0c 56 f6 db 37 f8 d9 b1 0d e7 46 ef 7a 9b 6e 67 66 1b be af 77 2d ff ca 98 1b eb c0 ba 35 bb 9d b9 11 18 83 b5 e1 98 f6 60 e3 d9 7a 77 19 04 6b 7f 72 76 e6 9b de ad e9 89 63 85 5f ba 7e 60 39 37 bc 67 c2 bf cd d9 ca 70 8c 1b d3 eb 02 74 d3 98 bf 7d b3 32 03 a3 33 5b 1a 9e 6f 06 7a f7 df 7f fd 7e 30 ea 86 77 1d 63 65 ea dd 5b cb bc 5b bb 5e 00 f8 5d 27 30 1d 28 75 67 cd 83 a5 3e 37 6f ad 99 39 20 3f 38 cb b1 02 cb b0 07 fe cc b0 4d 5d cc 82 f0 dc 6b 37 f0 53 00 1c d7 72 e6 e6 47 28 15 58 81 6d be fd e7 ff f1 3f ff b7 ff f9 bf fe f3 bf fe f9 ff fe f3 ff fe 9f ff fb 3f ff ab 03 17 ff e3 d4 b9 f6 d7 53 b8 fa af 7f fe 3f ff fc bf fe f9 3f f0 ea cd 19 ad f0 c6 0f ee 6d b3 b3 32 e7 96 a1 77 0d db ee be 3d fb e6 e4 9b cf fd ef e4 9b 7f 7c d5 e9 20 1d 9d 99 ef 77 f8 33 c7 9d 9b 57 2b 77 be b1 4d ff 0c 6e 0d 6c d7 98 9b de 19 61 1f ff 9b 7f 7e 3e b3 5d c7 9c ff 15 0a bc 37 83 81 c6 6f 7c f3 42 bc 3c c9 55 5d 83 10 a4 aa fb de 2c 06 91 2f 0a ff e2 72 73 cb 0f ce 66 bf f9 b4 d8 b5 b9 3a bb b6 dd d9 07 9f 8f 04 f0 ec 1a 84 ef 26 fa e2 b1 6e 07 e9 00 2a fe f1 dc cc 6c fd 77 f6 15 4f e9 7a 00 3e ac 6d e3 7e b2 b0 cd 8f 53 fc 18 cc 2d cf 9c 05 96 eb 4c 66 ae bd 59 39 53 32 0c 26 a2 20 7c 3d 5d 59 0e 1d 15 13 59 12 d6 1f a7 4b d3 ba 59 06 f4 d9 da 98 cf 61 34 4e d4 e1 fa 63 47 e8 08 d3 95 e1 dd 58 ce 44 98 02 1c d7 9b fc 8b ac 29 f0 ff 74 01 43 65 22 4a 50 e8 47 18 33 1e f7 ad 07 a3 8b fb c1 b4 6f cd c0 9a 19 9d 9f cc 8d 99 fc e4 be f7 4c f3 bd e1 f8 9c 0f 1f 03 18 fc d6 62 7a 6d cc 3e dc 78 ee c6 99 4f fe 65 b1 58 4c 07 77 e6 f5 07 2b 18 04 c6 7a b0 84 16 d9 d8 aa 01 45 1b 78 50 6f 6d 78 30 3a b7 a8 75 26 8e 1b f4 f8 94 a6 e9 77 22 5e b8 a0 57 16 b6 7b 37 f8 38 59 5a f3 b9 e9 6c ff 40 86 61 a7 97 d0 2d 0a 92 b2 fe d8 7f 48 43 a8 01 b0 0d 1f 5d a1 ee bb 82 66 7c 00 16 3d 20 b8 84 75 b7 cb 6c 29 d3 f3 5c 8f 02 8c 78 2a ec 68 fa d5 ca 74 36 03 2c 8c 1d 07 cf e7 e6 9c 6b 5e 65 60 cc b0 4c 84 76 10 b8 6b 40 dd 8c 09 65 70 73 00 b7 0d 9b 20 a2 ac 1d a0 19 e5 e4 ed 92 8a 4c e9 d4 08 18 8f 35 68 d5 0e 26 c3 13 6b 71 3f b8 f6 dc 3b 10 dd ab 5b cb b7 ae ed 2c 4c 55 69 4c dc 8e 36 95 f2 83 b5 25 49 e7 b8 d7 96 6d 0e 22 99 be a2 12 cd 45 8f fd cd 35 b2 f8 ca 5d 9b a0 a5 63 d1 8f 04 7f 07 5f ae 16 ae 0b 83 7f 30 77 ef 9c 9d 82 5a de 90 1d b5 aa da 17 12 de 54 9c 76 81 6b 2c 9e a5 44 95 c0 e5 ad a4 db 23 65 4d a6 aa 6d 19 2f 1f 50 85 4f 44 d0 bf c6 26 70 a7 f9 5e 49 01 cb 56 cb 6a a4 af 9b 52 93 81 55 42 43
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 25 Nov 2024 12:55:37 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingContent-Encoding: gzipData Raw: 63 30 30 30 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ec bd 5b 73 e3 46 b2 30 f8 ee 5f 41 f1 84 d5 a4 1b 84 70 e7 ad d1 1a 8f a7 7d ec 38 33 b6 63 da 67 26 36 34 0a 05 44 82 22 dc 20 c0 03 80 52 cb 12 4f 6c ec c3 fe 8f 7d dc b7 f3 b0 5f c4 ee c3 be ec 2f 98 ef 1f 6d 66 15 ee 37 16 08 52 ea ee 23 d9 4d 82 40 55 66 65 56 56 56 66 56 55 e2 cd c9 dc 9d 05 f7 6b b3 b3 0c 56 f6 db 37 f8 d9 b1 0d e7 46 ef 7a 9b 6e 67 66 1b be af 77 2d ff ca 98 1b eb c0 ba 35 bb 9d b9 11 18 83 b5 e1 98 f6 60 e3 d9 7a 77 19 04 6b 7f 72 76 e6 9b de ad e9 89 63 85 5f ba 7e 60 39 37 bc 67 c2 bf cd d9 ca 70 8c 1b d3 eb 02 74 d3 98 bf 7d b3 32 03 a3 33 5b 1a 9e 6f 06 7a f7 df 7f fd 7e 30 ea 86 77 1d 63 65 ea dd 5b cb bc 5b bb 5e 00 f8 5d 27 30 1d 28 75 67 cd 83 a5 3e 37 6f ad 99 39 20 3f 38 cb b1 02 cb b0 07 fe cc b0 4d 5d cc 82 f0 dc 6b 37 f0 53 00 1c d7 72 e6 e6 47 28 15 58 81 6d be fd e7 ff f1 3f ff b7 ff f9 bf fe f3 bf fe f9 ff fe f3 ff fe 9f ff fb 3f ff ab 03 17 ff e3 d4 b9 f6 d7 53 b8 fa af 7f fe 3f ff fc bf fe f9 3f f0 ea cd 19 ad f0 c6 0f ee 6d b3 b3 32 e7 96 a1 77 0d db ee be 3d fb e6 e4 9b cf fd ef e4 9b 7f 7c d5 e9 20 1d 9d 99 ef 77 f8 33 c7 9d 9b 57 2b 77 be b1 4d ff 0c 6e 0d 6c d7 98 9b de 19 61 1f ff 9b 7f 7e 3e b3 5d c7 9c ff 15 0a bc 37 83 81 c6 6f 7c f3 42 bc 3c c9 55 5d 83 10 a4 aa fb de 2c 06 91 2f 0a ff e2 72 73 cb 0f ce 66 bf f9 b4 d8 b5 b9 3a bb b6 dd d9 07 9f 8f 04 f0 ec 1a 84 ef 26 fa e2 b1 6e 07 e9 00 2a fe f1 dc cc 6c fd 77 f6 15 4f e9 7a 00 3e ac 6d e3 7e b2 b0 cd 8f 53 fc 18 cc 2d cf 9c 05 96 eb 4c 66 ae bd 59 39 53 32 0c 26 a2 20 7c 3d 5d 59 0e 1d 15 13 59 12 d6 1f a7 4b d3 ba 59 06 f4 d9 da 98 cf 61 34 4e d4 e1 fa 63 47 e8 08 d3 95 e1 dd 58 ce 44 98 02 1c d7 9b fc 8b ac 29 f0 ff 74 01 43 65 22 4a 50 e8 47 18 33 1e f7 ad 07 a3 8b fb c1 b4 6f cd c0 9a 19 9d 9f cc 8d 99 fc e4 be f7 4c f3 bd e1 f8 9c 0f 1f 03 18 fc d6 62 7a 6d cc 3e dc 78 ee c6 99 4f fe 65 b1 58 4c 07 77 e6 f5 07 2b 18 04 c6 7a b0 84 16 d9 d8 aa 01 45 1b 78 50 6f 6d 78 30 3a b7 a8 75 26 8e 1b f4 f8 94 a6 e9 77 22 5e b8 a0 57 16 b6 7b 37 f8 38 59 5a f3 b9 e9 6c ff 40 86 61 a7 97 d0 2d 0a 92 b2 fe d8 7f 48 43 a8 01 b0 0d 1f 5d a1 ee bb 82 66 7c 00 16 3d 20 b8 84 75 b7 cb 6c 29 d3 f3 5c 8f 02 8c 78 2a ec 68 fa d5 ca 74 36 03 2c 8c 1d 07 cf e7 e6 9c 6b 5e 65 60 cc b0 4c 84 76 10 b8 6b 40 dd 8c 09 65 70 73 00 b7 0d 9b 20 a2 ac 1d a0 19 e5 e4 ed 92 8a 4c e9 d4 08 18 8f 35 68 d5 0e 26 c3 13 6b 71 3f b8 f6 dc 3b 10 dd ab 5b cb b7 ae ed 2c 4c 55 69 4c dc 8e 36 95 f2 83 b5 25 49 e7 b8 d7 96 6d 0e 22 99 be a2 12 cd 45 8f fd cd 35 b2 f8 ca 5d 9b a0 a5 63 d1 8f 04 7f 07 5f ae 16 ae 0b 83 7f 30 77 ef 9c 9d 82 5a de 90 1d b5 aa da 17 12 de 54 9c 76 81 6b 2c 9e a5 44 95 c0 e5 ad a4 db 23 65 4d a6 aa 6d 19 2f 1f 50 85 4f 44 d0 bf c6 26 70 a7 f9 5e 49 01 cb 56 cb 6a a4 af 9b 52 93 81 55 42 43
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 25 Nov 2024 12:55:39 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingData Raw: 66 65 62 31 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 72 75 22 20 63 6c 61 73 73 3d 22 69 73 5f 61 64 61 70 74 69 76 65 22 20 64 61 74 61 2d 70 61 6e 65 6c 2d 75 72 6c 3d 22 68 74 74 70 73 3a 2f 2f 73 65 72 76 65 72 31 39 34 2e 68 6f 73 74 69 6e 67 2e 72 65 67 2e 72 75 2f 6d 61 6e 61 67 65 72 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 22 3e 3c 74 69 74 6c 65 3e d0 a1 d1 82 d1 80 d0 b0 d0 bd d0 b8 d1 86 d0 b0 20 d0 bd d0 b5 26 6e 62 73 70 3b d0 bd d0 b0 d0 b9 d0 b4 d0 b5 d0 bd d0 b0 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6d 65 64 69 61 3d 22 61 6c 6c 22 3e 2f 2a 21 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 21 2a 5c 0a 20 20 21 2a 2a 2a 20 63 73 73 20 2e 2f 6e 6f 64 65 5f 6d 6f 64 75 6c 65 73 2f 63 73 73 2d 6c 6f 61 64 65 72 2f 69 6e 64 65 78 2e 6a 73 3f 3f 63 6c 6f 6e 65 64 52 75 6c 65 53 65 74 2d 36 2e 75 73 65 5b 31 5d 21 2e 2f 6e 6f 64 65 5f 6d 6f 64 75 6c 65 73 2f 70 6f 73 74 63 73 73 2d 6c 6f 61 64 65 72 2f 73 72 63 2f 69 6e 64 65 78 2e 6a 73 21 2e 2f 6e 6f 64 65 5f 6d 6f 64 75 6c 65 73 2f 6c 65 73 73 2d 6c 6f 61 64 65 72 2f 64 69 73 74 2f 63 6a 73 2e 6a 73 21 2e 2f 62 65 6d 2f 62 6c 6f 63 6b 73 2e 61 64 61 70 74 69 76 65 2f 62 2d 70 61 67 65 2f 62 2d 70 61 67 65 2e 6c 65 73 73 20 2a 2a 2a 21 0a 20 20 5c 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2f 0a 2e 62 2d 70 61 67 65 7b 64 69 73 70 6c 61 79 3a

Source: icsunattend.exe, 00000006.00000002.3304456237.0000000004E94000.00000004.10000000.00040000.00000000.sdmp, hnmibsTvfR.exe, 00000007.00000002.3304107723.0000000002AE4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2843915674.0000000033CC4000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: http://funnystory.online/2dyu/?RhqLA=IdOhgVq&Zvupu44p=bADo
Source: hnmibsTvfR.exe, 00000007.00000002.3303040517.00000000007DB000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.a1shop.shop
Source: hnmibsTvfR.exe, 00000007.00000002.3303040517.00000000007DB000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.a1shop.shop/5cnx/
Source: icsunattend.exe, 00000006.00000002.3304456237.0000000005026000.00000004.10000000.00040000.00000000.sdmp, hnmibsTvfR.exe, 00000007.00000002.3304107723.0000000002C76000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://2domains.ru
Source: icsunattend.exe, 00000006.00000003.2739041253.000000000757E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: icsunattend.exe, 00000006.00000003.2739041253.000000000757E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: icsunattend.exe, 00000006.00000003.2739041253.000000000757E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: icsunattend.exe, 00000006.00000003.2739041253.000000000757E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: icsunattend.exe, 00000006.00000003.2739041253.000000000757E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: icsunattend.exe, 00000006.00000003.2739041253.000000000757E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: icsunattend.exe, 00000006.00000003.2739041253.000000000757E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: icsunattend.exe, 00000006.00000002.3304456237.0000000005026000.00000004.10000000.00040000.00000000.sdmp, hnmibsTvfR.exe, 00000007.00000002.3304107723.0000000002C76000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://files.reg.ru/fonts/inter/Inter-Medium.woff)
Source: icsunattend.exe, 00000006.00000002.3304456237.0000000005026000.00000004.10000000.00040000.00000000.sdmp, hnmibsTvfR.exe, 00000007.00000002.3304107723.0000000002C76000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://files.reg.ru/fonts/inter/Inter-Medium.woff2)
Source: icsunattend.exe, 00000006.00000002.3304456237.0000000005026000.00000004.10000000.00040000.00000000.sdmp, hnmibsTvfR.exe, 00000007.00000002.3304107723.0000000002C76000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://files.reg.ru/fonts/inter/Inter-Regular.woff)
Source: icsunattend.exe, 00000006.00000002.3304456237.0000000005026000.00000004.10000000.00040000.00000000.sdmp, hnmibsTvfR.exe, 00000007.00000002.3304107723.0000000002C76000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://files.reg.ru/fonts/inter/Inter-Regular.woff2)
Source: icsunattend.exe, 00000006.00000002.3304456237.0000000005026000.00000004.10000000.00040000.00000000.sdmp, hnmibsTvfR.exe, 00000007.00000002.3304107723.0000000002C76000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://files.reg.ru/fonts/inter/Inter-SemiBold.woff)
Source: icsunattend.exe, 00000006.00000002.3304456237.0000000005026000.00000004.10000000.00040000.00000000.sdmp, hnmibsTvfR.exe, 00000007.00000002.3304107723.0000000002C76000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://files.reg.ru/fonts/inter/Inter-SemiBold.woff2)
Source: icsunattend.exe, 00000006.00000002.3302124025.00000000006B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth.
Source: icsunattend.exe, 00000006.00000002.3302124025.00000000006B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: icsunattend.exe, 00000006.00000002.3302124025.00000000006B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: icsunattend.exe, 00000006.00000002.3302124025.00000000006B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: icsunattend.exe, 00000006.00000002.3302124025.00000000006B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: icsunattend.exe, 00000006.00000002.3302124025.00000000006B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: icsunattend.exe, 00000006.00000002.3302124025.00000000006B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: icsunattend.exe, 00000006.00000003.2733992852.0000000007550000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: icsunattend.exe, 00000006.00000002.3304456237.0000000005026000.00000004.10000000.00040000.00000000.sdmp, hnmibsTvfR.exe, 00000007.00000002.3304107723.0000000002C76000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://reg.ru?target=_blank
Source: hnmibsTvfR.exe, 00000007.00000002.3304107723.0000000002C76000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://server194.hosting.reg.ru/manager
Source: icsunattend.exe, 00000006.00000003.2739041253.000000000757E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: icsunattend.exe, 00000006.00000003.2739041253.000000000757E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: icsunattend.exe, 00000006.00000002.3304456237.0000000005026000.00000004.10000000.00040000.00000000.sdmp, hnmibsTvfR.exe, 00000007.00000002.3304107723.0000000002C76000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.reg.ru/dedicated/?utm_source=&utm_medium=expired&utm_campaign
Source: icsunattend.exe, 00000006.00000002.3304456237.0000000005026000.00000004.10000000.00040000.00000000.sdmp, hnmibsTvfR.exe, 00000007.00000002.3304107723.0000000002C76000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.reg.ru/hosting/?utm_source=&utm_medium=expired&utm_campaign
Source: icsunattend.exe, 00000006.00000002.3304456237.0000000005026000.00000004.10000000.00040000.00000000.sdmp, hnmibsTvfR.exe, 00000007.00000002.3304107723.0000000002C76000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.reg.ru/ssl-certificate/?utm_source=&utm_medium=expired&utm_campaign
Source: icsunattend.exe, 00000006.00000002.3304456237.0000000005026000.00000004.10000000.00040000.00000000.sdmp, hnmibsTvfR.exe, 00000007.00000002.3304107723.0000000002C76000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.reg.ru/support/#request
Source: icsunattend.exe, 00000006.00000002.3304456237.0000000005026000.00000004.10000000.00040000.00000000.sdmp, hnmibsTvfR.exe, 00000007.00000002.3304107723.0000000002C76000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.reg.ru/support/hosting-i-servery/moy-sayt-ne-rabotaet/oshibka-404
Source: icsunattend.exe, 00000006.00000002.3304456237.0000000005026000.00000004.10000000.00040000.00000000.sdmp, hnmibsTvfR.exe, 00000007.00000002.3304107723.0000000002C76000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.reg.ru/vps/?utm_source=&utm_medium=expired&utm_campaign
Source: icsunattend.exe, 00000006.00000002.3304456237.0000000005026000.00000004.10000000.00040000.00000000.sdmp, hnmibsTvfR.exe, 00000007.00000002.3304107723.0000000002C76000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.reg.ru/vps/cloud/?utm_source=&utm_medium=expired&utm_campaign
Source: icsunattend.exe, 00000006.00000002.3304456237.0000000005026000.00000004.10000000.00040000.00000000.sdmp, hnmibsTvfR.exe, 00000007.00000002.3304107723.0000000002C76000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.reg.ru/web-tools/geoip?utm_source=&utm_medium=expired&utm_campaign
Source: icsunattend.exe, 00000006.00000002.3304456237.0000000005026000.00000004.10000000.00040000.00000000.sdmp, hnmibsTvfR.exe, 00000007.00000002.3304107723.0000000002C76000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.reg.ru/web-tools/myip?utm_source=&utm_medium=expired&utm_campaign
Source: icsunattend.exe, 00000006.00000002.3304456237.0000000005026000.00000004.10000000.00040000.00000000.sdmp, hnmibsTvfR.exe, 00000007.00000002.3304107723.0000000002C76000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.reg.ru/web-tools/port-checker?utm_source=&utm_medium=expired&utm_campaign
Source: icsunattend.exe, 00000006.00000002.3304456237.0000000005026000.00000004.10000000.00040000.00000000.sdmp, hnmibsTvfR.exe, 00000007.00000002.3304107723.0000000002C76000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.reg.ru/whois/?utm_source=&utm_medium=expired&utm_campaign
Source: icsunattend.exe, 00000006.00000002.3304456237.0000000005026000.00000004.10000000.00040000.00000000.sdmp, hnmibsTvfR.exe, 00000007.00000002.3304107723.0000000002C76000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.reg.ru/whois/check_site?utm_source=&utm_medium=expired&utm_campaign

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\Desktop\Fi#U015f.exe

Code function: 0_2_00E96B0C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00E96B0C

Source: C:\Users\user\Desktop\Fi#U015f.exe

Code function: 0_2_00E96D07 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00E96D07

Source: C:\Users\user\Desktop\Fi#U015f.exe

Code function: 0_2_00E96B0C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00E96B0C

Source: C:\Users\user\Desktop\Fi#U015f.exe

Code function: 0_2_00E82B37 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_00E82B37

Source: C:\Users\user\Desktop\Fi#U015f.exe

Code function: 0_2_00EAF7FF DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00EAF7FF

E-Banking Fraud

Source: Yara match	File source: 2.2.svchost.exe.2140000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.2140000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.3303150675.0000000004120000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2552287327.0000000002BF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2552706561.0000000003400000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2552000811.0000000002140000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3303269624.0000000002A00000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3301917962.0000000000430000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3303084240.0000000000CB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

System Summary

Source: C:\Users\user\Desktop\Fi#U015f.exe	Code function: This is a third-party compiled AutoIt script.		0_2_00E43D19
Source: Fi#U015f.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: Fi#U015f.exe, 00000000.00000000.2059012294.0000000000EEE000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.		memstr_e996595a-1
Source: Fi#U015f.exe, 00000000.00000000.2059012294.0000000000EEE000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer		memstr_21097b31-9
Source: Fi#U015f.exe	String found in binary or memory: This is a third-party compiled AutoIt script.		memstr_2c46adaa-c
Source: Fi#U015f.exe	String found in binary or memory: CSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer		memstr_ffbb4c8f-3

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0216C8E3 NtClose,		2_2_0216C8E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D72B60 NtClose,LdrInitializeThunk,		2_2_02D72B60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D72C70 NtFreeVirtualMemory,LdrInitializeThunk,		2_2_02D72C70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D72DF0 NtQuerySystemInformation,LdrInitializeThunk,		2_2_02D72DF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D735C0 NtCreateMutant,LdrInitializeThunk,		2_2_02D735C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D74340 NtSetContextThread,		2_2_02D74340
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D74650 NtSuspendThread,		2_2_02D74650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D72AD0 NtReadFile,		2_2_02D72AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D72AF0 NtWriteFile,		2_2_02D72AF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D72AB0 NtWaitForSingleObject,		2_2_02D72AB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D72BF0 NtAllocateVirtualMemory,		2_2_02D72BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D72BE0 NtQueryValueKey,		2_2_02D72BE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D72B80 NtQueryInformationFile,		2_2_02D72B80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D72BA0 NtEnumerateValueKey,		2_2_02D72BA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D72EE0 NtQueueApcThread,		2_2_02D72EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D72E80 NtReadVirtualMemory,		2_2_02D72E80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D72EA0 NtAdjustPrivilegesToken,		2_2_02D72EA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D72E30 NtWriteVirtualMemory,		2_2_02D72E30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D72FE0 NtCreateFile,		2_2_02D72FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D72F90 NtProtectVirtualMemory,		2_2_02D72F90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D72FB0 NtResumeThread,		2_2_02D72FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D72FA0 NtQuerySection,		2_2_02D72FA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D72F60 NtCreateProcessEx,		2_2_02D72F60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D72F30 NtCreateSection,		2_2_02D72F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D72CC0 NtQueryVirtualMemory,		2_2_02D72CC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D72CF0 NtOpenProcess,		2_2_02D72CF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D72CA0 NtQueryInformationToken,		2_2_02D72CA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D72C60 NtCreateKey,		2_2_02D72C60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D72C00 NtQueryInformationProcess,		2_2_02D72C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D72DD0 NtDelayExecution,		2_2_02D72DD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D72DB0 NtEnumerateKey,		2_2_02D72DB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D72D10 NtMapViewOfSection,		2_2_02D72D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D72D00 NtSetInformationFile,		2_2_02D72D00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D72D30 NtUnmapViewOfSection,		2_2_02D72D30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D73090 NtSetValueKey,		2_2_02D73090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D73010 NtOpenDirectoryObject,		2_2_02D73010
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D739B0 NtGetContextThread,		2_2_02D739B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D73D70 NtOpenThread,		2_2_02D73D70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D73D10 NtOpenProcessToken,		2_2_02D73D10

Source: C:\Users\user\Desktop\Fi#U015f.exe

Code function: 0_2_00E86685: CreateFileW,DeviceIoControl,CloseHandle,

0_2_00E86685

Source: C:\Users\user\Desktop\Fi#U015f.exe

Code function: 0_2_00E7ACC5 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00E7ACC5

Source: C:\Users\user\Desktop\Fi#U015f.exe

Code function: 0_2_00E879D3 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_00E879D3

Source: C:\Users\user\Desktop\Fi#U015f.exe	Code function: 0_2_00E6B043		0_2_00E6B043
Source: C:\Users\user\Desktop\Fi#U015f.exe	Code function: 0_2_00E53200		0_2_00E53200
Source: C:\Users\user\Desktop\Fi#U015f.exe	Code function: 0_2_00E53B70		0_2_00E53B70
Source: C:\Users\user\Desktop\Fi#U015f.exe	Code function: 0_2_00E7410F		0_2_00E7410F
Source: C:\Users\user\Desktop\Fi#U015f.exe	Code function: 0_2_00E602A4		0_2_00E602A4
Source: C:\Users\user\Desktop\Fi#U015f.exe	Code function: 0_2_00E4E3B0		0_2_00E4E3B0
Source: C:\Users\user\Desktop\Fi#U015f.exe	Code function: 0_2_00E7038E		0_2_00E7038E
Source: C:\Users\user\Desktop\Fi#U015f.exe	Code function: 0_2_00E606D9		0_2_00E606D9
Source: C:\Users\user\Desktop\Fi#U015f.exe	Code function: 0_2_00E7467F		0_2_00E7467F
Source: C:\Users\user\Desktop\Fi#U015f.exe	Code function: 0_2_00EAAACE		0_2_00EAAACE
Source: C:\Users\user\Desktop\Fi#U015f.exe	Code function: 0_2_00E74BEF		0_2_00E74BEF
Source: C:\Users\user\Desktop\Fi#U015f.exe	Code function: 0_2_00E6CCC1		0_2_00E6CCC1
Source: C:\Users\user\Desktop\Fi#U015f.exe	Code function: 0_2_00E4AF50		0_2_00E4AF50
Source: C:\Users\user\Desktop\Fi#U015f.exe	Code function: 0_2_00E46F07		0_2_00E46F07
Source: C:\Users\user\Desktop\Fi#U015f.exe	Code function: 0_2_00EA31BC		0_2_00EA31BC
Source: C:\Users\user\Desktop\Fi#U015f.exe	Code function: 0_2_00E6D1B9		0_2_00E6D1B9
Source: C:\Users\user\Desktop\Fi#U015f.exe	Code function: 0_2_00E5B11F		0_2_00E5B11F
Source: C:\Users\user\Desktop\Fi#U015f.exe	Code function: 0_2_00E7724D		0_2_00E7724D
Source: C:\Users\user\Desktop\Fi#U015f.exe	Code function: 0_2_00E6123A		0_2_00E6123A
Source: C:\Users\user\Desktop\Fi#U015f.exe	Code function: 0_2_00E493F0		0_2_00E493F0
Source: C:\Users\user\Desktop\Fi#U015f.exe	Code function: 0_2_00E813CA		0_2_00E813CA
Source: C:\Users\user\Desktop\Fi#U015f.exe	Code function: 0_2_00E5F563		0_2_00E5F563
Source: C:\Users\user\Desktop\Fi#U015f.exe	Code function: 0_2_00E8B6CC		0_2_00E8B6CC
Source: C:\Users\user\Desktop\Fi#U015f.exe	Code function: 0_2_00E496C0		0_2_00E496C0
Source: C:\Users\user\Desktop\Fi#U015f.exe	Code function: 0_2_00EAF7FF		0_2_00EAF7FF
Source: C:\Users\user\Desktop\Fi#U015f.exe	Code function: 0_2_00E477B0		0_2_00E477B0
Source: C:\Users\user\Desktop\Fi#U015f.exe	Code function: 0_2_00E779C9		0_2_00E779C9
Source: C:\Users\user\Desktop\Fi#U015f.exe	Code function: 0_2_00E5FA57		0_2_00E5FA57
Source: C:\Users\user\Desktop\Fi#U015f.exe	Code function: 0_2_00E49B60		0_2_00E49B60
Source: C:\Users\user\Desktop\Fi#U015f.exe	Code function: 0_2_00E47D19		0_2_00E47D19
Source: C:\Users\user\Desktop\Fi#U015f.exe	Code function: 0_2_00E69ED0		0_2_00E69ED0
Source: C:\Users\user\Desktop\Fi#U015f.exe	Code function: 0_2_00E5FE6F		0_2_00E5FE6F
Source: C:\Users\user\Desktop\Fi#U015f.exe	Code function: 0_2_00E47FA3		0_2_00E47FA3
Source: C:\Users\user\Desktop\Fi#U015f.exe	Code function: 0_2_00BC4A20		0_2_00BC4A20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02158793		2_2_02158793
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02142AD0		2_2_02142AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0214E2D8		2_2_0214E2D8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0214E2E3		2_2_0214E2E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02156995		2_2_02156995
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02156993		2_2_02156993
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0214E193		2_2_0214E193
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_021501B3		2_2_021501B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_021411F0		2_2_021411F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_021426B0		2_2_021426B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0216EF43		2_2_0216EF43
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0214FF93		2_2_0214FF93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0214FF8C		2_2_0214FF8C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02142FE0		2_2_02142FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DC02C0		2_2_02DC02C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DE0274		2_2_02DE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E003E6		2_2_02E003E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D4E3F0		2_2_02D4E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DFA352		2_2_02DFA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DD2000		2_2_02DD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DF81CC		2_2_02DF81CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E001AA		2_2_02E001AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DC8158		2_2_02DC8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DDA118		2_2_02DDA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D30100		2_2_02D30100
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D5C6E0		2_2_02D5C6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D3C7C0		2_2_02D3C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D64750		2_2_02D64750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D40770		2_2_02D40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DEE4F6		2_2_02DEE4F6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DF2446		2_2_02DF2446
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DE4420		2_2_02DE4420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E00591		2_2_02E00591
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D40535		2_2_02D40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D3EA80		2_2_02D3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DF6BD7		2_2_02DF6BD7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DFAB40		2_2_02DFAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D6E8F0		2_2_02D6E8F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D268B8		2_2_02D268B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D4A840		2_2_02D4A840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D42840		2_2_02D42840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E0A9A6		2_2_02E0A9A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D429A0		2_2_02D429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D56962		2_2_02D56962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DFEEDB		2_2_02DFEEDB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D52E90		2_2_02D52E90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DFCE93		2_2_02DFCE93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D40E59		2_2_02D40E59
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DFEE26		2_2_02DFEE26
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D32FC8		2_2_02D32FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D4CFE0		2_2_02D4CFE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DBEFA0		2_2_02DBEFA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DB4F40		2_2_02DB4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D60F30		2_2_02D60F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DE2F30		2_2_02DE2F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D82F28		2_2_02D82F28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D30CF2		2_2_02D30CF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DE0CB5		2_2_02DE0CB5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D40C00		2_2_02D40C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D3ADE0		2_2_02D3ADE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D58DBF		2_2_02D58DBF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DDCD1F		2_2_02DDCD1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D4AD00		2_2_02D4AD00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D5B2C0		2_2_02D5B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DE12ED		2_2_02DE12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D452A0		2_2_02D452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D8739A		2_2_02D8739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D2D34C		2_2_02D2D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DF132D		2_2_02DF132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DEF0CC		2_2_02DEF0CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D470C0		2_2_02D470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DF70E9		2_2_02DF70E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DFF0E0		2_2_02DFF0E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D4B1B0		2_2_02D4B1B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E0B16B		2_2_02E0B16B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D2F172		2_2_02D2F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D7516C		2_2_02D7516C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DF16CC		2_2_02DF16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DFF7B0		2_2_02DFF7B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D31460		2_2_02D31460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DFF43F		2_2_02DFF43F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DDD5B0		2_2_02DDD5B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DF7571		2_2_02DF7571
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DEDAC6		2_2_02DEDAC6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DDDAAC		2_2_02DDDAAC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D85AA0		2_2_02D85AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DE1AA3		2_2_02DE1AA3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DFFA49		2_2_02DFFA49
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DF7A46		2_2_02DF7A46
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DB3A6C		2_2_02DB3A6C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DB5BF0		2_2_02DB5BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D7DBF9		2_2_02D7DBF9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D5FB80		2_2_02D5FB80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DFFB76		2_2_02DFFB76
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D438E0		2_2_02D438E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DAD800		2_2_02DAD800
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D49950		2_2_02D49950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D5B950		2_2_02D5B950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DD5910		2_2_02DD5910
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D49EB0		2_2_02D49EB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D41F92		2_2_02D41F92
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DFFFB1		2_2_02DFFFB1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DFFF09		2_2_02DFFF09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DFFCF2		2_2_02DFFCF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DB9C32		2_2_02DB9C32
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D5FDC0		2_2_02D5FDC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DF1D5A		2_2_02DF1D5A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D43D40		2_2_02D43D40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DF7D73		2_2_02DF7D73
Source: C:\Program Files (x86)\qgNvKFZijGVkcEEPSgzrvAetYjwdrgHDFEvmGJpEGoeV\hnmibsTvfR.exe	Code function: 4_2_02D4381A		4_2_02D4381A
Source: C:\Program Files (x86)\qgNvKFZijGVkcEEPSgzrvAetYjwdrgHDFEvmGJpEGoeV\hnmibsTvfR.exe	Code function: 4_2_02D4194A		4_2_02D4194A
Source: C:\Program Files (x86)\qgNvKFZijGVkcEEPSgzrvAetYjwdrgHDFEvmGJpEGoeV\hnmibsTvfR.exe	Code function: 4_2_02D4193F		4_2_02D4193F
Source: C:\Program Files (x86)\qgNvKFZijGVkcEEPSgzrvAetYjwdrgHDFEvmGJpEGoeV\hnmibsTvfR.exe	Code function: 4_2_02D49FFC		4_2_02D49FFC
Source: C:\Program Files (x86)\qgNvKFZijGVkcEEPSgzrvAetYjwdrgHDFEvmGJpEGoeV\hnmibsTvfR.exe	Code function: 4_2_02D49FFA		4_2_02D49FFA
Source: C:\Program Files (x86)\qgNvKFZijGVkcEEPSgzrvAetYjwdrgHDFEvmGJpEGoeV\hnmibsTvfR.exe	Code function: 4_2_02D417BE		4_2_02D417BE
Source: C:\Program Files (x86)\qgNvKFZijGVkcEEPSgzrvAetYjwdrgHDFEvmGJpEGoeV\hnmibsTvfR.exe	Code function: 4_2_02D4BDF5		4_2_02D4BDF5
Source: C:\Program Files (x86)\qgNvKFZijGVkcEEPSgzrvAetYjwdrgHDFEvmGJpEGoeV\hnmibsTvfR.exe	Code function: 4_2_02D435F3		4_2_02D435F3
Source: C:\Program Files (x86)\qgNvKFZijGVkcEEPSgzrvAetYjwdrgHDFEvmGJpEGoeV\hnmibsTvfR.exe	Code function: 4_2_02D435FA		4_2_02D435FA
Source: C:\Program Files (x86)\qgNvKFZijGVkcEEPSgzrvAetYjwdrgHDFEvmGJpEGoeV\hnmibsTvfR.exe	Code function: 4_2_02D625AA		4_2_02D625AA

Source: C:\Users\user\Desktop\Fi#U015f.exe	Code function: String function: 00E5EC2F appears 68 times
Source: C:\Users\user\Desktop\Fi#U015f.exe	Code function: String function: 00E66AC0 appears 42 times
Source: C:\Users\user\Desktop\Fi#U015f.exe	Code function: String function: 00E6F8A0 appears 35 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 02D75130 appears 58 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 02DBF290 appears 105 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 02DAEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 02D2B970 appears 280 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 02D87E54 appears 102 times

Source: Fi#U015f.exe, 00000000.00000003.2079288125.0000000003543000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Fi#U015f.exe
Source: Fi#U015f.exe, 00000000.00000003.2079014660.00000000036ED000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Fi#U015f.exe

Source: Fi#U015f.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/3@8/3

Source: C:\Users\user\Desktop\Fi#U015f.exe

Code function: 0_2_00E8CE7A GetLastError,FormatMessageW,

0_2_00E8CE7A

Source: C:\Users\user\Desktop\Fi#U015f.exe	Code function: 0_2_00E7AB84 AdjustTokenPrivileges,CloseHandle,		0_2_00E7AB84
Source: C:\Users\user\Desktop\Fi#U015f.exe	Code function: 0_2_00E7B134 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_00E7B134

Source: C:\Users\user\Desktop\Fi#U015f.exe

Code function: 0_2_00E8E1FD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_00E8E1FD

Source: C:\Users\user\Desktop\Fi#U015f.exe

Code function: 0_2_00E86532 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,CloseHandle,

0_2_00E86532

Source: C:\Users\user\Desktop\Fi#U015f.exe

Code function: 0_2_00E9C18C CoInitializeSecurity,_memset,_memset,CoCreateInstanceEx,CoTaskMemFree,CoSetProxyBlanket,

0_2_00E9C18C

Source: C:\Users\user\Desktop\Fi#U015f.exe

Code function: 0_2_00E4406B CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00E4406B

Source: C:\Users\user\Desktop\Fi#U015f.exe

File created: C:\Users\user\AppData\Local\Temp\aut1A69.tmp

Jump to behavior

Source: Fi#U015f.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\Fi#U015f.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: icsunattend.exe, 00000006.00000002.3302124025.0000000000712000.00000004.00000020.00020000.00000000.sdmp, icsunattend.exe, 00000006.00000003.2734898666.00000000006F1000.00000004.00000020.00020000.00000000.sdmp, icsunattend.exe, 00000006.00000003.2737463825.000000000071B000.00000004.00000020.00020000.00000000.sdmp, icsunattend.exe, 00000006.00000003.2734998514.0000000000712000.00000004.00000020.00020000.00000000.sdmp, icsunattend.exe, 00000006.00000002.3302124025.000000000073E000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: Fi#U015f.exe

ReversingLabs: Detection: 73%

Source: unknown	Process created: C:\Users\user\Desktop\Fi#U015f.exe "C:\Users\user\Desktop\Fi#U015f.exe"
Source: C:\Users\user\Desktop\Fi#U015f.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Fi#U015f.exe"
Source: C:\Program Files (x86)\qgNvKFZijGVkcEEPSgzrvAetYjwdrgHDFEvmGJpEGoeV\hnmibsTvfR.exe	Process created: C:\Windows\SysWOW64\icsunattend.exe "C:\Windows\SysWOW64\icsunattend.exe"
Source: C:\Windows\SysWOW64\icsunattend.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\Fi#U015f.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Fi#U015f.exe"			Jump to behavior
Source: C:\Program Files (x86)\qgNvKFZijGVkcEEPSgzrvAetYjwdrgHDFEvmGJpEGoeV\hnmibsTvfR.exe	Process created: C:\Windows\SysWOW64\icsunattend.exe "C:\Windows\SysWOW64\icsunattend.exe"			Jump to behavior
Source: C:\Windows\SysWOW64\icsunattend.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"			Jump to behavior

Source: C:\Users\user\Desktop\Fi#U015f.exe	Section loaded: apphelp.dll			Jump to behavior
Source: C:\Users\user\Desktop\Fi#U015f.exe	Section loaded: wsock32.dll			Jump to behavior
Source: C:\Users\user\Desktop\Fi#U015f.exe	Section loaded: version.dll			Jump to behavior
Source: C:\Users\user\Desktop\Fi#U015f.exe	Section loaded: winmm.dll			Jump to behavior
Source: C:\Users\user\Desktop\Fi#U015f.exe	Section loaded: mpr.dll			Jump to behavior
Source: C:\Users\user\Desktop\Fi#U015f.exe	Section loaded: wininet.dll			Jump to behavior
Source: C:\Users\user\Desktop\Fi#U015f.exe	Section loaded: iphlpapi.dll			Jump to behavior
Source: C:\Users\user\Desktop\Fi#U015f.exe	Section loaded: userenv.dll			Jump to behavior
Source: C:\Users\user\Desktop\Fi#U015f.exe	Section loaded: uxtheme.dll			Jump to behavior
Source: C:\Users\user\Desktop\Fi#U015f.exe	Section loaded: kernel.appcore.dll			Jump to behavior
Source: C:\Users\user\Desktop\Fi#U015f.exe	Section loaded: windows.storage.dll			Jump to behavior
Source: C:\Users\user\Desktop\Fi#U015f.exe	Section loaded: wldp.dll			Jump to behavior
Source: C:\Users\user\Desktop\Fi#U015f.exe	Section loaded: ntmarta.dll			Jump to behavior
Source: C:\Windows\SysWOW64\icsunattend.exe	Section loaded: wininet.dll			Jump to behavior
Source: C:\Windows\SysWOW64\icsunattend.exe	Section loaded: kernel.appcore.dll			Jump to behavior
Source: C:\Windows\SysWOW64\icsunattend.exe	Section loaded: uxtheme.dll			Jump to behavior
Source: C:\Windows\SysWOW64\icsunattend.exe	Section loaded: ieframe.dll			Jump to behavior
Source: C:\Windows\SysWOW64\icsunattend.exe	Section loaded: iertutil.dll			Jump to behavior
Source: C:\Windows\SysWOW64\icsunattend.exe	Section loaded: netapi32.dll			Jump to behavior
Source: C:\Windows\SysWOW64\icsunattend.exe	Section loaded: version.dll			Jump to behavior
Source: C:\Windows\SysWOW64\icsunattend.exe	Section loaded: userenv.dll			Jump to behavior
Source: C:\Windows\SysWOW64\icsunattend.exe	Section loaded: winhttp.dll			Jump to behavior
Source: C:\Windows\SysWOW64\icsunattend.exe	Section loaded: wkscli.dll			Jump to behavior
Source: C:\Windows\SysWOW64\icsunattend.exe	Section loaded: netutils.dll			Jump to behavior
Source: C:\Windows\SysWOW64\icsunattend.exe	Section loaded: sspicli.dll			Jump to behavior
Source: C:\Windows\SysWOW64\icsunattend.exe	Section loaded: windows.storage.dll			Jump to behavior
Source: C:\Windows\SysWOW64\icsunattend.exe	Section loaded: wldp.dll			Jump to behavior
Source: C:\Windows\SysWOW64\icsunattend.exe	Section loaded: profapi.dll			Jump to behavior
Source: C:\Windows\SysWOW64\icsunattend.exe	Section loaded: secur32.dll			Jump to behavior
Source: C:\Windows\SysWOW64\icsunattend.exe	Section loaded: mlang.dll			Jump to behavior
Source: C:\Windows\SysWOW64\icsunattend.exe	Section loaded: propsys.dll			Jump to behavior
Source: C:\Windows\SysWOW64\icsunattend.exe	Section loaded: winsqlite3.dll			Jump to behavior
Source: C:\Windows\SysWOW64\icsunattend.exe	Section loaded: vaultcli.dll			Jump to behavior
Source: C:\Windows\SysWOW64\icsunattend.exe	Section loaded: wintypes.dll			Jump to behavior
Source: C:\Windows\SysWOW64\icsunattend.exe	Section loaded: dpapi.dll			Jump to behavior
Source: C:\Windows\SysWOW64\icsunattend.exe	Section loaded: cryptbase.dll			Jump to behavior
Source: C:\Program Files (x86)\qgNvKFZijGVkcEEPSgzrvAetYjwdrgHDFEvmGJpEGoeV\hnmibsTvfR.exe	Section loaded: wininet.dll			Jump to behavior
Source: C:\Program Files (x86)\qgNvKFZijGVkcEEPSgzrvAetYjwdrgHDFEvmGJpEGoeV\hnmibsTvfR.exe	Section loaded: mswsock.dll			Jump to behavior
Source: C:\Program Files (x86)\qgNvKFZijGVkcEEPSgzrvAetYjwdrgHDFEvmGJpEGoeV\hnmibsTvfR.exe	Section loaded: dnsapi.dll			Jump to behavior
Source: C:\Program Files (x86)\qgNvKFZijGVkcEEPSgzrvAetYjwdrgHDFEvmGJpEGoeV\hnmibsTvfR.exe	Section loaded: iphlpapi.dll			Jump to behavior
Source: C:\Program Files (x86)\qgNvKFZijGVkcEEPSgzrvAetYjwdrgHDFEvmGJpEGoeV\hnmibsTvfR.exe	Section loaded: fwpuclnt.dll			Jump to behavior
Source: C:\Program Files (x86)\qgNvKFZijGVkcEEPSgzrvAetYjwdrgHDFEvmGJpEGoeV\hnmibsTvfR.exe	Section loaded: rasadhlp.dll			Jump to behavior

Source: C:\Windows\SysWOW64\icsunattend.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\icsunattend.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Jump to behavior

Source: Fi#U015f.exe

Static file information: File size 1209344 > 1048576

Source: Fi#U015f.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Fi#U015f.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Fi#U015f.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Fi#U015f.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Fi#U015f.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Fi#U015f.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: Fi#U015f.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: hnmibsTvfR.exe, 00000004.00000000.2476250910.000000000075E000.00000002.00000001.01000000.00000005.sdmp, hnmibsTvfR.exe, 00000007.00000000.2625552123.000000000075E000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: wntdll.pdbUGP source: Fi#U015f.exe, 00000000.00000003.2080229559.00000000035C0000.00000004.00001000.00020000.00000000.sdmp, Fi#U015f.exe, 00000000.00000003.2080827454.0000000003470000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2460035466.0000000002B00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2458092933.0000000002900000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2552321823.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2552321823.0000000002E9E000.00000040.00001000.00020000.00000000.sdmp, icsunattend.exe, 00000006.00000003.2554333146.00000000042D6000.00000004.00000020.00020000.00000000.sdmp, icsunattend.exe, 00000006.00000002.3303600933.000000000461E000.00000040.00001000.00020000.00000000.sdmp, icsunattend.exe, 00000006.00000003.2552233652.0000000004120000.00000004.00000020.00020000.00000000.sdmp, icsunattend.exe, 00000006.00000002.3303600933.0000000004480000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Fi#U015f.exe, 00000000.00000003.2080229559.00000000035C0000.00000004.00001000.00020000.00000000.sdmp, Fi#U015f.exe, 00000000.00000003.2080827454.0000000003470000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.2460035466.0000000002B00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2458092933.0000000002900000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2552321823.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2552321823.0000000002E9E000.00000040.00001000.00020000.00000000.sdmp, icsunattend.exe, 00000006.00000003.2554333146.00000000042D6000.00000004.00000020.00020000.00000000.sdmp, icsunattend.exe, 00000006.00000002.3303600933.000000000461E000.00000040.00001000.00020000.00000000.sdmp, icsunattend.exe, 00000006.00000003.2552233652.0000000004120000.00000004.00000020.00020000.00000000.sdmp, icsunattend.exe, 00000006.00000002.3303600933.0000000004480000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: icsunattend.pdbGCTL source: svchost.exe, 00000002.00000002.2552129774.0000000002619000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2552114339.0000000002600000.00000004.00000020.00020000.00000000.sdmp, hnmibsTvfR.exe, 00000004.00000002.3302819959.0000000000E68000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: icsunattend.pdb source: svchost.exe, 00000002.00000002.2552129774.0000000002619000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2552114339.0000000002600000.00000004.00000020.00020000.00000000.sdmp, hnmibsTvfR.exe, 00000004.00000002.3302819959.0000000000E68000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: icsunattend.exe, 00000006.00000002.3304456237.0000000004AAC000.00000004.10000000.00040000.00000000.sdmp, icsunattend.exe, 00000006.00000002.3302124025.0000000000696000.00000004.00000020.00020000.00000000.sdmp, hnmibsTvfR.exe, 00000007.00000000.2625798931.00000000026FC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2843915674.00000000338DC000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: icsunattend.exe, 00000006.00000002.3304456237.0000000004AAC000.00000004.10000000.00040000.00000000.sdmp, icsunattend.exe, 00000006.00000002.3302124025.0000000000696000.00000004.00000020.00020000.00000000.sdmp, hnmibsTvfR.exe, 00000007.00000000.2625798931.00000000026FC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2843915674.00000000338DC000.00000004.80000000.00040000.00000000.sdmp

Source: Fi#U015f.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Fi#U015f.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Fi#U015f.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Fi#U015f.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Fi#U015f.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Source: C:\Users\user\Desktop\Fi#U015f.exe

Code function: 0_2_00E5E01E LoadLibraryA,GetProcAddress,

0_2_00E5E01E

Source: C:\Users\user\Desktop\Fi#U015f.exe	Code function: 0_2_00E66B05 push ecx; ret		0_2_00E66B18
Source: C:\Users\user\Desktop\Fi#U015f.exe	Code function: 0_2_00BC4FB8 push eax; retf		0_2_00BC4FD8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02158267 push ds; retf		2_2_02158282
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02143290 push eax; ret		2_2_02143292
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_021542D0 push ds; ret		2_2_021542D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02145B87 push es; iretd		2_2_02145B88
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02154BEB push FFFFFFB6h; ret		2_2_02154BED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0214D8AE push ss; ret		2_2_0214D8AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0215719B push ds; iretd		2_2_0215719C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02142184 push ds; ret		2_2_021421DE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_021566D3 push ebp; iretd		2_2_02156798
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_021566FD push ebp; iretd		2_2_02156798
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02153C24 push edi; retf		2_2_02153C2C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02164C23 push ds; ret		2_2_02164CC6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0216DCC3 push ss; retf		2_2_0216DCF7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02166D03 push edi; ret		2_2_02166D0E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_021585D5 push edi; iretd		2_2_021585E4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D309AD push ecx; mov dword ptr [esp], ecx		2_2_02D309B6
Source: C:\Program Files (x86)\qgNvKFZijGVkcEEPSgzrvAetYjwdrgHDFEvmGJpEGoeV\hnmibsTvfR.exe	Code function: 4_2_02D5828A push ds; ret		4_2_02D5832D
Source: C:\Program Files (x86)\qgNvKFZijGVkcEEPSgzrvAetYjwdrgHDFEvmGJpEGoeV\hnmibsTvfR.exe	Code function: 4_2_02D4728B push edi; retf		4_2_02D47293
Source: C:\Program Files (x86)\qgNvKFZijGVkcEEPSgzrvAetYjwdrgHDFEvmGJpEGoeV\hnmibsTvfR.exe	Code function: 4_2_02D48252 push FFFFFFB6h; ret		4_2_02D48254
Source: C:\Program Files (x86)\qgNvKFZijGVkcEEPSgzrvAetYjwdrgHDFEvmGJpEGoeV\hnmibsTvfR.exe	Code function: 4_2_02D4E0DC push edx; retf		4_2_02D4E10B
Source: C:\Program Files (x86)\qgNvKFZijGVkcEEPSgzrvAetYjwdrgHDFEvmGJpEGoeV\hnmibsTvfR.exe	Code function: 4_2_02D4B8CE push ds; retf		4_2_02D4B8E9
Source: C:\Program Files (x86)\qgNvKFZijGVkcEEPSgzrvAetYjwdrgHDFEvmGJpEGoeV\hnmibsTvfR.exe	Code function: 4_2_02D4E0A8 push edx; retf		4_2_02D4E10B
Source: C:\Program Files (x86)\qgNvKFZijGVkcEEPSgzrvAetYjwdrgHDFEvmGJpEGoeV\hnmibsTvfR.exe	Code function: 4_2_02D4A802 push ds; iretd		4_2_02D4A803
Source: C:\Program Files (x86)\qgNvKFZijGVkcEEPSgzrvAetYjwdrgHDFEvmGJpEGoeV\hnmibsTvfR.exe	Code function: 4_2_02D391EE push es; iretd		4_2_02D391EF
Source: C:\Program Files (x86)\qgNvKFZijGVkcEEPSgzrvAetYjwdrgHDFEvmGJpEGoeV\hnmibsTvfR.exe	Code function: 4_2_02D40F15 push ss; ret		4_2_02D40F16
Source: C:\Program Files (x86)\qgNvKFZijGVkcEEPSgzrvAetYjwdrgHDFEvmGJpEGoeV\hnmibsTvfR.exe	Code function: 4_2_02D4BC3C push edi; iretd		4_2_02D4BC4B
Source: C:\Program Files (x86)\qgNvKFZijGVkcEEPSgzrvAetYjwdrgHDFEvmGJpEGoeV\hnmibsTvfR.exe	Code function: 4_2_02D49D64 push ebp; iretd		4_2_02D49DFF
Source: C:\Program Files (x86)\qgNvKFZijGVkcEEPSgzrvAetYjwdrgHDFEvmGJpEGoeV\hnmibsTvfR.exe	Code function: 4_2_02D49D3A push ebp; iretd		4_2_02D49DFF

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\Fi#U015f.exe	Code function: 0_2_00EA8111 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00EA8111
Source: C:\Users\user\Desktop\Fi#U015f.exe	Code function: 0_2_00E5EB42 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00E5EB42

Source: C:\Users\user\Desktop\Fi#U015f.exe

Code function: 0_2_00E6123A __initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00E6123A

Source: C:\Users\user\Desktop\Fi#U015f.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Fi#U015f.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\icsunattend.exe	Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\icsunattend.exe	Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\icsunattend.exe	Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\icsunattend.exe	Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\icsunattend.exe	Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\Fi#U015f.exe	API/Special instruction interceptor: Address: BC4644
Source: C:\Windows\SysWOW64\icsunattend.exe	API/Special instruction interceptor: Address: 7FF8C88ED324
Source: C:\Windows\SysWOW64\icsunattend.exe	API/Special instruction interceptor: Address: 7FF8C88ED7E4
Source: C:\Windows\SysWOW64\icsunattend.exe	API/Special instruction interceptor: Address: 7FF8C88ED944
Source: C:\Windows\SysWOW64\icsunattend.exe	API/Special instruction interceptor: Address: 7FF8C88ED504
Source: C:\Windows\SysWOW64\icsunattend.exe	API/Special instruction interceptor: Address: 7FF8C88ED544
Source: C:\Windows\SysWOW64\icsunattend.exe	API/Special instruction interceptor: Address: 7FF8C88ED1E4
Source: C:\Windows\SysWOW64\icsunattend.exe	API/Special instruction interceptor: Address: 7FF8C88F0154
Source: C:\Windows\SysWOW64\icsunattend.exe	API/Special instruction interceptor: Address: 7FF8C88EDA44

Source: Fi#U015f.exe, 00000000.00000002.2086447571.0000000000B05000.00000004.00000020.00020000.00000000.sdmp, Fi#U015f.exe, 00000000.00000003.2060053878.0000000000B05000.00000004.00000020.00020000.00000000.sdmp, Fi#U015f.exe, 00000000.00000003.2060184065.0000000000B05000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: PROCESSHACKER.EXEOR<

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_02D7096E rdtsc

2_2_02D7096E

Source: C:\Windows\SysWOW64\icsunattend.exe	Window / User API: threadDelayed 4207			Jump to behavior
Source: C:\Windows\SysWOW64\icsunattend.exe	Window / User API: threadDelayed 5765			Jump to behavior

Source: C:\Users\user\Desktop\Fi#U015f.exe

Evaded block: after key decision

Source: C:\Users\user\Desktop\Fi#U015f.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

Source: C:\Users\user\Desktop\Fi#U015f.exe	API coverage: 4.5 %
Source: C:\Windows\SysWOW64\svchost.exe	API coverage: 0.7 %

Source: C:\Windows\SysWOW64\icsunattend.exe TID: 4580	Thread sleep count: 4207 > 30			Jump to behavior
Source: C:\Windows\SysWOW64\icsunattend.exe TID: 4580	Thread sleep time: -8414000s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\icsunattend.exe TID: 4580	Thread sleep count: 5765 > 30			Jump to behavior
Source: C:\Windows\SysWOW64\icsunattend.exe TID: 4580	Thread sleep time: -11530000s >= -30000s			Jump to behavior
Source: C:\Program Files (x86)\qgNvKFZijGVkcEEPSgzrvAetYjwdrgHDFEvmGJpEGoeV\hnmibsTvfR.exe TID: 1788	Thread sleep time: -30000s >= -30000s			Jump to behavior

Source: C:\Windows\SysWOW64\icsunattend.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\icsunattend.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Fi#U015f.exe	Code function: 0_2_00E86CA9 GetFileAttributesW,FindFirstFileW,FindClose,		0_2_00E86CA9
Source: C:\Users\user\Desktop\Fi#U015f.exe	Code function: 0_2_00E860DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,		0_2_00E860DD
Source: C:\Users\user\Desktop\Fi#U015f.exe	Code function: 0_2_00E863F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,		0_2_00E863F9
Source: C:\Users\user\Desktop\Fi#U015f.exe	Code function: 0_2_00E8EB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,		0_2_00E8EB60
Source: C:\Users\user\Desktop\Fi#U015f.exe	Code function: 0_2_00E8F5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,		0_2_00E8F5FA
Source: C:\Users\user\Desktop\Fi#U015f.exe	Code function: 0_2_00E8F56F FindFirstFileW,FindClose,		0_2_00E8F56F
Source: C:\Users\user\Desktop\Fi#U015f.exe	Code function: 0_2_00E91B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,		0_2_00E91B2F
Source: C:\Users\user\Desktop\Fi#U015f.exe	Code function: 0_2_00E91C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,		0_2_00E91C8A
Source: C:\Users\user\Desktop\Fi#U015f.exe	Code function: 0_2_00E91F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,		0_2_00E91F94

Source: C:\Users\user\Desktop\Fi#U015f.exe

Code function: 0_2_00E5DDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00E5DDC0

Source: 2780E4D.6.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: 2780E4D.6.dr	Binary or memory string: discord.comVMware20,11696428655f
Source: 2780E4D.6.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: 2780E4D.6.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: firefox.exe, 00000008.00000002.2845353517.000002713378C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllYYe
Source: 2780E4D.6.dr	Binary or memory string: global block list test formVMware20,11696428655
Source: 2780E4D.6.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: 2780E4D.6.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: 2780E4D.6.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: 2780E4D.6.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: 2780E4D.6.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
Source: 2780E4D.6.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: 2780E4D.6.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: 2780E4D.6.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: 2780E4D.6.dr	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: 2780E4D.6.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: icsunattend.exe, 00000006.00000002.3302124025.0000000000696000.00000004.00000020.00020000.00000000.sdmp, hnmibsTvfR.exe, 00000007.00000002.3303465760.0000000000949000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: 2780E4D.6.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: 2780E4D.6.dr	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: 2780E4D.6.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: 2780E4D.6.dr	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: 2780E4D.6.dr	Binary or memory string: AMC password management pageVMware20,11696428655
Source: 2780E4D.6.dr	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: 2780E4D.6.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: 2780E4D.6.dr	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: 2780E4D.6.dr	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: 2780E4D.6.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: 2780E4D.6.dr	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: 2780E4D.6.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: 2780E4D.6.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: 2780E4D.6.dr	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: 2780E4D.6.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: 2780E4D.6.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655

Source: C:\Users\user\Desktop\Fi#U015f.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\Fi#U015f.exe	API call chain: ExitProcess graph end node

Source: C:\Windows\SysWOW64\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Source: C:\Windows\SysWOW64\svchost.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\icsunattend.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_02D7096E rdtsc

2_2_02D7096E

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_02157923 LdrLoadDll,

2_2_02157923

Source: C:\Users\user\Desktop\Fi#U015f.exe

Code function: 0_2_00E96AAF BlockInput,

0_2_00E96AAF

Source: C:\Users\user\Desktop\Fi#U015f.exe

Code function: 0_2_00E43D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00E43D19

Source: C:\Users\user\Desktop\Fi#U015f.exe

Code function: 0_2_00E73920 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW,

0_2_00E73920

Source: C:\Users\user\Desktop\Fi#U015f.exe

Code function: 0_2_00E5E01E LoadLibraryA,GetProcAddress,

0_2_00E5E01E

Source: C:\Users\user\Desktop\Fi#U015f.exe	Code function: 0_2_00BC3270 mov eax, dword ptr fs:[00000030h]		0_2_00BC3270
Source: C:\Users\user\Desktop\Fi#U015f.exe	Code function: 0_2_00BC48B0 mov eax, dword ptr fs:[00000030h]		0_2_00BC48B0
Source: C:\Users\user\Desktop\Fi#U015f.exe	Code function: 0_2_00BC4910 mov eax, dword ptr fs:[00000030h]		0_2_00BC4910
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D3A2C3 mov eax, dword ptr fs:[00000030h]		2_2_02D3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D3A2C3 mov eax, dword ptr fs:[00000030h]		2_2_02D3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D3A2C3 mov eax, dword ptr fs:[00000030h]		2_2_02D3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D3A2C3 mov eax, dword ptr fs:[00000030h]		2_2_02D3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D3A2C3 mov eax, dword ptr fs:[00000030h]		2_2_02D3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D402E1 mov eax, dword ptr fs:[00000030h]		2_2_02D402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D402E1 mov eax, dword ptr fs:[00000030h]		2_2_02D402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D402E1 mov eax, dword ptr fs:[00000030h]		2_2_02D402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D6E284 mov eax, dword ptr fs:[00000030h]		2_2_02D6E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D6E284 mov eax, dword ptr fs:[00000030h]		2_2_02D6E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DB0283 mov eax, dword ptr fs:[00000030h]		2_2_02DB0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DB0283 mov eax, dword ptr fs:[00000030h]		2_2_02DB0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DB0283 mov eax, dword ptr fs:[00000030h]		2_2_02DB0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D402A0 mov eax, dword ptr fs:[00000030h]		2_2_02D402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D402A0 mov eax, dword ptr fs:[00000030h]		2_2_02D402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DC62A0 mov eax, dword ptr fs:[00000030h]		2_2_02DC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DC62A0 mov ecx, dword ptr fs:[00000030h]		2_2_02DC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DC62A0 mov eax, dword ptr fs:[00000030h]		2_2_02DC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DC62A0 mov eax, dword ptr fs:[00000030h]		2_2_02DC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DC62A0 mov eax, dword ptr fs:[00000030h]		2_2_02DC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DC62A0 mov eax, dword ptr fs:[00000030h]		2_2_02DC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D2A250 mov eax, dword ptr fs:[00000030h]		2_2_02D2A250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D36259 mov eax, dword ptr fs:[00000030h]		2_2_02D36259
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DEA250 mov eax, dword ptr fs:[00000030h]		2_2_02DEA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DEA250 mov eax, dword ptr fs:[00000030h]		2_2_02DEA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DB8243 mov eax, dword ptr fs:[00000030h]		2_2_02DB8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DB8243 mov ecx, dword ptr fs:[00000030h]		2_2_02DB8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DE0274 mov eax, dword ptr fs:[00000030h]		2_2_02DE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DE0274 mov eax, dword ptr fs:[00000030h]		2_2_02DE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DE0274 mov eax, dword ptr fs:[00000030h]		2_2_02DE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DE0274 mov eax, dword ptr fs:[00000030h]		2_2_02DE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DE0274 mov eax, dword ptr fs:[00000030h]		2_2_02DE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DE0274 mov eax, dword ptr fs:[00000030h]		2_2_02DE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DE0274 mov eax, dword ptr fs:[00000030h]		2_2_02DE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DE0274 mov eax, dword ptr fs:[00000030h]		2_2_02DE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DE0274 mov eax, dword ptr fs:[00000030h]		2_2_02DE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DE0274 mov eax, dword ptr fs:[00000030h]		2_2_02DE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DE0274 mov eax, dword ptr fs:[00000030h]		2_2_02DE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DE0274 mov eax, dword ptr fs:[00000030h]		2_2_02DE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D34260 mov eax, dword ptr fs:[00000030h]		2_2_02D34260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D34260 mov eax, dword ptr fs:[00000030h]		2_2_02D34260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D34260 mov eax, dword ptr fs:[00000030h]		2_2_02D34260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D2826B mov eax, dword ptr fs:[00000030h]		2_2_02D2826B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D2823B mov eax, dword ptr fs:[00000030h]		2_2_02D2823B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DDE3DB mov eax, dword ptr fs:[00000030h]		2_2_02DDE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DDE3DB mov eax, dword ptr fs:[00000030h]		2_2_02DDE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DDE3DB mov ecx, dword ptr fs:[00000030h]		2_2_02DDE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DDE3DB mov eax, dword ptr fs:[00000030h]		2_2_02DDE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DD43D4 mov eax, dword ptr fs:[00000030h]		2_2_02DD43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DD43D4 mov eax, dword ptr fs:[00000030h]		2_2_02DD43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DEC3CD mov eax, dword ptr fs:[00000030h]		2_2_02DEC3CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D3A3C0 mov eax, dword ptr fs:[00000030h]		2_2_02D3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D3A3C0 mov eax, dword ptr fs:[00000030h]		2_2_02D3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D3A3C0 mov eax, dword ptr fs:[00000030h]		2_2_02D3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D3A3C0 mov eax, dword ptr fs:[00000030h]		2_2_02D3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D3A3C0 mov eax, dword ptr fs:[00000030h]		2_2_02D3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D3A3C0 mov eax, dword ptr fs:[00000030h]		2_2_02D3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D383C0 mov eax, dword ptr fs:[00000030h]		2_2_02D383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D383C0 mov eax, dword ptr fs:[00000030h]		2_2_02D383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D383C0 mov eax, dword ptr fs:[00000030h]		2_2_02D383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D383C0 mov eax, dword ptr fs:[00000030h]		2_2_02D383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DB63C0 mov eax, dword ptr fs:[00000030h]		2_2_02DB63C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D4E3F0 mov eax, dword ptr fs:[00000030h]		2_2_02D4E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D4E3F0 mov eax, dword ptr fs:[00000030h]		2_2_02D4E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D4E3F0 mov eax, dword ptr fs:[00000030h]		2_2_02D4E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D663FF mov eax, dword ptr fs:[00000030h]		2_2_02D663FF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D403E9 mov eax, dword ptr fs:[00000030h]		2_2_02D403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D403E9 mov eax, dword ptr fs:[00000030h]		2_2_02D403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D403E9 mov eax, dword ptr fs:[00000030h]		2_2_02D403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D403E9 mov eax, dword ptr fs:[00000030h]		2_2_02D403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D403E9 mov eax, dword ptr fs:[00000030h]		2_2_02D403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D403E9 mov eax, dword ptr fs:[00000030h]		2_2_02D403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D403E9 mov eax, dword ptr fs:[00000030h]		2_2_02D403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D403E9 mov eax, dword ptr fs:[00000030h]		2_2_02D403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D28397 mov eax, dword ptr fs:[00000030h]		2_2_02D28397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D28397 mov eax, dword ptr fs:[00000030h]		2_2_02D28397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D28397 mov eax, dword ptr fs:[00000030h]		2_2_02D28397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D2E388 mov eax, dword ptr fs:[00000030h]		2_2_02D2E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D2E388 mov eax, dword ptr fs:[00000030h]		2_2_02D2E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D2E388 mov eax, dword ptr fs:[00000030h]		2_2_02D2E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D5438F mov eax, dword ptr fs:[00000030h]		2_2_02D5438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D5438F mov eax, dword ptr fs:[00000030h]		2_2_02D5438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DB035C mov eax, dword ptr fs:[00000030h]		2_2_02DB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DB035C mov eax, dword ptr fs:[00000030h]		2_2_02DB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DB035C mov eax, dword ptr fs:[00000030h]		2_2_02DB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DB035C mov ecx, dword ptr fs:[00000030h]		2_2_02DB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DB035C mov eax, dword ptr fs:[00000030h]		2_2_02DB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DB035C mov eax, dword ptr fs:[00000030h]		2_2_02DB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DFA352 mov eax, dword ptr fs:[00000030h]		2_2_02DFA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DD8350 mov ecx, dword ptr fs:[00000030h]		2_2_02DD8350
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DB2349 mov eax, dword ptr fs:[00000030h]		2_2_02DB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DB2349 mov eax, dword ptr fs:[00000030h]		2_2_02DB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DB2349 mov eax, dword ptr fs:[00000030h]		2_2_02DB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DB2349 mov eax, dword ptr fs:[00000030h]		2_2_02DB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DB2349 mov eax, dword ptr fs:[00000030h]		2_2_02DB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DB2349 mov eax, dword ptr fs:[00000030h]		2_2_02DB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DB2349 mov eax, dword ptr fs:[00000030h]		2_2_02DB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DB2349 mov eax, dword ptr fs:[00000030h]		2_2_02DB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DB2349 mov eax, dword ptr fs:[00000030h]		2_2_02DB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DB2349 mov eax, dword ptr fs:[00000030h]		2_2_02DB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DB2349 mov eax, dword ptr fs:[00000030h]		2_2_02DB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DB2349 mov eax, dword ptr fs:[00000030h]		2_2_02DB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DB2349 mov eax, dword ptr fs:[00000030h]		2_2_02DB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DB2349 mov eax, dword ptr fs:[00000030h]		2_2_02DB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DB2349 mov eax, dword ptr fs:[00000030h]		2_2_02DB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DD437C mov eax, dword ptr fs:[00000030h]		2_2_02DD437C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D2C310 mov ecx, dword ptr fs:[00000030h]		2_2_02D2C310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D50310 mov ecx, dword ptr fs:[00000030h]		2_2_02D50310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D6A30B mov eax, dword ptr fs:[00000030h]		2_2_02D6A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D6A30B mov eax, dword ptr fs:[00000030h]		2_2_02D6A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D6A30B mov eax, dword ptr fs:[00000030h]		2_2_02D6A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DB20DE mov eax, dword ptr fs:[00000030h]		2_2_02DB20DE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D2C0F0 mov eax, dword ptr fs:[00000030h]		2_2_02D2C0F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D720F0 mov ecx, dword ptr fs:[00000030h]		2_2_02D720F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D2A0E3 mov ecx, dword ptr fs:[00000030h]		2_2_02D2A0E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D380E9 mov eax, dword ptr fs:[00000030h]		2_2_02D380E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DB60E0 mov eax, dword ptr fs:[00000030h]		2_2_02DB60E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D3208A mov eax, dword ptr fs:[00000030h]		2_2_02D3208A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DF60B8 mov eax, dword ptr fs:[00000030h]		2_2_02DF60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DF60B8 mov ecx, dword ptr fs:[00000030h]		2_2_02DF60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DC80A8 mov eax, dword ptr fs:[00000030h]		2_2_02DC80A8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D32050 mov eax, dword ptr fs:[00000030h]		2_2_02D32050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DB6050 mov eax, dword ptr fs:[00000030h]		2_2_02DB6050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D5C073 mov eax, dword ptr fs:[00000030h]		2_2_02D5C073
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D4E016 mov eax, dword ptr fs:[00000030h]		2_2_02D4E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D4E016 mov eax, dword ptr fs:[00000030h]		2_2_02D4E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D4E016 mov eax, dword ptr fs:[00000030h]		2_2_02D4E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D4E016 mov eax, dword ptr fs:[00000030h]		2_2_02D4E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DB4000 mov ecx, dword ptr fs:[00000030h]		2_2_02DB4000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DD2000 mov eax, dword ptr fs:[00000030h]		2_2_02DD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DD2000 mov eax, dword ptr fs:[00000030h]		2_2_02DD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DD2000 mov eax, dword ptr fs:[00000030h]		2_2_02DD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DD2000 mov eax, dword ptr fs:[00000030h]		2_2_02DD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DD2000 mov eax, dword ptr fs:[00000030h]		2_2_02DD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DD2000 mov eax, dword ptr fs:[00000030h]		2_2_02DD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DD2000 mov eax, dword ptr fs:[00000030h]		2_2_02DD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DD2000 mov eax, dword ptr fs:[00000030h]		2_2_02DD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DC6030 mov eax, dword ptr fs:[00000030h]		2_2_02DC6030
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D2A020 mov eax, dword ptr fs:[00000030h]		2_2_02D2A020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D2C020 mov eax, dword ptr fs:[00000030h]		2_2_02D2C020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E061E5 mov eax, dword ptr fs:[00000030h]		2_2_02E061E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DAE1D0 mov eax, dword ptr fs:[00000030h]		2_2_02DAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DAE1D0 mov eax, dword ptr fs:[00000030h]		2_2_02DAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DAE1D0 mov ecx, dword ptr fs:[00000030h]		2_2_02DAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DAE1D0 mov eax, dword ptr fs:[00000030h]		2_2_02DAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DAE1D0 mov eax, dword ptr fs:[00000030h]		2_2_02DAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DF61C3 mov eax, dword ptr fs:[00000030h]		2_2_02DF61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DF61C3 mov eax, dword ptr fs:[00000030h]		2_2_02DF61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D601F8 mov eax, dword ptr fs:[00000030h]		2_2_02D601F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DB019F mov eax, dword ptr fs:[00000030h]		2_2_02DB019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DB019F mov eax, dword ptr fs:[00000030h]		2_2_02DB019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DB019F mov eax, dword ptr fs:[00000030h]		2_2_02DB019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DB019F mov eax, dword ptr fs:[00000030h]		2_2_02DB019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D2A197 mov eax, dword ptr fs:[00000030h]		2_2_02D2A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D2A197 mov eax, dword ptr fs:[00000030h]		2_2_02D2A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D2A197 mov eax, dword ptr fs:[00000030h]		2_2_02D2A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D70185 mov eax, dword ptr fs:[00000030h]		2_2_02D70185
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DEC188 mov eax, dword ptr fs:[00000030h]		2_2_02DEC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DEC188 mov eax, dword ptr fs:[00000030h]		2_2_02DEC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DD4180 mov eax, dword ptr fs:[00000030h]		2_2_02DD4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DD4180 mov eax, dword ptr fs:[00000030h]		2_2_02DD4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D2C156 mov eax, dword ptr fs:[00000030h]		2_2_02D2C156
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DC8158 mov eax, dword ptr fs:[00000030h]		2_2_02DC8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D36154 mov eax, dword ptr fs:[00000030h]		2_2_02D36154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D36154 mov eax, dword ptr fs:[00000030h]		2_2_02D36154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DC4144 mov eax, dword ptr fs:[00000030h]		2_2_02DC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DC4144 mov eax, dword ptr fs:[00000030h]		2_2_02DC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DC4144 mov ecx, dword ptr fs:[00000030h]		2_2_02DC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DC4144 mov eax, dword ptr fs:[00000030h]		2_2_02DC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DC4144 mov eax, dword ptr fs:[00000030h]		2_2_02DC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DDA118 mov ecx, dword ptr fs:[00000030h]		2_2_02DDA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DDA118 mov eax, dword ptr fs:[00000030h]		2_2_02DDA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DDA118 mov eax, dword ptr fs:[00000030h]		2_2_02DDA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DDA118 mov eax, dword ptr fs:[00000030h]		2_2_02DDA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DF0115 mov eax, dword ptr fs:[00000030h]		2_2_02DF0115
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DDE10E mov eax, dword ptr fs:[00000030h]		2_2_02DDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DDE10E mov ecx, dword ptr fs:[00000030h]		2_2_02DDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DDE10E mov eax, dword ptr fs:[00000030h]		2_2_02DDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DDE10E mov eax, dword ptr fs:[00000030h]		2_2_02DDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DDE10E mov ecx, dword ptr fs:[00000030h]		2_2_02DDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DDE10E mov eax, dword ptr fs:[00000030h]		2_2_02DDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DDE10E mov eax, dword ptr fs:[00000030h]		2_2_02DDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DDE10E mov ecx, dword ptr fs:[00000030h]		2_2_02DDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DDE10E mov eax, dword ptr fs:[00000030h]		2_2_02DDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DDE10E mov ecx, dword ptr fs:[00000030h]		2_2_02DDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D60124 mov eax, dword ptr fs:[00000030h]		2_2_02D60124
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D6A6C7 mov ebx, dword ptr fs:[00000030h]		2_2_02D6A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D6A6C7 mov eax, dword ptr fs:[00000030h]		2_2_02D6A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DAE6F2 mov eax, dword ptr fs:[00000030h]		2_2_02DAE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DAE6F2 mov eax, dword ptr fs:[00000030h]		2_2_02DAE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DAE6F2 mov eax, dword ptr fs:[00000030h]		2_2_02DAE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DAE6F2 mov eax, dword ptr fs:[00000030h]		2_2_02DAE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DB06F1 mov eax, dword ptr fs:[00000030h]		2_2_02DB06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DB06F1 mov eax, dword ptr fs:[00000030h]		2_2_02DB06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D34690 mov eax, dword ptr fs:[00000030h]		2_2_02D34690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D34690 mov eax, dword ptr fs:[00000030h]		2_2_02D34690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D666B0 mov eax, dword ptr fs:[00000030h]		2_2_02D666B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D6C6A6 mov eax, dword ptr fs:[00000030h]		2_2_02D6C6A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D4C640 mov eax, dword ptr fs:[00000030h]		2_2_02D4C640
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D62674 mov eax, dword ptr fs:[00000030h]		2_2_02D62674
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DF866E mov eax, dword ptr fs:[00000030h]		2_2_02DF866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DF866E mov eax, dword ptr fs:[00000030h]		2_2_02DF866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D6A660 mov eax, dword ptr fs:[00000030h]		2_2_02D6A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D6A660 mov eax, dword ptr fs:[00000030h]		2_2_02D6A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D72619 mov eax, dword ptr fs:[00000030h]		2_2_02D72619
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DAE609 mov eax, dword ptr fs:[00000030h]		2_2_02DAE609
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D4260B mov eax, dword ptr fs:[00000030h]		2_2_02D4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D4260B mov eax, dword ptr fs:[00000030h]		2_2_02D4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D4260B mov eax, dword ptr fs:[00000030h]		2_2_02D4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D4260B mov eax, dword ptr fs:[00000030h]		2_2_02D4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D4260B mov eax, dword ptr fs:[00000030h]		2_2_02D4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D4260B mov eax, dword ptr fs:[00000030h]		2_2_02D4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D4260B mov eax, dword ptr fs:[00000030h]		2_2_02D4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D4E627 mov eax, dword ptr fs:[00000030h]		2_2_02D4E627
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D66620 mov eax, dword ptr fs:[00000030h]		2_2_02D66620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D68620 mov eax, dword ptr fs:[00000030h]		2_2_02D68620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D3262C mov eax, dword ptr fs:[00000030h]		2_2_02D3262C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D3C7C0 mov eax, dword ptr fs:[00000030h]		2_2_02D3C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DB07C3 mov eax, dword ptr fs:[00000030h]		2_2_02DB07C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D347FB mov eax, dword ptr fs:[00000030h]		2_2_02D347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D347FB mov eax, dword ptr fs:[00000030h]		2_2_02D347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D527ED mov eax, dword ptr fs:[00000030h]		2_2_02D527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D527ED mov eax, dword ptr fs:[00000030h]		2_2_02D527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D527ED mov eax, dword ptr fs:[00000030h]		2_2_02D527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DBE7E1 mov eax, dword ptr fs:[00000030h]		2_2_02DBE7E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DD678E mov eax, dword ptr fs:[00000030h]		2_2_02DD678E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D307AF mov eax, dword ptr fs:[00000030h]		2_2_02D307AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DE47A0 mov eax, dword ptr fs:[00000030h]		2_2_02DE47A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D30750 mov eax, dword ptr fs:[00000030h]		2_2_02D30750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DBE75D mov eax, dword ptr fs:[00000030h]		2_2_02DBE75D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D72750 mov eax, dword ptr fs:[00000030h]		2_2_02D72750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D72750 mov eax, dword ptr fs:[00000030h]		2_2_02D72750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DB4755 mov eax, dword ptr fs:[00000030h]		2_2_02DB4755
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D6674D mov esi, dword ptr fs:[00000030h]		2_2_02D6674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D6674D mov eax, dword ptr fs:[00000030h]		2_2_02D6674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D6674D mov eax, dword ptr fs:[00000030h]		2_2_02D6674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D38770 mov eax, dword ptr fs:[00000030h]		2_2_02D38770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D40770 mov eax, dword ptr fs:[00000030h]		2_2_02D40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D40770 mov eax, dword ptr fs:[00000030h]		2_2_02D40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D40770 mov eax, dword ptr fs:[00000030h]		2_2_02D40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D40770 mov eax, dword ptr fs:[00000030h]		2_2_02D40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D40770 mov eax, dword ptr fs:[00000030h]		2_2_02D40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D40770 mov eax, dword ptr fs:[00000030h]		2_2_02D40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D40770 mov eax, dword ptr fs:[00000030h]		2_2_02D40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D40770 mov eax, dword ptr fs:[00000030h]		2_2_02D40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D40770 mov eax, dword ptr fs:[00000030h]		2_2_02D40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D40770 mov eax, dword ptr fs:[00000030h]		2_2_02D40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D40770 mov eax, dword ptr fs:[00000030h]		2_2_02D40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D40770 mov eax, dword ptr fs:[00000030h]		2_2_02D40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D30710 mov eax, dword ptr fs:[00000030h]		2_2_02D30710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D60710 mov eax, dword ptr fs:[00000030h]		2_2_02D60710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D6C700 mov eax, dword ptr fs:[00000030h]		2_2_02D6C700
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D6273C mov eax, dword ptr fs:[00000030h]		2_2_02D6273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D6273C mov ecx, dword ptr fs:[00000030h]		2_2_02D6273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D6273C mov eax, dword ptr fs:[00000030h]		2_2_02D6273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DAC730 mov eax, dword ptr fs:[00000030h]		2_2_02DAC730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D6C720 mov eax, dword ptr fs:[00000030h]		2_2_02D6C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D6C720 mov eax, dword ptr fs:[00000030h]		2_2_02D6C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D304E5 mov ecx, dword ptr fs:[00000030h]		2_2_02D304E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DEA49A mov eax, dword ptr fs:[00000030h]		2_2_02DEA49A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D644B0 mov ecx, dword ptr fs:[00000030h]		2_2_02D644B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DBA4B0 mov eax, dword ptr fs:[00000030h]		2_2_02DBA4B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D364AB mov eax, dword ptr fs:[00000030h]		2_2_02D364AB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DEA456 mov eax, dword ptr fs:[00000030h]		2_2_02DEA456
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D2645D mov eax, dword ptr fs:[00000030h]		2_2_02D2645D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D5245A mov eax, dword ptr fs:[00000030h]		2_2_02D5245A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D6E443 mov eax, dword ptr fs:[00000030h]		2_2_02D6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D6E443 mov eax, dword ptr fs:[00000030h]		2_2_02D6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D6E443 mov eax, dword ptr fs:[00000030h]		2_2_02D6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D6E443 mov eax, dword ptr fs:[00000030h]		2_2_02D6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D6E443 mov eax, dword ptr fs:[00000030h]		2_2_02D6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D6E443 mov eax, dword ptr fs:[00000030h]		2_2_02D6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D6E443 mov eax, dword ptr fs:[00000030h]		2_2_02D6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D6E443 mov eax, dword ptr fs:[00000030h]		2_2_02D6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D5A470 mov eax, dword ptr fs:[00000030h]		2_2_02D5A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D5A470 mov eax, dword ptr fs:[00000030h]		2_2_02D5A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D5A470 mov eax, dword ptr fs:[00000030h]		2_2_02D5A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DBC460 mov ecx, dword ptr fs:[00000030h]		2_2_02DBC460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D68402 mov eax, dword ptr fs:[00000030h]		2_2_02D68402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D68402 mov eax, dword ptr fs:[00000030h]		2_2_02D68402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D68402 mov eax, dword ptr fs:[00000030h]		2_2_02D68402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D6A430 mov eax, dword ptr fs:[00000030h]		2_2_02D6A430
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D2E420 mov eax, dword ptr fs:[00000030h]		2_2_02D2E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D2E420 mov eax, dword ptr fs:[00000030h]		2_2_02D2E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D2E420 mov eax, dword ptr fs:[00000030h]		2_2_02D2E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D2C427 mov eax, dword ptr fs:[00000030h]		2_2_02D2C427
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DB6420 mov eax, dword ptr fs:[00000030h]		2_2_02DB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DB6420 mov eax, dword ptr fs:[00000030h]		2_2_02DB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DB6420 mov eax, dword ptr fs:[00000030h]		2_2_02DB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DB6420 mov eax, dword ptr fs:[00000030h]		2_2_02DB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DB6420 mov eax, dword ptr fs:[00000030h]		2_2_02DB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DB6420 mov eax, dword ptr fs:[00000030h]		2_2_02DB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DB6420 mov eax, dword ptr fs:[00000030h]		2_2_02DB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D365D0 mov eax, dword ptr fs:[00000030h]		2_2_02D365D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D6A5D0 mov eax, dword ptr fs:[00000030h]		2_2_02D6A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D6A5D0 mov eax, dword ptr fs:[00000030h]		2_2_02D6A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D6E5CF mov eax, dword ptr fs:[00000030h]		2_2_02D6E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D6E5CF mov eax, dword ptr fs:[00000030h]		2_2_02D6E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D5E5E7 mov eax, dword ptr fs:[00000030h]		2_2_02D5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D5E5E7 mov eax, dword ptr fs:[00000030h]		2_2_02D5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D5E5E7 mov eax, dword ptr fs:[00000030h]		2_2_02D5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D5E5E7 mov eax, dword ptr fs:[00000030h]		2_2_02D5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D5E5E7 mov eax, dword ptr fs:[00000030h]		2_2_02D5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D5E5E7 mov eax, dword ptr fs:[00000030h]		2_2_02D5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D5E5E7 mov eax, dword ptr fs:[00000030h]		2_2_02D5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D5E5E7 mov eax, dword ptr fs:[00000030h]		2_2_02D5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D325E0 mov eax, dword ptr fs:[00000030h]		2_2_02D325E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D6C5ED mov eax, dword ptr fs:[00000030h]		2_2_02D6C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D6C5ED mov eax, dword ptr fs:[00000030h]		2_2_02D6C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D6E59C mov eax, dword ptr fs:[00000030h]		2_2_02D6E59C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D32582 mov eax, dword ptr fs:[00000030h]		2_2_02D32582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D32582 mov ecx, dword ptr fs:[00000030h]		2_2_02D32582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D64588 mov eax, dword ptr fs:[00000030h]		2_2_02D64588
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D545B1 mov eax, dword ptr fs:[00000030h]		2_2_02D545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D545B1 mov eax, dword ptr fs:[00000030h]		2_2_02D545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DB05A7 mov eax, dword ptr fs:[00000030h]		2_2_02DB05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DB05A7 mov eax, dword ptr fs:[00000030h]		2_2_02DB05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DB05A7 mov eax, dword ptr fs:[00000030h]		2_2_02DB05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D38550 mov eax, dword ptr fs:[00000030h]		2_2_02D38550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D38550 mov eax, dword ptr fs:[00000030h]		2_2_02D38550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D6656A mov eax, dword ptr fs:[00000030h]		2_2_02D6656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D6656A mov eax, dword ptr fs:[00000030h]		2_2_02D6656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D6656A mov eax, dword ptr fs:[00000030h]		2_2_02D6656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DC6500 mov eax, dword ptr fs:[00000030h]		2_2_02DC6500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E04500 mov eax, dword ptr fs:[00000030h]		2_2_02E04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E04500 mov eax, dword ptr fs:[00000030h]		2_2_02E04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E04500 mov eax, dword ptr fs:[00000030h]		2_2_02E04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E04500 mov eax, dword ptr fs:[00000030h]		2_2_02E04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E04500 mov eax, dword ptr fs:[00000030h]		2_2_02E04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E04500 mov eax, dword ptr fs:[00000030h]		2_2_02E04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E04500 mov eax, dword ptr fs:[00000030h]		2_2_02E04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D40535 mov eax, dword ptr fs:[00000030h]		2_2_02D40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D40535 mov eax, dword ptr fs:[00000030h]		2_2_02D40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D40535 mov eax, dword ptr fs:[00000030h]		2_2_02D40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D40535 mov eax, dword ptr fs:[00000030h]		2_2_02D40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D40535 mov eax, dword ptr fs:[00000030h]		2_2_02D40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D40535 mov eax, dword ptr fs:[00000030h]		2_2_02D40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D5E53E mov eax, dword ptr fs:[00000030h]		2_2_02D5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D5E53E mov eax, dword ptr fs:[00000030h]		2_2_02D5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D5E53E mov eax, dword ptr fs:[00000030h]		2_2_02D5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D5E53E mov eax, dword ptr fs:[00000030h]		2_2_02D5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D5E53E mov eax, dword ptr fs:[00000030h]		2_2_02D5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D30AD0 mov eax, dword ptr fs:[00000030h]		2_2_02D30AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D64AD0 mov eax, dword ptr fs:[00000030h]		2_2_02D64AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D64AD0 mov eax, dword ptr fs:[00000030h]		2_2_02D64AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D86ACC mov eax, dword ptr fs:[00000030h]		2_2_02D86ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D86ACC mov eax, dword ptr fs:[00000030h]		2_2_02D86ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D86ACC mov eax, dword ptr fs:[00000030h]		2_2_02D86ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D6AAEE mov eax, dword ptr fs:[00000030h]		2_2_02D6AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D6AAEE mov eax, dword ptr fs:[00000030h]		2_2_02D6AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D68A90 mov edx, dword ptr fs:[00000030h]		2_2_02D68A90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D3EA80 mov eax, dword ptr fs:[00000030h]		2_2_02D3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D3EA80 mov eax, dword ptr fs:[00000030h]		2_2_02D3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D3EA80 mov eax, dword ptr fs:[00000030h]		2_2_02D3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D3EA80 mov eax, dword ptr fs:[00000030h]		2_2_02D3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D3EA80 mov eax, dword ptr fs:[00000030h]		2_2_02D3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D3EA80 mov eax, dword ptr fs:[00000030h]		2_2_02D3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D3EA80 mov eax, dword ptr fs:[00000030h]		2_2_02D3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D3EA80 mov eax, dword ptr fs:[00000030h]		2_2_02D3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D3EA80 mov eax, dword ptr fs:[00000030h]		2_2_02D3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E04A80 mov eax, dword ptr fs:[00000030h]		2_2_02E04A80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D38AA0 mov eax, dword ptr fs:[00000030h]		2_2_02D38AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D38AA0 mov eax, dword ptr fs:[00000030h]		2_2_02D38AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D86AA4 mov eax, dword ptr fs:[00000030h]		2_2_02D86AA4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D36A50 mov eax, dword ptr fs:[00000030h]		2_2_02D36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D36A50 mov eax, dword ptr fs:[00000030h]		2_2_02D36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D36A50 mov eax, dword ptr fs:[00000030h]		2_2_02D36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D36A50 mov eax, dword ptr fs:[00000030h]		2_2_02D36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D36A50 mov eax, dword ptr fs:[00000030h]		2_2_02D36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D36A50 mov eax, dword ptr fs:[00000030h]		2_2_02D36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D36A50 mov eax, dword ptr fs:[00000030h]		2_2_02D36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D40A5B mov eax, dword ptr fs:[00000030h]		2_2_02D40A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D40A5B mov eax, dword ptr fs:[00000030h]		2_2_02D40A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DACA72 mov eax, dword ptr fs:[00000030h]		2_2_02DACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DACA72 mov eax, dword ptr fs:[00000030h]		2_2_02DACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D6CA6F mov eax, dword ptr fs:[00000030h]		2_2_02D6CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D6CA6F mov eax, dword ptr fs:[00000030h]		2_2_02D6CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D6CA6F mov eax, dword ptr fs:[00000030h]		2_2_02D6CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DDEA60 mov eax, dword ptr fs:[00000030h]		2_2_02DDEA60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DBCA11 mov eax, dword ptr fs:[00000030h]		2_2_02DBCA11
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D54A35 mov eax, dword ptr fs:[00000030h]		2_2_02D54A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D54A35 mov eax, dword ptr fs:[00000030h]		2_2_02D54A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D6CA38 mov eax, dword ptr fs:[00000030h]		2_2_02D6CA38
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D6CA24 mov eax, dword ptr fs:[00000030h]		2_2_02D6CA24
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D5EA2E mov eax, dword ptr fs:[00000030h]		2_2_02D5EA2E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DDEBD0 mov eax, dword ptr fs:[00000030h]		2_2_02DDEBD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D50BCB mov eax, dword ptr fs:[00000030h]		2_2_02D50BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D50BCB mov eax, dword ptr fs:[00000030h]		2_2_02D50BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D50BCB mov eax, dword ptr fs:[00000030h]		2_2_02D50BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D30BCD mov eax, dword ptr fs:[00000030h]		2_2_02D30BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D30BCD mov eax, dword ptr fs:[00000030h]		2_2_02D30BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D30BCD mov eax, dword ptr fs:[00000030h]		2_2_02D30BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D38BF0 mov eax, dword ptr fs:[00000030h]		2_2_02D38BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D38BF0 mov eax, dword ptr fs:[00000030h]		2_2_02D38BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D38BF0 mov eax, dword ptr fs:[00000030h]		2_2_02D38BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D5EBFC mov eax, dword ptr fs:[00000030h]		2_2_02D5EBFC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DBCBF0 mov eax, dword ptr fs:[00000030h]		2_2_02DBCBF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D40BBE mov eax, dword ptr fs:[00000030h]		2_2_02D40BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D40BBE mov eax, dword ptr fs:[00000030h]		2_2_02D40BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DE4BB0 mov eax, dword ptr fs:[00000030h]		2_2_02DE4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DE4BB0 mov eax, dword ptr fs:[00000030h]		2_2_02DE4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DDEB50 mov eax, dword ptr fs:[00000030h]		2_2_02DDEB50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DE4B4B mov eax, dword ptr fs:[00000030h]		2_2_02DE4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DE4B4B mov eax, dword ptr fs:[00000030h]		2_2_02DE4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DC6B40 mov eax, dword ptr fs:[00000030h]		2_2_02DC6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DC6B40 mov eax, dword ptr fs:[00000030h]		2_2_02DC6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DFAB40 mov eax, dword ptr fs:[00000030h]		2_2_02DFAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DD8B42 mov eax, dword ptr fs:[00000030h]		2_2_02DD8B42
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D2CB7E mov eax, dword ptr fs:[00000030h]		2_2_02D2CB7E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DAEB1D mov eax, dword ptr fs:[00000030h]		2_2_02DAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DAEB1D mov eax, dword ptr fs:[00000030h]		2_2_02DAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DAEB1D mov eax, dword ptr fs:[00000030h]		2_2_02DAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DAEB1D mov eax, dword ptr fs:[00000030h]		2_2_02DAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DAEB1D mov eax, dword ptr fs:[00000030h]		2_2_02DAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DAEB1D mov eax, dword ptr fs:[00000030h]		2_2_02DAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DAEB1D mov eax, dword ptr fs:[00000030h]		2_2_02DAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DAEB1D mov eax, dword ptr fs:[00000030h]		2_2_02DAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DAEB1D mov eax, dword ptr fs:[00000030h]		2_2_02DAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D5EB20 mov eax, dword ptr fs:[00000030h]		2_2_02D5EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D5EB20 mov eax, dword ptr fs:[00000030h]		2_2_02D5EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DF8B28 mov eax, dword ptr fs:[00000030h]		2_2_02DF8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DF8B28 mov eax, dword ptr fs:[00000030h]		2_2_02DF8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D5E8C0 mov eax, dword ptr fs:[00000030h]		2_2_02D5E8C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D6C8F9 mov eax, dword ptr fs:[00000030h]		2_2_02D6C8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D6C8F9 mov eax, dword ptr fs:[00000030h]		2_2_02D6C8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DFA8E4 mov eax, dword ptr fs:[00000030h]		2_2_02DFA8E4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DBC89D mov eax, dword ptr fs:[00000030h]		2_2_02DBC89D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D30887 mov eax, dword ptr fs:[00000030h]		2_2_02D30887
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D60854 mov eax, dword ptr fs:[00000030h]		2_2_02D60854
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D34859 mov eax, dword ptr fs:[00000030h]		2_2_02D34859
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D34859 mov eax, dword ptr fs:[00000030h]		2_2_02D34859
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D42840 mov ecx, dword ptr fs:[00000030h]		2_2_02D42840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DBE872 mov eax, dword ptr fs:[00000030h]		2_2_02DBE872
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DBE872 mov eax, dword ptr fs:[00000030h]		2_2_02DBE872
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DC6870 mov eax, dword ptr fs:[00000030h]		2_2_02DC6870
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DC6870 mov eax, dword ptr fs:[00000030h]		2_2_02DC6870
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DBC810 mov eax, dword ptr fs:[00000030h]		2_2_02DBC810
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D52835 mov eax, dword ptr fs:[00000030h]		2_2_02D52835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D52835 mov eax, dword ptr fs:[00000030h]		2_2_02D52835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D52835 mov eax, dword ptr fs:[00000030h]		2_2_02D52835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D52835 mov ecx, dword ptr fs:[00000030h]		2_2_02D52835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D52835 mov eax, dword ptr fs:[00000030h]		2_2_02D52835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D52835 mov eax, dword ptr fs:[00000030h]		2_2_02D52835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D6A830 mov eax, dword ptr fs:[00000030h]		2_2_02D6A830
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DD483A mov eax, dword ptr fs:[00000030h]		2_2_02DD483A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DD483A mov eax, dword ptr fs:[00000030h]		2_2_02DD483A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D3A9D0 mov eax, dword ptr fs:[00000030h]		2_2_02D3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D3A9D0 mov eax, dword ptr fs:[00000030h]		2_2_02D3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D3A9D0 mov eax, dword ptr fs:[00000030h]		2_2_02D3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D3A9D0 mov eax, dword ptr fs:[00000030h]		2_2_02D3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D3A9D0 mov eax, dword ptr fs:[00000030h]		2_2_02D3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D3A9D0 mov eax, dword ptr fs:[00000030h]		2_2_02D3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D649D0 mov eax, dword ptr fs:[00000030h]		2_2_02D649D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DFA9D3 mov eax, dword ptr fs:[00000030h]		2_2_02DFA9D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DC69C0 mov eax, dword ptr fs:[00000030h]		2_2_02DC69C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D629F9 mov eax, dword ptr fs:[00000030h]		2_2_02D629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D629F9 mov eax, dword ptr fs:[00000030h]		2_2_02D629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DBE9E0 mov eax, dword ptr fs:[00000030h]		2_2_02DBE9E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DB89B3 mov esi, dword ptr fs:[00000030h]		2_2_02DB89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DB89B3 mov eax, dword ptr fs:[00000030h]		2_2_02DB89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DB89B3 mov eax, dword ptr fs:[00000030h]		2_2_02DB89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D429A0 mov eax, dword ptr fs:[00000030h]		2_2_02D429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D429A0 mov eax, dword ptr fs:[00000030h]		2_2_02D429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D429A0 mov eax, dword ptr fs:[00000030h]		2_2_02D429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D429A0 mov eax, dword ptr fs:[00000030h]		2_2_02D429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D429A0 mov eax, dword ptr fs:[00000030h]		2_2_02D429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D429A0 mov eax, dword ptr fs:[00000030h]		2_2_02D429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D429A0 mov eax, dword ptr fs:[00000030h]		2_2_02D429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D429A0 mov eax, dword ptr fs:[00000030h]		2_2_02D429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D429A0 mov eax, dword ptr fs:[00000030h]		2_2_02D429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D429A0 mov eax, dword ptr fs:[00000030h]		2_2_02D429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D429A0 mov eax, dword ptr fs:[00000030h]		2_2_02D429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D429A0 mov eax, dword ptr fs:[00000030h]		2_2_02D429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D429A0 mov eax, dword ptr fs:[00000030h]		2_2_02D429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D309AD mov eax, dword ptr fs:[00000030h]		2_2_02D309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D309AD mov eax, dword ptr fs:[00000030h]		2_2_02D309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DB0946 mov eax, dword ptr fs:[00000030h]		2_2_02DB0946
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DD4978 mov eax, dword ptr fs:[00000030h]		2_2_02DD4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DD4978 mov eax, dword ptr fs:[00000030h]		2_2_02DD4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DBC97C mov eax, dword ptr fs:[00000030h]		2_2_02DBC97C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D56962 mov eax, dword ptr fs:[00000030h]		2_2_02D56962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D56962 mov eax, dword ptr fs:[00000030h]		2_2_02D56962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D56962 mov eax, dword ptr fs:[00000030h]		2_2_02D56962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D7096E mov eax, dword ptr fs:[00000030h]		2_2_02D7096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D7096E mov edx, dword ptr fs:[00000030h]		2_2_02D7096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D7096E mov eax, dword ptr fs:[00000030h]		2_2_02D7096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DBC912 mov eax, dword ptr fs:[00000030h]		2_2_02DBC912
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D28918 mov eax, dword ptr fs:[00000030h]		2_2_02D28918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D28918 mov eax, dword ptr fs:[00000030h]		2_2_02D28918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DAE908 mov eax, dword ptr fs:[00000030h]		2_2_02DAE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DAE908 mov eax, dword ptr fs:[00000030h]		2_2_02DAE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DB892A mov eax, dword ptr fs:[00000030h]		2_2_02DB892A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DC892B mov eax, dword ptr fs:[00000030h]		2_2_02DC892B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02DE6ED0 mov ecx, dword ptr fs:[00000030h]		2_2_02DE6ED0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D68EF5 mov eax, dword ptr fs:[00000030h]		2_2_02D68EF5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D36EE0 mov eax, dword ptr fs:[00000030h]		2_2_02D36EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02D36EE0 mov eax, dword ptr fs:[00000030h]		2_2_02D36EE0

Source: C:\Users\user\Desktop\Fi#U015f.exe

Code function: 0_2_00E7A66C GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_00E7A66C

Source: C:\Users\user\Desktop\Fi#U015f.exe	Code function: 0_2_00E681AC SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_00E681AC
Source: C:\Users\user\Desktop\Fi#U015f.exe	Code function: 0_2_00E68189 SetUnhandledExceptionFilter,		0_2_00E68189

HIPS / PFW / Operating System Protection Evasion

Source: C:\Program Files (x86)\qgNvKFZijGVkcEEPSgzrvAetYjwdrgHDFEvmGJpEGoeV\hnmibsTvfR.exe	NtAllocateVirtualMemory: Direct from: 0x76EF48EC			Jump to behavior
Source: C:\Program Files (x86)\qgNvKFZijGVkcEEPSgzrvAetYjwdrgHDFEvmGJpEGoeV\hnmibsTvfR.exe	NtQueryAttributesFile: Direct from: 0x76EF2E6C			Jump to behavior
Source: C:\Program Files (x86)\qgNvKFZijGVkcEEPSgzrvAetYjwdrgHDFEvmGJpEGoeV\hnmibsTvfR.exe	NtQueryVolumeInformationFile: Direct from: 0x76EF2F2C			Jump to behavior
Source: C:\Program Files (x86)\qgNvKFZijGVkcEEPSgzrvAetYjwdrgHDFEvmGJpEGoeV\hnmibsTvfR.exe	NtQuerySystemInformation: Direct from: 0x76EF48CC			Jump to behavior
Source: C:\Program Files (x86)\qgNvKFZijGVkcEEPSgzrvAetYjwdrgHDFEvmGJpEGoeV\hnmibsTvfR.exe	NtOpenSection: Direct from: 0x76EF2E0C			Jump to behavior
Source: C:\Program Files (x86)\qgNvKFZijGVkcEEPSgzrvAetYjwdrgHDFEvmGJpEGoeV\hnmibsTvfR.exe	NtDeviceIoControlFile: Direct from: 0x76EF2AEC			Jump to behavior
Source: C:\Program Files (x86)\qgNvKFZijGVkcEEPSgzrvAetYjwdrgHDFEvmGJpEGoeV\hnmibsTvfR.exe	NtAllocateVirtualMemory: Direct from: 0x76EF2BEC			Jump to behavior
Source: C:\Program Files (x86)\qgNvKFZijGVkcEEPSgzrvAetYjwdrgHDFEvmGJpEGoeV\hnmibsTvfR.exe	NtQueryInformationToken: Direct from: 0x76EF2CAC			Jump to behavior
Source: C:\Program Files (x86)\qgNvKFZijGVkcEEPSgzrvAetYjwdrgHDFEvmGJpEGoeV\hnmibsTvfR.exe	NtCreateFile: Direct from: 0x76EF2FEC			Jump to behavior
Source: C:\Program Files (x86)\qgNvKFZijGVkcEEPSgzrvAetYjwdrgHDFEvmGJpEGoeV\hnmibsTvfR.exe	NtOpenFile: Direct from: 0x76EF2DCC			Jump to behavior
Source: C:\Program Files (x86)\qgNvKFZijGVkcEEPSgzrvAetYjwdrgHDFEvmGJpEGoeV\hnmibsTvfR.exe	NtTerminateThread: Direct from: 0x76EF2FCC			Jump to behavior
Source: C:\Program Files (x86)\qgNvKFZijGVkcEEPSgzrvAetYjwdrgHDFEvmGJpEGoeV\hnmibsTvfR.exe	NtOpenKeyEx: Direct from: 0x76EF2B9C			Jump to behavior
Source: C:\Program Files (x86)\qgNvKFZijGVkcEEPSgzrvAetYjwdrgHDFEvmGJpEGoeV\hnmibsTvfR.exe	NtSetInformationProcess: Direct from: 0x76EF2C5C			Jump to behavior
Source: C:\Program Files (x86)\qgNvKFZijGVkcEEPSgzrvAetYjwdrgHDFEvmGJpEGoeV\hnmibsTvfR.exe	NtProtectVirtualMemory: Direct from: 0x76EF2F9C			Jump to behavior
Source: C:\Program Files (x86)\qgNvKFZijGVkcEEPSgzrvAetYjwdrgHDFEvmGJpEGoeV\hnmibsTvfR.exe	NtWriteVirtualMemory: Direct from: 0x76EF2E3C			Jump to behavior
Source: C:\Program Files (x86)\qgNvKFZijGVkcEEPSgzrvAetYjwdrgHDFEvmGJpEGoeV\hnmibsTvfR.exe	NtNotifyChangeKey: Direct from: 0x76EF3C2C			Jump to behavior
Source: C:\Program Files (x86)\qgNvKFZijGVkcEEPSgzrvAetYjwdrgHDFEvmGJpEGoeV\hnmibsTvfR.exe	NtCreateMutant: Direct from: 0x76EF35CC			Jump to behavior
Source: C:\Program Files (x86)\qgNvKFZijGVkcEEPSgzrvAetYjwdrgHDFEvmGJpEGoeV\hnmibsTvfR.exe	NtResumeThread: Direct from: 0x76EF36AC			Jump to behavior
Source: C:\Program Files (x86)\qgNvKFZijGVkcEEPSgzrvAetYjwdrgHDFEvmGJpEGoeV\hnmibsTvfR.exe	NtMapViewOfSection: Direct from: 0x76EF2D1C			Jump to behavior
Source: C:\Program Files (x86)\qgNvKFZijGVkcEEPSgzrvAetYjwdrgHDFEvmGJpEGoeV\hnmibsTvfR.exe	NtProtectVirtualMemory: Direct from: 0x76EE7B2E			Jump to behavior
Source: C:\Program Files (x86)\qgNvKFZijGVkcEEPSgzrvAetYjwdrgHDFEvmGJpEGoeV\hnmibsTvfR.exe	NtAllocateVirtualMemory: Direct from: 0x76EF2BFC			Jump to behavior
Source: C:\Program Files (x86)\qgNvKFZijGVkcEEPSgzrvAetYjwdrgHDFEvmGJpEGoeV\hnmibsTvfR.exe	NtQuerySystemInformation: Direct from: 0x76EF2DFC			Jump to behavior
Source: C:\Program Files (x86)\qgNvKFZijGVkcEEPSgzrvAetYjwdrgHDFEvmGJpEGoeV\hnmibsTvfR.exe	NtReadFile: Direct from: 0x76EF2ADC			Jump to behavior
Source: C:\Program Files (x86)\qgNvKFZijGVkcEEPSgzrvAetYjwdrgHDFEvmGJpEGoeV\hnmibsTvfR.exe	NtDelayExecution: Direct from: 0x76EF2DDC			Jump to behavior
Source: C:\Program Files (x86)\qgNvKFZijGVkcEEPSgzrvAetYjwdrgHDFEvmGJpEGoeV\hnmibsTvfR.exe	NtQueryInformationProcess: Direct from: 0x76EF2C26			Jump to behavior
Source: C:\Program Files (x86)\qgNvKFZijGVkcEEPSgzrvAetYjwdrgHDFEvmGJpEGoeV\hnmibsTvfR.exe	NtResumeThread: Direct from: 0x76EF2FBC			Jump to behavior
Source: C:\Program Files (x86)\qgNvKFZijGVkcEEPSgzrvAetYjwdrgHDFEvmGJpEGoeV\hnmibsTvfR.exe	NtCreateUserProcess: Direct from: 0x76EF371C			Jump to behavior
Source: C:\Program Files (x86)\qgNvKFZijGVkcEEPSgzrvAetYjwdrgHDFEvmGJpEGoeV\hnmibsTvfR.exe	NtAllocateVirtualMemory: Direct from: 0x76EF3C9C			Jump to behavior
Source: C:\Program Files (x86)\qgNvKFZijGVkcEEPSgzrvAetYjwdrgHDFEvmGJpEGoeV\hnmibsTvfR.exe	NtWriteVirtualMemory: Direct from: 0x76EF490C			Jump to behavior
Source: C:\Program Files (x86)\qgNvKFZijGVkcEEPSgzrvAetYjwdrgHDFEvmGJpEGoeV\hnmibsTvfR.exe	NtSetInformationThread: Direct from: 0x76EE63F9			Jump to behavior
Source: C:\Program Files (x86)\qgNvKFZijGVkcEEPSgzrvAetYjwdrgHDFEvmGJpEGoeV\hnmibsTvfR.exe	NtClose: Direct from: 0x76EF2B6C
Source: C:\Program Files (x86)\qgNvKFZijGVkcEEPSgzrvAetYjwdrgHDFEvmGJpEGoeV\hnmibsTvfR.exe	NtSetInformationThread: Direct from: 0x76EF2B4C			Jump to behavior
Source: C:\Program Files (x86)\qgNvKFZijGVkcEEPSgzrvAetYjwdrgHDFEvmGJpEGoeV\hnmibsTvfR.exe	NtReadVirtualMemory: Direct from: 0x76EF2E8C			Jump to behavior
Source: C:\Program Files (x86)\qgNvKFZijGVkcEEPSgzrvAetYjwdrgHDFEvmGJpEGoeV\hnmibsTvfR.exe	NtCreateKey: Direct from: 0x76EF2C6C			Jump to behavior

Source: C:\Users\user\Desktop\Fi#U015f.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write			Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Program Files (x86)\qgNvKFZijGVkcEEPSgzrvAetYjwdrgHDFEvmGJpEGoeV\hnmibsTvfR.exe protection: execute and read and write			Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\SysWOW64\icsunattend.exe protection: execute and read and write			Jump to behavior
Source: C:\Windows\SysWOW64\icsunattend.exe	Section loaded: NULL target: C:\Program Files (x86)\qgNvKFZijGVkcEEPSgzrvAetYjwdrgHDFEvmGJpEGoeV\hnmibsTvfR.exe protection: read write			Jump to behavior
Source: C:\Windows\SysWOW64\icsunattend.exe	Section loaded: NULL target: C:\Program Files (x86)\qgNvKFZijGVkcEEPSgzrvAetYjwdrgHDFEvmGJpEGoeV\hnmibsTvfR.exe protection: execute and read and write			Jump to behavior
Source: C:\Windows\SysWOW64\icsunattend.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write			Jump to behavior
Source: C:\Windows\SysWOW64\icsunattend.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write			Jump to behavior

Source: C:\Windows\SysWOW64\icsunattend.exe

Thread register set: target process: 2260

Jump to behavior

Source: C:\Windows\SysWOW64\icsunattend.exe

Thread APC queued: target process: C:\Program Files (x86)\qgNvKFZijGVkcEEPSgzrvAetYjwdrgHDFEvmGJpEGoeV\hnmibsTvfR.exe

Jump to behavior

Source: C:\Users\user\Desktop\Fi#U015f.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: 2355008

Jump to behavior

Source: C:\Users\user\Desktop\Fi#U015f.exe

Code function: 0_2_00E7B106 LogonUserW,

0_2_00E7B106

Source: C:\Users\user\Desktop\Fi#U015f.exe

Code function: 0_2_00E43D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00E43D19

Source: C:\Users\user\Desktop\Fi#U015f.exe

Code function: 0_2_00E8411C SendInput,keybd_event,

0_2_00E8411C

Source: C:\Users\user\Desktop\Fi#U015f.exe

Code function: 0_2_00E874E7 mouse_event,

0_2_00E874E7

Source: C:\Users\user\Desktop\Fi#U015f.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Fi#U015f.exe"			Jump to behavior
Source: C:\Program Files (x86)\qgNvKFZijGVkcEEPSgzrvAetYjwdrgHDFEvmGJpEGoeV\hnmibsTvfR.exe	Process created: C:\Windows\SysWOW64\icsunattend.exe "C:\Windows\SysWOW64\icsunattend.exe"			Jump to behavior
Source: C:\Windows\SysWOW64\icsunattend.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"			Jump to behavior

Source: C:\Users\user\Desktop\Fi#U015f.exe

Code function: 0_2_00E7A66C GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_00E7A66C

Source: C:\Users\user\Desktop\Fi#U015f.exe

Code function: 0_2_00E871FA AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00E871FA

Source: hnmibsTvfR.exe, 00000004.00000000.2476741162.00000000013F1000.00000002.00000001.00040000.00000000.sdmp, hnmibsTvfR.exe, 00000004.00000002.3302971750.00000000013F1000.00000002.00000001.00040000.00000000.sdmp, hnmibsTvfR.exe, 00000007.00000002.3303735679.0000000000DB1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program Manager
Source: Fi#U015f.exe, hnmibsTvfR.exe, 00000004.00000000.2476741162.00000000013F1000.00000002.00000001.00040000.00000000.sdmp, hnmibsTvfR.exe, 00000004.00000002.3302971750.00000000013F1000.00000002.00000001.00040000.00000000.sdmp, hnmibsTvfR.exe, 00000007.00000002.3303735679.0000000000DB1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: hnmibsTvfR.exe, 00000004.00000000.2476741162.00000000013F1000.00000002.00000001.00040000.00000000.sdmp, hnmibsTvfR.exe, 00000004.00000002.3302971750.00000000013F1000.00000002.00000001.00040000.00000000.sdmp, hnmibsTvfR.exe, 00000007.00000002.3303735679.0000000000DB1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: Fi#U015f.exe	Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndTHISREMOVEblankinfoquestionstopwarning
Source: hnmibsTvfR.exe, 00000004.00000000.2476741162.00000000013F1000.00000002.00000001.00040000.00000000.sdmp, hnmibsTvfR.exe, 00000004.00000002.3302971750.00000000013F1000.00000002.00000001.00040000.00000000.sdmp, hnmibsTvfR.exe, 00000007.00000002.3303735679.0000000000DB1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Language, Device and Operating System Detection

Source: C:\Users\user\Desktop\Fi#U015f.exe

Code function: 0_2_00E665C4 cpuid

0_2_00E665C4

Source: C:\Users\user\Desktop\Fi#U015f.exe

Code function: 0_2_00E9091D GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,__wsplitpath,_wcscat,_wcscat,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,_wcscpy,SetCurrentDirectoryW,

0_2_00E9091D

Source: C:\Users\user\Desktop\Fi#U015f.exe

Code function: 0_2_00EBB340 GetUserNameW,

0_2_00EBB340

Source: C:\Users\user\Desktop\Fi#U015f.exe

Code function: 0_2_00E71E8E __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00E71E8E

Source: C:\Users\user\Desktop\Fi#U015f.exe

Code function: 0_2_00E5DDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00E5DDC0

Stealing of Sensitive Information

Source: Yara match	File source: 2.2.svchost.exe.2140000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.2140000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.3303150675.0000000004120000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2552287327.0000000002BF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2552706561.0000000003400000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2552000811.0000000002140000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3303269624.0000000002A00000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3301917962.0000000000430000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3303084240.0000000000CB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Source: C:\Windows\SysWOW64\icsunattend.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies			Jump to behavior
Source: C:\Windows\SysWOW64\icsunattend.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies			Jump to behavior
Source: C:\Windows\SysWOW64\icsunattend.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data			Jump to behavior
Source: C:\Windows\SysWOW64\icsunattend.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Windows\SysWOW64\icsunattend.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior
Source: C:\Windows\SysWOW64\icsunattend.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State			Jump to behavior
Source: C:\Windows\SysWOW64\icsunattend.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State			Jump to behavior
Source: C:\Windows\SysWOW64\icsunattend.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies			Jump to behavior

Source: C:\Windows\SysWOW64\icsunattend.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Jump to behavior

Source: Fi#U015f.exe	Binary or memory string: WIN_81
Source: Fi#U015f.exe	Binary or memory string: WIN_XP
Source: Fi#U015f.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 12, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubytep
Source: Fi#U015f.exe	Binary or memory string: WIN_XPe
Source: Fi#U015f.exe	Binary or memory string: WIN_VISTA
Source: Fi#U015f.exe	Binary or memory string: WIN_7
Source: Fi#U015f.exe	Binary or memory string: WIN_8

Remote Access Functionality

Source: Yara match	File source: 2.2.svchost.exe.2140000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.2140000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.3303150675.0000000004120000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2552287327.0000000002BF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2552706561.0000000003400000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2552000811.0000000002140000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3303269624.0000000002A00000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3301917962.0000000000430000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3303084240.0000000000CB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\Fi#U015f.exe	Code function: 0_2_00E98C4F socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		0_2_00E98C4F
Source: C:\Users\user\Desktop\Fi#U015f.exe	Code function: 0_2_00E9923B socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00E9923B