Edit tour

Windows Analysis Report
iJIXzyHnSe.exe

Overview

General Information

Sample name:	iJIXzyHnSe.exe renamed because original name is a hash value
Original sample name:	2ecbb9f3d09ceaedf9d157954c4f57d82462ea7e400134df859d9eb627f54af9.exe
Analysis ID:	1632251
MD5:	b58bb58a11995fe6077c5dda77c8a92c
SHA1:	07fb3b9d3aeb62934ff2a21606df0d5ba56d978b
SHA256:	2ecbb9f3d09ceaedf9d157954c4f57d82462ea7e400134df859d9eb627f54af9
Tags:	exeFormbookuser-adrian__luca
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected FormBook

Binary is likely a compiled AutoIt script file

Found direct / indirect Syscall (likely to bypass EDR)

Joe Sandbox ML detected suspicious sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain (date check)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Uncommon Svchost Parent Process

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

iJIXzyHnSe.exe (PID: 8160 cmdline: "C:\Users\user\Desktop\iJIXzyHnSe.exe" MD5: B58BB58A11995FE6077C5DDA77C8A92C)

svchost.exe (PID: 6852 cmdline: "C:\Users\user\Desktop\iJIXzyHnSe.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

Mevt3bFU1HpLudwL.exe (PID: 6520 cmdline: "C:\Program Files (x86)\xNHhtGBnZfLNOesumZqoiiakWVbYYoxjSHfKxxvxClP\SzGWuVGmZ.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)

TSTheme.exe (PID: 5520 cmdline: "C:\Windows\SysWOW64\TSTheme.exe" MD5: 6634A157115551E6DDDFB4748C0565FB)

Mevt3bFU1HpLudwL.exe (PID: 6868 cmdline: "C:\Program Files (x86)\xNHhtGBnZfLNOesumZqoiiakWVbYYoxjSHfKxxvxClP\ImgATVWlRAXer.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)

firefox.exe (PID: 2052 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000005.00000002.2586607235.00000000003A0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000001.00000002.1687606266.0000000000530000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000006.00000002.2587633292.0000000001290000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000005.00000002.2587704648.0000000000980000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.2587850827.0000000005B60000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000005.00000002.2587769464.00000000009D0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000001.00000002.1688517873.0000000006750000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
Click to see the 2 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.2.svchost.exe.530000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
1.2.svchost.exe.530000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security

Sigma Signatures

System Summary

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\iJIXzyHnSe.exe", CommandLine: "C:\Users\user\Desktop\iJIXzyHnSe.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\iJIXzyHnSe.exe", ParentImage: C:\Users\user\Desktop\iJIXzyHnSe.exe, ParentProcessId: 8160, ParentProcessName: iJIXzyHnSe.exe, ProcessCommandLine: "C:\Users\user\Desktop\iJIXzyHnSe.exe", ProcessId: 6852, ProcessName: svchost.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\Desktop\iJIXzyHnSe.exe", CommandLine: "C:\Users\user\Desktop\iJIXzyHnSe.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\iJIXzyHnSe.exe", ParentImage: C:\Users\user\Desktop\iJIXzyHnSe.exe, ParentProcessId: 8160, ParentProcessName: iJIXzyHnSe.exe, ProcessCommandLine: "C:\Users\user\Desktop\iJIXzyHnSe.exe", ProcessId: 6852, ProcessName: svchost.exe

Suricata Signatures

ET MALWARE FormBook CnC Checkin (GET) M5

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-07T21:33:38.215657+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.5	49699	172.67.194.22	80	TCP
2025-03-07T21:34:02.900316+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.5	49703	47.83.1.90	80	TCP
2025-03-07T21:34:16.219723+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.5	49707	209.74.64.58	80	TCP
2025-03-07T21:34:38.763925+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.5	49711	172.67.178.185	80	TCP
2025-03-07T21:34:52.082294+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.5	49715	13.248.169.48	80	TCP

ETPRO MALWARE FormBook CnC Checkin (GET) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-07T21:33:38.215657+0100	2855465	1	A Network Trojan was detected	192.168.2.5	49699	172.67.194.22	80	TCP
2025-03-07T21:34:02.900316+0100	2855465	1	A Network Trojan was detected	192.168.2.5	49703	47.83.1.90	80	TCP
2025-03-07T21:34:16.219723+0100	2855465	1	A Network Trojan was detected	192.168.2.5	49707	209.74.64.58	80	TCP
2025-03-07T21:34:38.763925+0100	2855465	1	A Network Trojan was detected	192.168.2.5	49711	172.67.178.185	80	TCP
2025-03-07T21:34:52.082294+0100	2855465	1	A Network Trojan was detected	192.168.2.5	49715	13.248.169.48	80	TCP

ETPRO MALWARE FormBook CnC Checkin (POST) M3

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-07T21:33:54.833099+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49700	47.83.1.90	80	TCP
2025-03-07T21:33:57.380028+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49701	47.83.1.90	80	TCP
2025-03-07T21:34:00.005011+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49702	47.83.1.90	80	TCP
2025-03-07T21:34:08.539258+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49704	209.74.64.58	80	TCP
2025-03-07T21:34:11.114424+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49705	209.74.64.58	80	TCP
2025-03-07T21:34:13.639452+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49706	209.74.64.58	80	TCP
2025-03-07T21:34:30.100341+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49708	172.67.178.185	80	TCP
2025-03-07T21:34:32.672734+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49709	172.67.178.185	80	TCP
2025-03-07T21:34:35.170198+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49710	172.67.178.185	80	TCP
2025-03-07T21:34:44.344950+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49712	13.248.169.48	80	TCP
2025-03-07T21:34:47.942849+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49713	13.248.169.48	80	TCP
2025-03-07T21:34:49.552290+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49714	13.248.169.48	80	TCP
2025-03-07T21:34:59.630416+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49716	45.199.72.207	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: iJIXzyHnSe.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://www.autonomousrich.xyz/h13r/	Avira URL Cloud: Label: malware
Source: http://www.autonomousrich.xyz	Avira URL Cloud: Label: malware

Multi AV Scanner detection for submitted file

Source: iJIXzyHnSe.exe	Virustotal: Detection: 69%			Perma Link
Source: iJIXzyHnSe.exe	ReversingLabs: Detection: 63%

Yara detected FormBook

Source: Yara match	File source: 1.2.svchost.exe.530000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.530000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.2586607235.00000000003A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1687606266.0000000000530000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2587633292.0000000001290000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2587704648.0000000000980000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2587850827.0000000005B60000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2587769464.00000000009D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1688517873.0000000006750000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: iJIXzyHnSe.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: TSTheme.pdb source: svchost.exe, 00000001.00000003.1656208925.0000000002C1A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1656267491.0000000002C3B000.00000004.00000020.00020000.00000000.sdmp, Mevt3bFU1HpLudwL.exe, 00000004.00000002.2587322340.000000000105E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: iJIXzyHnSe.exe, 00000000.00000003.1338028593.0000000004040000.00000004.00001000.00020000.00000000.sdmp, iJIXzyHnSe.exe, 00000000.00000003.1336186797.0000000003E50000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1583203958.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1688100189.000000000339E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1581383537.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1688100189.0000000003200000.00000040.00001000.00020000.00000000.sdmp, TSTheme.exe, 00000005.00000003.1688263359.0000000004205000.00000004.00000020.00020000.00000000.sdmp, TSTheme.exe, 00000005.00000002.2588019678.0000000004570000.00000040.00001000.00020000.00000000.sdmp, TSTheme.exe, 00000005.00000003.1695203817.00000000043BE000.00000004.00000020.00020000.00000000.sdmp, TSTheme.exe, 00000005.00000002.2588019678.000000000470E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: iJIXzyHnSe.exe, 00000000.00000003.1338028593.0000000004040000.00000004.00001000.00020000.00000000.sdmp, iJIXzyHnSe.exe, 00000000.00000003.1336186797.0000000003E50000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000003.1583203958.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1688100189.000000000339E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1581383537.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1688100189.0000000003200000.00000040.00001000.00020000.00000000.sdmp, TSTheme.exe, TSTheme.exe, 00000005.00000003.1688263359.0000000004205000.00000004.00000020.00020000.00000000.sdmp, TSTheme.exe, 00000005.00000002.2588019678.0000000004570000.00000040.00001000.00020000.00000000.sdmp, TSTheme.exe, 00000005.00000003.1695203817.00000000043BE000.00000004.00000020.00020000.00000000.sdmp, TSTheme.exe, 00000005.00000002.2588019678.000000000470E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: TSTheme.pdbGCTL source: svchost.exe, 00000001.00000003.1656208925.0000000002C1A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1656267491.0000000002C3B000.00000004.00000020.00020000.00000000.sdmp, Mevt3bFU1HpLudwL.exe, 00000004.00000002.2587322340.000000000105E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: TSTheme.exe, 00000005.00000002.2588600487.0000000004B9C000.00000004.10000000.00040000.00000000.sdmp, TSTheme.exe, 00000005.00000002.2586774749.0000000000736000.00000004.00000020.00020000.00000000.sdmp, Mevt3bFU1HpLudwL.exe, 00000006.00000002.2588329125.000000000308C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000007.00000002.1989877917.00000000062FC000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: TSTheme.exe, 00000005.00000002.2588600487.0000000004B9C000.00000004.10000000.00040000.00000000.sdmp, TSTheme.exe, 00000005.00000002.2586774749.0000000000736000.00000004.00000020.00020000.00000000.sdmp, Mevt3bFU1HpLudwL.exe, 00000006.00000002.2588329125.000000000308C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000007.00000002.1989877917.00000000062FC000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: Mevt3bFU1HpLudwL.exe, 00000004.00000002.2587184569.0000000000CBF000.00000002.00000001.01000000.00000004.sdmp, Mevt3bFU1HpLudwL.exe, 00000006.00000002.2586779777.0000000000CBF000.00000002.00000001.01000000.00000004.sdmp

Source: C:\Users\user\Desktop\iJIXzyHnSe.exe	Code function: 0_2_0100445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0100445A
Source: C:\Users\user\Desktop\iJIXzyHnSe.exe	Code function: 0_2_0100C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_0100C75C
Source: C:\Users\user\Desktop\iJIXzyHnSe.exe	Code function: 0_2_0100C6D1 FindFirstFileW,FindClose,	0_2_0100C6D1
Source: C:\Users\user\Desktop\iJIXzyHnSe.exe	Code function: 0_2_0100EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0100EF95
Source: C:\Users\user\Desktop\iJIXzyHnSe.exe	Code function: 0_2_0100F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0100F0F2
Source: C:\Users\user\Desktop\iJIXzyHnSe.exe	Code function: 0_2_0100F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0100F3F3
Source: C:\Users\user\Desktop\iJIXzyHnSe.exe	Code function: 0_2_010037EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_010037EF
Source: C:\Users\user\Desktop\iJIXzyHnSe.exe	Code function: 0_2_01003B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_01003B12
Source: C:\Users\user\Desktop\iJIXzyHnSe.exe	Code function: 0_2_0100BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0100BCBC
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_003BC800 FindFirstFileW,FindNextFileW,FindClose,	5_2_003BC800

Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 4x nop then xor eax, eax	5_2_003A9F40
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 4x nop then pop edi	5_2_003AE4B0
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 4x nop then mov ebx, 00000004h	5_2_043B04E0

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49712 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49701 -> 47.83.1.90:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49710 -> 172.67.178.185:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49714 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49700 -> 47.83.1.90:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49704 -> 209.74.64.58:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49711 -> 172.67.178.185:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49711 -> 172.67.178.185:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49702 -> 47.83.1.90:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49707 -> 209.74.64.58:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49699 -> 172.67.194.22:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49707 -> 209.74.64.58:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49699 -> 172.67.194.22:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49703 -> 47.83.1.90:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49703 -> 47.83.1.90:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49716 -> 45.199.72.207:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49706 -> 209.74.64.58:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49705 -> 209.74.64.58:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49708 -> 172.67.178.185:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49709 -> 172.67.178.185:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49713 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49715 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49715 -> 13.248.169.48:80

Performs DNS queries to domains with low reputation

Source:	DNS query: www.l51127.xyz
Source:	DNS query: www.autonomousrich.xyz

Source: Joe Sandbox View	IP Address: 13.248.169.48 13.248.169.48
Source: Joe Sandbox View	IP Address: 47.83.1.90 47.83.1.90

Source: Joe Sandbox View

ASN Name: MULTIBAND-NEWHOPEUS MULTIBAND-NEWHOPEUS

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\iJIXzyHnSe.exe

Code function: 0_2_010122EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_010122EE

Source: global traffic	HTTP traffic detected: GET /vvhu/?vJ=DfMhyl&1Tpt5v=ToQPTQEeBo/3WbFD27iKgRgy3lYWqICFbWgw5yJqkITIS1Xd2bAo+Gdrgh2GHhRhHkbupNVk/f1NcFKzK763eBmbeyAzeu5qFPkDDoEZ2/g2T9PvVFGyQr8+bbk3LpZJVA== HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-US,en;q=0.9Host: www.jili999.netConnection: closeUser-Agent: Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.8.0
Source: global traffic	HTTP traffic detected: GET /s4j0/?1Tpt5v=+lmvhUFqzl3K/nVRk9sEcA+46juHvAXirG2gJVeHxcm6dNAQjXGpnGgIeGQjz9/Kjc8Rf4uwaXmdJ2ubuv8xWwO5DI8G34FJTnZE1bP0Qqwn7JmBd99/LbLk6ZelSDYymA==&vJ=DfMhyl HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-US,en;q=0.9Host: www.vvxcss.infoConnection: closeUser-Agent: Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.8.0
Source: global traffic	HTTP traffic detected: GET /dsk6/?vJ=DfMhyl&1Tpt5v=PfMKpDcpCugVIVUsUafU8LcPsvz7P2NcJNp6vhvuz2VdeailpF+jhxQZvGxtWLQMNbEbsfHhxSQBPKLXleOmzZyTJU5yJ3NdEXLiQDur6OO20ejoZZLQygrEfvoVn6LqBA== HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-US,en;q=0.9Host: www.zenithphere.siteConnection: closeUser-Agent: Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.8.0
Source: global traffic	HTTP traffic detected: GET /myk2/?1Tpt5v=5oHjPE956XNrKACWkGh3b0r8Js1iMLCPcxe938XA1nf7tdToUgCBGOz6v3wpZbq6BTJhlgB3dlbJd/F0Xc3Ddwi6mIyWrDYycB2WZ8TY6XgUSFpR7i095IzYgHZKOWqHmQ==&vJ=DfMhyl HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-US,en;q=0.9Host: www.kalebetgirislinki.fitConnection: closeUser-Agent: Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.8.0
Source: global traffic	HTTP traffic detected: GET /h13r/?1Tpt5v=N6cdqIFByFzUSlguQKxJf51ACzUp3jnWSylDNr7JTiQpMCniMz5ei4LxPNTC4V3TUKvfe/TegNOjxJoGcRBSkpTyHsw36T99ame1WBpfcyt49bex8/dd1joALjtsf95T+w==&vJ=DfMhyl HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-US,en;q=0.9Host: www.autonomousrich.xyzConnection: closeUser-Agent: Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.8.0

Source: global traffic	DNS traffic detected: DNS query: www.jili999.net
Source: global traffic	DNS traffic detected: DNS query: www.vvxcss.info
Source: global traffic	DNS traffic detected: DNS query: www.zenithphere.site
Source: global traffic	DNS traffic detected: DNS query: www.l51127.xyz
Source: global traffic	DNS traffic detected: DNS query: www.kalebetgirislinki.fit
Source: global traffic	DNS traffic detected: DNS query: www.autonomousrich.xyz
Source: global traffic	DNS traffic detected: DNS query: www.banjia0731.icu

Source: unknown

HTTP traffic detected: POST /s4j0/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Host: www.vvxcss.infoOrigin: http://www.vvxcss.infoReferer: http://www.vvxcss.info/s4j0/Content-Type: application/x-www-form-urlencodedContent-Length: 207Connection: closeCache-Control: no-cacheUser-Agent: Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.8.0Data Raw: 31 54 70 74 35 76 3d 7a 6e 4f 50 69 67 73 6c 36 6e 2f 4d 73 53 39 38 6f 6f 38 54 64 56 32 6f 7a 7a 47 38 69 43 7a 4c 79 55 2b 4d 46 58 69 79 2b 35 65 34 56 4f 38 5a 70 48 65 76 70 31 51 4c 66 31 6c 79 38 64 54 42 69 73 77 70 48 4d 65 52 61 57 36 77 4f 6d 58 2f 77 74 38 53 4a 6a 4f 6f 62 4a 38 4b 36 71 73 6e 57 6b 4e 79 70 5a 54 56 52 49 6b 33 6d 72 65 6f 45 4e 78 75 50 35 62 53 38 35 57 2f 43 54 5a 49 31 58 42 39 45 59 30 61 58 48 71 52 32 62 2b 32 34 49 68 56 38 66 45 62 2b 41 34 2b 73 54 71 55 66 76 72 58 76 30 39 6c 43 4e 58 54 31 77 72 30 4b 6f 37 61 55 48 7a 73 73 31 4f 74 6e 34 34 36 4d 5a 61 77 58 6c 6f 3d Data Ascii: 1Tpt5v=znOPigsl6n/MsS98oo8TdV2ozzG8iCzLyU+MFXiy+5e4VO8ZpHevp1QLf1ly8dTBiswpHMeRaW6wOmX/wt8SJjOobJ8K6qsnWkNypZTVRIk3mreoENxuP5bS85W/CTZI1XB9EY0aXHqR2b+24IhV8fEb+A4+sTqUfvrXv09lCNXT1wr0Ko7aUHzss1Otn446MZawXlo=

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 07 Mar 2025 20:34:08 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 07 Mar 2025 20:34:11 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 07 Mar 2025 20:34:13 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 07 Mar 2025 20:34:16 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 07 Mar 2025 20:34:30 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeCache-Control: no-cache, no-store, must-revalidatePragma: no-cacheExpires: 0cf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3egZlY%2FGjolpZEF03TfrXnlbV9GSjK4KZSf8AAceqzX3ZErlXtKgU8Yh9EMuIXCAaEVIbZkkxIeqo11I0MnBM9vXQA4Beogwd6rWMKaxrzLQkAdmVGQiN1RXF%2Ft%2B3riTfeH%2BUGllcWiTag8M"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91ccdfb7fc180c7c-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1542&min_rtt=1542&rtt_var=771&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=726&delivery_rate=0&cwnd=95&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 31 33 0d 0a 1f 8b 08 00 00 00 00 00 00 03 e2 e2 e2 02 00 00 00 ff ff 0d 0a Data Ascii: 13
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 07 Mar 2025 20:34:32 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeCache-Control: no-cache, no-store, must-revalidatePragma: no-cacheExpires: 0cf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Ve75nKLs5KsrGx5jICraveBlZkqegXHeVYu9hSw8xoD4pJ7t1vfCGiVv%2FEyh4Syo8tK9tolShFdvqBOyH5G%2BxlPiI%2FvZ4oNQ3DWO57YQpW5kF7Osk6S1QAeSe8H3JLG%2BmhbzTuyOz9IuqoHR"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91ccdfc81d9952d3-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2416&min_rtt=2416&rtt_var=1208&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=746&delivery_rate=0&cwnd=87&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 31 33 0d 0a 1f 8b 08 00 00 00 00 00 00 03 e2 e2 e2 02 00 00 00 ff ff 0d 0a Data Ascii: 13
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 07 Mar 2025 20:34:35 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeCache-Control: no-cache, no-store, must-revalidatePragma: no-cacheExpires: 0cf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7Ec7GejmTfGkHgdrG89%2B0no4xdokuLbQzNPeTIKezJrfjSIDv0ppF9Li4UCrKrO2hBuJ3XD7UoMrv8m3yjOhUPbNPoNlf8PGorrXU5KVaEoQMmvL2LlEDWBz4Fg5tONhBwmiE8uM%2BQm6c9AT"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91ccdfd7bed40f3e-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1642&min_rtt=1642&rtt_var=821&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=906&delivery_rate=0&cwnd=208&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 31 33 0d 0a 1f 8b 08 00 00 00 00 00 00 03 e2 e2 e2 02 00 00 00 ff ff 0d 0a Data Ascii: 13
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 07 Mar 2025 20:34:38 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeAccept-Ranges: bytesCache-Control: no-cache, no-store, must-revalidatePragma: no-cacheExpires: 0cf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=mk9iNOIGUujBIL5hKuteqxGLCyf7SFUD5SWY0T9DkJs9EDXDIGwZiwwDA%2FKue3Ahxc4wtKyMTxPLFItVkr1HbCpKaCY8llRrZNeh8bbFo0cGRbd1ZVE%2FHQpPkrf6qotnHt%2FqpAoUtVbKFtjt"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91ccdfe7a86278e8-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1990&min_rtt=1990&rtt_var=995&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=450&delivery_rate=0&cwnd=217&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 33 0d 0a 0a 0a 0a 0d 0a Data Ascii: 3

Source: TSTheme.exe, 00000005.00000002.2588600487.00000000055CC000.00000004.10000000.00040000.00000000.sdmp, Mevt3bFU1HpLudwL.exe, 00000006.00000002.2588329125.0000000003ABC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://cpanel.com/?utm_source=cpanelwhm&utm_medium=cplogo&utm_content=logolink&utm_campaign=404refer
Source: Mevt3bFU1HpLudwL.exe, 00000006.00000002.2587633292.00000000012EC000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.autonomousrich.xyz
Source: Mevt3bFU1HpLudwL.exe, 00000006.00000002.2587633292.00000000012EC000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.autonomousrich.xyz/h13r/
Source: TSTheme.exe, 00000005.00000002.2590356738.000000000765B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org?q=
Source: TSTheme.exe, 00000005.00000002.2590356738.000000000765B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: TSTheme.exe, 00000005.00000002.2590356738.000000000765B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: TSTheme.exe, 00000005.00000002.2590356738.000000000765B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: TSTheme.exe, 00000005.00000002.2590356738.000000000765B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/?q=
Source: TSTheme.exe, 00000005.00000002.2590356738.000000000765B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: TSTheme.exe, 00000005.00000002.2590356738.000000000765B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtabv209h
Source: TSTheme.exe, 00000005.00000002.2590356738.000000000765B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gemini.google.com/app?q=
Source: TSTheme.exe, 00000005.00000002.2588600487.0000000004F84000.00000004.10000000.00040000.00000000.sdmp, Mevt3bFU1HpLudwL.exe, 00000006.00000002.2588329125.0000000003474000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000007.00000002.1989877917.00000000066E4000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://jili999.net/vvhu/?vJ=DfMhyl&1Tpt5v=ToQPTQEeBo/3WbFD27iKgRgy3lYWqICFbWgw5yJqkITIS1Xd2bAo
Source: TSTheme.exe, 00000005.00000002.2586774749.0000000000750000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: TSTheme.exe, 00000005.00000002.2586774749.0000000000750000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: TSTheme.exe, 00000005.00000002.2586774749.0000000000750000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: TSTheme.exe, 00000005.00000002.2586774749.0000000000750000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: TSTheme.exe, 00000005.00000002.2586774749.0000000000750000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: TSTheme.exe, 00000005.00000002.2586774749.0000000000750000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: TSTheme.exe, 00000005.00000003.1872048009.0000000007632000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: TSTheme.exe, 00000005.00000002.2590356738.000000000765B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/v20
Source: TSTheme.exe, 00000005.00000002.2590356738.000000000765B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp

Source: C:\Users\user\Desktop\iJIXzyHnSe.exe

Code function: 0_2_01014164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_01014164

Source: C:\Users\user\Desktop\iJIXzyHnSe.exe

Code function: 0_2_01014164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_01014164

Source: C:\Users\user\Desktop\iJIXzyHnSe.exe

Code function: 0_2_01013F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_01013F66

Source: C:\Users\user\Desktop\iJIXzyHnSe.exe

Code function: 0_2_0100001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_0100001C

Source: C:\Users\user\Desktop\iJIXzyHnSe.exe

Code function: 0_2_0102CABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_0102CABC

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 1.2.svchost.exe.530000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.530000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.2586607235.00000000003A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1687606266.0000000000530000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2587633292.0000000001290000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2587704648.0000000000980000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2587850827.0000000005B60000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2587769464.00000000009D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1688517873.0000000006750000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\iJIXzyHnSe.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00FA3B3A
Source: iJIXzyHnSe.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: iJIXzyHnSe.exe, 00000000.00000002.1340132666.0000000001054000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_e977560c-d
Source: iJIXzyHnSe.exe, 00000000.00000002.1340132666.0000000001054000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_8e7a90d6-6
Source: iJIXzyHnSe.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_7f368f70-2
Source: iJIXzyHnSe.exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_0e97fb60-e

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0055C8F3 NtClose,	1_2_0055C8F3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032735C0 NtCreateMutant,LdrInitializeThunk,	1_2_032735C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03272B60 NtClose,LdrInitializeThunk,	1_2_03272B60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03272DF0 NtQuerySystemInformation,LdrInitializeThunk,	1_2_03272DF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03274340 NtSetContextThread,	1_2_03274340
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03273010 NtOpenDirectoryObject,	1_2_03273010
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03273090 NtSetValueKey,	1_2_03273090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03274650 NtSuspendThread,	1_2_03274650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03272BA0 NtEnumerateValueKey,	1_2_03272BA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03272B80 NtQueryInformationFile,	1_2_03272B80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03272BE0 NtQueryValueKey,	1_2_03272BE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03272BF0 NtAllocateVirtualMemory,	1_2_03272BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03272AB0 NtWaitForSingleObject,	1_2_03272AB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03272AF0 NtWriteFile,	1_2_03272AF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03272AD0 NtReadFile,	1_2_03272AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032739B0 NtGetContextThread,	1_2_032739B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03272F30 NtCreateSection,	1_2_03272F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03272F60 NtCreateProcessEx,	1_2_03272F60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03272FA0 NtQuerySection,	1_2_03272FA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03272FB0 NtResumeThread,	1_2_03272FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03272F90 NtProtectVirtualMemory,	1_2_03272F90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03272FE0 NtCreateFile,	1_2_03272FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03272E30 NtWriteVirtualMemory,	1_2_03272E30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03272EA0 NtAdjustPrivilegesToken,	1_2_03272EA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03272E80 NtReadVirtualMemory,	1_2_03272E80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03272EE0 NtQueueApcThread,	1_2_03272EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03272D30 NtUnmapViewOfSection,	1_2_03272D30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03272D00 NtSetInformationFile,	1_2_03272D00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03272D10 NtMapViewOfSection,	1_2_03272D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03273D10 NtOpenProcessToken,	1_2_03273D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03273D70 NtOpenThread,	1_2_03273D70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03272DB0 NtEnumerateKey,	1_2_03272DB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03272DD0 NtDelayExecution,	1_2_03272DD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03272C00 NtQueryInformationProcess,	1_2_03272C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03272C60 NtCreateKey,	1_2_03272C60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03272C70 NtFreeVirtualMemory,	1_2_03272C70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03272CA0 NtQueryInformationToken,	1_2_03272CA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03272CF0 NtOpenProcess,	1_2_03272CF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03272CC0 NtQueryVirtualMemory,	1_2_03272CC0
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_045E4650 NtSuspendThread,LdrInitializeThunk,	5_2_045E4650
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_045E4340 NtSetContextThread,LdrInitializeThunk,	5_2_045E4340
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_045E2C70 NtFreeVirtualMemory,LdrInitializeThunk,	5_2_045E2C70
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_045E2C60 NtCreateKey,LdrInitializeThunk,	5_2_045E2C60
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_045E2CA0 NtQueryInformationToken,LdrInitializeThunk,	5_2_045E2CA0
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_045E2D10 NtMapViewOfSection,LdrInitializeThunk,	5_2_045E2D10
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_045E2D30 NtUnmapViewOfSection,LdrInitializeThunk,	5_2_045E2D30
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_045E2DD0 NtDelayExecution,LdrInitializeThunk,	5_2_045E2DD0
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_045E2DF0 NtQuerySystemInformation,LdrInitializeThunk,	5_2_045E2DF0
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_045E2EE0 NtQueueApcThread,LdrInitializeThunk,	5_2_045E2EE0
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_045E2E80 NtReadVirtualMemory,LdrInitializeThunk,	5_2_045E2E80
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_045E2F30 NtCreateSection,LdrInitializeThunk,	5_2_045E2F30
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_045E2FE0 NtCreateFile,LdrInitializeThunk,	5_2_045E2FE0
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_045E2FB0 NtResumeThread,LdrInitializeThunk,	5_2_045E2FB0
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_045E2AD0 NtReadFile,LdrInitializeThunk,	5_2_045E2AD0
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_045E2AF0 NtWriteFile,LdrInitializeThunk,	5_2_045E2AF0
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_045E2B60 NtClose,LdrInitializeThunk,	5_2_045E2B60
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_045E2BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	5_2_045E2BF0
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_045E2BE0 NtQueryValueKey,LdrInitializeThunk,	5_2_045E2BE0
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_045E2BA0 NtEnumerateValueKey,LdrInitializeThunk,	5_2_045E2BA0
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_045E35C0 NtCreateMutant,LdrInitializeThunk,	5_2_045E35C0
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_045E39B0 NtGetContextThread,LdrInitializeThunk,	5_2_045E39B0
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_045E2C00 NtQueryInformationProcess,	5_2_045E2C00
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_045E2CC0 NtQueryVirtualMemory,	5_2_045E2CC0
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_045E2CF0 NtOpenProcess,	5_2_045E2CF0
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_045E2D00 NtSetInformationFile,	5_2_045E2D00
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_045E2DB0 NtEnumerateKey,	5_2_045E2DB0
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_045E2E30 NtWriteVirtualMemory,	5_2_045E2E30
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_045E2EA0 NtAdjustPrivilegesToken,	5_2_045E2EA0
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_045E2F60 NtCreateProcessEx,	5_2_045E2F60
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_045E2F90 NtProtectVirtualMemory,	5_2_045E2F90
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_045E2FA0 NtQuerySection,	5_2_045E2FA0
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_045E2AB0 NtWaitForSingleObject,	5_2_045E2AB0
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_045E2B80 NtQueryInformationFile,	5_2_045E2B80
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_045E3010 NtOpenDirectoryObject,	5_2_045E3010
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_045E3090 NtSetValueKey,	5_2_045E3090
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_045E3D70 NtOpenThread,	5_2_045E3D70
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_045E3D10 NtOpenProcessToken,	5_2_045E3D10
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_003C92D0 NtCreateFile,	5_2_003C92D0
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_003C9430 NtReadFile,	5_2_003C9430
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_003C9520 NtDeleteFile,	5_2_003C9520
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_003C95C0 NtClose,	5_2_003C95C0
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_003C9710 NtAllocateVirtualMemory,	5_2_003C9710

Source: C:\Users\user\Desktop\iJIXzyHnSe.exe

Code function: 0_2_0100A1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,

0_2_0100A1EF

Source: C:\Users\user\Desktop\iJIXzyHnSe.exe

Code function: 0_2_00FF8310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00FF8310

Source: C:\Users\user\Desktop\iJIXzyHnSe.exe

Code function: 0_2_010051BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_010051BD

Source: C:\Users\user\Desktop\iJIXzyHnSe.exe	Code function: 0_2_00FAE6A0	0_2_00FAE6A0
Source: C:\Users\user\Desktop\iJIXzyHnSe.exe	Code function: 0_2_00FCD975	0_2_00FCD975
Source: C:\Users\user\Desktop\iJIXzyHnSe.exe	Code function: 0_2_00FC21C5	0_2_00FC21C5
Source: C:\Users\user\Desktop\iJIXzyHnSe.exe	Code function: 0_2_00FD62D2	0_2_00FD62D2
Source: C:\Users\user\Desktop\iJIXzyHnSe.exe	Code function: 0_2_010203DA	0_2_010203DA
Source: C:\Users\user\Desktop\iJIXzyHnSe.exe	Code function: 0_2_00FD242E	0_2_00FD242E
Source: C:\Users\user\Desktop\iJIXzyHnSe.exe	Code function: 0_2_00FC25FA	0_2_00FC25FA
Source: C:\Users\user\Desktop\iJIXzyHnSe.exe	Code function: 0_2_00FB66E1	0_2_00FB66E1
Source: C:\Users\user\Desktop\iJIXzyHnSe.exe	Code function: 0_2_00FFE616	0_2_00FFE616
Source: C:\Users\user\Desktop\iJIXzyHnSe.exe	Code function: 0_2_00FD878F	0_2_00FD878F
Source: C:\Users\user\Desktop\iJIXzyHnSe.exe	Code function: 0_2_00FD6844	0_2_00FD6844
Source: C:\Users\user\Desktop\iJIXzyHnSe.exe	Code function: 0_2_00FB8808	0_2_00FB8808
Source: C:\Users\user\Desktop\iJIXzyHnSe.exe	Code function: 0_2_01020857	0_2_01020857
Source: C:\Users\user\Desktop\iJIXzyHnSe.exe	Code function: 0_2_01008889	0_2_01008889
Source: C:\Users\user\Desktop\iJIXzyHnSe.exe	Code function: 0_2_00FCCB21	0_2_00FCCB21
Source: C:\Users\user\Desktop\iJIXzyHnSe.exe	Code function: 0_2_00FD6DB6	0_2_00FD6DB6
Source: C:\Users\user\Desktop\iJIXzyHnSe.exe	Code function: 0_2_00FB6F9E	0_2_00FB6F9E
Source: C:\Users\user\Desktop\iJIXzyHnSe.exe	Code function: 0_2_00FB3030	0_2_00FB3030
Source: C:\Users\user\Desktop\iJIXzyHnSe.exe	Code function: 0_2_00FCF1D9	0_2_00FCF1D9
Source: C:\Users\user\Desktop\iJIXzyHnSe.exe	Code function: 0_2_00FC3187	0_2_00FC3187
Source: C:\Users\user\Desktop\iJIXzyHnSe.exe	Code function: 0_2_00FA1287	0_2_00FA1287
Source: C:\Users\user\Desktop\iJIXzyHnSe.exe	Code function: 0_2_00FC1484	0_2_00FC1484
Source: C:\Users\user\Desktop\iJIXzyHnSe.exe	Code function: 0_2_00FB5520	0_2_00FB5520
Source: C:\Users\user\Desktop\iJIXzyHnSe.exe	Code function: 0_2_00FC7696	0_2_00FC7696
Source: C:\Users\user\Desktop\iJIXzyHnSe.exe	Code function: 0_2_00FB5760	0_2_00FB5760
Source: C:\Users\user\Desktop\iJIXzyHnSe.exe	Code function: 0_2_00FC1978	0_2_00FC1978
Source: C:\Users\user\Desktop\iJIXzyHnSe.exe	Code function: 0_2_00FD9AB5	0_2_00FD9AB5
Source: C:\Users\user\Desktop\iJIXzyHnSe.exe	Code function: 0_2_00FAFCE0	0_2_00FAFCE0
Source: C:\Users\user\Desktop\iJIXzyHnSe.exe	Code function: 0_2_01027DDB	0_2_01027DDB
Source: C:\Users\user\Desktop\iJIXzyHnSe.exe	Code function: 0_2_00FCBDA6	0_2_00FCBDA6
Source: C:\Users\user\Desktop\iJIXzyHnSe.exe	Code function: 0_2_00FC1D90	0_2_00FC1D90
Source: C:\Users\user\Desktop\iJIXzyHnSe.exe	Code function: 0_2_00FB3FE0	0_2_00FB3FE0
Source: C:\Users\user\Desktop\iJIXzyHnSe.exe	Code function: 0_2_00FADF00	0_2_00FADF00
Source: C:\Users\user\Desktop\iJIXzyHnSe.exe	Code function: 0_2_015D3660	0_2_015D3660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00548973	1_2_00548973
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_005310F0	1_2_005310F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_005330B0	1_2_005330B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_005401B3	1_2_005401B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00546B73	1_2_00546B73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00532BD0	1_2_00532BD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_005403D3	1_2_005403D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0053E3E3	1_2_0053E3E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00532450	1_2_00532450
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0053244F	1_2_0053244F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0053E533	1_2_0053E533
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0053E529	1_2_0053E529
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0055EEB3	1_2_0055EEB3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00532760	1_2_00532760
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032F132D	1_2_032F132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0322D34C	1_2_0322D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032FA352	1_2_032FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0328739A	1_2_0328739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0324E3F0	1_2_0324E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033003E6	1_2_033003E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032E0274	1_2_032E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032452A0	1_2_032452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032E12ED	1_2_032E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0325B2C0	1_2_0325B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032C02C0	1_2_032C02C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03230100	1_2_03230100
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032DA118	1_2_032DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0327516C	1_2_0327516C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0322F172	1_2_0322F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0330B16B	1_2_0330B16B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032C8158	1_2_032C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0324B1B0	1_2_0324B1B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033001AA	1_2_033001AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032F81CC	1_2_032F81CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032F70E9	1_2_032F70E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032FF0E0	1_2_032FF0E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032EF0CC	1_2_032EF0CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032470C0	1_2_032470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03240770	1_2_03240770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03264750	1_2_03264750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032FF7B0	1_2_032FF7B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0323C7C0	1_2_0323C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0325C6E0	1_2_0325C6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032F16CC	1_2_032F16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03240535	1_2_03240535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032F7571	1_2_032F7571
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032DD5B0	1_2_032DD5B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03300591	1_2_03300591
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032FF43F	1_2_032FF43F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03231460	1_2_03231460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032F2446	1_2_032F2446
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032EE4F6	1_2_032EE4F6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032FFB76	1_2_032FFB76
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032FAB40	1_2_032FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0325FB80	1_2_0325FB80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B5BF0	1_2_032B5BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0327DBF9	1_2_0327DBF9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032F6BD7	1_2_032F6BD7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B3A6C	1_2_032B3A6C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032FFA49	1_2_032FFA49
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032F7A46	1_2_032F7A46
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032DDAAC	1_2_032DDAAC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03285AA0	1_2_03285AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0323EA80	1_2_0323EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032EDAC6	1_2_032EDAC6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03256962	1_2_03256962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03249950	1_2_03249950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0325B950	1_2_0325B950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032429A0	1_2_032429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0330A9A6	1_2_0330A9A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032AD800	1_2_032AD800
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03242840	1_2_03242840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0324A840	1_2_0324A840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032268B8	1_2_032268B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032438E0	1_2_032438E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0326E8F0	1_2_0326E8F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03282F28	1_2_03282F28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03260F30	1_2_03260F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032FFF09	1_2_032FFF09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B4F40	1_2_032B4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032BEFA0	1_2_032BEFA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032FFFB1	1_2_032FFFB1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03241F92	1_2_03241F92
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0324CFE0	1_2_0324CFE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03232FC8	1_2_03232FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032FEE26	1_2_032FEE26
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03240E59	1_2_03240E59
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03249EB0	1_2_03249EB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03252E90	1_2_03252E90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032FCE93	1_2_032FCE93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032FEEDB	1_2_032FEEDB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0324AD00	1_2_0324AD00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032F7D73	1_2_032F7D73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03243D40	1_2_03243D40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032F1D5A	1_2_032F1D5A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03258DBF	1_2_03258DBF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0323ADE0	1_2_0323ADE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0325FDC0	1_2_0325FDC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B9C32	1_2_032B9C32
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03240C00	1_2_03240C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032E0CB5	1_2_032E0CB5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03230CF2	1_2_03230CF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032FFCF2	1_2_032FFCF2
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_04662446	5_2_04662446
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_04654420	5_2_04654420
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_0465E4F6	5_2_0465E4F6
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_045B0535	5_2_045B0535
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_04670591	5_2_04670591
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_045CC6E0	5_2_045CC6E0
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_045D4750	5_2_045D4750
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_045B0770	5_2_045B0770
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_045AC7C0	5_2_045AC7C0
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_04642000	5_2_04642000
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_04638158	5_2_04638158
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_045A0100	5_2_045A0100
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_0464A118	5_2_0464A118
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_046681CC	5_2_046681CC
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_046701AA	5_2_046701AA
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_04650274	5_2_04650274
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_046302C0	5_2_046302C0
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_0466A352	5_2_0466A352
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_046703E6	5_2_046703E6
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_045BE3F0	5_2_045BE3F0
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_045B0C00	5_2_045B0C00
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_045A0CF2	5_2_045A0CF2
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_04650CB5	5_2_04650CB5
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_045BAD00	5_2_045BAD00
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_0464CD1F	5_2_0464CD1F
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_045AADE0	5_2_045AADE0
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_045C8DBF	5_2_045C8DBF
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_045B0E59	5_2_045B0E59
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_0466EE26	5_2_0466EE26
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_0466EEDB	5_2_0466EEDB
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_045C2E90	5_2_045C2E90
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_0466CE93	5_2_0466CE93
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_04624F40	5_2_04624F40
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_04652F30	5_2_04652F30
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_045D0F30	5_2_045D0F30
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_045F2F28	5_2_045F2F28
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_045A2FC8	5_2_045A2FC8
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_045BCFE0	5_2_045BCFE0
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_0462EFA0	5_2_0462EFA0
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_045BA840	5_2_045BA840
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_045B2840	5_2_045B2840
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_045DE8F0	5_2_045DE8F0
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_045968B8	5_2_045968B8
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_045C6962	5_2_045C6962
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_0467A9A6	5_2_0467A9A6
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_045B29A0	5_2_045B29A0
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_045AEA80	5_2_045AEA80
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_0466AB40	5_2_0466AB40
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_04666BD7	5_2_04666BD7
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_045A1460	5_2_045A1460
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_0466F43F	5_2_0466F43F
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_04667571	5_2_04667571
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_045B750D	5_2_045B750D
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_0464D5B0	5_2_0464D5B0
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_046616CC	5_2_046616CC
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_0466F7B0	5_2_0466F7B0
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_0466F0E0	5_2_0466F0E0
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_046670E9	5_2_046670E9
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_045B70C0	5_2_045B70C0
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_0465F0CC	5_2_0465F0CC
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_0467B16B	5_2_0467B16B
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_0459F172	5_2_0459F172
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_045E516C	5_2_045E516C
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_045BB1B0	5_2_045BB1B0
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_046512ED	5_2_046512ED
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_045CB2C0	5_2_045CB2C0
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_045B52A0	5_2_045B52A0
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_0459D34C	5_2_0459D34C
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_0466132D	5_2_0466132D
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_045F739A	5_2_045F739A
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_04629C32	5_2_04629C32
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_0466FCF2	5_2_0466FCF2
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_04667D73	5_2_04667D73
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_045B3D40	5_2_045B3D40
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_04661D5A	5_2_04661D5A
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_045CFDC0	5_2_045CFDC0
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_045B9EB0	5_2_045B9EB0
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_0466FF09	5_2_0466FF09
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_04573FD5	5_2_04573FD5
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_04573FD2	5_2_04573FD2
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_045B1F92	5_2_045B1F92
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_0466FFB1	5_2_0466FFB1
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_0461D800	5_2_0461D800
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_045B38E0	5_2_045B38E0
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_045B9950	5_2_045B9950
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_045CB950	5_2_045CB950
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_04645910	5_2_04645910
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_04623A6C	5_2_04623A6C
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_04667A46	5_2_04667A46
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_0466FA49	5_2_0466FA49
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_0465DAC6	5_2_0465DAC6
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_04651AA3	5_2_04651AA3
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_0464DAAC	5_2_0464DAAC
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_045F5AA0	5_2_045F5AA0
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_0466FB76	5_2_0466FB76
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_04625BF0	5_2_04625BF0
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_045EDBF9	5_2_045EDBF9
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_045CFB80	5_2_045CFB80
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_003B1FC0	5_2_003B1FC0
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_003ACE80	5_2_003ACE80
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_003AB0B0	5_2_003AB0B0
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_003AD0A0	5_2_003AD0A0
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_003AB1F6	5_2_003AB1F6
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_003AB200	5_2_003AB200
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_003B5640	5_2_003B5640
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_003B3840	5_2_003B3840
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_003CBB80	5_2_003CBB80
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_043BE77C	5_2_043BE77C
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_043BE2C4	5_2_043BE2C4
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_043BE3E3	5_2_043BE3E3
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_043BD848	5_2_043BD848
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_043BE8FE	5_2_043BE8FE
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_043BCA69	5_2_043BCA69
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_043BCAE8	5_2_043BCAE8

Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03287E54 appears 98 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03275130 appears 36 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 0322B970 appears 272 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 032AEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 032BF290 appears 105 times
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: String function: 0461EA12 appears 86 times
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: String function: 045F7E54 appears 102 times
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: String function: 0459B970 appears 278 times
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: String function: 0462F290 appears 105 times
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: String function: 045E5130 appears 58 times
Source: C:\Users\user\Desktop\iJIXzyHnSe.exe	Code function: String function: 00FC0AE3 appears 70 times
Source: C:\Users\user\Desktop\iJIXzyHnSe.exe	Code function: String function: 00FC8900 appears 42 times
Source: C:\Users\user\Desktop\iJIXzyHnSe.exe	Code function: String function: 00FA7DE1 appears 35 times

Source: iJIXzyHnSe.exe, 00000000.00000003.1337910696.0000000003FC3000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs iJIXzyHnSe.exe
Source: iJIXzyHnSe.exe, 00000000.00000003.1338470491.000000000416D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs iJIXzyHnSe.exe

Source: iJIXzyHnSe.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/5@7/5

Source: C:\Users\user\Desktop\iJIXzyHnSe.exe

Code function: 0_2_0100A06A GetLastError,FormatMessageW,

0_2_0100A06A

Source: C:\Users\user\Desktop\iJIXzyHnSe.exe	Code function: 0_2_00FF81CB AdjustTokenPrivileges,CloseHandle,		0_2_00FF81CB
Source: C:\Users\user\Desktop\iJIXzyHnSe.exe	Code function: 0_2_00FF87E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_00FF87E1

Source: C:\Users\user\Desktop\iJIXzyHnSe.exe

Code function: 0_2_0100B333 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_0100B333

Source: C:\Users\user\Desktop\iJIXzyHnSe.exe

Code function: 0_2_0101EE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0101EE0D

Source: C:\Users\user\Desktop\iJIXzyHnSe.exe

Code function: 0_2_0100C397 CoInitialize,CoCreateInstance,CoUninitialize,

0_2_0100C397

Source: C:\Users\user\Desktop\iJIXzyHnSe.exe

Code function: 0_2_00FA4E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00FA4E89

Source: C:\Users\user\Desktop\iJIXzyHnSe.exe

File created: C:\Users\user\AppData\Local\Temp\autDFB5.tmp

Jump to behavior

Source: iJIXzyHnSe.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\iJIXzyHnSe.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: TSTheme.exe, 00000005.00000002.2586774749.00000000007C6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINXg\|ENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: TSTheme.exe, 00000005.00000002.2586774749.000000000078F000.00000004.00000020.00020000.00000000.sdmp, TSTheme.exe, 00000005.00000002.2586774749.00000000007B0000.00000004.00000020.00020000.00000000.sdmp, TSTheme.exe, 00000005.00000002.2586774749.00000000007E6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: iJIXzyHnSe.exe	Virustotal: Detection: 69%
Source: iJIXzyHnSe.exe	ReversingLabs: Detection: 63%

Source: unknown	Process created: C:\Users\user\Desktop\iJIXzyHnSe.exe "C:\Users\user\Desktop\iJIXzyHnSe.exe"
Source: C:\Users\user\Desktop\iJIXzyHnSe.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\iJIXzyHnSe.exe"
Source: C:\Program Files (x86)\xNHhtGBnZfLNOesumZqoiiakWVbYYoxjSHfKxxvxClP\Mevt3bFU1HpLudwL.exe	Process created: C:\Windows\SysWOW64\TSTheme.exe "C:\Windows\SysWOW64\TSTheme.exe"
Source: C:\Windows\SysWOW64\TSTheme.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\iJIXzyHnSe.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\iJIXzyHnSe.exe"	Jump to behavior
Source: C:\Program Files (x86)\xNHhtGBnZfLNOesumZqoiiakWVbYYoxjSHfKxxvxClP\Mevt3bFU1HpLudwL.exe	Process created: C:\Windows\SysWOW64\TSTheme.exe "C:\Windows\SysWOW64\TSTheme.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\TSTheme.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\iJIXzyHnSe.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\iJIXzyHnSe.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\iJIXzyHnSe.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\iJIXzyHnSe.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\iJIXzyHnSe.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\iJIXzyHnSe.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\iJIXzyHnSe.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\iJIXzyHnSe.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\iJIXzyHnSe.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\iJIXzyHnSe.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\iJIXzyHnSe.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\iJIXzyHnSe.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\TSTheme.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\TSTheme.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\TSTheme.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\TSTheme.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\TSTheme.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\TSTheme.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\TSTheme.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\TSTheme.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\TSTheme.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\TSTheme.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\TSTheme.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\TSTheme.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\TSTheme.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\TSTheme.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\TSTheme.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\TSTheme.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\TSTheme.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\TSTheme.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\TSTheme.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\TSTheme.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\TSTheme.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\TSTheme.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\TSTheme.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\xNHhtGBnZfLNOesumZqoiiakWVbYYoxjSHfKxxvxClP\Mevt3bFU1HpLudwL.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\xNHhtGBnZfLNOesumZqoiiakWVbYYoxjSHfKxxvxClP\Mevt3bFU1HpLudwL.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\xNHhtGBnZfLNOesumZqoiiakWVbYYoxjSHfKxxvxClP\Mevt3bFU1HpLudwL.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\xNHhtGBnZfLNOesumZqoiiakWVbYYoxjSHfKxxvxClP\Mevt3bFU1HpLudwL.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\xNHhtGBnZfLNOesumZqoiiakWVbYYoxjSHfKxxvxClP\Mevt3bFU1HpLudwL.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\xNHhtGBnZfLNOesumZqoiiakWVbYYoxjSHfKxxvxClP\Mevt3bFU1HpLudwL.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Windows\SysWOW64\TSTheme.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\TSTheme.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Jump to behavior

Source: iJIXzyHnSe.exe

Static file information: File size 1211392 > 1048576

Source: iJIXzyHnSe.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: iJIXzyHnSe.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: iJIXzyHnSe.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: iJIXzyHnSe.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: iJIXzyHnSe.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: iJIXzyHnSe.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: iJIXzyHnSe.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: TSTheme.pdb source: svchost.exe, 00000001.00000003.1656208925.0000000002C1A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1656267491.0000000002C3B000.00000004.00000020.00020000.00000000.sdmp, Mevt3bFU1HpLudwL.exe, 00000004.00000002.2587322340.000000000105E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: iJIXzyHnSe.exe, 00000000.00000003.1338028593.0000000004040000.00000004.00001000.00020000.00000000.sdmp, iJIXzyHnSe.exe, 00000000.00000003.1336186797.0000000003E50000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1583203958.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1688100189.000000000339E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1581383537.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1688100189.0000000003200000.00000040.00001000.00020000.00000000.sdmp, TSTheme.exe, 00000005.00000003.1688263359.0000000004205000.00000004.00000020.00020000.00000000.sdmp, TSTheme.exe, 00000005.00000002.2588019678.0000000004570000.00000040.00001000.00020000.00000000.sdmp, TSTheme.exe, 00000005.00000003.1695203817.00000000043BE000.00000004.00000020.00020000.00000000.sdmp, TSTheme.exe, 00000005.00000002.2588019678.000000000470E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: iJIXzyHnSe.exe, 00000000.00000003.1338028593.0000000004040000.00000004.00001000.00020000.00000000.sdmp, iJIXzyHnSe.exe, 00000000.00000003.1336186797.0000000003E50000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000003.1583203958.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1688100189.000000000339E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1581383537.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1688100189.0000000003200000.00000040.00001000.00020000.00000000.sdmp, TSTheme.exe, TSTheme.exe, 00000005.00000003.1688263359.0000000004205000.00000004.00000020.00020000.00000000.sdmp, TSTheme.exe, 00000005.00000002.2588019678.0000000004570000.00000040.00001000.00020000.00000000.sdmp, TSTheme.exe, 00000005.00000003.1695203817.00000000043BE000.00000004.00000020.00020000.00000000.sdmp, TSTheme.exe, 00000005.00000002.2588019678.000000000470E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: TSTheme.pdbGCTL source: svchost.exe, 00000001.00000003.1656208925.0000000002C1A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1656267491.0000000002C3B000.00000004.00000020.00020000.00000000.sdmp, Mevt3bFU1HpLudwL.exe, 00000004.00000002.2587322340.000000000105E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: TSTheme.exe, 00000005.00000002.2588600487.0000000004B9C000.00000004.10000000.00040000.00000000.sdmp, TSTheme.exe, 00000005.00000002.2586774749.0000000000736000.00000004.00000020.00020000.00000000.sdmp, Mevt3bFU1HpLudwL.exe, 00000006.00000002.2588329125.000000000308C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000007.00000002.1989877917.00000000062FC000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: TSTheme.exe, 00000005.00000002.2588600487.0000000004B9C000.00000004.10000000.00040000.00000000.sdmp, TSTheme.exe, 00000005.00000002.2586774749.0000000000736000.00000004.00000020.00020000.00000000.sdmp, Mevt3bFU1HpLudwL.exe, 00000006.00000002.2588329125.000000000308C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000007.00000002.1989877917.00000000062FC000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: Mevt3bFU1HpLudwL.exe, 00000004.00000002.2587184569.0000000000CBF000.00000002.00000001.01000000.00000004.sdmp, Mevt3bFU1HpLudwL.exe, 00000006.00000002.2586779777.0000000000CBF000.00000002.00000001.01000000.00000004.sdmp

Source: iJIXzyHnSe.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: iJIXzyHnSe.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: iJIXzyHnSe.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: iJIXzyHnSe.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: iJIXzyHnSe.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\iJIXzyHnSe.exe

Code function: 0_2_00FA4B37 LoadLibraryA,GetProcAddress,

0_2_00FA4B37

Source: C:\Users\user\Desktop\iJIXzyHnSe.exe	Code function: 0_2_00FC8945 push ecx; ret	0_2_00FC8958
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00531A00 push ecx; ret	1_2_00531A42
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00539919 push ds; ret	1_2_0053991A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00531A44 push ecx; ret	1_2_00531A42
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00533330 push eax; ret	1_2_00533332
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00541CBC push eax; ret	1_2_00541CBD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00534D0B push ss; ret	1_2_00534D0F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00545DD3 push esi; ret	1_2_00545DDE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00548EB3 push esp; ret	1_2_00548F3E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00548EAC push esp; ret	1_2_00548F3E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0053D770 push es; ret	1_2_0053D78B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_005317D1 push FFFFFFCFh; iretd	1_2_005317D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0053D79B push es; ret	1_2_0053D78B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032309AD push ecx; mov dword ptr [esp], ecx	1_2_032309B6
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_045727FA pushad ; ret	5_2_045727F9
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_0457225F pushad ; ret	5_2_045727F9
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_0457283D push eax; iretd	5_2_04572858
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_045A09AD push ecx; mov dword ptr [esp], ecx	5_2_045A09B6
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_003BC0E2 push eax; iretd	5_2_003BC0E3
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_003BC21F push ebx; ret	5_2_003BC220
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_003A65E6 push ds; ret	5_2_003A65E7
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_003AE989 push eax; ret	5_2_003AE98A
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_003B2AA0 push esi; ret	5_2_003B2AAB
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_003A19D8 push ss; ret	5_2_003A19DC
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_003B5B79 push esp; ret	5_2_003B5C0B
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_003B5B80 push esp; ret	5_2_003B5C0B
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_003C3F10 push ds; iretd	5_2_003C3FA3
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_043BB40F push edx; iretd	5_2_043BB44C
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_043B451C push ds; iretd	5_2_043B451E
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_043B973E push esi; retf	5_2_043B9744
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_043B51BC push E247E69Eh; iretd	5_2_043B51C7

Hooking and other Techniques for Hiding and Protection

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Source: initial sample

Icon embedded in binary file: icon matches a legit application icon: download (132).png

Source: C:\Users\user\Desktop\iJIXzyHnSe.exe	Code function: 0_2_00FA48D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00FA48D7
Source: C:\Users\user\Desktop\iJIXzyHnSe.exe	Code function: 0_2_01025376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_01025376

Source: C:\Users\user\Desktop\iJIXzyHnSe.exe

Code function: 0_2_00FC3187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00FC3187

Source: C:\Users\user\Desktop\iJIXzyHnSe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iJIXzyHnSe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\TSTheme.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\TSTheme.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\TSTheme.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\TSTheme.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\TSTheme.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\iJIXzyHnSe.exe	API/Special instruction interceptor: Address: 15D3284
Source: C:\Windows\SysWOW64\TSTheme.exe	API/Special instruction interceptor: Address: 7FF84F7AD324
Source: C:\Windows\SysWOW64\TSTheme.exe	API/Special instruction interceptor: Address: 7FF84F7AD7E4
Source: C:\Windows\SysWOW64\TSTheme.exe	API/Special instruction interceptor: Address: 7FF84F7AD944
Source: C:\Windows\SysWOW64\TSTheme.exe	API/Special instruction interceptor: Address: 7FF84F7AD504
Source: C:\Windows\SysWOW64\TSTheme.exe	API/Special instruction interceptor: Address: 7FF84F7AD544
Source: C:\Windows\SysWOW64\TSTheme.exe	API/Special instruction interceptor: Address: 7FF84F7AD1E4
Source: C:\Windows\SysWOW64\TSTheme.exe	API/Special instruction interceptor: Address: 7FF84F7B0154
Source: C:\Windows\SysWOW64\TSTheme.exe	API/Special instruction interceptor: Address: 7FF84F7ADA44

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 1_2_032AD1C0 rdtsc

1_2_032AD1C0

Source: C:\Windows\SysWOW64\TSTheme.exe	Window / User API: threadDelayed 1915			Jump to behavior
Source: C:\Windows\SysWOW64\TSTheme.exe	Window / User API: threadDelayed 8058			Jump to behavior

Source: C:\Users\user\Desktop\iJIXzyHnSe.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-105228

Source: C:\Users\user\Desktop\iJIXzyHnSe.exe	API coverage: 5.1 %
Source: C:\Windows\SysWOW64\svchost.exe	API coverage: 0.7 %
Source: C:\Windows\SysWOW64\TSTheme.exe	API coverage: 2.7 %

Source: C:\Windows\SysWOW64\TSTheme.exe TID: 3620	Thread sleep count: 1915 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\TSTheme.exe TID: 3620	Thread sleep time: -3830000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\TSTheme.exe TID: 3620	Thread sleep count: 8058 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\TSTheme.exe TID: 3620	Thread sleep time: -16116000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\xNHhtGBnZfLNOesumZqoiiakWVbYYoxjSHfKxxvxClP\Mevt3bFU1HpLudwL.exe TID: 1780	Thread sleep time: -35000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\TSTheme.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\TSTheme.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\iJIXzyHnSe.exe	Code function: 0_2_0100445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0100445A
Source: C:\Users\user\Desktop\iJIXzyHnSe.exe	Code function: 0_2_0100C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_0100C75C
Source: C:\Users\user\Desktop\iJIXzyHnSe.exe	Code function: 0_2_0100C6D1 FindFirstFileW,FindClose,	0_2_0100C6D1
Source: C:\Users\user\Desktop\iJIXzyHnSe.exe	Code function: 0_2_0100EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0100EF95
Source: C:\Users\user\Desktop\iJIXzyHnSe.exe	Code function: 0_2_0100F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0100F0F2
Source: C:\Users\user\Desktop\iJIXzyHnSe.exe	Code function: 0_2_0100F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0100F3F3
Source: C:\Users\user\Desktop\iJIXzyHnSe.exe	Code function: 0_2_010037EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_010037EF
Source: C:\Users\user\Desktop\iJIXzyHnSe.exe	Code function: 0_2_01003B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_01003B12
Source: C:\Users\user\Desktop\iJIXzyHnSe.exe	Code function: 0_2_0100BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0100BCBC
Source: C:\Windows\SysWOW64\TSTheme.exe	Code function: 5_2_003BC800 FindFirstFileW,FindNextFileW,FindClose,	5_2_003BC800

Source: C:\Users\user\Desktop\iJIXzyHnSe.exe

Code function: 0_2_00FA49A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00FA49A0

Source: TSTheme.exe, 00000005.00000002.2590356738.00000000076BF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: pageVMware20,11696428655K
Source: 0d155000.5.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: TSTheme.exe, 00000005.00000002.2590356738.00000000076BF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PasswordVMware20,1169642
Source: 0d155000.5.dr	Binary or memory string: discord.comVMware20,11696428655f
Source: 0d155000.5.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: 0d155000.5.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: 0d155000.5.dr	Binary or memory string: global block list test formVMware20,11696428655
Source: 0d155000.5.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: TSTheme.exe, 00000005.00000002.2590356738.00000000076BF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: date_modifiedINTEGERrokers.comVMware20,1169642
Source: TSTheme.exe, 00000005.00000002.2590356738.00000000076BF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: blocklistVMware20,11696428655
Source: 0d155000.5.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: 0d155000.5.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: 0d155000.5.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: TSTheme.exe, 00000005.00000002.2590356738.00000000076BF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: rokers.comVMware20,1169642
Source: TSTheme.exe, 00000005.00000002.2590356738.00000000076BF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: rs.co.inVMware20,11696422
Source: 0d155000.5.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: TSTheme.exe, 00000005.00000002.2590356738.00000000076BF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,s
Source: 0d155000.5.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: 0d155000.5.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: 0d155000.5.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: 0d155000.5.dr	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: 0d155000.5.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: Mevt3bFU1HpLudwL.exe, 00000006.00000002.2587481611.00000000011B9000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000007.00000002.1991505107.000001EEC635C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: 0d155000.5.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: 0d155000.5.dr	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: 0d155000.5.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: 0d155000.5.dr	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: TSTheme.exe, 00000005.00000002.2586774749.0000000000736000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll6
Source: 0d155000.5.dr	Binary or memory string: AMC password management pageVMware20,11696428655
Source: TSTheme.exe, 00000005.00000002.2590356738.00000000076BF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: rs.comVMware20,116964286
Source: 0d155000.5.dr	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: 0d155000.5.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: 0d155000.5.dr	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: 0d155000.5.dr	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: TSTheme.exe, 00000005.00000002.2590356738.00000000076BF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: zure.comVMware20,1169642
Source: 0d155000.5.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: TSTheme.exe, 00000005.00000002.2590356738.00000000076BF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: upageVMware20,11696428655K
Source: 0d155000.5.dr	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: 0d155000.5.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: 0d155000.5.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: 0d155000.5.dr	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: TSTheme.exe, 00000005.00000002.2590356738.00000000076BF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ansaction PasswordVMware
Source: 0d155000.5.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: 0d155000.5.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655

Source: C:\Users\user\Desktop\iJIXzyHnSe.exe	API call chain: ExitProcess graph end node			graph_0-104344
Source: C:\Users\user\Desktop\iJIXzyHnSe.exe	API call chain: ExitProcess graph end node			graph_0-105334

Source: C:\Windows\SysWOW64\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\TSTheme.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 1_2_032AD1C0 rdtsc

1_2_032AD1C0

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 1_2_00547B03 LdrLoadDll,

1_2_00547B03

Source: C:\Users\user\Desktop\iJIXzyHnSe.exe

Code function: 0_2_01013F09 BlockInput,

0_2_01013F09

Source: C:\Users\user\Desktop\iJIXzyHnSe.exe

Code function: 0_2_00FA3B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00FA3B3A

Source: C:\Users\user\Desktop\iJIXzyHnSe.exe

Code function: 0_2_00FD5A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_00FD5A7C

Source: C:\Users\user\Desktop\iJIXzyHnSe.exe

Code function: 0_2_00FA4B37 LoadLibraryA,GetProcAddress,

0_2_00FA4B37

Source: C:\Users\user\Desktop\iJIXzyHnSe.exe	Code function: 0_2_015D3550 mov eax, dword ptr fs:[00000030h]	0_2_015D3550
Source: C:\Users\user\Desktop\iJIXzyHnSe.exe	Code function: 0_2_015D34F0 mov eax, dword ptr fs:[00000030h]	0_2_015D34F0
Source: C:\Users\user\Desktop\iJIXzyHnSe.exe	Code function: 0_2_015D1E70 mov eax, dword ptr fs:[00000030h]	0_2_015D1E70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032F132D mov eax, dword ptr fs:[00000030h]	1_2_032F132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032F132D mov eax, dword ptr fs:[00000030h]	1_2_032F132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0325F32A mov eax, dword ptr fs:[00000030h]	1_2_0325F32A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03227330 mov eax, dword ptr fs:[00000030h]	1_2_03227330
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B930B mov eax, dword ptr fs:[00000030h]	1_2_032B930B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B930B mov eax, dword ptr fs:[00000030h]	1_2_032B930B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B930B mov eax, dword ptr fs:[00000030h]	1_2_032B930B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0326A30B mov eax, dword ptr fs:[00000030h]	1_2_0326A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0326A30B mov eax, dword ptr fs:[00000030h]	1_2_0326A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0326A30B mov eax, dword ptr fs:[00000030h]	1_2_0326A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0322C310 mov ecx, dword ptr fs:[00000030h]	1_2_0322C310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03250310 mov ecx, dword ptr fs:[00000030h]	1_2_03250310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032EF367 mov eax, dword ptr fs:[00000030h]	1_2_032EF367
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032D437C mov eax, dword ptr fs:[00000030h]	1_2_032D437C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03237370 mov eax, dword ptr fs:[00000030h]	1_2_03237370
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03237370 mov eax, dword ptr fs:[00000030h]	1_2_03237370
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03237370 mov eax, dword ptr fs:[00000030h]	1_2_03237370
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B2349 mov eax, dword ptr fs:[00000030h]	1_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B2349 mov eax, dword ptr fs:[00000030h]	1_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B2349 mov eax, dword ptr fs:[00000030h]	1_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B2349 mov eax, dword ptr fs:[00000030h]	1_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B2349 mov eax, dword ptr fs:[00000030h]	1_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B2349 mov eax, dword ptr fs:[00000030h]	1_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B2349 mov eax, dword ptr fs:[00000030h]	1_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B2349 mov eax, dword ptr fs:[00000030h]	1_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B2349 mov eax, dword ptr fs:[00000030h]	1_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B2349 mov eax, dword ptr fs:[00000030h]	1_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B2349 mov eax, dword ptr fs:[00000030h]	1_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B2349 mov eax, dword ptr fs:[00000030h]	1_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B2349 mov eax, dword ptr fs:[00000030h]	1_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B2349 mov eax, dword ptr fs:[00000030h]	1_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B2349 mov eax, dword ptr fs:[00000030h]	1_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0322D34C mov eax, dword ptr fs:[00000030h]	1_2_0322D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0322D34C mov eax, dword ptr fs:[00000030h]	1_2_0322D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03305341 mov eax, dword ptr fs:[00000030h]	1_2_03305341
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03229353 mov eax, dword ptr fs:[00000030h]	1_2_03229353
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03229353 mov eax, dword ptr fs:[00000030h]	1_2_03229353
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B035C mov eax, dword ptr fs:[00000030h]	1_2_032B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B035C mov eax, dword ptr fs:[00000030h]	1_2_032B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B035C mov eax, dword ptr fs:[00000030h]	1_2_032B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B035C mov ecx, dword ptr fs:[00000030h]	1_2_032B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B035C mov eax, dword ptr fs:[00000030h]	1_2_032B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B035C mov eax, dword ptr fs:[00000030h]	1_2_032B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032FA352 mov eax, dword ptr fs:[00000030h]	1_2_032FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032533A5 mov eax, dword ptr fs:[00000030h]	1_2_032533A5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032633A0 mov eax, dword ptr fs:[00000030h]	1_2_032633A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032633A0 mov eax, dword ptr fs:[00000030h]	1_2_032633A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0322E388 mov eax, dword ptr fs:[00000030h]	1_2_0322E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0322E388 mov eax, dword ptr fs:[00000030h]	1_2_0322E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0322E388 mov eax, dword ptr fs:[00000030h]	1_2_0322E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0325438F mov eax, dword ptr fs:[00000030h]	1_2_0325438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0325438F mov eax, dword ptr fs:[00000030h]	1_2_0325438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0330539D mov eax, dword ptr fs:[00000030h]	1_2_0330539D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0328739A mov eax, dword ptr fs:[00000030h]	1_2_0328739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0328739A mov eax, dword ptr fs:[00000030h]	1_2_0328739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03228397 mov eax, dword ptr fs:[00000030h]	1_2_03228397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03228397 mov eax, dword ptr fs:[00000030h]	1_2_03228397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03228397 mov eax, dword ptr fs:[00000030h]	1_2_03228397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032EF3E6 mov eax, dword ptr fs:[00000030h]	1_2_032EF3E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033053FC mov eax, dword ptr fs:[00000030h]	1_2_033053FC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032403E9 mov eax, dword ptr fs:[00000030h]	1_2_032403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032403E9 mov eax, dword ptr fs:[00000030h]	1_2_032403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032403E9 mov eax, dword ptr fs:[00000030h]	1_2_032403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032403E9 mov eax, dword ptr fs:[00000030h]	1_2_032403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032403E9 mov eax, dword ptr fs:[00000030h]	1_2_032403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032403E9 mov eax, dword ptr fs:[00000030h]	1_2_032403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032403E9 mov eax, dword ptr fs:[00000030h]	1_2_032403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032403E9 mov eax, dword ptr fs:[00000030h]	1_2_032403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0324E3F0 mov eax, dword ptr fs:[00000030h]	1_2_0324E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0324E3F0 mov eax, dword ptr fs:[00000030h]	1_2_0324E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0324E3F0 mov eax, dword ptr fs:[00000030h]	1_2_0324E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032663FF mov eax, dword ptr fs:[00000030h]	1_2_032663FF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032EC3CD mov eax, dword ptr fs:[00000030h]	1_2_032EC3CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0323A3C0 mov eax, dword ptr fs:[00000030h]	1_2_0323A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0323A3C0 mov eax, dword ptr fs:[00000030h]	1_2_0323A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0323A3C0 mov eax, dword ptr fs:[00000030h]	1_2_0323A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0323A3C0 mov eax, dword ptr fs:[00000030h]	1_2_0323A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0323A3C0 mov eax, dword ptr fs:[00000030h]	1_2_0323A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0323A3C0 mov eax, dword ptr fs:[00000030h]	1_2_0323A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032383C0 mov eax, dword ptr fs:[00000030h]	1_2_032383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032383C0 mov eax, dword ptr fs:[00000030h]	1_2_032383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032383C0 mov eax, dword ptr fs:[00000030h]	1_2_032383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032383C0 mov eax, dword ptr fs:[00000030h]	1_2_032383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B63C0 mov eax, dword ptr fs:[00000030h]	1_2_032B63C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032EB3D0 mov ecx, dword ptr fs:[00000030h]	1_2_032EB3D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03305227 mov eax, dword ptr fs:[00000030h]	1_2_03305227
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0322823B mov eax, dword ptr fs:[00000030h]	1_2_0322823B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03267208 mov eax, dword ptr fs:[00000030h]	1_2_03267208
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03267208 mov eax, dword ptr fs:[00000030h]	1_2_03267208
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03234260 mov eax, dword ptr fs:[00000030h]	1_2_03234260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03234260 mov eax, dword ptr fs:[00000030h]	1_2_03234260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03234260 mov eax, dword ptr fs:[00000030h]	1_2_03234260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032FD26B mov eax, dword ptr fs:[00000030h]	1_2_032FD26B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032FD26B mov eax, dword ptr fs:[00000030h]	1_2_032FD26B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0322826B mov eax, dword ptr fs:[00000030h]	1_2_0322826B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03259274 mov eax, dword ptr fs:[00000030h]	1_2_03259274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03271270 mov eax, dword ptr fs:[00000030h]	1_2_03271270
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03271270 mov eax, dword ptr fs:[00000030h]	1_2_03271270
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032E0274 mov eax, dword ptr fs:[00000030h]	1_2_032E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032E0274 mov eax, dword ptr fs:[00000030h]	1_2_032E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032E0274 mov eax, dword ptr fs:[00000030h]	1_2_032E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032E0274 mov eax, dword ptr fs:[00000030h]	1_2_032E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032E0274 mov eax, dword ptr fs:[00000030h]	1_2_032E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032E0274 mov eax, dword ptr fs:[00000030h]	1_2_032E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032E0274 mov eax, dword ptr fs:[00000030h]	1_2_032E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032E0274 mov eax, dword ptr fs:[00000030h]	1_2_032E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032E0274 mov eax, dword ptr fs:[00000030h]	1_2_032E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032E0274 mov eax, dword ptr fs:[00000030h]	1_2_032E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032E0274 mov eax, dword ptr fs:[00000030h]	1_2_032E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032E0274 mov eax, dword ptr fs:[00000030h]	1_2_032E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03229240 mov eax, dword ptr fs:[00000030h]	1_2_03229240
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03229240 mov eax, dword ptr fs:[00000030h]	1_2_03229240
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B8243 mov eax, dword ptr fs:[00000030h]	1_2_032B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B8243 mov ecx, dword ptr fs:[00000030h]	1_2_032B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0326724D mov eax, dword ptr fs:[00000030h]	1_2_0326724D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0322A250 mov eax, dword ptr fs:[00000030h]	1_2_0322A250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032EB256 mov eax, dword ptr fs:[00000030h]	1_2_032EB256
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032EB256 mov eax, dword ptr fs:[00000030h]	1_2_032EB256
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03236259 mov eax, dword ptr fs:[00000030h]	1_2_03236259
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032BD250 mov ecx, dword ptr fs:[00000030h]	1_2_032BD250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032402A0 mov eax, dword ptr fs:[00000030h]	1_2_032402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032402A0 mov eax, dword ptr fs:[00000030h]	1_2_032402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032452A0 mov eax, dword ptr fs:[00000030h]	1_2_032452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032452A0 mov eax, dword ptr fs:[00000030h]	1_2_032452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032452A0 mov eax, dword ptr fs:[00000030h]	1_2_032452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032452A0 mov eax, dword ptr fs:[00000030h]	1_2_032452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032F92A6 mov eax, dword ptr fs:[00000030h]	1_2_032F92A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032F92A6 mov eax, dword ptr fs:[00000030h]	1_2_032F92A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032F92A6 mov eax, dword ptr fs:[00000030h]	1_2_032F92A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032F92A6 mov eax, dword ptr fs:[00000030h]	1_2_032F92A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032C62A0 mov eax, dword ptr fs:[00000030h]	1_2_032C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032C62A0 mov ecx, dword ptr fs:[00000030h]	1_2_032C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032C62A0 mov eax, dword ptr fs:[00000030h]	1_2_032C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032C62A0 mov eax, dword ptr fs:[00000030h]	1_2_032C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032C62A0 mov eax, dword ptr fs:[00000030h]	1_2_032C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032C62A0 mov eax, dword ptr fs:[00000030h]	1_2_032C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032C72A0 mov eax, dword ptr fs:[00000030h]	1_2_032C72A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032C72A0 mov eax, dword ptr fs:[00000030h]	1_2_032C72A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B92BC mov eax, dword ptr fs:[00000030h]	1_2_032B92BC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B92BC mov eax, dword ptr fs:[00000030h]	1_2_032B92BC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B92BC mov ecx, dword ptr fs:[00000030h]	1_2_032B92BC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B92BC mov ecx, dword ptr fs:[00000030h]	1_2_032B92BC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0326E284 mov eax, dword ptr fs:[00000030h]	1_2_0326E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0326E284 mov eax, dword ptr fs:[00000030h]	1_2_0326E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B0283 mov eax, dword ptr fs:[00000030h]	1_2_032B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B0283 mov eax, dword ptr fs:[00000030h]	1_2_032B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B0283 mov eax, dword ptr fs:[00000030h]	1_2_032B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03305283 mov eax, dword ptr fs:[00000030h]	1_2_03305283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0326329E mov eax, dword ptr fs:[00000030h]	1_2_0326329E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0326329E mov eax, dword ptr fs:[00000030h]	1_2_0326329E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032E12ED mov eax, dword ptr fs:[00000030h]	1_2_032E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032E12ED mov eax, dword ptr fs:[00000030h]	1_2_032E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032E12ED mov eax, dword ptr fs:[00000030h]	1_2_032E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032E12ED mov eax, dword ptr fs:[00000030h]	1_2_032E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032E12ED mov eax, dword ptr fs:[00000030h]	1_2_032E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032E12ED mov eax, dword ptr fs:[00000030h]	1_2_032E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032E12ED mov eax, dword ptr fs:[00000030h]	1_2_032E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032E12ED mov eax, dword ptr fs:[00000030h]	1_2_032E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032E12ED mov eax, dword ptr fs:[00000030h]	1_2_032E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032E12ED mov eax, dword ptr fs:[00000030h]	1_2_032E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032E12ED mov eax, dword ptr fs:[00000030h]	1_2_032E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032E12ED mov eax, dword ptr fs:[00000030h]	1_2_032E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032E12ED mov eax, dword ptr fs:[00000030h]	1_2_032E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032E12ED mov eax, dword ptr fs:[00000030h]	1_2_032E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032402E1 mov eax, dword ptr fs:[00000030h]	1_2_032402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032402E1 mov eax, dword ptr fs:[00000030h]	1_2_032402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032402E1 mov eax, dword ptr fs:[00000030h]	1_2_032402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033052E2 mov eax, dword ptr fs:[00000030h]	1_2_033052E2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032EF2F8 mov eax, dword ptr fs:[00000030h]	1_2_032EF2F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032292FF mov eax, dword ptr fs:[00000030h]	1_2_032292FF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0323A2C3 mov eax, dword ptr fs:[00000030h]	1_2_0323A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0323A2C3 mov eax, dword ptr fs:[00000030h]	1_2_0323A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0323A2C3 mov eax, dword ptr fs:[00000030h]	1_2_0323A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0323A2C3 mov eax, dword ptr fs:[00000030h]	1_2_0323A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0323A2C3 mov eax, dword ptr fs:[00000030h]	1_2_0323A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0325B2C0 mov eax, dword ptr fs:[00000030h]	1_2_0325B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0325B2C0 mov eax, dword ptr fs:[00000030h]	1_2_0325B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0325B2C0 mov eax, dword ptr fs:[00000030h]	1_2_0325B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0325B2C0 mov eax, dword ptr fs:[00000030h]	1_2_0325B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0325B2C0 mov eax, dword ptr fs:[00000030h]	1_2_0325B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0325B2C0 mov eax, dword ptr fs:[00000030h]	1_2_0325B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0325B2C0 mov eax, dword ptr fs:[00000030h]	1_2_0325B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032392C5 mov eax, dword ptr fs:[00000030h]	1_2_032392C5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032392C5 mov eax, dword ptr fs:[00000030h]	1_2_032392C5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0322B2D3 mov eax, dword ptr fs:[00000030h]	1_2_0322B2D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0322B2D3 mov eax, dword ptr fs:[00000030h]	1_2_0322B2D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0322B2D3 mov eax, dword ptr fs:[00000030h]	1_2_0322B2D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0325F2D0 mov eax, dword ptr fs:[00000030h]	1_2_0325F2D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0325F2D0 mov eax, dword ptr fs:[00000030h]	1_2_0325F2D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03260124 mov eax, dword ptr fs:[00000030h]	1_2_03260124
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03231131 mov eax, dword ptr fs:[00000030h]	1_2_03231131
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03231131 mov eax, dword ptr fs:[00000030h]	1_2_03231131
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0322B136 mov eax, dword ptr fs:[00000030h]	1_2_0322B136
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0322B136 mov eax, dword ptr fs:[00000030h]	1_2_0322B136
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0322B136 mov eax, dword ptr fs:[00000030h]	1_2_0322B136
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0322B136 mov eax, dword ptr fs:[00000030h]	1_2_0322B136
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032DA118 mov ecx, dword ptr fs:[00000030h]	1_2_032DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032DA118 mov eax, dword ptr fs:[00000030h]	1_2_032DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032DA118 mov eax, dword ptr fs:[00000030h]	1_2_032DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032DA118 mov eax, dword ptr fs:[00000030h]	1_2_032DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032F0115 mov eax, dword ptr fs:[00000030h]	1_2_032F0115
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0322F172 mov eax, dword ptr fs:[00000030h]	1_2_0322F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0322F172 mov eax, dword ptr fs:[00000030h]	1_2_0322F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0322F172 mov eax, dword ptr fs:[00000030h]	1_2_0322F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0322F172 mov eax, dword ptr fs:[00000030h]	1_2_0322F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0322F172 mov eax, dword ptr fs:[00000030h]	1_2_0322F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0322F172 mov eax, dword ptr fs:[00000030h]	1_2_0322F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0322F172 mov eax, dword ptr fs:[00000030h]	1_2_0322F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0322F172 mov eax, dword ptr fs:[00000030h]	1_2_0322F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0322F172 mov eax, dword ptr fs:[00000030h]	1_2_0322F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0322F172 mov eax, dword ptr fs:[00000030h]	1_2_0322F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0322F172 mov eax, dword ptr fs:[00000030h]	1_2_0322F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0322F172 mov eax, dword ptr fs:[00000030h]	1_2_0322F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0322F172 mov eax, dword ptr fs:[00000030h]	1_2_0322F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0322F172 mov eax, dword ptr fs:[00000030h]	1_2_0322F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0322F172 mov eax, dword ptr fs:[00000030h]	1_2_0322F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0322F172 mov eax, dword ptr fs:[00000030h]	1_2_0322F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0322F172 mov eax, dword ptr fs:[00000030h]	1_2_0322F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0322F172 mov eax, dword ptr fs:[00000030h]	1_2_0322F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0322F172 mov eax, dword ptr fs:[00000030h]	1_2_0322F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0322F172 mov eax, dword ptr fs:[00000030h]	1_2_0322F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0322F172 mov eax, dword ptr fs:[00000030h]	1_2_0322F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032C9179 mov eax, dword ptr fs:[00000030h]	1_2_032C9179
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03305152 mov eax, dword ptr fs:[00000030h]	1_2_03305152
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032C4144 mov eax, dword ptr fs:[00000030h]	1_2_032C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032C4144 mov eax, dword ptr fs:[00000030h]	1_2_032C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032C4144 mov ecx, dword ptr fs:[00000030h]	1_2_032C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032C4144 mov eax, dword ptr fs:[00000030h]	1_2_032C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032C4144 mov eax, dword ptr fs:[00000030h]	1_2_032C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03229148 mov eax, dword ptr fs:[00000030h]	1_2_03229148
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03229148 mov eax, dword ptr fs:[00000030h]	1_2_03229148
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03229148 mov eax, dword ptr fs:[00000030h]	1_2_03229148
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03229148 mov eax, dword ptr fs:[00000030h]	1_2_03229148
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032C3140 mov eax, dword ptr fs:[00000030h]	1_2_032C3140
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032C3140 mov eax, dword ptr fs:[00000030h]	1_2_032C3140
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032C3140 mov eax, dword ptr fs:[00000030h]	1_2_032C3140
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03237152 mov eax, dword ptr fs:[00000030h]	1_2_03237152
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0322C156 mov eax, dword ptr fs:[00000030h]	1_2_0322C156
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032C8158 mov eax, dword ptr fs:[00000030h]	1_2_032C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03236154 mov eax, dword ptr fs:[00000030h]	1_2_03236154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03236154 mov eax, dword ptr fs:[00000030h]	1_2_03236154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032E11A4 mov eax, dword ptr fs:[00000030h]	1_2_032E11A4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032E11A4 mov eax, dword ptr fs:[00000030h]	1_2_032E11A4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032E11A4 mov eax, dword ptr fs:[00000030h]	1_2_032E11A4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032E11A4 mov eax, dword ptr fs:[00000030h]	1_2_032E11A4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0324B1B0 mov eax, dword ptr fs:[00000030h]	1_2_0324B1B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03270185 mov eax, dword ptr fs:[00000030h]	1_2_03270185
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032EC188 mov eax, dword ptr fs:[00000030h]	1_2_032EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032EC188 mov eax, dword ptr fs:[00000030h]	1_2_032EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B019F mov eax, dword ptr fs:[00000030h]	1_2_032B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B019F mov eax, dword ptr fs:[00000030h]	1_2_032B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B019F mov eax, dword ptr fs:[00000030h]	1_2_032B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B019F mov eax, dword ptr fs:[00000030h]	1_2_032B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0322A197 mov eax, dword ptr fs:[00000030h]	1_2_0322A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0322A197 mov eax, dword ptr fs:[00000030h]	1_2_0322A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0322A197 mov eax, dword ptr fs:[00000030h]	1_2_0322A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03287190 mov eax, dword ptr fs:[00000030h]	1_2_03287190
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032551EF mov eax, dword ptr fs:[00000030h]	1_2_032551EF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032551EF mov eax, dword ptr fs:[00000030h]	1_2_032551EF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032551EF mov eax, dword ptr fs:[00000030h]	1_2_032551EF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032551EF mov eax, dword ptr fs:[00000030h]	1_2_032551EF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032551EF mov eax, dword ptr fs:[00000030h]	1_2_032551EF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032551EF mov eax, dword ptr fs:[00000030h]	1_2_032551EF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032551EF mov eax, dword ptr fs:[00000030h]	1_2_032551EF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032551EF mov eax, dword ptr fs:[00000030h]	1_2_032551EF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032551EF mov eax, dword ptr fs:[00000030h]	1_2_032551EF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032551EF mov eax, dword ptr fs:[00000030h]	1_2_032551EF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032551EF mov eax, dword ptr fs:[00000030h]	1_2_032551EF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032551EF mov eax, dword ptr fs:[00000030h]	1_2_032551EF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032551EF mov eax, dword ptr fs:[00000030h]	1_2_032551EF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032351ED mov eax, dword ptr fs:[00000030h]	1_2_032351ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032D71F9 mov esi, dword ptr fs:[00000030h]	1_2_032D71F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033061E5 mov eax, dword ptr fs:[00000030h]	1_2_033061E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032601F8 mov eax, dword ptr fs:[00000030h]	1_2_032601F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032F61C3 mov eax, dword ptr fs:[00000030h]	1_2_032F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032F61C3 mov eax, dword ptr fs:[00000030h]	1_2_032F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0326D1D0 mov eax, dword ptr fs:[00000030h]	1_2_0326D1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0326D1D0 mov ecx, dword ptr fs:[00000030h]	1_2_0326D1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032AE1D0 mov eax, dword ptr fs:[00000030h]	1_2_032AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032AE1D0 mov eax, dword ptr fs:[00000030h]	1_2_032AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032AE1D0 mov ecx, dword ptr fs:[00000030h]	1_2_032AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032AE1D0 mov eax, dword ptr fs:[00000030h]	1_2_032AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032AE1D0 mov eax, dword ptr fs:[00000030h]	1_2_032AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033051CB mov eax, dword ptr fs:[00000030h]	1_2_033051CB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0322A020 mov eax, dword ptr fs:[00000030h]	1_2_0322A020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0322C020 mov eax, dword ptr fs:[00000030h]	1_2_0322C020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032F903E mov eax, dword ptr fs:[00000030h]	1_2_032F903E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032F903E mov eax, dword ptr fs:[00000030h]	1_2_032F903E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032F903E mov eax, dword ptr fs:[00000030h]	1_2_032F903E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032F903E mov eax, dword ptr fs:[00000030h]	1_2_032F903E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032C6030 mov eax, dword ptr fs:[00000030h]	1_2_032C6030
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B4000 mov ecx, dword ptr fs:[00000030h]	1_2_032B4000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0324E016 mov eax, dword ptr fs:[00000030h]	1_2_0324E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0324E016 mov eax, dword ptr fs:[00000030h]	1_2_0324E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0324E016 mov eax, dword ptr fs:[00000030h]	1_2_0324E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0324E016 mov eax, dword ptr fs:[00000030h]	1_2_0324E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B106E mov eax, dword ptr fs:[00000030h]	1_2_032B106E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03305060 mov eax, dword ptr fs:[00000030h]	1_2_03305060
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03241070 mov eax, dword ptr fs:[00000030h]	1_2_03241070
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03241070 mov ecx, dword ptr fs:[00000030h]	1_2_03241070
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03241070 mov eax, dword ptr fs:[00000030h]	1_2_03241070
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03241070 mov eax, dword ptr fs:[00000030h]	1_2_03241070
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03241070 mov eax, dword ptr fs:[00000030h]	1_2_03241070
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03241070 mov eax, dword ptr fs:[00000030h]	1_2_03241070
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03241070 mov eax, dword ptr fs:[00000030h]	1_2_03241070
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03241070 mov eax, dword ptr fs:[00000030h]	1_2_03241070
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03241070 mov eax, dword ptr fs:[00000030h]	1_2_03241070
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03241070 mov eax, dword ptr fs:[00000030h]	1_2_03241070
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03241070 mov eax, dword ptr fs:[00000030h]	1_2_03241070
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03241070 mov eax, dword ptr fs:[00000030h]	1_2_03241070
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03241070 mov eax, dword ptr fs:[00000030h]	1_2_03241070
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0325C073 mov eax, dword ptr fs:[00000030h]	1_2_0325C073
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032AD070 mov ecx, dword ptr fs:[00000030h]	1_2_032AD070
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03232050 mov eax, dword ptr fs:[00000030h]	1_2_03232050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032D705E mov ebx, dword ptr fs:[00000030h]	1_2_032D705E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032D705E mov eax, dword ptr fs:[00000030h]	1_2_032D705E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0325B052 mov eax, dword ptr fs:[00000030h]	1_2_0325B052
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B6050 mov eax, dword ptr fs:[00000030h]	1_2_032B6050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032C80A8 mov eax, dword ptr fs:[00000030h]	1_2_032C80A8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032F60B8 mov eax, dword ptr fs:[00000030h]	1_2_032F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032F60B8 mov ecx, dword ptr fs:[00000030h]	1_2_032F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0323208A mov eax, dword ptr fs:[00000030h]	1_2_0323208A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032BD080 mov eax, dword ptr fs:[00000030h]	1_2_032BD080
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032BD080 mov eax, dword ptr fs:[00000030h]	1_2_032BD080
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0322D08D mov eax, dword ptr fs:[00000030h]	1_2_0322D08D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03235096 mov eax, dword ptr fs:[00000030h]	1_2_03235096
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0325D090 mov eax, dword ptr fs:[00000030h]	1_2_0325D090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0325D090 mov eax, dword ptr fs:[00000030h]	1_2_0325D090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0326909C mov eax, dword ptr fs:[00000030h]	1_2_0326909C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032550E4 mov eax, dword ptr fs:[00000030h]	1_2_032550E4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032550E4 mov ecx, dword ptr fs:[00000030h]	1_2_032550E4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0322A0E3 mov ecx, dword ptr fs:[00000030h]	1_2_0322A0E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032380E9 mov eax, dword ptr fs:[00000030h]	1_2_032380E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B60E0 mov eax, dword ptr fs:[00000030h]	1_2_032B60E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0322C0F0 mov eax, dword ptr fs:[00000030h]	1_2_0322C0F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032720F0 mov ecx, dword ptr fs:[00000030h]	1_2_032720F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032470C0 mov eax, dword ptr fs:[00000030h]	1_2_032470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032470C0 mov ecx, dword ptr fs:[00000030h]	1_2_032470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032470C0 mov ecx, dword ptr fs:[00000030h]	1_2_032470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032470C0 mov eax, dword ptr fs:[00000030h]	1_2_032470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032470C0 mov ecx, dword ptr fs:[00000030h]	1_2_032470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032470C0 mov ecx, dword ptr fs:[00000030h]	1_2_032470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032470C0 mov eax, dword ptr fs:[00000030h]	1_2_032470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032470C0 mov eax, dword ptr fs:[00000030h]	1_2_032470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032470C0 mov eax, dword ptr fs:[00000030h]	1_2_032470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032470C0 mov eax, dword ptr fs:[00000030h]	1_2_032470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032470C0 mov eax, dword ptr fs:[00000030h]	1_2_032470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032470C0 mov eax, dword ptr fs:[00000030h]	1_2_032470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032470C0 mov eax, dword ptr fs:[00000030h]	1_2_032470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032470C0 mov eax, dword ptr fs:[00000030h]	1_2_032470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032470C0 mov eax, dword ptr fs:[00000030h]	1_2_032470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032470C0 mov eax, dword ptr fs:[00000030h]	1_2_032470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032470C0 mov eax, dword ptr fs:[00000030h]	1_2_032470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032470C0 mov eax, dword ptr fs:[00000030h]	1_2_032470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033050D9 mov eax, dword ptr fs:[00000030h]	1_2_033050D9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032AD0C0 mov eax, dword ptr fs:[00000030h]	1_2_032AD0C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032AD0C0 mov eax, dword ptr fs:[00000030h]	1_2_032AD0C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B20DE mov eax, dword ptr fs:[00000030h]	1_2_032B20DE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032590DB mov eax, dword ptr fs:[00000030h]	1_2_032590DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032EF72E mov eax, dword ptr fs:[00000030h]	1_2_032EF72E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03233720 mov eax, dword ptr fs:[00000030h]	1_2_03233720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0324F720 mov eax, dword ptr fs:[00000030h]	1_2_0324F720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0324F720 mov eax, dword ptr fs:[00000030h]	1_2_0324F720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0324F720 mov eax, dword ptr fs:[00000030h]	1_2_0324F720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032F972B mov eax, dword ptr fs:[00000030h]	1_2_032F972B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0326C720 mov eax, dword ptr fs:[00000030h]	1_2_0326C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0326C720 mov eax, dword ptr fs:[00000030h]	1_2_0326C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0330B73C mov eax, dword ptr fs:[00000030h]	1_2_0330B73C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0330B73C mov eax, dword ptr fs:[00000030h]	1_2_0330B73C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0330B73C mov eax, dword ptr fs:[00000030h]	1_2_0330B73C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0330B73C mov eax, dword ptr fs:[00000030h]	1_2_0330B73C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03229730 mov eax, dword ptr fs:[00000030h]	1_2_03229730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03229730 mov eax, dword ptr fs:[00000030h]	1_2_03229730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03265734 mov eax, dword ptr fs:[00000030h]	1_2_03265734
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0323973A mov eax, dword ptr fs:[00000030h]	1_2_0323973A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0323973A mov eax, dword ptr fs:[00000030h]	1_2_0323973A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0326273C mov eax, dword ptr fs:[00000030h]	1_2_0326273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0326273C mov ecx, dword ptr fs:[00000030h]	1_2_0326273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0326273C mov eax, dword ptr fs:[00000030h]	1_2_0326273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032AC730 mov eax, dword ptr fs:[00000030h]	1_2_032AC730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03237703 mov eax, dword ptr fs:[00000030h]	1_2_03237703
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03235702 mov eax, dword ptr fs:[00000030h]	1_2_03235702
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03235702 mov eax, dword ptr fs:[00000030h]	1_2_03235702
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0326C700 mov eax, dword ptr fs:[00000030h]	1_2_0326C700
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03230710 mov eax, dword ptr fs:[00000030h]	1_2_03230710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03260710 mov eax, dword ptr fs:[00000030h]	1_2_03260710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0326F71F mov eax, dword ptr fs:[00000030h]	1_2_0326F71F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0326F71F mov eax, dword ptr fs:[00000030h]	1_2_0326F71F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0322B765 mov eax, dword ptr fs:[00000030h]	1_2_0322B765
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0322B765 mov eax, dword ptr fs:[00000030h]	1_2_0322B765
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0322B765 mov eax, dword ptr fs:[00000030h]	1_2_0322B765
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0322B765 mov eax, dword ptr fs:[00000030h]	1_2_0322B765
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03238770 mov eax, dword ptr fs:[00000030h]	1_2_03238770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03240770 mov eax, dword ptr fs:[00000030h]	1_2_03240770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03240770 mov eax, dword ptr fs:[00000030h]	1_2_03240770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03240770 mov eax, dword ptr fs:[00000030h]	1_2_03240770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03240770 mov eax, dword ptr fs:[00000030h]	1_2_03240770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03240770 mov eax, dword ptr fs:[00000030h]	1_2_03240770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03240770 mov eax, dword ptr fs:[00000030h]	1_2_03240770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03240770 mov eax, dword ptr fs:[00000030h]	1_2_03240770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03240770 mov eax, dword ptr fs:[00000030h]	1_2_03240770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03240770 mov eax, dword ptr fs:[00000030h]	1_2_03240770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03240770 mov eax, dword ptr fs:[00000030h]	1_2_03240770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03240770 mov eax, dword ptr fs:[00000030h]	1_2_03240770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03240770 mov eax, dword ptr fs:[00000030h]	1_2_03240770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03243740 mov eax, dword ptr fs:[00000030h]	1_2_03243740
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03243740 mov eax, dword ptr fs:[00000030h]	1_2_03243740
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03243740 mov eax, dword ptr fs:[00000030h]	1_2_03243740
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0326674D mov esi, dword ptr fs:[00000030h]	1_2_0326674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0326674D mov eax, dword ptr fs:[00000030h]	1_2_0326674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0326674D mov eax, dword ptr fs:[00000030h]	1_2_0326674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03230750 mov eax, dword ptr fs:[00000030h]	1_2_03230750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032BE75D mov eax, dword ptr fs:[00000030h]	1_2_032BE75D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03272750 mov eax, dword ptr fs:[00000030h]	1_2_03272750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03272750 mov eax, dword ptr fs:[00000030h]	1_2_03272750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03303749 mov eax, dword ptr fs:[00000030h]	1_2_03303749
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B4755 mov eax, dword ptr fs:[00000030h]	1_2_032B4755
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B97A9 mov eax, dword ptr fs:[00000030h]	1_2_032B97A9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032BF7AF mov eax, dword ptr fs:[00000030h]	1_2_032BF7AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032BF7AF mov eax, dword ptr fs:[00000030h]	1_2_032BF7AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032BF7AF mov eax, dword ptr fs:[00000030h]	1_2_032BF7AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032BF7AF mov eax, dword ptr fs:[00000030h]	1_2_032BF7AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032BF7AF mov eax, dword ptr fs:[00000030h]	1_2_032BF7AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033037B6 mov eax, dword ptr fs:[00000030h]	1_2_033037B6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032307AF mov eax, dword ptr fs:[00000030h]	1_2_032307AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0325D7B0 mov eax, dword ptr fs:[00000030h]	1_2_0325D7B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0322F7BA mov eax, dword ptr fs:[00000030h]	1_2_0322F7BA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0322F7BA mov eax, dword ptr fs:[00000030h]	1_2_0322F7BA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0322F7BA mov eax, dword ptr fs:[00000030h]	1_2_0322F7BA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0322F7BA mov eax, dword ptr fs:[00000030h]	1_2_0322F7BA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0322F7BA mov eax, dword ptr fs:[00000030h]	1_2_0322F7BA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0322F7BA mov eax, dword ptr fs:[00000030h]	1_2_0322F7BA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0322F7BA mov eax, dword ptr fs:[00000030h]	1_2_0322F7BA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0322F7BA mov eax, dword ptr fs:[00000030h]	1_2_0322F7BA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0322F7BA mov eax, dword ptr fs:[00000030h]	1_2_0322F7BA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032EF78A mov eax, dword ptr fs:[00000030h]	1_2_032EF78A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0323D7E0 mov ecx, dword ptr fs:[00000030h]	1_2_0323D7E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032527ED mov eax, dword ptr fs:[00000030h]	1_2_032527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032527ED mov eax, dword ptr fs:[00000030h]	1_2_032527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032527ED mov eax, dword ptr fs:[00000030h]	1_2_032527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032BE7E1 mov eax, dword ptr fs:[00000030h]	1_2_032BE7E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032347FB mov eax, dword ptr fs:[00000030h]	1_2_032347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032347FB mov eax, dword ptr fs:[00000030h]	1_2_032347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0323C7C0 mov eax, dword ptr fs:[00000030h]	1_2_0323C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032357C0 mov eax, dword ptr fs:[00000030h]	1_2_032357C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032357C0 mov eax, dword ptr fs:[00000030h]	1_2_032357C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032357C0 mov eax, dword ptr fs:[00000030h]	1_2_032357C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B07C3 mov eax, dword ptr fs:[00000030h]	1_2_032B07C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0324E627 mov eax, dword ptr fs:[00000030h]	1_2_0324E627
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0322F626 mov eax, dword ptr fs:[00000030h]	1_2_0322F626
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0322F626 mov eax, dword ptr fs:[00000030h]	1_2_0322F626
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0322F626 mov eax, dword ptr fs:[00000030h]	1_2_0322F626
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0322F626 mov eax, dword ptr fs:[00000030h]	1_2_0322F626
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0322F626 mov eax, dword ptr fs:[00000030h]	1_2_0322F626
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0322F626 mov eax, dword ptr fs:[00000030h]	1_2_0322F626
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0322F626 mov eax, dword ptr fs:[00000030h]	1_2_0322F626
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0322F626 mov eax, dword ptr fs:[00000030h]	1_2_0322F626
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0322F626 mov eax, dword ptr fs:[00000030h]	1_2_0322F626
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03266620 mov eax, dword ptr fs:[00000030h]	1_2_03266620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03305636 mov eax, dword ptr fs:[00000030h]	1_2_03305636
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03268620 mov eax, dword ptr fs:[00000030h]	1_2_03268620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0323262C mov eax, dword ptr fs:[00000030h]	1_2_0323262C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03261607 mov eax, dword ptr fs:[00000030h]	1_2_03261607
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032AE609 mov eax, dword ptr fs:[00000030h]	1_2_032AE609
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0326F603 mov eax, dword ptr fs:[00000030h]	1_2_0326F603
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0324260B mov eax, dword ptr fs:[00000030h]	1_2_0324260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0324260B mov eax, dword ptr fs:[00000030h]	1_2_0324260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0324260B mov eax, dword ptr fs:[00000030h]	1_2_0324260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0324260B mov eax, dword ptr fs:[00000030h]	1_2_0324260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0324260B mov eax, dword ptr fs:[00000030h]	1_2_0324260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0324260B mov eax, dword ptr fs:[00000030h]	1_2_0324260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0324260B mov eax, dword ptr fs:[00000030h]	1_2_0324260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03233616 mov eax, dword ptr fs:[00000030h]	1_2_03233616
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03233616 mov eax, dword ptr fs:[00000030h]	1_2_03233616
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03272619 mov eax, dword ptr fs:[00000030h]	1_2_03272619
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032F866E mov eax, dword ptr fs:[00000030h]	1_2_032F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032F866E mov eax, dword ptr fs:[00000030h]	1_2_032F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0326A660 mov eax, dword ptr fs:[00000030h]	1_2_0326A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0326A660 mov eax, dword ptr fs:[00000030h]	1_2_0326A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03269660 mov eax, dword ptr fs:[00000030h]	1_2_03269660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03269660 mov eax, dword ptr fs:[00000030h]	1_2_03269660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032CD660 mov eax, dword ptr fs:[00000030h]	1_2_032CD660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03262674 mov eax, dword ptr fs:[00000030h]	1_2_03262674
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0324C640 mov eax, dword ptr fs:[00000030h]	1_2_0324C640
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0326C6A6 mov eax, dword ptr fs:[00000030h]	1_2_0326C6A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0322D6AA mov eax, dword ptr fs:[00000030h]	1_2_0322D6AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0322D6AA mov eax, dword ptr fs:[00000030h]	1_2_0322D6AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032276B2 mov eax, dword ptr fs:[00000030h]	1_2_032276B2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032276B2 mov eax, dword ptr fs:[00000030h]	1_2_032276B2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032276B2 mov eax, dword ptr fs:[00000030h]	1_2_032276B2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032666B0 mov eax, dword ptr fs:[00000030h]	1_2_032666B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B368C mov eax, dword ptr fs:[00000030h]	1_2_032B368C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B368C mov eax, dword ptr fs:[00000030h]	1_2_032B368C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B368C mov eax, dword ptr fs:[00000030h]	1_2_032B368C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B368C mov eax, dword ptr fs:[00000030h]	1_2_032B368C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03234690 mov eax, dword ptr fs:[00000030h]	1_2_03234690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03234690 mov eax, dword ptr fs:[00000030h]	1_2_03234690

Source: C:\Users\user\Desktop\iJIXzyHnSe.exe

Code function: 0_2_00FF80A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,

0_2_00FF80A9

Source: C:\Users\user\Desktop\iJIXzyHnSe.exe	Code function: 0_2_00FCA155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_00FCA155
Source: C:\Users\user\Desktop\iJIXzyHnSe.exe	Code function: 0_2_00FCA124 SetUnhandledExceptionFilter,		0_2_00FCA124

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\xNHhtGBnZfLNOesumZqoiiakWVbYYoxjSHfKxxvxClP\Mevt3bFU1HpLudwL.exe	NtQuerySystemInformation: Direct from: 0x772748CC	Jump to behavior
Source: C:\Program Files (x86)\xNHhtGBnZfLNOesumZqoiiakWVbYYoxjSHfKxxvxClP\Mevt3bFU1HpLudwL.exe	NtQueryVolumeInformationFile: Direct from: 0x77272F2C	Jump to behavior
Source: C:\Program Files (x86)\xNHhtGBnZfLNOesumZqoiiakWVbYYoxjSHfKxxvxClP\Mevt3bFU1HpLudwL.exe	NtOpenSection: Direct from: 0x77272E0C	Jump to behavior
Source: C:\Program Files (x86)\xNHhtGBnZfLNOesumZqoiiakWVbYYoxjSHfKxxvxClP\Mevt3bFU1HpLudwL.exe	NtClose: Direct from: 0x77272B6C
Source: C:\Program Files (x86)\xNHhtGBnZfLNOesumZqoiiakWVbYYoxjSHfKxxvxClP\Mevt3bFU1HpLudwL.exe	NtReadVirtualMemory: Direct from: 0x77272E8C	Jump to behavior
Source: C:\Program Files (x86)\xNHhtGBnZfLNOesumZqoiiakWVbYYoxjSHfKxxvxClP\Mevt3bFU1HpLudwL.exe	NtCreateKey: Direct from: 0x77272C6C	Jump to behavior
Source: C:\Program Files (x86)\xNHhtGBnZfLNOesumZqoiiakWVbYYoxjSHfKxxvxClP\Mevt3bFU1HpLudwL.exe	NtSetInformationThread: Direct from: 0x77272B4C	Jump to behavior
Source: C:\Program Files (x86)\xNHhtGBnZfLNOesumZqoiiakWVbYYoxjSHfKxxvxClP\Mevt3bFU1HpLudwL.exe	NtQueryAttributesFile: Direct from: 0x77272E6C	Jump to behavior
Source: C:\Program Files (x86)\xNHhtGBnZfLNOesumZqoiiakWVbYYoxjSHfKxxvxClP\Mevt3bFU1HpLudwL.exe	NtAllocateVirtualMemory: Direct from: 0x772748EC	Jump to behavior
Source: C:\Program Files (x86)\xNHhtGBnZfLNOesumZqoiiakWVbYYoxjSHfKxxvxClP\Mevt3bFU1HpLudwL.exe	NtQueryInformationToken: Direct from: 0x77272CAC	Jump to behavior
Source: C:\Program Files (x86)\xNHhtGBnZfLNOesumZqoiiakWVbYYoxjSHfKxxvxClP\Mevt3bFU1HpLudwL.exe	NtTerminateThread: Direct from: 0x77272FCC	Jump to behavior
Source: C:\Program Files (x86)\xNHhtGBnZfLNOesumZqoiiakWVbYYoxjSHfKxxvxClP\Mevt3bFU1HpLudwL.exe	NtOpenKeyEx: Direct from: 0x77272B9C	Jump to behavior
Source: C:\Program Files (x86)\xNHhtGBnZfLNOesumZqoiiakWVbYYoxjSHfKxxvxClP\Mevt3bFU1HpLudwL.exe	NtDeviceIoControlFile: Direct from: 0x77272AEC	Jump to behavior
Source: C:\Program Files (x86)\xNHhtGBnZfLNOesumZqoiiakWVbYYoxjSHfKxxvxClP\Mevt3bFU1HpLudwL.exe	NtAllocateVirtualMemory: Direct from: 0x77272BEC	Jump to behavior
Source: C:\Program Files (x86)\xNHhtGBnZfLNOesumZqoiiakWVbYYoxjSHfKxxvxClP\Mevt3bFU1HpLudwL.exe	NtProtectVirtualMemory: Direct from: 0x77267B2E	Jump to behavior
Source: C:\Program Files (x86)\xNHhtGBnZfLNOesumZqoiiakWVbYYoxjSHfKxxvxClP\Mevt3bFU1HpLudwL.exe	NtCreateFile: Direct from: 0x77272FEC	Jump to behavior
Source: C:\Program Files (x86)\xNHhtGBnZfLNOesumZqoiiakWVbYYoxjSHfKxxvxClP\Mevt3bFU1HpLudwL.exe	NtOpenFile: Direct from: 0x77272DCC	Jump to behavior
Source: C:\Program Files (x86)\xNHhtGBnZfLNOesumZqoiiakWVbYYoxjSHfKxxvxClP\Mevt3bFU1HpLudwL.exe	NtWriteVirtualMemory: Direct from: 0x77272E3C	Jump to behavior
Source: C:\Program Files (x86)\xNHhtGBnZfLNOesumZqoiiakWVbYYoxjSHfKxxvxClP\Mevt3bFU1HpLudwL.exe	NtMapViewOfSection: Direct from: 0x77272D1C	Jump to behavior
Source: C:\Program Files (x86)\xNHhtGBnZfLNOesumZqoiiakWVbYYoxjSHfKxxvxClP\Mevt3bFU1HpLudwL.exe	NtResumeThread: Direct from: 0x772736AC	Jump to behavior
Source: C:\Program Files (x86)\xNHhtGBnZfLNOesumZqoiiakWVbYYoxjSHfKxxvxClP\Mevt3bFU1HpLudwL.exe	NtProtectVirtualMemory: Direct from: 0x77272F9C	Jump to behavior
Source: C:\Program Files (x86)\xNHhtGBnZfLNOesumZqoiiakWVbYYoxjSHfKxxvxClP\Mevt3bFU1HpLudwL.exe	NtSetInformationProcess: Direct from: 0x77272C5C	Jump to behavior
Source: C:\Program Files (x86)\xNHhtGBnZfLNOesumZqoiiakWVbYYoxjSHfKxxvxClP\Mevt3bFU1HpLudwL.exe	NtNotifyChangeKey: Direct from: 0x77273C2C	Jump to behavior
Source: C:\Program Files (x86)\xNHhtGBnZfLNOesumZqoiiakWVbYYoxjSHfKxxvxClP\Mevt3bFU1HpLudwL.exe	NtCreateMutant: Direct from: 0x772735CC	Jump to behavior
Source: C:\Program Files (x86)\xNHhtGBnZfLNOesumZqoiiakWVbYYoxjSHfKxxvxClP\Mevt3bFU1HpLudwL.exe	NtSetInformationThread: Direct from: 0x772663F9	Jump to behavior
Source: C:\Program Files (x86)\xNHhtGBnZfLNOesumZqoiiakWVbYYoxjSHfKxxvxClP\Mevt3bFU1HpLudwL.exe	NtQueryInformationProcess: Direct from: 0x77272C26	Jump to behavior
Source: C:\Program Files (x86)\xNHhtGBnZfLNOesumZqoiiakWVbYYoxjSHfKxxvxClP\Mevt3bFU1HpLudwL.exe	NtResumeThread: Direct from: 0x77272FBC	Jump to behavior
Source: C:\Program Files (x86)\xNHhtGBnZfLNOesumZqoiiakWVbYYoxjSHfKxxvxClP\Mevt3bFU1HpLudwL.exe	NtCreateUserProcess: Direct from: 0x7727371C	Jump to behavior
Source: C:\Program Files (x86)\xNHhtGBnZfLNOesumZqoiiakWVbYYoxjSHfKxxvxClP\Mevt3bFU1HpLudwL.exe	NtWriteVirtualMemory: Direct from: 0x7727490C	Jump to behavior
Source: C:\Program Files (x86)\xNHhtGBnZfLNOesumZqoiiakWVbYYoxjSHfKxxvxClP\Mevt3bFU1HpLudwL.exe	NtAllocateVirtualMemory: Direct from: 0x77273C9C	Jump to behavior
Source: C:\Program Files (x86)\xNHhtGBnZfLNOesumZqoiiakWVbYYoxjSHfKxxvxClP\Mevt3bFU1HpLudwL.exe	NtAllocateVirtualMemory: Direct from: 0x77272BFC	Jump to behavior
Source: C:\Program Files (x86)\xNHhtGBnZfLNOesumZqoiiakWVbYYoxjSHfKxxvxClP\Mevt3bFU1HpLudwL.exe	NtReadFile: Direct from: 0x77272ADC	Jump to behavior
Source: C:\Program Files (x86)\xNHhtGBnZfLNOesumZqoiiakWVbYYoxjSHfKxxvxClP\Mevt3bFU1HpLudwL.exe	NtQuerySystemInformation: Direct from: 0x77272DFC	Jump to behavior
Source: C:\Program Files (x86)\xNHhtGBnZfLNOesumZqoiiakWVbYYoxjSHfKxxvxClP\Mevt3bFU1HpLudwL.exe	NtDelayExecution: Direct from: 0x77272DDC	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\iJIXzyHnSe.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Program Files (x86)\xNHhtGBnZfLNOesumZqoiiakWVbYYoxjSHfKxxvxClP\Mevt3bFU1HpLudwL.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\SysWOW64\TSTheme.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\TSTheme.exe	Section loaded: NULL target: C:\Program Files (x86)\xNHhtGBnZfLNOesumZqoiiakWVbYYoxjSHfKxxvxClP\Mevt3bFU1HpLudwL.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\TSTheme.exe	Section loaded: NULL target: C:\Program Files (x86)\xNHhtGBnZfLNOesumZqoiiakWVbYYoxjSHfKxxvxClP\Mevt3bFU1HpLudwL.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\TSTheme.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\TSTheme.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\TSTheme.exe

Thread register set: target process: 2052

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\TSTheme.exe

Thread APC queued: target process: C:\Program Files (x86)\xNHhtGBnZfLNOesumZqoiiakWVbYYoxjSHfKxxvxClP\Mevt3bFU1HpLudwL.exe

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\iJIXzyHnSe.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: 2905008

Jump to behavior

Source: C:\Users\user\Desktop\iJIXzyHnSe.exe

Code function: 0_2_00FF87B1 LogonUserW,

0_2_00FF87B1

Source: C:\Users\user\Desktop\iJIXzyHnSe.exe

Code function: 0_2_00FA3B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00FA3B3A

Source: C:\Users\user\Desktop\iJIXzyHnSe.exe

Code function: 0_2_00FA48D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_00FA48D7

Source: C:\Users\user\Desktop\iJIXzyHnSe.exe

Code function: 0_2_01004C27 mouse_event,

0_2_01004C27

Source: C:\Users\user\Desktop\iJIXzyHnSe.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\iJIXzyHnSe.exe"	Jump to behavior
Source: C:\Program Files (x86)\xNHhtGBnZfLNOesumZqoiiakWVbYYoxjSHfKxxvxClP\Mevt3bFU1HpLudwL.exe	Process created: C:\Windows\SysWOW64\TSTheme.exe "C:\Windows\SysWOW64\TSTheme.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\TSTheme.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\iJIXzyHnSe.exe

Code function: 0_2_00FF7CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_00FF7CAF

Source: C:\Users\user\Desktop\iJIXzyHnSe.exe

Code function: 0_2_00FF874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00FF874B

Source: iJIXzyHnSe.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: Mevt3bFU1HpLudwL.exe, 00000004.00000000.1600985131.0000000001351000.00000002.00000001.00040000.00000000.sdmp, Mevt3bFU1HpLudwL.exe, 00000004.00000002.2587517332.0000000001351000.00000002.00000001.00040000.00000000.sdmp, Mevt3bFU1HpLudwL.exe, 00000006.00000000.1761664218.0000000001821000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program Manager
Source: iJIXzyHnSe.exe, Mevt3bFU1HpLudwL.exe, 00000004.00000000.1600985131.0000000001351000.00000002.00000001.00040000.00000000.sdmp, Mevt3bFU1HpLudwL.exe, 00000004.00000002.2587517332.0000000001351000.00000002.00000001.00040000.00000000.sdmp, Mevt3bFU1HpLudwL.exe, 00000006.00000000.1761664218.0000000001821000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: Mevt3bFU1HpLudwL.exe, 00000004.00000000.1600985131.0000000001351000.00000002.00000001.00040000.00000000.sdmp, Mevt3bFU1HpLudwL.exe, 00000004.00000002.2587517332.0000000001351000.00000002.00000001.00040000.00000000.sdmp, Mevt3bFU1HpLudwL.exe, 00000006.00000000.1761664218.0000000001821000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: Mevt3bFU1HpLudwL.exe, 00000004.00000000.1600985131.0000000001351000.00000002.00000001.00040000.00000000.sdmp, Mevt3bFU1HpLudwL.exe, 00000004.00000002.2587517332.0000000001351000.00000002.00000001.00040000.00000000.sdmp, Mevt3bFU1HpLudwL.exe, 00000006.00000000.1761664218.0000000001821000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\iJIXzyHnSe.exe

Code function: 0_2_00FC862B cpuid

0_2_00FC862B

Source: C:\Users\user\Desktop\iJIXzyHnSe.exe

Code function: 0_2_00FD4E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00FD4E87

Source: C:\Users\user\Desktop\iJIXzyHnSe.exe

Code function: 0_2_00FE1E06 GetUserNameW,

0_2_00FE1E06

Source: C:\Users\user\Desktop\iJIXzyHnSe.exe

Code function: 0_2_00FD3F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00FD3F3A

Source: C:\Users\user\Desktop\iJIXzyHnSe.exe

Code function: 0_2_00FA49A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00FA49A0

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 1.2.svchost.exe.530000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.530000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.2586607235.00000000003A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1687606266.0000000000530000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2587633292.0000000001290000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2587704648.0000000000980000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2587850827.0000000005B60000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2587769464.00000000009D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1688517873.0000000006750000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\TSTheme.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\TSTheme.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\TSTheme.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\TSTheme.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\TSTheme.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\TSTheme.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\TSTheme.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\TSTheme.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\TSTheme.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Jump to behavior

Source: iJIXzyHnSe.exe	Binary or memory string: WIN_81
Source: iJIXzyHnSe.exe	Binary or memory string: WIN_XP
Source: iJIXzyHnSe.exe	Binary or memory string: WIN_XPe
Source: iJIXzyHnSe.exe	Binary or memory string: WIN_VISTA
Source: iJIXzyHnSe.exe	Binary or memory string: WIN_7
Source: iJIXzyHnSe.exe	Binary or memory string: WIN_8
Source: iJIXzyHnSe.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 1.2.svchost.exe.530000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.530000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.2586607235.00000000003A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1687606266.0000000000530000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2587633292.0000000001290000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2587704648.0000000000980000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2587850827.0000000005B60000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2587769464.00000000009D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1688517873.0000000006750000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\iJIXzyHnSe.exe	Code function: 0_2_01016283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		0_2_01016283
Source: C:\Users\user\Desktop\iJIXzyHnSe.exe	Code function: 0_2_01016747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_01016747

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	2 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	4 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Valid Accounts	1 Abuse Elevation Control Mechanism	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	3 Obfuscated Files or Information	NTDS	116 System Information Discovery	Distributed Component Object Model	21 Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 DLL Side-Loading	LSA Secrets	151 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	412 Process Injection	1 Masquerading	Cached Domain Credentials	2 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	2 Virtualization/Sandbox Evasion	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	412 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report iJIXzyHnSe.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
iJIXzyHnSe.exe