
Windows Analysis Report
EEcYuuRdFy.exe

Overview

General Information

Sample name: EEcYuuRdFy.exe (renamed because the original name is a hash value)
Original sample name: 608d3dbd8840204913065e68aeb1efff20f2b22e6d703a1aef37e92a7471bdc3.exe
Analysis ID: 1634841
MD5: 6a4bd321e9daddbee0c71d73d2d0038e
SHA1: 136d62154bc485c5398c9fcb62e90ae66d39f976
SHA256: 608d3dbd8840204913065e68aeb1efff20f2b22e6d703a1aef37e92a7471bdc3
Tags: exe, Formbook, user-adrian__luca

Detection

FormBook
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • EEcYuuRdFy.exe (PID: 5816 cmdline: "C:\Users\user\Desktop\EEcYuuRdFy.exe" MD5: 6A4BD321E9DADDBEE0C71D73D2D0038E)
    • svchost.exe (PID: 5364 cmdline: "C:\Users\user\Desktop\EEcYuuRdFy.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • explorer.exe (PID: 4056 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)
        • msdt.exe (PID: 372 cmdline: "C:\Windows\SysWOW64\msdt.exe" MD5: BAA4458E429E7C906560FE4541ADFCFB)
          • cmd.exe (PID: 1340 cmdline: /c del "C:\Windows\SysWOW64\svchost.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • conhost.exe (PID: 1876 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
{"C2 list": ["www.7b5846.online/hwu6/"], "decoy": ["lf758.vip", "locerin-hair.shop", "vytech.net", "pet-insurance-intl-7990489.live", "thepolithat.buzz", "d66dr114gl.bond", "suv-deals-49508.bond", "job-offer-53922.bond", "drstone1.click", "lebahsemesta57.click", "olmanihousel.shop", "piedmontcsb.info", "trisula888x.top", "66sodovna.net", "dental-implants-83810.bond", "imxtld.club", "frozenpines.net", "ffgzgbl.xyz", "tlc7z.rest", "alexismuller.design", "6vay.boats", "moocatinght.top", "hafwje.bond", "edmaker.online", "simo1simo001.click", "vbsdconsultant.click", "ux-design-courses-53497.bond", "victory88-pay.xyz", "suarahati7.xyz", "otzen.info", "hair-transplantation-65829.bond", "gequiltdesins.shop", "inefity.cloud", "jeeinsight.online", "86339.xyz", "stairr-lift-find.today", "wdgb20.top", "91uvq.pro", "energyecosystem.app", "8e5lr5i9zu.buzz", "migraine-treatment-36101.bond", "eternityzon.shop", "43mjqdyetv.sbs", "healthcare-software-74448.bond", "bethlark.top", "dangdut4dselalu.pro", "04506.club", "rider.vision", "health-insurance-cake.world", "apoppynote.com", "11817e.com", "hiefmotelkeokuk.top", "sugatoken.xyz", "aragamand.business", "alifewithoutlimits.info", "vibrantsoul.xyz", "olarpanels-outlet.info", "ozzd86fih4.online", "skbdicat.xyz", "cloggedpipes.net", "ilsgroup.net", "ptcnl.info", "backstretch.store", "maheshg.xyz"]}
Source | Rule | Description | Author | Strings
00000002.00000002.915507369.0000000002DA0000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000002.00000002.915507369.0000000002DA0000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000002.00000002.915507369.0000000002DA0000.00000040.10000000.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x6251:$a1: 3C 30 50 4F 53 54 74 09 40
  • 0x1cb90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
  • 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000002.00000002.915507369.0000000002DA0000.00000040.10000000.00040000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b8f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c8fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000002.915507369.0000000002DA0000.00000040.10000000.00040000.00000000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18819:$sqlite3step: 68 34 1C 7B E1
  • 0x1892c:$sqlite3step: 68 34 1C 7B E1
  • 0x18848:$sqlite3text: 68 38 2A 90 C5
  • 0x1896d:$sqlite3text: 68 38 2A 90 C5
  • 0x1885b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18983:$sqlite3blob: 68 53 D8 7F 8C
Source | Rule | Description | Author | Strings
0.2.EEcYuuRdFy.exe.1270000.1.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0.2.EEcYuuRdFy.exe.1270000.1.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
0.2.EEcYuuRdFy.exe.1270000.1.raw.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x6251:$a1: 3C 30 50 4F 53 54 74 09 40
  • 0x1cb90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
  • 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0.2.EEcYuuRdFy.exe.1270000.1.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b8f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c8fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0.2.EEcYuuRdFy.exe.1270000.1.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18819:$sqlite3step: 68 34 1C 7B E1
  • 0x1892c:$sqlite3step: 68 34 1C 7B E1
  • 0x18848:$sqlite3text: 68 38 2A 90 C5
  • 0x1896d:$sqlite3text: 68 38 2A 90 C5
  • 0x1885b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18983:$sqlite3blob: 68 53 D8 7F 8C

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Users\user\Desktop\EEcYuuRdFy.exe", CommandLine: "C:\Users\user\Desktop\EEcYuuRdFy.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\EEcYuuRdFy.exe", ParentImage: C:\Users\user\Desktop\EEcYuuRdFy.exe, ParentProcessId: 5816, ParentProcessName: EEcYuuRdFy.exe, ProcessCommandLine: "C:\Users\user\Desktop\EEcYuuRdFy.exe", ProcessId: 5364, ProcessName: svchost.exe
Source: Process started | Author: vburov | Data: Command: "C:\Users\user\Desktop\EEcYuuRdFy.exe", CommandLine: "C:\Users\user\Desktop\EEcYuuRdFy.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\EEcYuuRdFy.exe", ParentImage: C:\Users\user\Desktop\EEcYuuRdFy.exe, ParentProcessId: 5816, ParentProcessName: EEcYuuRdFy.exe, ProcessCommandLine: "C:\Users\user\Desktop\EEcYuuRdFy.exe", ProcessId: 5364, ProcessName: svchost.exe

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-11T05:34:19.519735+0100 | 2031453 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49689 | 104.16.12.194 | 80 | TCP
2025-03-11T05:35:41.177379+0100 | 2031453 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49694 | 104.21.80.156 | 80 | TCP
2025-03-11T05:36:44.115418+0100 | 2031453 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49695 | 188.114.96.3 | 80 | TCP
2025-03-11T05:37:46.550998+0100 | 2031453 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49699 | 104.18.187.223 | 80 | TCP


AV Detection

Source: EEcYuuRdFy.exe | Avira: detected
Source: http://www.inefity.cloud/hwu6/ | Avira URL Cloud: Label: malware
Source: http://www.skbdicat.xyz/hwu6/www.pet-insurance-intl-7990489.live | Avira URL Cloud: Label: malware
Source: http://www.skbdicat.xyz/hwu6/ | Avira URL Cloud: Label: malware
Source: http://www.inefity.cloud/hwu6/1kvm | Avira URL Cloud: Label: malware
Source: 00000002.00000002.915507369.0000000002DA0000.00000040.10000000.00040000.00000000.sdmp | Malware Configuration Extractor: FormBook (configuration as listed under Classification above)
Source: EEcYuuRdFy.exe | ReversingLabs: Detection: 71%
Source: EEcYuuRdFy.exe | Virustotal: Detection: 76%
Source: Yara match | File source: 0.2.EEcYuuRdFy.exe.1270000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.svchost.exe.330000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.EEcYuuRdFy.exe.1270000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.915507369.0000000002DA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.3308943301.0000000002E70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.914859395.0000000000331000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.3309113410.0000000002EA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.3307781923.0000000002AA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.860385486.0000000001270000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.915462305.0000000002D70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4_2_00A4AFB8 CertGetCertificateContextProperty,GetLastError,CryptHashCertificate,GetLastError,GetLastError,CertFreeCertificateContext,4_2_00A4AFB8
Source: EEcYuuRdFy.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Binary string: msdt.pdbGCTL source: svchost.exe, 00000002.00000003.914282737.000000000081B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.914282737.000000000087B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.914606299.000000000087B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.915606576.0000000002E00000.00000040.10000000.00040000.00000000.sdmp, msdt.exe, 00000004.00000002.3307393259.0000000000A10000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: EEcYuuRdFy.exe, 00000000.00000003.856044494.0000000003DC0000.00000004.00001000.00020000.00000000.sdmp, EEcYuuRdFy.exe, 00000000.00000003.858618222.0000000003C50000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.915692119.000000000309E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.915692119.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.861398335.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.859381241.0000000002B00000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 00000004.00000003.915315031.0000000004744000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 00000004.00000002.3310130731.0000000004AC0000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 00000004.00000003.917480630.000000000490C000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 00000004.00000002.3310130731.0000000004C5E000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: EEcYuuRdFy.exe, 00000000.00000003.856044494.0000000003DC0000.00000004.00001000.00020000.00000000.sdmp, EEcYuuRdFy.exe, 00000000.00000003.858618222.0000000003C50000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.915692119.000000000309E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.915692119.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.861398335.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.859381241.0000000002B00000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, msdt.exe, 00000004.00000003.915315031.0000000004744000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 00000004.00000002.3310130731.0000000004AC0000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 00000004.00000003.917480630.000000000490C000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 00000004.00000002.3310130731.0000000004C5E000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: svchost.pdb source: explorer.exe, 00000003.00000002.3322276434.000000001031F000.00000004.80000000.00040000.00000000.sdmp, msdt.exe, 00000004.00000002.3308558483.0000000002D93000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 00000004.00000002.3311175907.000000000500F000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: svchost.pdbUGP source: explorer.exe, 00000003.00000002.3322276434.000000001031F000.00000004.80000000.00040000.00000000.sdmp, msdt.exe, 00000004.00000002.3308558483.0000000002D93000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 00000004.00000002.3311175907.000000000500F000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: msdt.pdb source: svchost.exe, 00000002.00000003.914282737.000000000081B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.914282737.000000000087B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.914606299.000000000087B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.915606576.0000000002E00000.00000040.10000000.00040000.00000000.sdmp, msdt.exe, msdt.exe, 00000004.00000002.3307393259.0000000000A10000.00000040.80000000.00040000.00000000.sdmp
Source: C:\Users\user\Desktop\EEcYuuRdFy.exe | Code function: 0_2_00AE445A GetFileAttributesW,FindFirstFileW,FindClose,0_2_00AE445A
Source: C:\Users\user\Desktop\EEcYuuRdFy.exe | Code function: 0_2_00AEC6D1 FindFirstFileW,FindClose,0_2_00AEC6D1
Source: C:\Users\user\Desktop\EEcYuuRdFy.exe | Code function: 0_2_00AEC75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_00AEC75C
Source: C:\Users\user\Desktop\EEcYuuRdFy.exe | Code function: 0_2_00AEEF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00AEEF95
Source: C:\Users\user\Desktop\EEcYuuRdFy.exe | Code function: 0_2_00AEF0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00AEF0F2
Source: C:\Users\user\Desktop\EEcYuuRdFy.exe | Code function: 0_2_00AEF3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_00AEF3F3
Source: C:\Users\user\Desktop\EEcYuuRdFy.exe | Code function: 0_2_00AE37EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00AE37EF
Source: C:\Users\user\Desktop\EEcYuuRdFy.exe | Code function: 0_2_00AE3B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00AE3B12
Source: C:\Users\user\Desktop\EEcYuuRdFy.exe | Code function: 0_2_00AEBCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_00AEBCBC
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4_2_00A560A8 memset,GetProcessHeap,HeapAlloc,FindFirstFileW,GetProcessHeap,HeapAlloc,GetLastError,FindClose,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,4_2_00A560A8
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4_2_00A4602D GetProcessHeap,HeapAlloc,FindFirstFileW,_wcsicmp,_wcsicmp,SetFileAttributesW,GetLastError,DeleteFileW,GetLastError,FindNextFileW,FindClose,RemoveDirectoryW,GetLastError,GetProcessHeap,HeapFree,4_2_00A4602D
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4_2_00A41B92 memset,GetProcessHeap,HeapAlloc,FindFirstFileW,_wcsicmp,_wcsicmp,FindNextFileW,FindClose,GetLastError,GetProcessHeap,HeapFree,4_2_00A41B92
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4_2_00A44CB6 memset,GetProcessHeap,HeapAlloc,FindFirstFileW,_wcsicmp,_wcsicmp,FindNextFileW,FindClose,GetLastError,GetProcessHeap,HeapFree,4_2_00A44CB6
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4_2_00A45C20 memset,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,CloseHandle,FindFirstFileW,_wcsicmp,_wcsicmp,GetFileAttributesW,SetFileAttributesW,GetLastError,GetFileAttributesW,SetFileAttributesW,GetLastError,DeleteFileW,CreateFileW,GetLastError,CloseHandle,FindNextFileW,FindClose,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,CloseHandle,CloseHandle,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,4_2_00A45C20
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4_2_00A5743A memset,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,FindFirstFileW,_wcsicmp,_wcsicmp,CopyFileW,GetLastError,FindNextFileW,FindClose,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,4_2_00A5743A
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4_2_00A44EDC memset,GetProcessHeap,HeapAlloc,FindFirstFileW,_wcsicmp,_wcsicmp,FindNextFileW,FindClose,GetLastError,GetProcessHeap,HeapFree,4_2_00A44EDC
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4x nop then pop edi 2_2_00347D7F

Networking

Source: Network traffic | Suricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.8:49695 -> 188.114.96.3:80
Source: Network traffic | Suricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.8:49699 -> 104.18.187.223:80
Source: Network traffic | Suricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.8:49699 -> 104.18.187.223:80
Source: Network traffic | Suricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.8:49695 -> 188.114.96.3:80
Source: Network traffic | Suricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.8:49699 -> 104.18.187.223:80
Source: Network traffic | Suricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.8:49695 -> 188.114.96.3:80
Source: Network traffic | Suricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.8:49694 -> 104.21.80.156:80
Source: Network traffic | Suricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.8:49694 -> 104.21.80.156:80
Source: Network traffic | Suricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.8:49694 -> 104.21.80.156:80
Source: Network traffic | Suricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.8:49689 -> 104.16.12.194:80
Source: Network traffic | Suricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.8:49689 -> 104.16.12.194:80
Source: Network traffic | Suricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.8:49689 -> 104.16.12.194:80
Source: C:\Windows\explorer.exe | Network Connect: 104.16.12.194 80
Source: Malware configuration extractor | URLs: www.7b5846.online/hwu6/
Source: DNS query: www.sugatoken.xyz
Source: DNS query: www.ffgzgbl.xyz
Source: DNS query: www.skbdicat.xyz
Source: global traffic | HTTP traffic detected: GET /hwu6/?SxolPV=KgT1xarCWirw9ut1UatlZF9HiMfYn4dE2r3KmEKw+d6bBqnsxPDSqa42A0XWIosgw+vL&QL0=uTvL3DyhkT-dDd HTTP/1.1 | Host: www.alifewithoutlimits.info | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /hwu6/?SxolPV=+zwICv/sB1e6MtWwpRel8f5Q0bYKICZzsoJO8W/+cdiLpY7N+AEBhZIv3gPNLiTeSWc7&QL0=uTvL3DyhkT-dDd HTTP/1.1 | Host: www.gequiltdesins.shop | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View | IP Address: 104.16.12.194
Source: Joe Sandbox View | IP Address: 204.79.197.203
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: unknown | TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\EEcYuuRdFy.exe | Code function: 0_2_00AF22EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile,0_2_00AF22EE
Source: global traffic | DNS traffic detected: DNS query: www.alifewithoutlimits.info
Source: global traffic | DNS traffic detected: DNS query: www.d66dr114gl.bond
Source: global traffic | DNS traffic detected: DNS query: www.sugatoken.xyz
Source: global traffic | DNS traffic detected: DNS query: www.ffgzgbl.xyz
Source: global traffic | DNS traffic detected: DNS query: www.gequiltdesins.shop
Source: global traffic | DNS traffic detected: DNS query: www.backstretch.store
Source: global traffic | DNS traffic detected: DNS query: www.stairr-lift-find.today
Source: global traffic | DNS traffic detected: DNS query: www.ux-design-courses-53497.bond
Source: global traffic | DNS traffic detected: DNS query: www.skbdicat.xyz
Source: global traffic | DNS traffic detected: DNS query: www.pet-insurance-intl-7990489.live
Source: global traffic | DNS traffic detected: DNS query: www.olarpanels-outlet.info
Source: explorer.exe, 00000003.00000003.2645693869.0000000007497000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.873724317.000000000974B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.871577564.0000000007459000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2645009850.0000000007496000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.869152167.0000000000C5E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3314458356.0000000007498000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
Source: explorer.exe, 00000003.00000003.2645693869.0000000007497000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.873724317.000000000974B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.871577564.0000000007459000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2645009850.0000000007496000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.869152167.0000000000C5E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3314458356.0000000007498000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 00000003.00000003.2645693869.0000000007497000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.873724317.000000000974B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.871577564.0000000007459000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2645009850.0000000007496000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.869152167.0000000000C5E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3314458356.0000000007498000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000003.00000002.3316598131.00000000096DF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.873724317.00000000096DF000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crl
Source: explorer.exe, 00000003.00000003.2640490029.000000000C433000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2642639060.000000000C441000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3321232132.000000000C444000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://schemas.micr
Source: explorer.exe, 00000003.00000002.3315536614.0000000008680000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000002.3314882089.0000000007940000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.873398440.00000000086A0000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://schemas.micro
Source: explorer.exe, 00000003.00000003.2640490029.000000000C433000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3321199872.000000000C439000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.7b5846.online
Source: explorer.exe, 00000003.00000003.2640490029.000000000C433000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3321199872.000000000C439000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.7b5846.online/hwu6/
Source: explorer.exe, 00000003.00000003.2640490029.000000000C433000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3321199872.000000000C439000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.7b5846.online/hwu6/www.bethlark.top
Source: explorer.exe, 00000003.00000003.2640490029.000000000C433000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3321199872.000000000C439000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.7b5846.onlineReferer:
          Source: explorer.exe, 00000003.00000003.2640490029.000000000C433000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3321199872.000000000C439000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.alifewithoutlimits.info
          Source: explorer.exe, 00000003.00000003.2640490029.000000000C433000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3321199872.000000000C439000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.alifewithoutlimits.info/hwu6/
          Source: explorer.exe, 00000003.00000003.2640490029.000000000C433000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3321199872.000000000C439000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.alifewithoutlimits.info/hwu6/www.d66dr114gl.bond
          Source: explorer.exe, 00000003.00000003.2640490029.000000000C433000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3321199872.000000000C439000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.alifewithoutlimits.infoReferer:
          Source: explorer.exe, 00000003.00000003.2640490029.000000000C433000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3321199872.000000000C439000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.backstretch.store
          Source: explorer.exe, 00000003.00000003.2640490029.000000000C433000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3321199872.000000000C439000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.backstretch.store/hwu6/
          Source: explorer.exe, 00000003.00000003.2640490029.000000000C433000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3321199872.000000000C439000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.backstretch.store/hwu6/www.vibrantsoul.xyz
          Source: explorer.exe, 00000003.00000003.2640490029.000000000C433000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3321199872.000000000C439000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.backstretch.storeReferer:
          Source: explorer.exe, 00000003.00000003.2640490029.000000000C433000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3321199872.000000000C439000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.bethlark.top
          Source: explorer.exe, 00000003.00000003.2640490029.000000000C433000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3321199872.000000000C439000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.bethlark.top/hwu6/
          Source: explorer.exe, 00000003.00000003.2640490029.000000000C433000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3321199872.000000000C439000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.bethlark.top/hwu6/www.migraine-treatment-36101.bond
          Source: explorer.exe, 00000003.00000003.2640490029.000000000C433000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3321199872.000000000C439000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.bethlark.topReferer:
          Source: explorer.exe, 00000003.00000003.2640490029.000000000C433000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3321199872.000000000C439000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.d66dr114gl.bond
          Source: explorer.exe, 00000003.00000003.2640490029.000000000C433000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3321199872.000000000C439000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.d66dr114gl.bond/hwu6/
          Source: explorer.exe, 00000003.00000003.2640490029.000000000C433000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3321199872.000000000C439000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.d66dr114gl.bond/hwu6/www.sugatoken.xyz
          Source: explorer.exe, 00000003.00000003.2640490029.000000000C433000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3321199872.000000000C439000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.d66dr114gl.bondReferer:
          Source: explorer.exe, 00000003.00000003.2640490029.000000000C433000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3321199872.000000000C439000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ffgzgbl.xyz
          Source: explorer.exe, 00000003.00000003.2640490029.000000000C433000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3321199872.000000000C439000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ffgzgbl.xyz/hwu6/
          Source: explorer.exe, 00000003.00000003.2640490029.000000000C433000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3321199872.000000000C439000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ffgzgbl.xyz/hwu6/www.gequiltdesins.shop
          Source: explorer.exe, 00000003.00000003.2640490029.000000000C433000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3321199872.000000000C439000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ffgzgbl.xyzReferer:
          Source: explorer.exe, 00000003.00000003.2640490029.000000000C433000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3321199872.000000000C439000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.gequiltdesins.shop
          Source: explorer.exe, 00000003.00000003.2640490029.000000000C433000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3321199872.000000000C439000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.gequiltdesins.shop/hwu6/
          Source: explorer.exe, 00000003.00000003.2640490029.000000000C433000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3321199872.000000000C439000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.gequiltdesins.shop/hwu6/www.backstretch.store
          Source: explorer.exe, 00000003.00000003.2640490029.000000000C433000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3321199872.000000000C439000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.gequiltdesins.shopReferer:
          Source: explorer.exe, 00000003.00000003.2640490029.000000000C433000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3321199872.000000000C439000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.inefity.cloud
          Source: explorer.exe, 00000003.00000003.2640490029.000000000C433000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3321199872.000000000C439000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.inefity.cloud/hwu6/
          Source: explorer.exe, 00000003.00000003.2640490029.000000000C433000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3321199872.000000000C439000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.inefity.cloud/hwu6/1kvm
          Source: explorer.exe, 00000003.00000003.2640490029.000000000C433000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3321199872.000000000C439000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.inefity.cloudReferer:
          Source: explorer.exe, 00000003.00000003.2640490029.000000000C433000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3321199872.000000000C439000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.migraine-treatment-36101.bond
          Source: explorer.exe, 00000003.00000003.2640490029.000000000C433000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3321199872.000000000C439000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.migraine-treatment-36101.bond/hwu6/
          Source: explorer.exe, 00000003.00000003.2640490029.000000000C433000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3321199872.000000000C439000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.migraine-treatment-36101.bond/hwu6/www.inefity.cloud
          Source: explorer.exe, 00000003.00000003.2640490029.000000000C433000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3321199872.000000000C439000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.migraine-treatment-36101.bondReferer:
          Source: explorer.exe, 00000003.00000003.2640490029.000000000C433000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3321199872.000000000C439000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.olarpanels-outlet.info
          Source: explorer.exe, 00000003.00000003.2640490029.000000000C433000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3321199872.000000000C439000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.olarpanels-outlet.info/hwu6/
          Source: explorer.exe, 00000003.00000003.2640490029.000000000C433000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3321199872.000000000C439000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.olarpanels-outlet.info/hwu6/www.7b5846.online
          Source: explorer.exe, 00000003.00000003.2640490029.000000000C433000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3321199872.000000000C439000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.olarpanels-outlet.infoReferer:
          Source: explorer.exe, 00000003.00000003.2640490029.000000000C433000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3321199872.000000000C439000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.pet-insurance-intl-7990489.live
          Source: explorer.exe, 00000003.00000003.2640490029.000000000C433000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3321199872.000000000C439000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.pet-insurance-intl-7990489.live/hwu6/
          Source: explorer.exe, 00000003.00000003.2640490029.000000000C433000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3321199872.000000000C439000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.pet-insurance-intl-7990489.live/hwu6/www.olarpanels-outlet.info
          Source: explorer.exe, 00000003.00000003.2640490029.000000000C433000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3321199872.000000000C439000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.pet-insurance-intl-7990489.liveReferer:
          Source: explorer.exe, 00000003.00000003.2640490029.000000000C433000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3321199872.000000000C439000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.skbdicat.xyz
          Source: explorer.exe, 00000003.00000003.2640490029.000000000C433000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3321199872.000000000C439000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.skbdicat.xyz/hwu6/
          Source: explorer.exe, 00000003.00000003.2640490029.000000000C433000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3321199872.000000000C439000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.skbdicat.xyz/hwu6/www.pet-insurance-intl-7990489.live
          Source: explorer.exe, 00000003.00000003.2640490029.000000000C433000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3321199872.000000000C439000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.skbdicat.xyzReferer:
          Source: explorer.exe, 00000003.00000003.2640490029.000000000C433000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3321199872.000000000C439000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.stairr-lift-find.today
          Source: explorer.exe, 00000003.00000003.2640490029.000000000C433000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3321199872.000000000C439000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.stairr-lift-find.today/hwu6/
          Source: explorer.exe, 00000003.00000003.2640490029.000000000C433000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3321199872.000000000C439000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.stairr-lift-find.today/hwu6/www.ux-design-courses-53497.bond
          Source: explorer.exe, 00000003.00000003.2640490029.000000000C433000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3321199872.000000000C439000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.stairr-lift-find.todayReferer:
          Source: explorer.exe, 00000003.00000003.2640490029.000000000C433000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3321199872.000000000C439000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.sugatoken.xyz
          Source: explorer.exe, 00000003.00000003.2640490029.000000000C433000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3321199872.000000000C439000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.sugatoken.xyz/hwu6/
          Source: explorer.exe, 00000003.00000003.2640490029.000000000C433000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3321199872.000000000C439000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.sugatoken.xyz/hwu6/www.ffgzgbl.xyz
          Source: explorer.exe, 00000003.00000003.2640490029.000000000C433000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3321199872.000000000C439000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.sugatoken.xyzReferer:
          Source: explorer.exe, 00000003.00000003.2640490029.000000000C433000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3321199872.000000000C439000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ux-design-courses-53497.bond
          Source: explorer.exe, 00000003.00000003.2640490029.000000000C433000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3321199872.000000000C439000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ux-design-courses-53497.bond/hwu6/
          Source: explorer.exe, 00000003.00000003.2640490029.000000000C433000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3321199872.000000000C439000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ux-design-courses-53497.bond/hwu6/www.skbdicat.xyz
          Source: explorer.exe, 00000003.00000003.2640490029.000000000C433000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3321199872.000000000C439000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ux-design-courses-53497.bondReferer:
          Source: explorer.exe, 00000003.00000003.2640490029.000000000C433000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3321199872.000000000C439000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.vibrantsoul.xyz
          Source: explorer.exe, 00000003.00000003.2640490029.000000000C433000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3321199872.000000000C439000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.vibrantsoul.xyz/hwu6/
          Source: explorer.exe, 00000003.00000003.2640490029.000000000C433000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3321199872.000000000C439000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.vibrantsoul.xyz/hwu6/www.stairr-lift-find.today
          Source: explorer.exe, 00000003.00000003.2640490029.000000000C433000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3321199872.000000000C439000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.vibrantsoul.xyzReferer:
          Source: explorer.exe, 00000003.00000003.2643662573.000000000C22E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.876215873.000000000C22E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3320780396.000000000C22E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppxv
          Source: explorer.exe, 00000003.00000000.876215873.000000000C22E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://android.notify.windows.com/iOS
          Source: explorer.exe, 00000003.00000000.876215873.000000000C22E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://android.notify.windows.com/iOSSr
          Source: explorer.exe, 00000003.00000000.873724317.00000000095B2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3316598131.00000000095B2000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/
          Source: explorer.exe, 00000003.00000002.3316598131.00000000096DF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.873724317.00000000096DF000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
          Source: explorer.exe, 00000003.00000002.3313702558.0000000007386000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.871577564.0000000007386000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=0E948A694F8C48079B908C8EA9DDF9EA&timeOut=5000&oc
          Source: explorer.exe, 00000003.00000002.3313702558.0000000007386000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.871577564.0000000007386000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
          Source: explorer.exe, 00000003.00000002.3316598131.00000000096C4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.873724317.00000000096C4000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://arc.msn.com
          Source: explorer.exe, 00000003.00000000.871577564.0000000007386000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
          Source: explorer.exe, 00000003.00000000.871577564.0000000007386000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/MostlyClearNight.svg
          Source: explorer.exe, 00000003.00000002.3313702558.0000000007386000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.871577564.0000000007386000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/recordhigh.svg
          Source: explorer.exe, 00000003.00000002.3313702558.0000000007386000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.871577564.0000000007386000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/taskbar/animation/WeatherInsights/WeatherInsi
          Source: explorer.exe, 00000003.00000002.3313702558.0000000007386000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.871577564.0000000007386000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
          Source: explorer.exe, 00000003.00000002.3313702558.0000000007386000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.871577564.0000000007386000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
          Source: explorer.exe, 00000003.00000002.3313702558.0000000007386000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.871577564.0000000007386000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT
          Source: explorer.exe, 00000003.00000002.3313702558.0000000007386000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.871577564.0000000007386000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT-dark
          Source: explorer.exe, 00000003.00000002.3313702558.0000000007386000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.871577564.0000000007386000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gF9k
          Source: explorer.exe, 00000003.00000002.3313702558.0000000007386000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.871577564.0000000007386000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gF9k-dark
          Source: explorer.exe, 00000003.00000002.3313702558.0000000007386000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.871577564.0000000007386000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKBA
          Source: explorer.exe, 00000003.00000002.3313702558.0000000007386000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.871577564.0000000007386000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKBA-dark
          Source: explorer.exe, 00000003.00000003.2638401511.0000000009741000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
          Source: explorer.exe, 00000003.00000000.876215873.000000000C1B6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3320295971.000000000C1B6000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://excel.office.com
          Source: explorer.exe, 00000003.00000002.3313702558.0000000007386000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.871577564.0000000007386000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA11f7Wa.img
          Source: explorer.exe, 00000003.00000002.3313702558.0000000007386000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.871577564.0000000007386000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
          Source: explorer.exe, 00000003.00000002.3313702558.0000000007386000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.871577564.0000000007386000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1b2aMG.img
          Source: explorer.exe, 00000003.00000002.3313702558.0000000007386000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.871577564.0000000007386000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1bjET8.img
          Source: explorer.exe, 00000003.00000002.3313702558.0000000007386000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.871577564.0000000007386000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hGNsX.img
          Source: explorer.exe, 00000003.00000002.3313702558.0000000007386000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.871577564.0000000007386000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAT0qC2.img
          Source: explorer.exe, 00000003.00000002.3313702558.0000000007386000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.871577564.0000000007386000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBNvr53.img
          Source: explorer.exe, 00000003.00000002.3313702558.0000000007386000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.871577564.0000000007386000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBYTL1i.img
          Source: explorer.exe, 00000003.00000000.876215873.000000000C1B6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3320295971.000000000C1B6000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://outlook.com
          Source: explorer.exe, 00000003.00000000.876215873.000000000C1B6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3320295971.000000000C1B6000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://powerpoint.office.comw
          Source: explorer.exe, 00000003.00000002.3313702558.0000000007386000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.871577564.0000000007386000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://upload.wikimedia.org/wikipedia/commons/thumb/8/84/Zealandia-Continent_map_en.svg/1870px-Zeal
          Source: explorer.exe, 00000003.00000002.3313702558.0000000007386000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.871577564.0000000007386000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
          Source: explorer.exe, 00000003.00000002.3313702558.0000000007386000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.871577564.0000000007386000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
          Source: explorer.exe, 00000003.00000002.3320295971.000000000C187000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.876215873.000000000C187000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://wns.windows.com/D
          Source: explorer.exe, 00000003.00000000.876215873.000000000C1B6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3320295971.000000000C1B6000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://word.office.com
          Source: explorer.exe, 00000003.00000002.3313702558.0000000007386000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.871577564.0000000007386000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/money/careersandeducation/student-loan-debt-forgiveness-arrives-for-some-b
          Source: explorer.exe, 00000003.00000002.3313702558.0000000007386000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.871577564.0000000007386000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/money/markets/costco-is-seeing-a-gold-rush-what-s-behind-the-demand-for-it
          Source: explorer.exe, 00000003.00000002.3313702558.0000000007386000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.871577564.0000000007386000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/the-big-3-mistakes-financial-advisors-say-that-the-1
          Source: explorer.exe, 00000003.00000002.3313702558.0000000007386000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.871577564.0000000007386000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/the-no-1-phrase-people-who-are-good-at-small-talk-al
          Source: explorer.exe, 00000003.00000002.3313702558.0000000007386000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.871577564.0000000007386000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/politics/kinzinger-has-theory-about-who-next-house-speaker-will-be/vi
          Source: explorer.exe, 00000003.00000002.3313702558.0000000007386000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.871577564.0000000007386000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the
          Source: explorer.exe, 00000003.00000002.3313702558.0000000007386000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.871577564.0000000007386000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/sports/other/predicting-what-the-pac-12-would-look-like-after-expansion-wi
          Source: explorer.exe, 00000003.00000002.3313702558.0000000007386000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.871577564.0000000007386000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/sports/other/simone-biles-leads-u-s-women-s-team-to-seventh-straight-world
          Source: explorer.exe, 00000003.00000002.3313702558.0000000007386000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.871577564.0000000007386000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/sports/other/washington-state-ad-asks-ncaa-for-compassion-and-understandin
          Source: explorer.exe, 00000003.00000002.3313702558.0000000007386000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.871577564.0000000007386000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/weather/topstories/accuweather-el-ni
          Source: explorer.exe, 00000003.00000002.3313702558.0000000007386000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.871577564.0000000007386000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/weather/topstories/first-map-of-earth-s-lost-continent-has-been-published/
          Source: explorer.exe, 00000003.00000002.3313702558.0000000007386000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.871577564.0000000007386000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/weather/topstories/stop-planting-new-forests-scientists-say/ar-AA1hFI09
          Source: explorer.exe, 00000003.00000002.3313702558.0000000007386000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.871577564.0000000007386000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-winter-forecast-for-the-2023-2024-season/ar-AA1hGINt
          Source: explorer.exe, 00000003.00000002.3313702558.0000000007386000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.871577564.0000000007386000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com:443/en-us/feed
          Source: unknown | Network traffic detected: HTTP traffic on port 49671 -> 443
          Source: C:\Users\user\Desktop\EEcYuuRdFy.exe | Code function: 0_2_00AF4164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4_2_00A42361 GetProcessHeap,HeapAlloc,CreateStreamOnHGlobal,OpenClipboard,GetLastError,EmptyClipboard,GetHGlobalFromStream,SetClipboardData,CloseClipboard,GetProcessHeap,HeapFree
          Source: C:\Users\user\Desktop\EEcYuuRdFy.exe | Code function: 0_2_00AF3F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard
          Source: C:\Users\user\Desktop\EEcYuuRdFy.exe | Code function: 0_2_00AE001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState
          Source: C:\Users\user\Desktop\EEcYuuRdFy.exe | Code function: 0_2_00B0CABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW

          E-Banking Fraud

          barindex
          Source: Yara match | File source: 0.2.EEcYuuRdFy.exe.1270000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.2.svchost.exe.330000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.EEcYuuRdFy.exe.1270000.1.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000002.00000002.915507369.0000000002DA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.3308943301.0000000002E70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.914859395.0000000000331000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.3309113410.0000000002EA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.3307781923.0000000002AA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.860385486.0000000001270000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.915462305.0000000002D70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

          System Summary

          barindex
          Source: 0.2.EEcYuuRdFy.exe.1270000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 0.2.EEcYuuRdFy.exe.1270000.1.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.EEcYuuRdFy.exe.1270000.1.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.2.svchost.exe.330000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 2.2.svchost.exe.330000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.svchost.exe.330000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.EEcYuuRdFy.exe.1270000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 0.2.EEcYuuRdFy.exe.1270000.1.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.EEcYuuRdFy.exe.1270000.1.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.915507369.0000000002DA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000002.00000002.915507369.0000000002DA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.915507369.0000000002DA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.3308943301.0000000002E70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000004.00000002.3308943301.0000000002E70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.3308943301.0000000002E70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.914859395.0000000000331000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000002.00000002.914859395.0000000000331000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.914859395.0000000000331000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.3309113410.0000000002EA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000004.00000002.3309113410.0000000002EA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.3309113410.0000000002EA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.3307781923.0000000002AA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000004.00000002.3307781923.0000000002AA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.3307781923.0000000002AA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.860385486.0000000001270000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000000.00000002.860385486.0000000001270000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.860385486.0000000001270000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.915462305.0000000002D70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000002.00000002.915462305.0000000002D70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.915462305.0000000002D70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: Process Memory Space: EEcYuuRdFy.exe PID: 5816, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: Process Memory Space: svchost.exe PID: 5364, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: Process Memory Space: msdt.exe PID: 372, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: C:\Users\user\Desktop\EEcYuuRdFy.exe | Code function: 0_2_00A83B3A This is a third-party compiled AutoIt script.
          Source: EEcYuuRdFy.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
          Source: EEcYuuRdFy.exe, 00000000.00000000.844939543.0000000000B34000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script. (memstr_10f59e52-d)
          Source: EEcYuuRdFy.exe, 00000000.00000000.844939543.0000000000B34000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer` (memstr_292eacf7-b)
          Source: EEcYuuRdFy.exe | String found in binary or memory: This is a third-party compiled AutoIt script. (memstr_8b75b84f-7)
          Source: EEcYuuRdFy.exe | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer` (memstr_cc51ab13-1)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F72AD0 NtReadFile,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F72BF0 NtAllocateVirtualMemory,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F72B60 NtClose,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F72EA0 NtAdjustPrivilegesToken,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F72E80 NtReadVirtualMemory,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F72FE0 NtCreateFile,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F72FB0 NtResumeThread,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F72F90 NtProtectVirtualMemory,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F72F30 NtCreateSection,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F72CA0 NtQueryInformationToken,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F72DF0 NtQuerySystemInformation,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F72DD0 NtDelayExecution,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F72D30 NtUnmapViewOfSection,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F72D10 NtMapViewOfSection,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F74340 NtSetContextThread
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F74650 NtSuspendThread
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F72AF0 NtWriteFile
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F72AB0 NtWaitForSingleObject
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F72BE0 NtQueryValueKey
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F72BA0 NtEnumerateValueKey
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F72B80 NtQueryInformationFile
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F72EE0 NtQueueApcThread
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F72E30 NtWriteVirtualMemory
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F72FA0 NtQuerySection
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F72F60 NtCreateProcessEx
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F72CF0 NtOpenProcess
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F72CC0 NtQueryVirtualMemory
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F72C70 NtFreeVirtualMemory
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F72C60 NtCreateKey
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F72C00 NtQueryInformationProcess
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F72DB0 NtEnumerateKey
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F72D00 NtSetInformationFile
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F73090 NtSetValueKey
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F73010 NtOpenDirectoryObject
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F735C0 NtCreateMutant
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F739B0 NtGetContextThread
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F73D70 NtOpenThread
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F73D10 NtOpenProcessToken
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0034A330 NtCreateFile
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0034A3E0 NtReadFile
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0034A460 NtClose
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0034A510 NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0034A32C NtCreateFile
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0034A383 NtCreateFile
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0034A45A NtClose
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0034A50A NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0034A58C NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0034A58A NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02DEA036 NtQueryInformationProcess,NtSuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread,NtClose
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02DEA042 NtQueryInformationProcess
          Source: C:\Windows\explorer.exe | Code function: 3_2_0B445E12 NtProtectVirtualMemory
          Source: C:\Windows\explorer.exe | Code function: 3_2_0B444232 NtCreateFile
          Source: C:\Windows\explorer.exe | Code function: 3_2_0B445E0A NtProtectVirtualMemory
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4_2_00A51CBD NtOpenThreadToken,NtOpenProcessToken,NtQueryInformationToken,NtClose
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4_2_00A51C50 NtQueryInformationToken,NtQueryInformationToken
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4_2_04B32CA0 NtQueryInformationToken,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4_2_04B32C70 NtFreeVirtualMemory,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4_2_04B32C60 NtCreateKey,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4_2_04B32DF0 NtQuerySystemInformation,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4_2_04B32DD0 NtDelayExecution,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4_2_04B32D10 NtMapViewOfSection,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4_2_04B32EA0 NtAdjustPrivilegesToken,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4_2_04B32FE0 NtCreateFile,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4_2_04B32F30 NtCreateSection,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4_2_04B32AD0 NtReadFile,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4_2_04B32BF0 NtAllocateVirtualMemory,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4_2_04B32BE0 NtQueryValueKey,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4_2_04B32B60 NtClose,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4_2_04B335C0 NtCreateMutant,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4_2_04B34650 NtSuspendThread
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4_2_04B34340 NtSetContextThread
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4_2_04B32CF0 NtOpenProcess
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4_2_04B32CC0 NtQueryVirtualMemory
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4_2_04B32C00 NtQueryInformationProcess
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4_2_04B32DB0 NtEnumerateKey
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4_2_04B32D30 NtUnmapViewOfSection
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4_2_04B32D00 NtSetInformationFile
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4_2_04B32E80 NtReadVirtualMemory
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4_2_04B32EE0 NtQueueApcThread
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4_2_04B32E30 NtWriteVirtualMemory
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4_2_04B32FB0 NtResumeThread
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4_2_04B32FA0 NtQuerySection
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4_2_04B32F90 NtProtectVirtualMemory
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4_2_04B32F60 NtCreateProcessEx
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4_2_04B32AB0 NtWaitForSingleObject
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4_2_04B32AF0 NtWriteFile
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4_2_04B32BA0 NtEnumerateValueKey
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4_2_04B32B80 NtQueryInformationFile
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4_2_04B33090 NtSetValueKey
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4_2_04B33010 NtOpenDirectoryObject
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4_2_04B33D10 NtOpenProcessToken
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4_2_04B33D70 NtOpenThread
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4_2_04B339B0 NtGetContextThread
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4_2_02ABA3E0 NtReadFile
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4_2_02ABA330 NtCreateFile
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4_2_02ABA460 NtClose
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4_2_02ABA510 NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4_2_02ABA383 NtCreateFile
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4_2_02ABA32C NtCreateFile
          Source: C:\Users\user\Desktop\EEcYuuRdFy.exe | Code function: 0_2_00AEA1EF GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle
          Source: C:\Users\user\Desktop\EEcYuuRdFy.exe | Code function: 0_2_00AD8310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
          Source: C:\Users\user\Desktop\EEcYuuRdFy.exe | Code function: 0_2_00AE51BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB4F402_2_02FB4F40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F60F302_2_02F60F30
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FE2F302_2_02FE2F30
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F82F282_2_02F82F28
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F30CF22_2_02F30CF2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FE0CB52_2_02FE0CB5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F40C002_2_02F40C00
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F3ADE02_2_02F3ADE0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F58DBF2_2_02F58DBF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDCD1F2_2_02FDCD1F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F4AD002_2_02F4AD00
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FE12ED2_2_02FE12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F5B2C02_2_02F5B2C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F452A02_2_02F452A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F8739A2_2_02F8739A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F2D34C2_2_02F2D34C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FF132D2_2_02FF132D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FF70E92_2_02FF70E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FFF0E02_2_02FFF0E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FEF0CC2_2_02FEF0CC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F470C02_2_02F470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0300B16B2_2_0300B16B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F4B1B02_2_02F4B1B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F2F1722_2_02F2F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F7516C2_2_02F7516C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FF16CC2_2_02FF16CC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F856302_2_02F85630
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FFF7B02_2_02FFF7B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F314602_2_02F31460
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FFF43F2_2_02FFF43F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030095C32_2_030095C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDD5B02_2_02FDD5B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FF75712_2_02FF7571
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FEDAC62_2_02FEDAC6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDDAAC2_2_02FDDAAC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F85AA02_2_02F85AA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FE1AA32_2_02FE1AA3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB3A6C2_2_02FB3A6C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FFFA492_2_02FFFA49
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FF7A462_2_02FF7A46
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB5BF02_2_02FB5BF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F7DBF92_2_02F7DBF9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F5FB802_2_02F5FB80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FFFB762_2_02FFFB76
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F438E02_2_02F438E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FAD8002_2_02FAD800
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F499502_2_02F49950
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F5B9502_2_02F5B950
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FD59102_2_02FD5910
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F49EB02_2_02F49EB0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F03FD22_2_02F03FD2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F03FD52_2_02F03FD5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FFFFB12_2_02FFFFB1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F41F922_2_02F41F92
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FFFF092_2_02FFFF09
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FFFCF22_2_02FFFCF2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB9C322_2_02FB9C32
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F5FDC02_2_02F5FDC0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FF7D732_2_02FF7D73
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FF1D5A2_2_02FF1D5A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F43D402_2_02F43D40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0034E7A42_2_0034E7A4
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00332D902_2_00332D90
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00332D872_2_00332D87
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0034EDDB2_2_0034EDDB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00332FB02_2_00332FB0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_003310302_2_00331030
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00339E602_2_00339E60
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00339E5C2_2_00339E5C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0034DF132_2_0034DF13
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02DEA0362_2_02DEA036
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02DEB2322_2_02DEB232
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02DE10822_2_02DE1082
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02DEE5CD2_2_02DEE5CD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02DE5B322_2_02DE5B32
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02DE5B302_2_02DE5B30
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02DE89122_2_02DE8912
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02DE2D022_2_02DE2D02
          Source: C:\Windows\explorer.exeCode function: 3_2_0B4442323_2_0B444232
          Source: C:\Windows\explorer.exeCode function: 3_2_0B43BD023_2_0B43BD02
          Source: C:\Windows\explorer.exeCode function: 3_2_0B4419123_2_0B441912
          Source: C:\Windows\explorer.exeCode function: 3_2_0B43EB323_2_0B43EB32
          Source: C:\Windows\explorer.exeCode function: 3_2_0B43EB303_2_0B43EB30
          Source: C:\Windows\explorer.exeCode function: 3_2_0B4475CD3_2_0B4475CD
          Source: C:\Windows\explorer.exeCode function: 3_2_0B4430363_2_0B443036
          Source: C:\Windows\explorer.exeCode function: 3_2_0B43A0823_2_0B43A082
          Source: C:\Windows\explorer.exeCode function: 3_2_0E42E2323_2_0E42E232
          Source: C:\Windows\explorer.exeCode function: 3_2_0E428B323_2_0E428B32
          Source: C:\Windows\explorer.exeCode function: 3_2_0E428B303_2_0E428B30
          Source: C:\Windows\explorer.exeCode function: 3_2_0E42D0363_2_0E42D036
          Source: C:\Windows\explorer.exeCode function: 3_2_0E4240823_2_0E424082
          Source: C:\Windows\explorer.exeCode function: 3_2_0E425D023_2_0E425D02
          Source: C:\Windows\explorer.exeCode function: 3_2_0E42B9123_2_0E42B912
          Source: C:\Windows\explorer.exeCode function: 3_2_0E4315CD3_2_0E4315CD
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 4_2_00A3F0DB4_2_00A3F0DB
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 4_2_00A5C8034_2_00A5C803
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 4_2_00A359504_2_00A35950
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 4_2_00A4FCE74_2_00A4FCE7
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 4_2_00A52FD34_2_00A52FD3
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 4_2_00A447024_2_00A44702
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 4_2_04BAE4F64_2_04BAE4F6
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 4_2_04BA44204_2_04BA4420
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 4_2_04BB24464_2_04BB2446
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 4_2_04BC05914_2_04BC0591
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 4_2_04B005354_2_04B00535
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 4_2_04B1C6E04_2_04B1C6E0
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 4_2_04AFC7C04_2_04AFC7C0
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 4_2_04B007704_2_04B00770
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 4_2_04B247504_2_04B24750
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 4_2_04B920004_2_04B92000
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 4_2_04BC01AA4_2_04BC01AA
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 4_2_04BB41A24_2_04BB41A2
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 4_2_04BB81CC4_2_04BB81CC
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 4_2_04B9A1184_2_04B9A118
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 4_2_04AF01004_2_04AF0100
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 4_2_04B881584_2_04B88158
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 4_2_04B802C04_2_04B802C0
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 4_2_04BA02744_2_04BA0274
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 4_2_04B0E3F04_2_04B0E3F0
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 4_2_04BC03E64_2_04BC03E6
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 4_2_04BBA3524_2_04BBA352
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 4_2_04BA0CB54_2_04BA0CB5
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 4_2_04AF0CF24_2_04AF0CF2
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 4_2_04B00C004_2_04B00C00
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 4_2_04B18DBF4_2_04B18DBF
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 4_2_04AFADE04_2_04AFADE0
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 4_2_04B9CD1F4_2_04B9CD1F
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 4_2_04B0AD004_2_04B0AD00
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 4_2_04B12E904_2_04B12E90
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 4_2_04BBCE934_2_04BBCE93
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 4_2_04BBEEDB4_2_04BBEEDB
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 4_2_04BBEE264_2_04BBEE26
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 4_2_04B00E594_2_04B00E59
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 4_2_04B7EFA04_2_04B7EFA0
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 4_2_04B0CFE04_2_04B0CFE0
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 4_2_04AF2FC84_2_04AF2FC8
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 4_2_04B20F304_2_04B20F30
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 4_2_04BA2F304_2_04BA2F30
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 4_2_04B42F284_2_04B42F28
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 4_2_04B74F404_2_04B74F40
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 4_2_04AE68B84_2_04AE68B8
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 4_2_04B2E8F04_2_04B2E8F0
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 4_2_04B0A8404_2_04B0A840
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 4_2_04B028404_2_04B02840
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 4_2_04B029A04_2_04B029A0
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 4_2_04BCA9A64_2_04BCA9A6
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 4_2_04B169624_2_04B16962
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 4_2_04AFEA804_2_04AFEA80
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 4_2_04BB6BD74_2_04BB6BD7
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 4_2_04BBAB404_2_04BBAB40
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 4_2_04BBF43F4_2_04BBF43F
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 4_2_04AF14604_2_04AF1460
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 4_2_04B9D5B04_2_04B9D5B0
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 4_2_04BC95C34_2_04BC95C3
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 4_2_04BB75714_2_04BB7571
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 4_2_04BB16CC4_2_04BB16CC
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 4_2_04B456304_2_04B45630
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 4_2_04BBF7B04_2_04BBF7B0
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 4_2_04BB70E94_2_04BB70E9
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 4_2_04BBF0E04_2_04BBF0E0
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 4_2_04B070C04_2_04B070C0
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 4_2_04BAF0CC4_2_04BAF0CC
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 4_2_04B0B1B04_2_04B0B1B0
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 4_2_04BCB16B4_2_04BCB16B
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 4_2_04AEF1724_2_04AEF172
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 4_2_04B3516C4_2_04B3516C
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 4_2_04B052A04_2_04B052A0
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 4_2_04BA12ED4_2_04BA12ED
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 4_2_04B1B2C04_2_04B1B2C0
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 4_2_04B4739A4_2_04B4739A
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 4_2_04BB132D4_2_04BB132D
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 4_2_04AED34C4_2_04AED34C
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 4_2_04BBFCF24_2_04BBFCF2
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 4_2_04B79C324_2_04B79C32
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 4_2_04B1FDC04_2_04B1FDC0
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 4_2_04BB7D734_2_04BB7D73
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 4_2_04BB1D5A4_2_04BB1D5A
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 4_2_04B03D404_2_04B03D40
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 4_2_04B09EB04_2_04B09EB0
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 4_2_04BBFFB14_2_04BBFFB1
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 4_2_04B01F924_2_04B01F92
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 4_2_04AC3FD54_2_04AC3FD5
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 4_2_04AC3FD24_2_04AC3FD2
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 4_2_04BBFF094_2_04BBFF09
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 4_2_04B038E04_2_04B038E0
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 4_2_04B6D8004_2_04B6D800
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 4_2_04B959104_2_04B95910
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 4_2_04B099504_2_04B09950
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 4_2_04B1B9504_2_04B1B950
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 4_2_04B45AA04_2_04B45AA0
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 4_2_04B9DAAC4_2_04B9DAAC
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 4_2_04BA1AA34_2_04BA1AA3
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 4_2_04BADAC64_2_04BADAC6
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 4_2_04B73A6C4_2_04B73A6C
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 4_2_04BBFA494_2_04BBFA49
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 4_2_04BB7A464_2_04BB7A46
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 4_2_04B1FB804_2_04B1FB80
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 4_2_04B75BF04_2_04B75BF0
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 4_2_04B3DBF94_2_04B3DBF9
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 4_2_04BBFB764_2_04BBFB76
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 02FAEA12 appears 86 times
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 02FBF290 appears 105 times
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 02F75130 appears 58 times
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 02F87E54 appears 111 times
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 02F2B970 appears 280 times
          Source: C:\Users\user\Desktop\EEcYuuRdFy.exeCode function: String function: 00AA8900 appears 42 times
          Source: C:\Users\user\Desktop\EEcYuuRdFy.exeCode function: String function: 00AA0AE3 appears 70 times
          Source: C:\Users\user\Desktop\EEcYuuRdFy.exeCode function: String function: 00A87DE1 appears 35 times
          Source: C:\Windows\SysWOW64\msdt.exeCode function: String function: 00A219DB appears 34 times
          Source: C:\Windows\SysWOW64\msdt.exeCode function: String function: 04B35130 appears 58 times
          Source: C:\Windows\SysWOW64\msdt.exeCode function: String function: 04B6EA12 appears 86 times
          Source: C:\Windows\SysWOW64\msdt.exeCode function: String function: 00A299E8 appears 891 times
          Source: C:\Windows\SysWOW64\msdt.exeCode function: String function: 04AEB970 appears 280 times
          Source: C:\Windows\SysWOW64\msdt.exeCode function: String function: 00A5E523 appears 31 times
          Source: C:\Windows\SysWOW64\msdt.exeCode function: String function: 04B7F290 appears 105 times
          Source: C:\Windows\SysWOW64\msdt.exeCode function: String function: 04B47E54 appears 111 times
          Source: EEcYuuRdFy.exe, 00000000.00000003.857896246.0000000003EED000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs EEcYuuRdFy.exe
          Source: EEcYuuRdFy.exe, 00000000.00000003.857124424.0000000003D43000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs EEcYuuRdFy.exe
          Source: EEcYuuRdFy.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
          Source: 0.2.EEcYuuRdFy.exe.1270000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 0.2.EEcYuuRdFy.exe.1270000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.EEcYuuRdFy.exe.1270000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.svchost.exe.330000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 2.2.svchost.exe.330000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.svchost.exe.330000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.EEcYuuRdFy.exe.1270000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 0.2.EEcYuuRdFy.exe.1270000.1.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.EEcYuuRdFy.exe.1270000.1.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.915507369.0000000002DA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000002.00000002.915507369.0000000002DA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.915507369.0000000002DA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.3308943301.0000000002E70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000004.00000002.3308943301.0000000002E70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.3308943301.0000000002E70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.914859395.0000000000331000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000002.00000002.914859395.0000000000331000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.914859395.0000000000331000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.3309113410.0000000002EA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000004.00000002.3309113410.0000000002EA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.3309113410.0000000002EA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.3307781923.0000000002AA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000004.00000002.3307781923.0000000002AA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.3307781923.0000000002AA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.860385486.0000000001270000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000000.00000002.860385486.0000000001270000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.860385486.0000000001270000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.915462305.0000000002D70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000002.00000002.915462305.0000000002D70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.915462305.0000000002D70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: Process Memory Space: EEcYuuRdFy.exe PID: 5816, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: Process Memory Space: svchost.exe PID: 5364, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: Process Memory Space: msdt.exe PID: 372, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: classification engineClassification label: mal100.troj.evad.winEXE@8/4@11/3
          Source: C:\Users\user\Desktop\EEcYuuRdFy.exeCode function: 0_2_00AEA06A GetLastError,FormatMessageW,0_2_00AEA06A
          Source: C:\Users\user\Desktop\EEcYuuRdFy.exeCode function: 0_2_00AD81CB AdjustTokenPrivileges,CloseHandle,0_2_00AD81CB
          Source: C:\Users\user\Desktop\EEcYuuRdFy.exeCode function: 0_2_00AD87E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,0_2_00AD87E1
          Source: C:\Users\user\Desktop\EEcYuuRdFy.exeCode function: 0_2_00AEB3FB SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,0_2_00AEB3FB
          Source: C:\Users\user\Desktop\EEcYuuRdFy.exeCode function: 0_2_00AFEE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,0_2_00AFEE0D
          Source: C:\Users\user\Desktop\EEcYuuRdFy.exeCode function: 0_2_00AF83BB CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear,0_2_00AF83BB
          Source: C:\Users\user\Desktop\EEcYuuRdFy.exeCode function: 0_2_00A84E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,0_2_00A84E89
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1876:120:WilError_03
          Source: C:\Users\user\Desktop\EEcYuuRdFy.exeFile created: C:\Users\user\AppData\Local\Temp\aut94DB.tmpJump to behavior
          Source: EEcYuuRdFy.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\EEcYuuRdFy.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
          Source: EEcYuuRdFy.exeReversingLabs: Detection: 71%
          Source: EEcYuuRdFy.exeVirustotal: Detection: 76%
          Source: unknownProcess created: C:\Users\user\Desktop\EEcYuuRdFy.exe "C:\Users\user\Desktop\EEcYuuRdFy.exe"
          Source: C:\Users\user\Desktop\EEcYuuRdFy.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\EEcYuuRdFy.exe"
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\msdt.exe "C:\Windows\SysWOW64\msdt.exe"
          Source: C:\Windows\SysWOW64\msdt.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\svchost.exe"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\EEcYuuRdFy.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\EEcYuuRdFy.exe"Jump to behavior
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\msdt.exe "C:\Windows\SysWOW64\msdt.exe"Jump to behavior
          Source: C:\Windows\SysWOW64\msdt.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\svchost.exe"Jump to behavior
          Source: C:\Users\user\Desktop\EEcYuuRdFy.exeSection loaded: wsock32.dllJump to behavior
          Source: C:\Users\user\Desktop\EEcYuuRdFy.exeSection loaded: version.dllJump to behavior
          Source: C:\Users\user\Desktop\EEcYuuRdFy.exeSection loaded: winmm.dllJump to behavior
          Source: C:\Users\user\Desktop\EEcYuuRdFy.exeSection loaded: mpr.dllJump to behavior
          Source: C:\Users\user\Desktop\EEcYuuRdFy.exeSection loaded: wininet.dllJump to behavior
          Source: C:\Users\user\Desktop\EEcYuuRdFy.exeSection loaded: iphlpapi.dllJump to behavior
          Source: C:\Users\user\Desktop\EEcYuuRdFy.exeSection loaded: userenv.dllJump to behavior
          Source: C:\Users\user\Desktop\EEcYuuRdFy.exeSection loaded: uxtheme.dllJump to behavior
          Source: C:\Users\user\Desktop\EEcYuuRdFy.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Users\user\Desktop\EEcYuuRdFy.exeSection loaded: windows.storage.dllJump to behavior
          Source: C:\Users\user\Desktop\EEcYuuRdFy.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: wscinterop.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: wscapi.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: werconcpl.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: framedynos.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: wer.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: hcproviders.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: vcruntime140_1.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: vcruntime140.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: msvcp140.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: vcruntime140.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: vcruntime140.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: windows.internal.shell.broker.dllJump to behavior
          Source: C:\Windows\explorer.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{50CE75BC-766C-4136-BF5E-9197AA23569E}\InProcServer32Jump to behavior
          Source: EEcYuuRdFy.exeStatic file information: File size 1059328 > 1048576
          Source: EEcYuuRdFy.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
          Source: EEcYuuRdFy.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
          Source: EEcYuuRdFy.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
          Source: EEcYuuRdFy.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: EEcYuuRdFy.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
          Source: EEcYuuRdFy.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
          Source: EEcYuuRdFy.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: Binary string: msdt.pdbGCTL source: svchost.exe, 00000002.00000003.914282737.000000000081B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.914282737.000000000087B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.914606299.000000000087B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.915606576.0000000002E00000.00000040.10000000.00040000.00000000.sdmp, msdt.exe, 00000004.00000002.3307393259.0000000000A10000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: wntdll.pdbUGP source: EEcYuuRdFy.exe, 00000000.00000003.856044494.0000000003DC0000.00000004.00001000.00020000.00000000.sdmp, EEcYuuRdFy.exe, 00000000.00000003.858618222.0000000003C50000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.915692119.000000000309E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.915692119.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.861398335.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.859381241.0000000002B00000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 00000004.00000003.915315031.0000000004744000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 00000004.00000002.3310130731.0000000004AC0000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 00000004.00000003.917480630.000000000490C000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 00000004.00000002.3310130731.0000000004C5E000.00000040.00001000.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: EEcYuuRdFy.exe, 00000000.00000003.856044494.0000000003DC0000.00000004.00001000.00020000.00000000.sdmp, EEcYuuRdFy.exe, 00000000.00000003.858618222.0000000003C50000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.915692119.000000000309E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.915692119.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.861398335.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.859381241.0000000002B00000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, msdt.exe, 00000004.00000003.915315031.0000000004744000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 00000004.00000002.3310130731.0000000004AC0000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 00000004.00000003.917480630.000000000490C000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 00000004.00000002.3310130731.0000000004C5E000.00000040.00001000.00020000.00000000.sdmp
          Source: Binary string: svchost.pdb source: explorer.exe, 00000003.00000002.3322276434.000000001031F000.00000004.80000000.00040000.00000000.sdmp, msdt.exe, 00000004.00000002.3308558483.0000000002D93000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 00000004.00000002.3311175907.000000000500F000.00000004.10000000.00040000.00000000.sdmp
          Source: Binary string: svchost.pdbUGP source: explorer.exe, 00000003.00000002.3322276434.000000001031F000.00000004.80000000.00040000.00000000.sdmp, msdt.exe, 00000004.00000002.3308558483.0000000002D93000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 00000004.00000002.3311175907.000000000500F000.00000004.10000000.00040000.00000000.sdmp
          Source: Binary string: msdt.pdb source: svchost.exe, 00000002.00000003.914282737.000000000081B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.914282737.000000000087B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.914606299.000000000087B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.915606576.0000000002E00000.00000040.10000000.00040000.00000000.sdmp, msdt.exe, msdt.exe, 00000004.00000002.3307393259.0000000000A10000.00000040.80000000.00040000.00000000.sdmp
          Source: EEcYuuRdFy.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
          Source: EEcYuuRdFy.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
          Source: EEcYuuRdFy.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
          Source: EEcYuuRdFy.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
          Source: EEcYuuRdFy.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
          Source: C:\Users\user\Desktop\EEcYuuRdFy.exe | Code function: 0_2_00A84B37 LoadLibraryA,GetProcAddress, 0_2_00A84B37
          Source: C:\Users\user\Desktop\EEcYuuRdFy.exe | Code function: 0_2_00AA8945 push ecx; ret 0_2_00AA8958
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F0225F pushad ; ret 2_2_02F027F9
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F027FA pushad ; ret 2_2_02F027F9
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F0283D push eax; iretd 2_2_02F02858
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F309AD push ecx; mov dword ptr [esp], ecx 2_2_02F309B6
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F01368 push eax; iretd 2_2_02F01369
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0034E9AD push dword ptr [D2425A3Fh]; ret 2_2_0034E9CF
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00346B48 push ebp; retf 2_2_00346B63
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0034D485 push eax; ret 2_2_0034D4D8
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0034D4D2 push eax; ret 2_2_0034D4D8
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0034D4DB push eax; ret 2_2_0034D542
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0034D53C push eax; ret 2_2_0034D542
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00347933 push esi; ret 2_2_00347934
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00339BA9 push ecx; ret 2_2_00339BB0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00339BA9 push ecx; ret 2_2_00339BB0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00347D70 push ebx; ret 2_2_00347D7D
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00347D9A push ebx; ret 2_2_00347D7D
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02DEEB1E push esp; retn 0000h 2_2_02DEEB1F
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02DEEB02 push esp; retn 0000h 2_2_02DEEB03
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02DEE9B5 push esp; retn 0000h 2_2_02DEEAE7
          Source: C:\Windows\explorer.exe | Code function: 3_2_0B447B02 push esp; retn 0000h 3_2_0B447B03
          Source: C:\Windows\explorer.exe | Code function: 3_2_0B447B1E push esp; retn 0000h 3_2_0B447B1F
          Source: C:\Windows\explorer.exe | Code function: 3_2_0B4479B5 push esp; retn 0000h 3_2_0B447AE7
          Source: C:\Windows\explorer.exe | Code function: 3_2_0E431B02 push esp; retn 0000h 3_2_0E431B03
          Source: C:\Windows\explorer.exe | Code function: 3_2_0E431B1E push esp; retn 0000h 3_2_0E431B1F
          Source: C:\Windows\explorer.exe | Code function: 3_2_0E4319B5 push esp; retn 0000h 3_2_0E431AE7
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4_2_00A100CD push eax; iretd 4_2_00A10189
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4_2_00A61004 push ecx; ret 4_2_00A61017
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4_2_00A137EB push eax; iretd 4_2_00A137F1
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4_2_04AC27FA pushad ; ret 4_2_04AC27F9
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4_2_04AC225F pushad ; ret 4_2_04AC27F9
          Source: C:\Users\user\Desktop\EEcYuuRdFy.exe | Code function: 0_2_00A848D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_00A848D7
          Source: C:\Users\user\Desktop\EEcYuuRdFy.exe | Code function: 0_2_00B05376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 0_2_00B05376
          Source: C:\Users\user\Desktop\EEcYuuRdFy.exe | Code function: 0_2_00AA3187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00AA3187
          Source: C:\Users\user\Desktop\EEcYuuRdFy.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\EEcYuuRdFy.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\msdt.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          Source: C:\Users\user\Desktop\EEcYuuRdFy.exeAPI/Special instruction interceptor: Address: 1263224
          Source: C:\Windows\SysWOW64\svchost.exeAPI/Special instruction interceptor: Address: 7FF9B762D324
          Source: C:\Windows\SysWOW64\svchost.exeAPI/Special instruction interceptor: Address: 7FF9B7630774
          Source: C:\Windows\SysWOW64\svchost.exeAPI/Special instruction interceptor: Address: 7FF9B7630154
          Source: C:\Windows\SysWOW64\svchost.exeAPI/Special instruction interceptor: Address: 7FF9B762D8A4
          Source: C:\Windows\SysWOW64\svchost.exeAPI/Special instruction interceptor: Address: 7FF9B762DA44
          Source: C:\Windows\SysWOW64\svchost.exeAPI/Special instruction interceptor: Address: 7FF9B762D1E4
          Source: C:\Windows\SysWOW64\svchost.exeRDTSC instruction interceptor: First address: 339904 second address: 33990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\svchost.exeRDTSC instruction interceptor: First address: 339B7E second address: 339B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\msdt.exeRDTSC instruction interceptor: First address: 2AA9904 second address: 2AA990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\msdt.exeRDTSC instruction interceptor: First address: 2AA9B7E second address: 2AA9B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F7096E rdtsc 2_2_02F7096E
          Source: C:\Windows\explorer.exeWindow / User API: threadDelayed 4122Jump to behavior
          Source: C:\Windows\explorer.exeWindow / User API: threadDelayed 5807Jump to behavior
          Source: C:\Windows\explorer.exeWindow / User API: foregroundWindowGot 874Jump to behavior
          Source: C:\Windows\explorer.exeWindow / User API: foregroundWindowGot 875Jump to behavior
          Source: C:\Windows\SysWOW64\msdt.exeWindow / User API: threadDelayed 486Jump to behavior
          Source: C:\Windows\SysWOW64\msdt.exeWindow / User API: threadDelayed 9485Jump to behavior
          Source: C:\Windows\explorer.exeDecision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
          Source: C:\Users\user\Desktop\EEcYuuRdFy.exeEvasive API call chain: GetSystemTimeAsFileTime,DecisionNodesgraph_0-106868
          Source: C:\Users\user\Desktop\EEcYuuRdFy.exeAPI coverage: 4.6 %
          Source: C:\Windows\SysWOW64\svchost.exeAPI coverage: 2.0 %
          Source: C:\Windows\SysWOW64\msdt.exeAPI coverage: 0.6 %
          Source: C:\Windows\explorer.exe TID: 1344Thread sleep count: 4122 > 30Jump to behavior
          Source: C:\Windows\explorer.exe TID: 1344Thread sleep time: -8244000s >= -30000sJump to behavior
          Source: C:\Windows\explorer.exe TID: 1344Thread sleep count: 5807 > 30Jump to behavior
          Source: C:\Windows\explorer.exe TID: 1344Thread sleep time: -11614000s >= -30000sJump to behavior
          Source: C:\Windows\SysWOW64\msdt.exeLast function: Thread delayed
          Source: C:\Windows\SysWOW64\msdt.exeLast function: Thread delayed
          Source: C:\Users\user\Desktop\EEcYuuRdFy.exeCode function: 0_2_00AE445A GetFileAttributesW,FindFirstFileW,FindClose,0_2_00AE445A
          Source: C:\Users\user\Desktop\EEcYuuRdFy.exeCode function: 0_2_00AEC6D1 FindFirstFileW,FindClose,0_2_00AEC6D1
          Source: C:\Users\user\Desktop\EEcYuuRdFy.exeCode function: 0_2_00AEC75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_00AEC75C
          Source: C:\Users\user\Desktop\EEcYuuRdFy.exeCode function: 0_2_00AEEF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00AEEF95
          Source: C:\Users\user\Desktop\EEcYuuRdFy.exeCode function: 0_2_00AEF0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00AEF0F2
          Source: C:\Users\user\Desktop\EEcYuuRdFy.exeCode function: 0_2_00AEF3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_00AEF3F3
          Source: C:\Users\user\Desktop\EEcYuuRdFy.exeCode function: 0_2_00AE37EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00AE37EF
          Source: C:\Users\user\Desktop\EEcYuuRdFy.exeCode function: 0_2_00AE3B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00AE3B12
          Source: C:\Users\user\Desktop\EEcYuuRdFy.exeCode function: 0_2_00AEBCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_00AEBCBC
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 4_2_00A560A8 memset,GetProcessHeap,HeapAlloc,FindFirstFileW,GetProcessHeap,HeapAlloc,GetLastError,FindClose,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,4_2_00A560A8
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 4_2_00A4602D GetProcessHeap,HeapAlloc,FindFirstFileW,_wcsicmp,_wcsicmp,SetFileAttributesW,GetLastError,DeleteFileW,GetLastError,FindNextFileW,FindClose,RemoveDirectoryW,GetLastError,GetProcessHeap,HeapFree,4_2_00A4602D
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 4_2_00A41B92 memset,GetProcessHeap,HeapAlloc,FindFirstFileW,_wcsicmp,_wcsicmp,FindNextFileW,FindClose,GetLastError,GetProcessHeap,HeapFree,4_2_00A41B92
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 4_2_00A44CB6 memset,GetProcessHeap,HeapAlloc,FindFirstFileW,_wcsicmp,_wcsicmp,FindNextFileW,FindClose,GetLastError,GetProcessHeap,HeapFree,4_2_00A44CB6
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 4_2_00A45C20 memset,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,CloseHandle,FindFirstFileW,_wcsicmp,_wcsicmp,GetFileAttributesW,SetFileAttributesW,GetLastError,GetFileAttributesW,SetFileAttributesW,GetLastError,DeleteFileW,CreateFileW,GetLastError,CloseHandle,FindNextFileW,FindClose,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,CloseHandle,CloseHandle,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,4_2_00A45C20
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 4_2_00A5743A memset,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,FindFirstFileW,_wcsicmp,_wcsicmp,CopyFileW,GetLastError,FindNextFileW,FindClose,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,4_2_00A5743A
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 4_2_00A44EDC memset,GetProcessHeap,HeapAlloc,FindFirstFileW,_wcsicmp,_wcsicmp,FindNextFileW,FindClose,GetLastError,GetProcessHeap,HeapFree,4_2_00A44EDC
          Source: C:\Users\user\Desktop\EEcYuuRdFy.exeCode function: 0_2_00A849A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_00A849A0
          Source: explorer.exe, 00000003.00000002.3318098515.00000000098F3000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: 11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}CA
          Source: explorer.exe, 00000003.00000000.869152167.0000000000BA0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Prod_VMware_SATA
          Source: explorer.exe, 00000003.00000000.870165711.00000000031ED000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000bb'
          Source: explorer.exe, 00000003.00000000.874388249.00000000097CB000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}$
          Source: explorer.exe, 00000003.00000002.3318032980.0000000009852000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
          Source: explorer.exe, 00000003.00000000.869152167.0000000000BD9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000_
          Source: explorer.exe, 00000003.00000003.2638401511.000000000974B000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMware SATA CD00_
          Source: explorer.exe, 00000003.00000000.874388249.00000000097CB000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: NXTVMWare
          Source: explorer.exe, 00000003.00000000.873724317.00000000095B2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3316598131.00000000095B2000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWt mouse
          Source: explorer.exe, 00000003.00000000.870165711.00000000031A0000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMware Virtual RAM00000001
          Source: explorer.exe, 00000003.00000000.873724317.0000000009741000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2638401511.0000000009741000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3316598131.00000000096DF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.873724317.00000000096DF000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
          Source: explorer.exe, 00000003.00000000.870165711.00000000031A0000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMware Virtual RAM
          Source: explorer.exe, 00000003.00000003.2643601399.000000000984F000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
          Source: explorer.exe, 00000003.00000000.869152167.0000000000BD9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: #CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Ji
          Source: explorer.exe, 00000003.00000000.869152167.0000000000BD9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000o
          Source: explorer.exe, 00000003.00000000.874388249.00000000097CB000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000003.00000000.871577564.0000000007386000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\EEcYuuRdFy.exe API call chain: ExitProcess graph end node graph_0-104227
Source: C:\Users\user\Desktop\EEcYuuRdFy.exe API call chain: ExitProcess graph end node graph_0-104417
Source: C:\Windows\SysWOW64\svchost.exe Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\svchost.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\msdt.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F7096E rdtsc 2_2_02F7096E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F72AD0 NtReadFile,LdrInitializeThunk, 2_2_02F72AD0
Source: C:\Users\user\Desktop\EEcYuuRdFy.exe Code function: 0_2_00AF3F09 BlockInput, 0_2_00AF3F09
Source: C:\Users\user\Desktop\EEcYuuRdFy.exe Code function: 0_2_00A83B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 0_2_00A83B3A
Source: C:\Users\user\Desktop\EEcYuuRdFy.exe Code function: 0_2_00AB5A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 0_2_00AB5A7C
Source: C:\Users\user\Desktop\EEcYuuRdFy.exe Code function: 0_2_00A84B37 LoadLibraryA,GetProcAddress, 0_2_00A84B37
Source: C:\Users\user\Desktop\EEcYuuRdFy.exe Code function: 0_2_01263490 mov eax, dword ptr fs:[00000030h] 0_2_01263490
Source: C:\Users\user\Desktop\EEcYuuRdFy.exe Code function: 0_2_012634F0 mov eax, dword ptr fs:[00000030h] 0_2_012634F0
Source: C:\Users\user\Desktop\EEcYuuRdFy.exe Code function: 0_2_01261E70 mov eax, dword ptr fs:[00000030h] 0_2_01261E70
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F402E1 mov eax, dword ptr fs:[00000030h] 2_2_02F402E1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03008324 mov eax, dword ptr fs:[00000030h] 2_2_03008324
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03008324 mov ecx, dword ptr fs:[00000030h] 2_2_03008324
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F3A2C3 mov eax, dword ptr fs:[00000030h] 2_2_02F3A2C3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0300634F mov eax, dword ptr fs:[00000030h] 2_2_0300634F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F402A0 mov eax, dword ptr fs:[00000030h] 2_2_02F402A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FC62A0 mov eax, dword ptr fs:[00000030h] 2_2_02FC62A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FC62A0 mov ecx, dword ptr fs:[00000030h] 2_2_02FC62A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F6E284 mov eax, dword ptr fs:[00000030h] 2_2_02F6E284
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FB0283 mov eax, dword ptr fs:[00000030h] 2_2_02FB0283
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FE0274 mov eax, dword ptr fs:[00000030h] 2_2_02FE0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F34260 mov eax, dword ptr fs:[00000030h] 2_2_02F34260
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F2826B mov eax, dword ptr fs:[00000030h] 2_2_02F2826B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F2A250 mov eax, dword ptr fs:[00000030h] 2_2_02F2A250
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F36259 mov eax, dword ptr fs:[00000030h] 2_2_02F36259
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FEA250 mov eax, dword ptr fs:[00000030h] 2_2_02FEA250
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FB8243 mov eax, dword ptr fs:[00000030h] 2_2_02FB8243
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FB8243 mov ecx, dword ptr fs:[00000030h] 2_2_02FB8243
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F2823B mov eax, dword ptr fs:[00000030h] 2_2_02F2823B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F4E3F0 mov eax, dword ptr fs:[00000030h] 2_2_02F4E3F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F663FF mov eax, dword ptr fs:[00000030h] 2_2_02F663FF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F403E9 mov eax, dword ptr fs:[00000030h] 2_2_02F403E9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FDE3DB mov eax, dword ptr fs:[00000030h] 2_2_02FDE3DB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FDE3DB mov ecx, dword ptr fs:[00000030h] 2_2_02FDE3DB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FD43D4 mov eax, dword ptr fs:[00000030h] 2_2_02FD43D4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FEC3CD mov eax, dword ptr fs:[00000030h] 2_2_02FEC3CD
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F3A3C0 mov eax, dword ptr fs:[00000030h] 2_2_02F3A3C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F383C0 mov eax, dword ptr fs:[00000030h] 2_2_02F383C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FB63C0 mov eax, dword ptr fs:[00000030h] 2_2_02FB63C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0300625D mov eax, dword ptr fs:[00000030h] 2_2_0300625D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F28397 mov eax, dword ptr fs:[00000030h] 2_2_02F28397
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F2E388 mov eax, dword ptr fs:[00000030h] 2_2_02F2E388
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F5438F mov eax, dword ptr fs:[00000030h] 2_2_02F5438F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FD437C mov eax, dword ptr fs:[00000030h] 2_2_02FD437C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FB035C mov eax, dword ptr fs:[00000030h] 2_2_02FB035C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FB035C mov ecx, dword ptr fs:[00000030h] 2_2_02FB035C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FFA352 mov eax, dword ptr fs:[00000030h] 2_2_02FFA352
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FD8350 mov ecx, dword ptr fs:[00000030h] 2_2_02FD8350
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FB2349 mov eax, dword ptr fs:[00000030h] 2_2_02FB2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030062D6 mov eax, dword ptr fs:[00000030h] 2_2_030062D6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F2C310 mov ecx, dword ptr fs:[00000030h] 2_2_02F2C310
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F50310 mov ecx, dword ptr fs:[00000030h] 2_2_02F50310
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F6A30B mov eax, dword ptr fs:[00000030h] 2_2_02F6A30B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F2C0F0 mov eax, dword ptr fs:[00000030h] 2_2_02F2C0F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F720F0 mov ecx, dword ptr fs:[00000030h] 2_2_02F720F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F2A0E3 mov ecx, dword ptr fs:[00000030h] 2_2_02F2A0E3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F380E9 mov eax, dword ptr fs:[00000030h] 2_2_02F380E9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FB60E0 mov eax, dword ptr fs:[00000030h] 2_2_02FB60E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FB20DE mov eax, dword ptr fs:[00000030h] 2_2_02FB20DE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FF60B8 mov eax, dword ptr fs:[00000030h] 2_2_02FF60B8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FF60B8 mov ecx, dword ptr fs:[00000030h] 2_2_02FF60B8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F280A0 mov eax, dword ptr fs:[00000030h] 2_2_02F280A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FC80A8 mov eax, dword ptr fs:[00000030h] 2_2_02FC80A8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03004164 mov eax, dword ptr fs:[00000030h] 2_2_03004164
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F3208A mov eax, dword ptr fs:[00000030h] 2_2_02F3208A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F5C073 mov eax, dword ptr fs:[00000030h] 2_2_02F5C073
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F32050 mov eax, dword ptr fs:[00000030h] 2_2_02F32050
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FB6050 mov eax, dword ptr fs:[00000030h] 2_2_02FB6050
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FC6030 mov eax, dword ptr fs:[00000030h] 2_2_02FC6030
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F2A020 mov eax, dword ptr fs:[00000030h] 2_2_02F2A020
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F2C020 mov eax, dword ptr fs:[00000030h] 2_2_02F2C020
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F4E016 mov eax, dword ptr fs:[00000030h] 2_2_02F4E016
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030061E5 mov eax, dword ptr fs:[00000030h] 2_2_030061E5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FB4000 mov ecx, dword ptr fs:[00000030h] 2_2_02FB4000
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FD2000 mov eax, dword ptr fs:[00000030h] 2_2_02FD2000
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F601F8 mov eax, dword ptr fs:[00000030h] 2_2_02F601F8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FAE1D0 mov eax, dword ptr fs:[00000030h] 2_2_02FAE1D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FAE1D0 mov ecx, dword ptr fs:[00000030h] 2_2_02FAE1D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FF61C3 mov eax, dword ptr fs:[00000030h] 2_2_02FF61C3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FB019F mov eax, dword ptr fs:[00000030h] 2_2_02FB019F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F2A197 mov eax, dword ptr fs:[00000030h] 2_2_02F2A197
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F70185 mov eax, dword ptr fs:[00000030h] 2_2_02F70185
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FEC188 mov eax, dword ptr fs:[00000030h] 2_2_02FEC188
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FD4180 mov eax, dword ptr fs:[00000030h] 2_2_02FD4180
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F2C156 mov eax, dword ptr fs:[00000030h] 2_2_02F2C156
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FC8158 mov eax, dword ptr fs:[00000030h] 2_2_02FC8158
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F36154 mov eax, dword ptr fs:[00000030h] 2_2_02F36154
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FC4144 mov eax, dword ptr fs:[00000030h] 2_2_02FC4144
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FC4144 mov ecx, dword ptr fs:[00000030h] 2_2_02FC4144
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F60124 mov eax, dword ptr fs:[00000030h] 2_2_02F60124
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FDA118 mov ecx, dword ptr fs:[00000030h] 2_2_02FDA118
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FDA118 mov eax, dword ptr fs:[00000030h] 2_2_02FDA118
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FF0115 mov eax, dword ptr fs:[00000030h] 2_2_02FF0115
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FDE10E mov eax, dword ptr fs:[00000030h] 2_2_02FDE10E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FDE10E mov ecx, dword ptr fs:[00000030h] 2_2_02FDE10E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FAE6F2 mov eax, dword ptr fs:[00000030h] 2_2_02FAE6F2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FB06F1 mov eax, dword ptr fs:[00000030h] 2_2_02FB06F1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F6A6C7 mov ebx, dword ptr fs:[00000030h] 2_2_02F6A6C7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F6A6C7 mov eax, dword ptr fs:[00000030h] 2_2_02F6A6C7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F666B0 mov eax, dword ptr fs:[00000030h] 2_2_02F666B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F6C6A6 mov eax, dword ptr fs:[00000030h] 2_2_02F6C6A6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F34690 mov eax, dword ptr fs:[00000030h] 2_2_02F34690
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F62674 mov eax, dword ptr fs:[00000030h] 2_2_02F62674
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FF866E mov eax, dword ptr fs:[00000030h] 2_2_02FF866E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F6A660 mov eax, dword ptr fs:[00000030h] 2_2_02F6A660
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F4C640 mov eax, dword ptr fs:[00000030h] 2_2_02F4C640
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F4E627 mov eax, dword ptr fs:[00000030h] 2_2_02F4E627
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F66620 mov eax, dword ptr fs:[00000030h] 2_2_02F66620
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F68620 mov eax, dword ptr fs:[00000030h] 2_2_02F68620
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F3262C mov eax, dword ptr fs:[00000030h] 2_2_02F3262C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F72619 mov eax, dword ptr fs:[00000030h] 2_2_02F72619
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FAE609 mov eax, dword ptr fs:[00000030h] 2_2_02FAE609
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F4260B mov eax, dword ptr fs:[00000030h] 2_2_02F4260B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F347FB mov eax, dword ptr fs:[00000030h] 2_2_02F347FB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F527ED mov eax, dword ptr fs:[00000030h] 2_2_02F527ED
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FBE7E1 mov eax, dword ptr fs:[00000030h] 2_2_02FBE7E1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F3C7C0 mov eax, dword ptr fs:[00000030h] 2_2_02F3C7C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FB07C3 mov eax, dword ptr fs:[00000030h] 2_2_02FB07C3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F307AF mov eax, dword ptr fs:[00000030h] 2_2_02F307AF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FE47A0 mov eax, dword ptr fs:[00000030h] 2_2_02FE47A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FD678E mov eax, dword ptr fs:[00000030h] 2_2_02FD678E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F38770 mov eax, dword ptr fs:[00000030h] 2_2_02F38770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F40770 mov eax, dword ptr fs:[00000030h] 2_2_02F40770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F30750 mov eax, dword ptr fs:[00000030h] 2_2_02F30750
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FBE75D mov eax, dword ptr fs:[00000030h] 2_2_02FBE75D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F72750 mov eax, dword ptr fs:[00000030h] 2_2_02F72750
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FB4755 mov eax, dword ptr fs:[00000030h] 2_2_02FB4755
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F6674D mov esi, dword ptr fs:[00000030h] 2_2_02F6674D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F6674D mov eax, dword ptr fs:[00000030h] 2_2_02F6674D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F6273C mov eax, dword ptr fs:[00000030h] 2_2_02F6273C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F6273C mov ecx, dword ptr fs:[00000030h] 2_2_02F6273C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6273C mov eax, dword ptr fs:[00000030h]2_2_02F6273C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FAC730 mov eax, dword ptr fs:[00000030h]2_2_02FAC730
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6C720 mov eax, dword ptr fs:[00000030h]2_2_02F6C720
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6C720 mov eax, dword ptr fs:[00000030h]2_2_02F6C720
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F30710 mov eax, dword ptr fs:[00000030h]2_2_02F30710
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F60710 mov eax, dword ptr fs:[00000030h]2_2_02F60710
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6C700 mov eax, dword ptr fs:[00000030h]2_2_02F6C700
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03004500 mov eax, dword ptr fs:[00000030h]2_2_03004500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03004500 mov eax, dword ptr fs:[00000030h]2_2_03004500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03004500 mov eax, dword ptr fs:[00000030h]2_2_03004500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03004500 mov eax, dword ptr fs:[00000030h]2_2_03004500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03004500 mov eax, dword ptr fs:[00000030h]2_2_03004500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03004500 mov eax, dword ptr fs:[00000030h]2_2_03004500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03004500 mov eax, dword ptr fs:[00000030h]2_2_03004500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F304E5 mov ecx, dword ptr fs:[00000030h]2_2_02F304E5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F644B0 mov ecx, dword ptr fs:[00000030h]2_2_02F644B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FBA4B0 mov eax, dword ptr fs:[00000030h]2_2_02FBA4B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F364AB mov eax, dword ptr fs:[00000030h]2_2_02F364AB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FEA49A mov eax, dword ptr fs:[00000030h]2_2_02FEA49A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F5A470 mov eax, dword ptr fs:[00000030h]2_2_02F5A470
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F5A470 mov eax, dword ptr fs:[00000030h]2_2_02F5A470
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F5A470 mov eax, dword ptr fs:[00000030h]2_2_02F5A470
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FBC460 mov ecx, dword ptr fs:[00000030h]2_2_02FBC460
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FEA456 mov eax, dword ptr fs:[00000030h]2_2_02FEA456
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F2645D mov eax, dword ptr fs:[00000030h]2_2_02F2645D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F5245A mov eax, dword ptr fs:[00000030h]2_2_02F5245A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6E443 mov eax, dword ptr fs:[00000030h]2_2_02F6E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6E443 mov eax, dword ptr fs:[00000030h]2_2_02F6E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6E443 mov eax, dword ptr fs:[00000030h]2_2_02F6E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6E443 mov eax, dword ptr fs:[00000030h]2_2_02F6E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6E443 mov eax, dword ptr fs:[00000030h]2_2_02F6E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6E443 mov eax, dword ptr fs:[00000030h]2_2_02F6E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6E443 mov eax, dword ptr fs:[00000030h]2_2_02F6E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6E443 mov eax, dword ptr fs:[00000030h]2_2_02F6E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6A430 mov eax, dword ptr fs:[00000030h]2_2_02F6A430
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F2E420 mov eax, dword ptr fs:[00000030h]2_2_02F2E420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F2E420 mov eax, dword ptr fs:[00000030h]2_2_02F2E420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F2E420 mov eax, dword ptr fs:[00000030h]2_2_02F2E420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F2C427 mov eax, dword ptr fs:[00000030h]2_2_02F2C427
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB6420 mov eax, dword ptr fs:[00000030h]2_2_02FB6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB6420 mov eax, dword ptr fs:[00000030h]2_2_02FB6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB6420 mov eax, dword ptr fs:[00000030h]2_2_02FB6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB6420 mov eax, dword ptr fs:[00000030h]2_2_02FB6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB6420 mov eax, dword ptr fs:[00000030h]2_2_02FB6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB6420 mov eax, dword ptr fs:[00000030h]2_2_02FB6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB6420 mov eax, dword ptr fs:[00000030h]2_2_02FB6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F68402 mov eax, dword ptr fs:[00000030h]2_2_02F68402
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F68402 mov eax, dword ptr fs:[00000030h]2_2_02F68402
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F68402 mov eax, dword ptr fs:[00000030h]2_2_02F68402
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F5E5E7 mov eax, dword ptr fs:[00000030h]2_2_02F5E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F5E5E7 mov eax, dword ptr fs:[00000030h]2_2_02F5E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F5E5E7 mov eax, dword ptr fs:[00000030h]2_2_02F5E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F5E5E7 mov eax, dword ptr fs:[00000030h]2_2_02F5E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F5E5E7 mov eax, dword ptr fs:[00000030h]2_2_02F5E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F5E5E7 mov eax, dword ptr fs:[00000030h]2_2_02F5E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F5E5E7 mov eax, dword ptr fs:[00000030h]2_2_02F5E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F5E5E7 mov eax, dword ptr fs:[00000030h]2_2_02F5E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F325E0 mov eax, dword ptr fs:[00000030h]2_2_02F325E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6C5ED mov eax, dword ptr fs:[00000030h]2_2_02F6C5ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6C5ED mov eax, dword ptr fs:[00000030h]2_2_02F6C5ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F365D0 mov eax, dword ptr fs:[00000030h]2_2_02F365D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6A5D0 mov eax, dword ptr fs:[00000030h]2_2_02F6A5D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6A5D0 mov eax, dword ptr fs:[00000030h]2_2_02F6A5D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6E5CF mov eax, dword ptr fs:[00000030h]2_2_02F6E5CF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6E5CF mov eax, dword ptr fs:[00000030h]2_2_02F6E5CF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F545B1 mov eax, dword ptr fs:[00000030h]2_2_02F545B1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F545B1 mov eax, dword ptr fs:[00000030h]2_2_02F545B1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB05A7 mov eax, dword ptr fs:[00000030h]2_2_02FB05A7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB05A7 mov eax, dword ptr fs:[00000030h]2_2_02FB05A7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB05A7 mov eax, dword ptr fs:[00000030h]2_2_02FB05A7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6E59C mov eax, dword ptr fs:[00000030h]2_2_02F6E59C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F32582 mov eax, dword ptr fs:[00000030h]2_2_02F32582
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F32582 mov ecx, dword ptr fs:[00000030h]2_2_02F32582
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F64588 mov eax, dword ptr fs:[00000030h]2_2_02F64588
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6656A mov eax, dword ptr fs:[00000030h]2_2_02F6656A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6656A mov eax, dword ptr fs:[00000030h]2_2_02F6656A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6656A mov eax, dword ptr fs:[00000030h]2_2_02F6656A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F38550 mov eax, dword ptr fs:[00000030h]2_2_02F38550
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F38550 mov eax, dword ptr fs:[00000030h]2_2_02F38550
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F40535 mov eax, dword ptr fs:[00000030h]2_2_02F40535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F40535 mov eax, dword ptr fs:[00000030h]2_2_02F40535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F40535 mov eax, dword ptr fs:[00000030h]2_2_02F40535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F40535 mov eax, dword ptr fs:[00000030h]2_2_02F40535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F40535 mov eax, dword ptr fs:[00000030h]2_2_02F40535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F40535 mov eax, dword ptr fs:[00000030h]2_2_02F40535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F5E53E mov eax, dword ptr fs:[00000030h]2_2_02F5E53E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F5E53E mov eax, dword ptr fs:[00000030h]2_2_02F5E53E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F5E53E mov eax, dword ptr fs:[00000030h]2_2_02F5E53E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F5E53E mov eax, dword ptr fs:[00000030h]2_2_02F5E53E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F5E53E mov eax, dword ptr fs:[00000030h]2_2_02F5E53E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FC6500 mov eax, dword ptr fs:[00000030h]2_2_02FC6500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03004B00 mov eax, dword ptr fs:[00000030h]2_2_03004B00
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6AAEE mov eax, dword ptr fs:[00000030h]2_2_02F6AAEE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6AAEE mov eax, dword ptr fs:[00000030h]2_2_02F6AAEE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F30AD0 mov eax, dword ptr fs:[00000030h]2_2_02F30AD0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F64AD0 mov eax, dword ptr fs:[00000030h]2_2_02F64AD0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F64AD0 mov eax, dword ptr fs:[00000030h]2_2_02F64AD0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F86ACC mov eax, dword ptr fs:[00000030h]2_2_02F86ACC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F86ACC mov eax, dword ptr fs:[00000030h]2_2_02F86ACC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F86ACC mov eax, dword ptr fs:[00000030h]2_2_02F86ACC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F38AA0 mov eax, dword ptr fs:[00000030h]2_2_02F38AA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F38AA0 mov eax, dword ptr fs:[00000030h]2_2_02F38AA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03002B57 mov eax, dword ptr fs:[00000030h]2_2_03002B57
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03002B57 mov eax, dword ptr fs:[00000030h]2_2_03002B57
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03002B57 mov eax, dword ptr fs:[00000030h]2_2_03002B57
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03002B57 mov eax, dword ptr fs:[00000030h]2_2_03002B57
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F86AA4 mov eax, dword ptr fs:[00000030h]2_2_02F86AA4
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F68A90 mov edx, dword ptr fs:[00000030h]2_2_02F68A90
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F3EA80 mov eax, dword ptr fs:[00000030h]2_2_02F3EA80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F3EA80 mov eax, dword ptr fs:[00000030h]2_2_02F3EA80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F3EA80 mov eax, dword ptr fs:[00000030h]2_2_02F3EA80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F3EA80 mov eax, dword ptr fs:[00000030h]2_2_02F3EA80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F3EA80 mov eax, dword ptr fs:[00000030h]2_2_02F3EA80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F3EA80 mov eax, dword ptr fs:[00000030h]2_2_02F3EA80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F3EA80 mov eax, dword ptr fs:[00000030h]2_2_02F3EA80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F3EA80 mov eax, dword ptr fs:[00000030h]2_2_02F3EA80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F3EA80 mov eax, dword ptr fs:[00000030h]2_2_02F3EA80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FACA72 mov eax, dword ptr fs:[00000030h]2_2_02FACA72
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FACA72 mov eax, dword ptr fs:[00000030h]2_2_02FACA72
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6CA6F mov eax, dword ptr fs:[00000030h]2_2_02F6CA6F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6CA6F mov eax, dword ptr fs:[00000030h]2_2_02F6CA6F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6CA6F mov eax, dword ptr fs:[00000030h]2_2_02F6CA6F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDEA60 mov eax, dword ptr fs:[00000030h]2_2_02FDEA60
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F36A50 mov eax, dword ptr fs:[00000030h]2_2_02F36A50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F36A50 mov eax, dword ptr fs:[00000030h]2_2_02F36A50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F36A50 mov eax, dword ptr fs:[00000030h]2_2_02F36A50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F36A50 mov eax, dword ptr fs:[00000030h]2_2_02F36A50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F36A50 mov eax, dword ptr fs:[00000030h]2_2_02F36A50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F36A50 mov eax, dword ptr fs:[00000030h]2_2_02F36A50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F36A50 mov eax, dword ptr fs:[00000030h]2_2_02F36A50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F40A5B mov eax, dword ptr fs:[00000030h]2_2_02F40A5B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F40A5B mov eax, dword ptr fs:[00000030h]2_2_02F40A5B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F54A35 mov eax, dword ptr fs:[00000030h]2_2_02F54A35
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F54A35 mov eax, dword ptr fs:[00000030h]2_2_02F54A35
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6CA38 mov eax, dword ptr fs:[00000030h]2_2_02F6CA38
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6CA24 mov eax, dword ptr fs:[00000030h]2_2_02F6CA24
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F5EA2E mov eax, dword ptr fs:[00000030h]2_2_02F5EA2E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FBCA11 mov eax, dword ptr fs:[00000030h]2_2_02FBCA11
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F38BF0 mov eax, dword ptr fs:[00000030h]2_2_02F38BF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F38BF0 mov eax, dword ptr fs:[00000030h]2_2_02F38BF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F38BF0 mov eax, dword ptr fs:[00000030h]2_2_02F38BF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F5EBFC mov eax, dword ptr fs:[00000030h]2_2_02F5EBFC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FBCBF0 mov eax, dword ptr fs:[00000030h]2_2_02FBCBF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDEBD0 mov eax, dword ptr fs:[00000030h]2_2_02FDEBD0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F50BCB mov eax, dword ptr fs:[00000030h]2_2_02F50BCB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F50BCB mov eax, dword ptr fs:[00000030h]2_2_02F50BCB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F50BCB mov eax, dword ptr fs:[00000030h]2_2_02F50BCB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F30BCD mov eax, dword ptr fs:[00000030h]2_2_02F30BCD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F30BCD mov eax, dword ptr fs:[00000030h]2_2_02F30BCD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F30BCD mov eax, dword ptr fs:[00000030h]2_2_02F30BCD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F40BBE mov eax, dword ptr fs:[00000030h]2_2_02F40BBE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F40BBE mov eax, dword ptr fs:[00000030h]2_2_02F40BBE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FE4BB0 mov eax, dword ptr fs:[00000030h]2_2_02FE4BB0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FE4BB0 mov eax, dword ptr fs:[00000030h]2_2_02FE4BB0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03004A80 mov eax, dword ptr fs:[00000030h]2_2_03004A80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F2CB7E mov eax, dword ptr fs:[00000030h]2_2_02F2CB7E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F28B50 mov eax, dword ptr fs:[00000030h]2_2_02F28B50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDEB50 mov eax, dword ptr fs:[00000030h]2_2_02FDEB50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FE4B4B mov eax, dword ptr fs:[00000030h]2_2_02FE4B4B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FE4B4B mov eax, dword ptr fs:[00000030h]2_2_02FE4B4B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FC6B40 mov eax, dword ptr fs:[00000030h]2_2_02FC6B40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FC6B40 mov eax, dword ptr fs:[00000030h]2_2_02FC6B40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FFAB40 mov eax, dword ptr fs:[00000030h]2_2_02FFAB40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FD8B42 mov eax, dword ptr fs:[00000030h]2_2_02FD8B42
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F5EB20 mov eax, dword ptr fs:[00000030h]2_2_02F5EB20
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F5EB20 mov eax, dword ptr fs:[00000030h]2_2_02F5EB20
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FF8B28 mov eax, dword ptr fs:[00000030h]2_2_02FF8B28
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FF8B28 mov eax, dword ptr fs:[00000030h]2_2_02FF8B28
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FAEB1D mov eax, dword ptr fs:[00000030h]2_2_02FAEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FAEB1D mov eax, dword ptr fs:[00000030h]2_2_02FAEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FAEB1D mov eax, dword ptr fs:[00000030h]2_2_02FAEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FAEB1D mov eax, dword ptr fs:[00000030h]2_2_02FAEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FAEB1D mov eax, dword ptr fs:[00000030h]2_2_02FAEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FAEB1D mov eax, dword ptr fs:[00000030h]2_2_02FAEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FAEB1D mov eax, dword ptr fs:[00000030h]2_2_02FAEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FAEB1D mov eax, dword ptr fs:[00000030h]2_2_02FAEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FAEB1D mov eax, dword ptr fs:[00000030h]2_2_02FAEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6C8F9 mov eax, dword ptr fs:[00000030h]2_2_02F6C8F9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6C8F9 mov eax, dword ptr fs:[00000030h]2_2_02F6C8F9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FFA8E4 mov eax, dword ptr fs:[00000030h]2_2_02FFA8E4
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F5E8C0 mov eax, dword ptr fs:[00000030h]2_2_02F5E8C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03004940 mov eax, dword ptr fs:[00000030h]2_2_03004940
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FBC89D mov eax, dword ptr fs:[00000030h]2_2_02FBC89D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F30887 mov eax, dword ptr fs:[00000030h]2_2_02F30887
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FBE872 mov eax, dword ptr fs:[00000030h]2_2_02FBE872
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FBE872 mov eax, dword ptr fs:[00000030h]2_2_02FBE872
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FC6870 mov eax, dword ptr fs:[00000030h]2_2_02FC6870
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FC6870 mov eax, dword ptr fs:[00000030h]2_2_02FC6870
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F60854 mov eax, dword ptr fs:[00000030h]2_2_02F60854
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F34859 mov eax, dword ptr fs:[00000030h]2_2_02F34859
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F34859 mov eax, dword ptr fs:[00000030h]2_2_02F34859
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F42840 mov ecx, dword ptr fs:[00000030h]2_2_02F42840
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F52835 mov eax, dword ptr fs:[00000030h]2_2_02F52835
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F52835 mov eax, dword ptr fs:[00000030h]2_2_02F52835
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F52835 mov eax, dword ptr fs:[00000030h]2_2_02F52835
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F52835 mov ecx, dword ptr fs:[00000030h]2_2_02F52835
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F52835 mov eax, dword ptr fs:[00000030h]2_2_02F52835
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F52835 mov eax, dword ptr fs:[00000030h]2_2_02F52835
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6A830 mov eax, dword ptr fs:[00000030h]2_2_02F6A830
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FD483A mov eax, dword ptr fs:[00000030h]2_2_02FD483A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FD483A mov eax, dword ptr fs:[00000030h]2_2_02FD483A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FBC810 mov eax, dword ptr fs:[00000030h]2_2_02FBC810
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F629F9 mov eax, dword ptr fs:[00000030h]2_2_02F629F9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F629F9 mov eax, dword ptr fs:[00000030h]2_2_02F629F9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FBE9E0 mov eax, dword ptr fs:[00000030h]2_2_02FBE9E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F3A9D0 mov eax, dword ptr fs:[00000030h]2_2_02F3A9D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F3A9D0 mov eax, dword ptr fs:[00000030h]2_2_02F3A9D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F3A9D0 mov eax, dword ptr fs:[00000030h]2_2_02F3A9D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F3A9D0 mov eax, dword ptr fs:[00000030h]2_2_02F3A9D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F3A9D0 mov eax, dword ptr fs:[00000030h]2_2_02F3A9D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F3A9D0 mov eax, dword ptr fs:[00000030h]2_2_02F3A9D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F649D0 mov eax, dword ptr fs:[00000030h]2_2_02F649D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FFA9D3 mov eax, dword ptr fs:[00000030h]2_2_02FFA9D3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FC69C0 mov eax, dword ptr fs:[00000030h]2_2_02FC69C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB89B3 mov esi, dword ptr fs:[00000030h]2_2_02FB89B3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB89B3 mov eax, dword ptr fs:[00000030h]2_2_02FB89B3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB89B3 mov eax, dword ptr fs:[00000030h]2_2_02FB89B3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F429A0 mov eax, dword ptr fs:[00000030h]2_2_02F429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F429A0 mov eax, dword ptr fs:[00000030h]2_2_02F429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F429A0 mov eax, dword ptr fs:[00000030h]2_2_02F429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F429A0 mov eax, dword ptr fs:[00000030h]2_2_02F429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F429A0 mov eax, dword ptr fs:[00000030h]2_2_02F429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F429A0 mov eax, dword ptr fs:[00000030h]2_2_02F429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F429A0 mov eax, dword ptr fs:[00000030h]2_2_02F429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F429A0 mov eax, dword ptr fs:[00000030h]2_2_02F429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F429A0 mov eax, dword ptr fs:[00000030h]2_2_02F429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F429A0 mov eax, dword ptr fs:[00000030h]2_2_02F429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F429A0 mov eax, dword ptr fs:[00000030h]2_2_02F429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F429A0 mov eax, dword ptr fs:[00000030h]2_2_02F429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F429A0 mov eax, dword ptr fs:[00000030h]2_2_02F429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F309AD mov eax, dword ptr fs:[00000030h]2_2_02F309AD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F309AD mov eax, dword ptr fs:[00000030h]2_2_02F309AD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FD4978 mov eax, dword ptr fs:[00000030h]2_2_02FD4978
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FD4978 mov eax, dword ptr fs:[00000030h]2_2_02FD4978
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FBC97C mov eax, dword ptr fs:[00000030h]2_2_02FBC97C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F56962 mov eax, dword ptr fs:[00000030h]2_2_02F56962
          Source: C:\Users\user\Desktop\EEcYuuRdFy.exe Code function: 0_2_00AD80A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation
          Source: C:\Windows\SysWOW64\svchost.exe Process token adjusted: Debug
          Source: C:\Users\user\Desktop\EEcYuuRdFy.exe Code function: 0_2_00AAA124 SetUnhandledExceptionFilter
          Source: C:\Users\user\Desktop\EEcYuuRdFy.exe Code function: 0_2_00AAA155 SetUnhandledExceptionFilter,UnhandledExceptionFilter
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 4_2_00A60C80 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess

          HIPS / PFW / Operating System Protection Evasion

          Source: C:\Windows\explorer.exe | Network Connect: 104.16.12.194 80
          Source: C:\Users\user\Desktop\EEcYuuRdFy.exe | Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Windows\SysWOW64\msdt.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\msdt.exe | Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\msdt.exe | Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\svchost.exe | Thread register set: target process: 4056
          Source: C:\Windows\SysWOW64\msdt.exe | Thread register set: target process: 4056
          Source: C:\Windows\SysWOW64\svchost.exe | Thread APC queued: target process: C:\Windows\explorer.exe
          Source: C:\Windows\SysWOW64\svchost.exe | Section unmapped: C:\Windows\SysWOW64\msdt.exe base address: A10000
          Source: C:\Users\user\Desktop\EEcYuuRdFy.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 52B008
          Source: C:\Users\user\Desktop\EEcYuuRdFy.exe | Code function: 0_2_00AD87B1 LogonUserW
          Source: C:\Users\user\Desktop\EEcYuuRdFy.exe | Code function: 0_2_00A83B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
          Source: C:\Users\user\Desktop\EEcYuuRdFy.exe | Code function: 0_2_00A848D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
          Source: C:\Users\user\Desktop\EEcYuuRdFy.exe | Code function: 0_2_00AE4C27 mouse_event
          Source: C:\Users\user\Desktop\EEcYuuRdFy.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\EEcYuuRdFy.exe"
          Source: C:\Windows\SysWOW64\msdt.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\svchost.exe"
          Source: C:\Users\user\Desktop\EEcYuuRdFy.exe | Code function: 0_2_00AD7CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
          Source: C:\Users\user\Desktop\EEcYuuRdFy.exe | Code function: 0_2_00AD874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid
          Source: EEcYuuRdFy.exe | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
          Source: explorer.exe, 00000003.00000000.869494824.0000000001230000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000002.3309111687.0000000001231000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Program Manager
          Source: EEcYuuRdFy.exe, explorer.exe, 00000003.00000000.874388249.000000000988D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3313477471.0000000004810000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.869494824.0000000001230000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000003.00000002.3307674755.0000000000BA0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.869494824.0000000001230000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.869152167.0000000000BA8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Progman
          Source: explorer.exe, 00000003.00000000.869494824.0000000001230000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000002.3309111687.0000000001231000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
          Source: C:\Users\user\Desktop\EEcYuuRdFy.exe | Code function: 0_2_00AA862B cpuid
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4_2_00A47E50 GetProcessHeap,HeapAlloc,ConvertStringSecurityDescriptorToSecurityDescriptorW,GetLastError,CreateEventW,CreateNamedPipeW,ConnectNamedPipe,GetLastError,GetLastError,GetLastError,GetProcessHeap,HeapFree,LocalFree
          Source: C:\Users\user\Desktop\EEcYuuRdFy.exe | Code function: 0_2_00AB4E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter
          Source: C:\Users\user\Desktop\EEcYuuRdFy.exe | Code function: 0_2_00AC1E06 GetUserNameW
          Source: C:\Users\user\Desktop\EEcYuuRdFy.exe | Code function: 0_2_00AB3F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte
          Source: C:\Users\user\Desktop\EEcYuuRdFy.exe | Code function: 0_2_00A849A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo

          Stealing of Sensitive Information

          Source: Yara match | File source: 0.2.EEcYuuRdFy.exe.1270000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.2.svchost.exe.330000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.EEcYuuRdFy.exe.1270000.1.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000002.00000002.915507369.0000000002DA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.3308943301.0000000002E70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.914859395.0000000000331000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.3309113410.0000000002EA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.3307781923.0000000002AA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.860385486.0000000001270000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.915462305.0000000002D70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: EEcYuuRdFy.exe | Binary or memory string: WIN_81
          Source: EEcYuuRdFy.exe | Binary or memory string: WIN_XP
          Source: EEcYuuRdFy.exe | Binary or memory string: WIN_XPe
          Source: EEcYuuRdFy.exe | Binary or memory string: WIN_VISTA
          Source: EEcYuuRdFy.exe | Binary or memory string: WIN_7
          Source: EEcYuuRdFy.exe | Binary or memory string: WIN_8
          Source: EEcYuuRdFy.exe | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

          Remote Access Functionality

          Source: Yara match | File source: 0.2.EEcYuuRdFy.exe.1270000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.2.svchost.exe.330000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.EEcYuuRdFy.exe.1270000.1.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000002.00000002.915507369.0000000002DA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.3308943301.0000000002E70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.914859395.0000000000331000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.3309113410.0000000002EA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.3307781923.0000000002AA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.860385486.0000000001270000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.915462305.0000000002D70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: C:\Users\user\Desktop\EEcYuuRdFy.exe | Code function: 0_2_00AF6283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket
          Source: C:\Users\user\Desktop\EEcYuuRdFy.exe | Code function: 0_2_00AF6747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket
          MITRE ATT&CK Matrix (techniques flagged by the report, grouped by tactic):

          Initial Access: Valid Accounts
          Execution: Native API; Shared Modules
          Persistence: DLL Side-Loading; Valid Accounts
          Privilege Escalation: Exploitation for Privilege Escalation; DLL Side-Loading; Valid Accounts; Access Token Manipulation; Process Injection
          Defense Evasion: Disable or Modify Tools; Deobfuscate/Decode Files or Information; Obfuscated Files or Information; DLL Side-Loading; Valid Accounts; Virtualization/Sandbox Evasion; Access Token Manipulation; Process Injection
          Credential Access: Input Capture
          Discovery: System Time Discovery; Account Discovery; File and Directory Discovery; System Information Discovery; Security Software Discovery; Virtualization/Sandbox Evasion; Process Discovery; Application Window Discovery; System Owner/User Discovery
          Collection: Archive Collected Data; Input Capture; Clipboard Data
          Command and Control: Ingress Tool Transfer; Encrypted Channel; Non-Application Layer Protocol; Application Layer Protocol
          Impact: System Shutdown/Reboot
          Behavior Graph ID: 1634841 | Sample: EEcYuuRdFy.exe | Startdate: 11/03/2025 | Architecture: WINDOWS | Score: 100

          Start
            DNS/IP: www.sugatoken.xyz; www.skbdicat.xyz (Performs DNS queries to domains with low reputation); 11 other IPs or domains
            Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 7 other signatures
            EEcYuuRdFy.exe (started)
              Signatures: Binary is likely a compiled AutoIt script file; Writes to foreign memory regions; Maps a DLL or memory area into another process; Switches to a custom stack to bypass stack traces
              svchost.exe (started)
                Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; 3 other signatures
                explorer.exe (injected)
                  DNS/IP: www.gequiltdesins.shop 104.21.80.156, 49694, 80 CLOUDFLARENETUS United States; 204.79.197.203, 443 MICROSOFT-CORP-MSN-AS-BLOCKUS United States; target.clickfunnels.com 104.16.12.194, 49689, 80 CLOUDFLARENETUS United States
                  Signatures: System process connects to network (likely due to code injection or exploit)
                  msdt.exe (started)
                    Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
                    cmd.exe (started)
                      conhost.exe (started)
